Play interactive tour

Edit tour

Analysis Report pansy.exe

Overview

General Information

Sample Name:	pansy.exe
Analysis ID:	430639
MD5:	be5a85f85d011252e63cab4566239280
SHA1:	72a8f524a3b449b3c459cdfe4a7b6c1c46b0dcdd
SHA256:	057144f38e786ee18295c76f3f06a975fc342358a5d6ba049000ca0fe44e8179
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

pansy.exe (PID: 7068 cmdline: 'C:\Users\user\Desktop\pansy.exe' MD5: BE5A85F85D011252E63CAB4566239280)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
pansy.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: pansy.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q"}

Source: pansy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1k6joaGLkNYxFw0lOjR395hYutsonOF5Q

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\pansy.exe

Process Stats: CPU usage > 98%

Source: pansy.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: pansy.exe, 00000000.00000002.1166613915.00000000020B0000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs pansy.exe

Source: pansy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Source: pansy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pansy.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\pansy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: pansy.exe, type: SAMPLE
Source: Yara match	File source: 0.2.pansy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.pansy.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\pansy.exe	Code function: 0_2_0040662F push ss; ret	0_2_0040662E
Source: C:\Users\user\Desktop\pansy.exe	Code function: 0_2_00406D73 pushfd ; retf	0_2_00406D74
Source: C:\Users\user\Desktop\pansy.exe	Code function: 0_2_00407F0F push 0000005Ah; retf	0_2_00407F1D
Source: C:\Users\user\Desktop\pansy.exe	Code function: 0_2_00406516 push ss; ret	0_2_0040662E
Source: C:\Users\user\Desktop\pansy.exe	Code function: 0_2_0040EBF1 push cs; ret	0_2_0040EBFB

Source: C:\Users\user\Desktop\pansy.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\pansy.exe	RDTSC instruction interceptor: First address: 0000000002B6FACE second address: 0000000002B6FACE instructions:
Source: C:\Users\user\Desktop\pansy.exe	RDTSC instruction interceptor: First address: 0000000002B725A5 second address: 0000000002B725A5 instructions:
Source: C:\Users\user\Desktop\pansy.exe	RDTSC instruction interceptor: First address: 0000000002B69737 second address: 0000000002B697D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edi, dword ptr [ebp+0000017Fh] 0x00000010 push cx 0x00000012 mov cx, 7167h 0x00000016 pop cx 0x00000018 cmp di, 3711h 0x0000001d call 00007F78F49BFB7Dh 0x00000022 call 00007F78F49BFB84h 0x00000027 lfence 0x0000002a mov edx, 464DB255h 0x0000002f xor edx, 60CB488Eh 0x00000035 xor edx, A32252D0h 0x0000003b xor edx, FA5AA81Fh 0x00000041 mov edx, dword ptr [edx] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\pansy.exe	RDTSC instruction interceptor: First address: 0000000002B6FACE second address: 0000000002B6FACE instructions:
Source: C:\Users\user\Desktop\pansy.exe	RDTSC instruction interceptor: First address: 0000000002B725A5 second address: 0000000002B725A5 instructions:
Source: C:\Users\user\Desktop\pansy.exe	RDTSC instruction interceptor: First address: 0000000002B69737 second address: 0000000002B697D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edi, dword ptr [ebp+0000017Fh] 0x00000010 push cx 0x00000012 mov cx, 7167h 0x00000016 pop cx 0x00000018 cmp di, 3711h 0x0000001d call 00007F78F49BFB7Dh 0x00000022 call 00007F78F49BFB84h 0x00000027 lfence 0x0000002a mov edx, 464DB255h 0x0000002f xor edx, 60CB488Eh 0x00000035 xor edx, A32252D0h 0x0000003b xor edx, FA5AA81Fh 0x00000041 mov edx, dword ptr [edx] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\pansy.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: pansy.exe, 00000000.00000002.1166514064.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery3	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
pansy.exe	9%	ReversingLabs	Win32.Trojan.Mucc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430639
Start date:	07.06.2021
Start time:	17:57:43
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	pansy.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 10.3% (good quality ratio 2.1%) Quality average: 12.6% Quality standard deviation: 25.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/430639/sample/pansy.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.667078138121212
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	pansy.exe
File size:	143360
MD5:	be5a85f85d011252e63cab4566239280
SHA1:	72a8f524a3b449b3c459cdfe4a7b6c1c46b0dcdd
SHA256:	057144f38e786ee18295c76f3f06a975fc342358a5d6ba049000ca0fe44e8179
SHA512:	732e41dc029f793c9076904909ad3fe222d127dd47bec8075b682dd2a4505be38e76a3b764271ca2930945bf31c0e39f48c42295d703595247c7ba6cac5829b9
SSDEEP:	1536:Q/Qq7xbuNxA3JhkGpwPRRHkOVPVXYstBRQeag24T1f:sYN63cWqRHkOVPVostrQeTJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4014b8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60BE1B8F [Mon Jun 7 13:13:51 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b1d5215cf0ff1abab4dacdc311d642d4

Entrypoint Preview

Instruction
push 0040174Ch
call 00007F78F4E3F635h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
adc al, 5Fh
hlt
sub dword ptr [edx-42h], ecx
mov cl, 05h
cwde
in eax, dx
add dword ptr [eax+00000026h], eax
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+45h], al
dec esi
inc ebp
push edx
inc ecx
dec esp
inc esp
inc ebp
inc edx
inc ecx
push esp
push esp
inc ebp
dec esi
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or byte ptr [eax], bh
into
fisubr word ptr [ebp-61h]
jmp 00007F787E813B7Fh
mov al, byte ptr [C51B966Dh]
popfd
fist word ptr [edx]
dec esi
push ss
mov al, byte ptr [47B24923h]
push esp
push eax
and dword ptr [ecx], esi
movsb
sahf
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov al, byte ptr [ecx]
add byte ptr [eax], al
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [ecx+ebp*2+6Eh], cl
jc 00007F78F4E3F674h
add byte ptr [46000C01h], cl
dec edi
push edx
inc edi
push edx
inc ebp
dec esi
dec ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20a84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0x9ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x154	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fffc	0x20000	False	0.330955505371	data	4.91992394666	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x1234	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0x9ec	0x1000	False	0.1806640625	data	2.17086442612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x238bc	0x130	data
RT_ICON	0x235d4	0x2e8	data
RT_ICON	0x234ac	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2347c	0x30	data
RT_VERSION	0x23150	0x32c	data	Sesotho (Sutu)	South Africa

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0430 0x04b0
LegalCopyright	Yonyou Network
InternalName	pansy
FileVersion	1.00
CompanyName	Yonyou Network
LegalTrademarks	Yonyou Network
Comments	Yonyou Network
ProductName	Yonyou Network
ProductVersion	1.00
FileDescription	Yonyou Network
OriginalFilename	pansy.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sesotho (Sutu)	South Africa

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: pansy.exe PID: 7068 Parent PID: 5920

General

Start time:	17:58:29
Start date:	07/06/2021
Path:	C:\Users\user\Desktop\pansy.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\pansy.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	BE5A85F85D011252E63CAB4566239280
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: pansy.exe PID: 7068 Parent PID: 5920 pansy.exeCOMMON

Executed Functions

Function 0041C8A0, Relevance: 328.9, APIs: 175, Strings: 12, Instructions: 1669COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0041C9DC
#563.MSVBVM60(?), ref: 0041C9E9
__vbaFreeVar.MSVBVM60 ref: 0041CA02
#531.MSVBVM60(Sammenskruendes), ref: 0041CA12
#606.MSVBVM60(00000001,?), ref: 0041CA35
__vbaStrMove.MSVBVM60 ref: 0041CA43
__vbaStrCmp.MSVBVM60(00402B98,00000000), ref: 0041CA4F
__vbaFreeStr.MSVBVM60 ref: 0041CA65
__vbaFreeVar.MSVBVM60 ref: 0041CA71
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 0041CA8F
__vbaObjSetAddref.MSVBVM60(?,00401168), ref: 0041CAA5
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,00000010), ref: 0041CAC5
__vbaFreeObj.MSVBVM60 ref: 0041CACD
__vbaFreeObj.MSVBVM60 ref: 0041CAE1
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CB02
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CB1E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,00000158), ref: 0041CB48
__vbaFreeObj.MSVBVM60 ref: 0041CBB3
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CBCC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CBE8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001E0), ref: 0041CC12
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CC27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CC43
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001A0), ref: 0041CC6D
__vbaStrCopy.MSVBVM60 ref: 0041CC7A
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,000006F8), ref: 0041CCC9
__vbaFreeStr.MSVBVM60 ref: 0041CCD1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041CCE7
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CD03
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CD1F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF0,00000130), ref: 0041CD49
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041CD5D
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CD79
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CD95
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001D8), ref: 0041CDBF
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CDD4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CDF0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000048), ref: 0041CE14
__vbaStrCopy.MSVBVM60 ref: 0041CE21
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041CE2E
__vbaStrMove.MSVBVM60 ref: 0041CE3C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041CE94
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041CEB8
__vbaFreeVar.MSVBVM60 ref: 0041CEC7
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CEE0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CEFC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000150), ref: 0041CF26
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,000006FC), ref: 0041CF65
__vbaFreeObj.MSVBVM60 ref: 0041CF6D
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CF86
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CFA2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF0,00000050), ref: 0041CFC6
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041CFDB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CFF7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,000000E8), ref: 0041D021
__vbaStrMove.MSVBVM60 ref: 0041D043
__vbaFreeStr.MSVBVM60 ref: 0041D07E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D094
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D0C0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D0DC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,000001E0), ref: 0041D106
__vbaStrMove.MSVBVM60 ref: 0041D132
__vbaStrCopy.MSVBVM60 ref: 0041D143
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,00000700), ref: 0041D183
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D195
__vbaFreeObj.MSVBVM60 ref: 0041D1A4
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D1BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D1D9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF0,00000190), ref: 0041D203
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D218
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D234
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000070), ref: 0041D258
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D26D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D289
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,000001C8), ref: 0041D2B3
__vbaStrCopy.MSVBVM60 ref: 0041D2C0
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,00000704), ref: 0041D313
__vbaFreeStr.MSVBVM60 ref: 0041D31B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041D338
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D354
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D370
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,000001F0), ref: 0041D39A
__vbaFreeObj.MSVBVM60 ref: 0041D3D4
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D3ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D409
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,00000128), ref: 0041D433
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D448
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D464
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000088), ref: 0041D48E
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,00000708), ref: 0041D4D2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D4E4
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D500
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D51C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000000E0), ref: 0041D546
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,0000070C), ref: 0041D583
__vbaFreeObj.MSVBVM60 ref: 0041D58B
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D5A4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D5C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000148), ref: 0041D5EA
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D5FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D61B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000048), ref: 0041D63F
__vbaStrMove.MSVBVM60 ref: 0041D66B
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041D6AB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D6C1
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D6DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D6F9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000058), ref: 0041D71D
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D732
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D74E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000148), ref: 0041D778
__vbaStrMove.MSVBVM60 ref: 0041D790
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,00000710), ref: 0041D7C9
__vbaFreeStr.MSVBVM60 ref: 0041D7D1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D7E7
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D803
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D81F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000178), ref: 0041D849
__vbaFreeObj.MSVBVM60 ref: 0041D883
__vbaStrCopy.MSVBVM60 ref: 0041D894
__vbaFreeStr.MSVBVM60 ref: 0041D8C6
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D8DF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D8FB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,000001E0), ref: 0041D925
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041D93A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D956
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,00000218), ref: 0041D980
__vbaStrMove.MSVBVM60 ref: 0041D9AC
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,00000714), ref: 0041D9FB
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041DA0D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DA23
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DA3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA5B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF0,00000120), ref: 0041DA85
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DA9A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DAB6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,00000110), ref: 0041DAE0
__vbaStrCopy.MSVBVM60 ref: 0041DAF9
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041DB13
__vbaI4Var.MSVBVM60(00000000), ref: 0041DB1D
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,00000718), ref: 0041DB53
__vbaFreeStr.MSVBVM60 ref: 0041DB5B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DB78
__vbaFreeVar.MSVBVM60 ref: 0041DB87
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DBA0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DBBC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000000D8), ref: 0041DBE6
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DBFB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC17
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000170), ref: 0041DC41
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DC56
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC72
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000170), ref: 0041DC9C
__vbaStrCopy.MSVBVM60 ref: 0041DCC1
__vbaFreeStr.MSVBVM60 ref: 0041DD01
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DD1E
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DD3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DD56
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000130), ref: 0041DD80
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DD95
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,00000130), ref: 0041DDDB
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0040260C,0000071C), ref: 0041DE46
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DE58
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DE74
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DE90
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,000001C0), ref: 0041DEBA
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041DECF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DEEB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000110), ref: 0041DF15
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DF51
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,004025DC,000002B4), ref: 0041DF75
__vbaVarAdd.MSVBVM60(00000002,00000008,?), ref: 0041DFAF
__vbaVarMove.MSVBVM60 ref: 0041DFB6
__vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041DFD7

Strings

, xrefs: 0041CA21
skattejagters, xrefs: 0041D138
FORSRGELSES, xrefs: 0041DCB0
Daftardar7, xrefs: 0041D889
BEGROANS, xrefs: 0041D167
Estancieros, xrefs: 0041D2B5
}D, xrefs: 0041D998
CARCINEMIA, xrefs: 0041DAE8
Whiney, xrefs: 0041CE16
Sammenskruendes, xrefs: 0041CA0D
Logria1, xrefs: 0041CC6F
Frihedsheltens, xrefs: 0041DCD3

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Move$Copy$CallLate$#531#563#606Addref
String ID: $BEGROANS$CARCINEMIA$Daftardar7$Estancieros$FORSRGELSES$Frihedsheltens$Logria1$Sammenskruendes$Whiney$skattejagters$}D
API String ID: 450096576-3881086472
Opcode ID: 9da13acc0e7ed7cf12d2967515e0eba873cd5a88ff5bb4757a9ebae0ceff6fff
Instruction ID: ee52c6d1d14cd2a93294bc054cf7d92a70eba72448200a3d4d3d324c5805f47e
Opcode Fuzzy Hash: 9da13acc0e7ed7cf12d2967515e0eba873cd5a88ff5bb4757a9ebae0ceff6fff
Instruction Fuzzy Hash: 5AE24EB0A00218ABDB25DF54CD88FDA77BCBF58704F0085AAF549F71A0DA745A85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004014B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 85%

			_entry_() {
				signed char _t172;
				signed int _t173;
				signed int _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed int _t179;
				intOrPtr* _t180;
				void* _t181;
				intOrPtr* _t182;
				intOrPtr* _t183;
				intOrPtr* _t184;
				signed int _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				signed int _t189;
				signed char _t190;
				signed char _t191;
				intOrPtr* _t192;
				signed char _t196;
				intOrPtr* _t198;
				signed int _t204;
				intOrPtr* _t206;
				intOrPtr* _t207;
				signed char _t208;
				intOrPtr* _t210;
				signed char _t211;
				signed char _t213;
				signed char _t215;
				signed char _t216;
				intOrPtr* _t217;
				signed int _t219;
				intOrPtr* _t221;
				signed int* _t223;
				signed char _t224;
				void* _t226;
				intOrPtr* _t227;
				void* _t228;
				intOrPtr* _t229;
				signed char _t230;
				signed int* _t232;
				intOrPtr* _t234;
				signed int _t240;
				signed int _t241;
				signed char _t243;
				void* _t245;
				signed int* _t247;
				signed int _t248;
				intOrPtr* _t250;
				intOrPtr* _t251;
				signed int _t255;
				intOrPtr* _t257;
				intOrPtr* _t258;
				intOrPtr* _t264;
				void* _t281;
				signed int _t298;
				signed int _t299;
				signed int* _t300;
				signed int _t302;
				signed int _t305;
				void* _t306;
				void* _t307;
				signed int _t308;
				signed int _t309;
				intOrPtr* _t310;
				void* _t311;
				intOrPtr* _t312;
				signed char _t313;
				intOrPtr* _t316;
				void* _t324;
				void* _t327;
				intOrPtr* _t328;
				signed int _t329;
				intOrPtr _t330;
				signed char _t331;
				void* _t333;
				signed char _t334;
				void* _t335;
				void* _t336;
				signed int _t337;
				intOrPtr* _t338;
				void* _t345;
				signed int _t348;
				void* _t354;
				void* _t357;
				signed int _t361;
				void* _t369;
				void* _t371;
				void* _t372;
				void* _t373;
				signed int _t374;
				signed int _t377;
				intOrPtr _t384;
				intOrPtr _t390;
				signed int _t393;
				void* _t407;

				_push("VB5!6&*"); // executed
				L004014B2(); // executed
				 *_t172 =  *_t172 + _t172;
				 *_t172 =  *_t172 + _t172;
				 *_t172 =  *_t172 + _t172;
				 *_t172 =  *_t172 ^ _t172;
				 *_t172 =  *_t172 + _t172;
				_t173 = _t172 + 1;
				 *_t173 =  *_t173 + _t173;
				 *_t173 =  *_t173 + _t173;
				 *_t173 =  *_t173 + _t173;
				 *_t316 =  *_t316 + _t173;
				asm("adc al, 0x5f");
				asm("repe hlt");
				 *[es:edx-0x42] =  *[es:edx-0x42] - _t316;
				_t174 = _t173;
				asm("in eax, dx");
				 *((intOrPtr*)(_t174 + 0x26)) =  *((intOrPtr*)(_t174 + 0x26)) + _t174;
				 *_t174 =  *_t174 + _t174;
				 *5 =  *5 + _t174;
				 *_t174 =  *_t174 + _t174;
				 *_t174 =  *_t174 + _t174;
				 *_t174 =  *_t174 + _t174;
				 *_t174 =  *_t174 + _t174;
				 *((intOrPtr*)(_t336 + 0x45)) =  *((intOrPtr*)(_t336 + 0x45)) + _t174;
				_t337 = _t336 + 1;
				_push(_t327);
				_t371 = _t369 - 1 + 1;
				_t328 = _t327 + 1;
				_t319 = 7;
				_push(_t371);
				_push(_t371);
				_t361 = _t357 + 4;
				 *_t174 =  *_t174 + _t174;
				 *_t174 =  *_t174 + _t174;
				_t308 = _t307 + _t307;
				asm("int3");
				 *_t174 =  *_t174 ^ _t174;
				 *_t174 =  *_t174 | _t308;
				asm("into");
				asm("fisubr word [ebp-0x61]");
				goto 0x89dd5a51;
				asm("repe mov al, [0xc51b966d]");
				asm("popfd");
				asm("fist word [edx]");
				_t348 = _t345 - 0xffffffffffffffff;
				_push(ss);
				_t175 =  *0x47b24923;
				_push(_t371);
				_push(_t175);
				 *0x00000007 =  *0x00000007 & _t348;
				asm("movsb");
				asm("sahf");
				_t309 = _t308 ^  *0xFFFFFFFFB711CF6D;
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				 *_t175 =  *_t175 + _t175;
				_t176 =  *0x00000007;
				 *_t176 =  *_t176 + _t176;
				_t372 = _t371 - 1;
				 *_t176 =  *_t176 + _t176;
				 *_t176 =  *_t176 + _t176;
				_push(es);
				_t7 = 7 + 0x6e + _t361 * 2;
				 *_t7 =  *((intOrPtr*)(7 + 0x6e + _t361 * 2)) + 5;
				if( *_t7 >= 0) {
					 *0x46000c01 =  *0x46000c01 + 5;
					_push(_t328);
					_push(_t328);
					_t354 = _t348 - 0xffffffffffffffff;
					 *0x00000006 =  *((intOrPtr*)(6)) + _t309;
					 *_t176 =  *_t176 + _t176;
					_t328 = _t328 + 1;
					 *_t328 =  *_t328 + _t176;
					 *((intOrPtr*)(_t372 + 6)) =  *((intOrPtr*)(_t372 + 6)) + _t372;
					 *((intOrPtr*)(_t354 + 0x4f)) =  *((intOrPtr*)(_t354 + 0x4f)) + _t176;
					_push(_t328);
					_push(_t328);
					_t319 = 5;
					_t337 = _t337 - 1 + 4;
					_t361 = _t361 + 4;
					_t348 = _t354 - 0xffffffffffffffff;
					 *0xf31 =  *0xf31 + _t328;
					asm("insb");
					asm("sbb eax, [eax]");
				}
				 *((intOrPtr*)(_t328 + 0x1700001e)) =  *((intOrPtr*)(_t328 + 0x1700001e)) + _t309;
				_push(cs);
				 *_t176 =  *_t176 + _t176;
				_t373 = _t372 + 1;
				 *((intOrPtr*)(_t348 + 3)) =  *((intOrPtr*)(_t348 + 3)) + _t176;
				 *_t319 =  *_t319 + 1;
				asm("das");
				 *_t176 =  *_t176 + _t176;
				 *_t319 =  *_t319 + _t176;
				 *_t176 =  *_t176 | _t176;
				_t310 = _t309 + 1;
				asm("outsd");
				asm("insd");
				asm("insd");
				asm("popad");
				asm("outsb");
				_t179 = (_t176 ^  *[fs:eax]) + 0x00000001 | 0x61615200;
				asm("fs outsb");
				if(_t179 == 0) {
					L10:
					_t310 = _t310 + _t310;
					_t374 = _t373 +  *_t337;
					 *_t179 =  *_t179 + _t179;
					_t40 = _t179 + 0x78655400;
					 *_t40 =  *((intOrPtr*)(_t179 + 0x78655400)) + _t179;
					if( *_t40 == 0) {
						L18:
						if(_t393 != 0) {
							asm("adc [esi], eax");
							L33:
							_push(es);
							L34:
							_t311 = _t310 + _t310;
							_t180 = _t179 +  *((intOrPtr*)(_t179 + _t179));
							_push(es);
							 *_t180 =  *_t180 + _t180;
							_t181 = _t180 + _t319;
							asm("int3");
							asm("das");
							_t182 = _t181 + 1;
							 *_t337 =  *_t337 + _t182;
							 *_t182 =  *_t182 + _t182;
							 *((intOrPtr*)(_t182 + 0x700402a)) =  *((intOrPtr*)(_t182 + 0x700402a)) + _t328;
							 *_t182 =  *_t182 + _t182;
							 *((intOrPtr*)(_t182 + 0x2a)) =  *((intOrPtr*)(_t182 + 0x2a)) + _t319;
							_t183 = _t182 + 1;
							 *_t337 =  *_t337 + _t183;
							 *_t183 =  *_t183 + _t183;
							 *((intOrPtr*)(_t328 + _t361)) =  *((intOrPtr*)(_t328 + _t361)) + _t183;
							_t184 = _t183 + 1;
							 *_t337 =  *_t337 + _t184;
							 *_t184 =  *_t184 + _t184;
							_t185 = _t184 + _t319;
							 *_t185 =  *_t185 - _t185;
							L37:
							 *_t337 =  *_t337 + _t185;
							 *_t185 =  *_t185 + _t185;
							 *((intOrPtr*)(_t319 + _t361 + 0x40)) =  *((intOrPtr*)(_t319 + _t361 + 0x40)) + _t185;
							 *_t337 =  *_t337 + _t185;
							 *_t185 =  *_t185 + _t185;
							 *((intOrPtr*)(_t319 + _t361)) =  *((intOrPtr*)(_t319 + _t361)) + _t311;
							_t186 = _t185 + 1;
							 *_t337 =  *_t337 + _t186;
							 *_t186 =  *_t186 + _t186;
							_t187 = _t186 + _t328;
							 *_t187 =  *_t187 - _t187;
							_pop(es);
							 *_t187 =  *_t187 + _t187;
							 *((intOrPtr*)(_t187 + 0x7004028)) =  *((intOrPtr*)(_t187 + 0x7004028)) + _t187;
							 *_t187 =  *_t187 + _t187;
							 *_t187 =  *_t187 + _t311;
							 *_t187 =  *_t187 - _t187;
							_pop(es);
							 *_t187 =  *_t187 + _t187;
							asm("daa");
							_t189 = _t187 + _t187 + 1;
							 *_t337 =  *_t337 + _t189;
							 *_t189 =  *_t189 + _t189;
							 *((intOrPtr*)(_t189 + 0x56004027)) =  *((intOrPtr*)(_t189 + 0x56004027)) + _t319;
							_t329 = _t328 + 1;
							_t190 = _t189 ^ 0x2a263621;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t348 =  *_t348 + _t311;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							 *_t190 =  *_t190 + _t190;
							_t191 = _t190 |  *_t190;
							 *(_t191 + _t191) =  *(_t191 + _t191) | _t191;
							 *_t191 =  *_t191 + _t191;
							 *_t191 =  *_t191 + _t191;
							 *_t191 =  *_t191 + _t191;
							 *_t191 =  *_t191 + _t191;
							 *((intOrPtr*)(_t329 + _t311 + 0x40)) =  *((intOrPtr*)(_t329 + _t311 + 0x40)) + _t319;
							 *((intOrPtr*)(_t319 + _t348 * 8)) =  *((intOrPtr*)(_t319 + _t348 * 8)) + _t311;
							 *_t191 =  *_t191 ^ _t191;
							_t312 = _t311 + _t311;
							asm("invalid");
							 *_t191 =  *_t191 | _t191;
							 *_t191 =  *_t191 + _t191;
							 *_t191 =  *_t191 + _t191;
							 *_t191 =  *_t191 + _t191;
							_t192 = _t191 +  *_t191;
							 *_t192 =  *_t192 + _t192;
							goto 0xec401799;
							_pop(ss);
							_push(ss);
							_t196 = _t192 + 1 + _t319 + 1 + _t192 + 1 + _t319 + 1;
							asm("adc al, 0x40");
							 *_t196 =  *_t196 + _t312;
							 *_t196 =  *_t196 + _t196;
							if ( *_t196 <= 0) goto L39;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							es =  *_t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							_t407 =  *_t196;
							if(_t407 < 0) {
								L42:
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								_t312 = _t312 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t319;
								asm("adc eax, 0x4c0040");
								 *_t196 =  *_t196 + _t196;
								_push(_t196);
								 *_t196 =  *_t196 + _t196;
								 *((intOrPtr*)(_t312 - 0x3a)) =  *((intOrPtr*)(_t312 - 0x3a)) + _t319;
								L43:
								asm("daa");
								asm("xlatb");
								_t330 =  *((intOrPtr*)(_t196 + 0x79 + _t329 * 2));
								_t338 = ss;
								asm("pcmpgtw mm6, [edx]");
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t348 =  *_t348 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								 *_t196 =  *_t196 + _t196;
								_t198 = (_t196 ^ 0x00000032) + 1;
								 *((intOrPtr*)(_t198 + _t198 + 0x10000)) =  *((intOrPtr*)(_t198 + _t198 + 0x10000)) + _t312;
								 *_t198 =  *_t198 + _t198;
								 *0x00000024 =  *((intOrPtr*)(0x24)) + 0x23;
								 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x23;
								 *((intOrPtr*)(_t374 + 0xffffffffffff0161)) =  *((intOrPtr*)(_t374 + 0xffffffffffff0161)) + 0x24;
								asm("invalid");
								 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x23;
								 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x23;
								 *((intOrPtr*)(1 + _t330)) =  *((intOrPtr*)(1 + _t330)) + _t312;
								_t331 = _t330 + 1;
								 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + 0x23;
								 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + 0x23;
								 *0xFFFFFFFFFFFFFFCF =  *((intOrPtr*)(0xffffffffffffffcf)) + _t331;
								_push(0);
								 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + 0x23;
								 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + 0x23;
								 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + 0x23;
								 *((intOrPtr*)(1)) =  *((intOrPtr*)(1)) + 0x23;
								 *((intOrPtr*)(_t319 + _t312)) =  *((intOrPtr*)(_t319 + _t312)) + 0x23;
								 *_t319 =  *_t319 + 0x23;
								 *0x00000002 =  *((intOrPtr*)(2)) + 0x23;
								_t204 = 2 + _t319;
								 *_t204 =  *_t204 ^ _t204;
								 *_t204 =  *_t204 + 0x23;
								 *_t204 =  *_t204 + 0x23;
								_t206 = _t204 + 0x1a;
								 *_t319 =  *_t319 + 0x23;
								 *_t206 =  *_t206 + 0x23;
								 *((intOrPtr*)(_t319 + _t312)) =  *((intOrPtr*)(_t319 + _t312)) + _t319;
								_t207 = _t206 + 1;
								 *_t207 =  *_t207 + 0x23;
								 *_t207 =  *_t207 + 0x23;
								 *_t207 =  *_t207 + _t319;
								asm("sbb [eax], eax");
								_t208 = _t207 +  *_t207;
								 *_t208 =  *_t208 + 0x23;
								_t210 = (_t208 | 0x00000019) + 1;
								 *_t210 =  *_t210 + 0x23;
								 *((intOrPtr*)(_t338 + 0x6c006801)) =  *((intOrPtr*)(_t338 + 0x6c006801)) + _t331;
								 *((intOrPtr*)(_t319 + _t312 + 0x40)) =  *((intOrPtr*)(_t319 + _t312 + 0x40)) + _t312;
								_t211 = _t210 + _t312;
								asm("adc eax, [edx]");
								 *_t211 =  *_t211 + 0x23;
								 *_t211 =  *_t211 + 0x23;
								_t213 =  *(_t211 ^ 0x0000004c) * 0xfffffffc;
								 *_t213 =  *_t213 ^ _t213;
								_t215 = (_t213 | 0x00000032) + 1;
								 *_t215 =  *_t215 + 0x23;
								asm("adc [eax], eax");
								_t216 = _t215 ^ 0x00000000;
								 *_t216 =  *_t216 + 0x23;
								asm("lodsb");
								_t217 = _t216 + 1;
								 *_t319 =  *_t319 + 0x23;
								 *_t312 =  *_t312 + 0x23;
								 *_t217 =  *_t217 + 0x23;
								 *_t217 =  *_t217 + 0x23;
								 *_t217 =  *_t217 + 0x23;
								 *_t217 =  *_t217 + 0x23;
								 *((intOrPtr*)(_t319 + _t312 + 0x40)) =  *((intOrPtr*)(_t319 + _t312 + 0x40)) + _t312;
								_push(_t331);
								_t219 =  *(_t217 + _t331) * "graveship";
								 *_t219 =  *_t219 + _t219;
								_t221 = _t219 +  *_t219 + 1;
								 *_t338 =  *_t338 + _t312;
								 *_t221 =  *_t221 + _t312;
								 *_t221 =  *_t221 + 0x23;
								_t223 = _t221 + _t319 + 1;
								_t313 = _t312 + _t312;
								asm("invalid");
								 *_t223 =  *_t223 + 1;
								 *_t223 =  *_t223 + 0x23;
								 *_t223 =  *_t223 + 0x23;
								 *_t223 =  *_t223 + 0x23;
								_t223[0x1006] = _t223[0x1006] + _t313;
								_push(_t313);
								_t224 =  *_t223 * 0x4026d8;
								asm("invalid");
								asm("invalid");
								 *_t224 =  *_t224 + 0x23;
								 *_t224 =  *_t224 + 0x23;
								_t226 = (_t224 | 0x00000019) + 1;
								 *((intOrPtr*)(_t226 + _t313 + 0x14a00040)) =  *((intOrPtr*)(_t226 + _t313 + 0x14a00040)) + _t319;
								_t227 = _t226 + 1;
								 *((intOrPtr*)(_t348 - 0x53ffbfec)) =  *((intOrPtr*)(_t348 - 0x53ffbfec)) + _t227;
								asm("adc al, 0x40");
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *_t227 =  *_t227 + 0x23;
								 *((intOrPtr*)(_t319 + _t313)) =  *((intOrPtr*)(_t319 + _t313)) + _t331;
								_t228 = _t227 + 1;
								 *((intOrPtr*)(_t228 + _t313 + 0x14a00040)) =  *((intOrPtr*)(_t228 + _t313 + 0x14a00040)) + _t319;
								_t229 = _t228 + 1;
								 *((intOrPtr*)(_t348 - 0x53ffbfec)) =  *((intOrPtr*)(_t348 - 0x53ffbfec)) + _t229;
								asm("adc al, 0x40");
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								 *_t229 =  *_t229 + 0x23;
								_t230 = _t229 + _t331;
								 *_t230 =  *_t230 + _t230;
								 *((intOrPtr*)(_t230 + 0x4023)) =  *((intOrPtr*)(_t230 + 0x4023)) + _t331;
								 *_t230 =  *_t230 + 0x23;
								 *((intOrPtr*)(_t230 - 0x7fffbe38)) =  *((intOrPtr*)(_t230 - 0x7fffbe38)) + _t331;
								_t232 = (_t230 |  *_t331) - 0x12;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 | _t331;
								_t333 = _t331 + 0x24;
								asm("adc al, [eax]");
								 *_t232 =  *_t232 + _t333;
								_t334 = _t333 + 1;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								 *_t232 =  *_t232 + 0x23;
								_push(ss);
								_t234 = _t232 + _t319 + 1;
								 *((intOrPtr*)(_t234 + _t234)) =  *((intOrPtr*)(_t234 + _t234)) + _t319;
								 *_t234 =  *_t234 + 0x23;
								 *_t234 =  *_t234 + _t234;
								 *_t234 =  *_t234 + _t234;
								 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x23;
								 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x23;
								asm("les eax, [ecx]");
								asm("invalid");
								asm("invalid");
								 *0x00000048 =  *((intOrPtr*)(0x48)) + 0x23;
								 *((intOrPtr*)(0x48)) =  *((intOrPtr*)(0x48)) + 0x23;
								 *0x0000006D =  *0x0000006D + _t319;
								asm("adc [edx], al");
								_t240 = 0x6d |  *0x0000006D;
								 *_t240 =  *_t240 + 0x23;
								 *0x40 =  *0x40 + _t313;
								 *_t240 =  *_t240 + 0x23;
								 *_t240 =  *_t240 + 0x23;
								 *_t240 =  *_t240 + 0x23;
								 *_t240 =  *_t240 + 0x23;
								 *_t240 =  *_t240 + 0x23;
								 *0x10040 =  *0x10040 + _t313;
								 *_t240 =  *_t240 + 0x23;
								asm("in al, dx");
								_t241 = _t240 & 0x00000040;
								 *_t241 =  *_t241 + 0x23;
								_t243 = _t241 - 0x1d + 1;
								 *_t319 =  *_t319 + 0x23;
								 *_t243 =  *_t243 + 0x23;
								 *((intOrPtr*)(_t313 + 0x40)) =  *((intOrPtr*)(_t313 + 0x40)) + _t334;
								 *_t243 =  *_t243 + 0x23;
								 *0x90040 =  *0x90040 ^ _t313;
								 *_t243 =  *_t243 + 0x23;
								_t245 = (_t243 ^ 0x0000001d) + 1;
								 *0x6801b700 =  *0x6801b700 + _t334;
								 *((intOrPtr*)(_t245 + _t245 - 0x64)) =  *((intOrPtr*)(_t245 + _t245 - 0x64)) + _t319;
								_push(ds);
								_t247 = _t245 + 1 + _t313;
								asm("sbb al, [edx]");
								 *_t247 =  *_t247 + 0x23;
								 *_t247 =  *_t247 + 0x23;
								asm("in al, 0x4f");
								_t248 =  *_t247 * 0;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								 *_t248 =  *_t248 + 0x23;
								asm("cld");
								_t250 = (_t248 & 0x260c0040) + 1;
								 *_t250 =  *_t250 + 0x23;
								asm("adc eax, 0x3400");
								 *_t348 =  *_t348 + _t313;
								_t251 = _t250 + 1;
								 *_t251 =  *_t251 + _t319;
								 *_t313 =  *_t313 + 0x23;
								 *_t251 =  *_t251 + 0x23;
								 *_t251 =  *_t251 + 0x23;
								 *_t251 =  *_t251 + 0x23;
								 *_t251 =  *_t251 + 0x23;
								_push(ds);
								_t255 =  *(_t251 + _t334 + 1 + _t251 + _t334 + 1) * 0x40262c;
								 *_t255 =  *_t255 | 0x00000023;
								_t257 = _t255 +  *_t255 + 1;
								 *_t319 =  *_t319 + _t334;
								 *_t257 =  *_t257 + _t313;
								 *_t257 =  *_t257 + 0x23;
								 *((intOrPtr*)(_t348 + 0x20040)) =  *((intOrPtr*)(_t348 + 0x20040)) + _t319;
								_t258 = _t257 +  *_t257;
								 *_t258 =  *_t258 + 0x23;
								 *_t258 =  *_t258 + 0x23;
								 *_t258 =  *_t258 + 0x23;
								 *_t258 =  *_t258 + 0x23;
								ds = _t334;
								_push(_t334);
								_t264 =  *(_t258 + 1 + _t334) * "Command1" +  *( *(_t258 + 1 + _t334) * "Command1") +  *((intOrPtr*)( *(_t258 + 1 + _t334) * "Command1" +  *( *(_t258 + 1 + _t334) * "Command1"))) + 1;
								 *_t338 =  *_t338 + _t313;
								 *((intOrPtr*)(_t264 + _t264)) =  *((intOrPtr*)(_t264 + _t264)) + _t313;
								 *_t264 =  *_t264 + 0x23;
								asm("enter 0x4026, 0x0");
								asm("invalid");
								asm("invalid");
								 *_t264 =  *_t264 + 0x23;
								 *_t264 =  *_t264 + 0x23;
								 *_t264 =  *_t264 + 0x23;
								 *_t264 =  *_t264 + 0x23;
								_push(_t313);
								asm("invalid");
								asm("invalid");
								 *_t319 =  *_t319 + _t334;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								asm("lodsb");
								 *_t319 =  *_t319 + 0x23;
								 *_t313 =  *_t313 + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x0000405F =  *((intOrPtr*)(0x405f)) + _t319;
								_push(_t334);
								 *0x401f = 0x401f +  *0x401f;
								 *0x401f =  *0x401f + _t313;
								 *0x0000803E =  *((intOrPtr*)(0x803e)) + 0x23;
								 *((intOrPtr*)(0x803e)) =  *((intOrPtr*)(0x803e)) + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + _t334;
								_push(_t313);
								 *0x4800 =  *0x4800 + _t319;
								 *_t338 =  *_t338 + 0x23;
								_t281 =  *( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2" +  *( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2") + 1 + _t319 + 1 +  *((intOrPtr*)( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2" +  *( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2") + 1 + _t319 + 1)) + 1) * 0x4026fc +  *( *( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2" +  *( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2") + 1 + _t319 + 1 +  *((intOrPtr*)( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2" +  *( *(2 +  *0x401f * 0x4026d8 + _t334) * "Command2") + 1 + _t319 + 1)) + 1) * 0x4026fc) + 2;
								 *0x300 =  *0x300 + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + _t281;
								 *0x401f =  *0x401f & 0x0000401f;
								 *(_t313 + 0x69) =  *(_t313 + 0x69) & _t334;
								 *_t338 =  *_t338 + _t334;
								 *0x40000300 =  *0x40000300 + 0x23;
								 *0x401f =  *0x401f + _t313;
								 *((intOrPtr*)(0x803e)) =  *((intOrPtr*)(0x803e)) + _t319;
								 *_t313 =  *_t313 + 0x23;
								 *_t313 =  *_t313 + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *((intOrPtr*)(_t319 + 0x40)) =  *((intOrPtr*)(_t319 + 0x40)) + _t319;
								 *0x401f =  *0x401f + _t334;
								 *0x5000 =  *0x5000 + _t334;
								 *_t348 =  *_t348 + _t313;
								 *_t338 =  *_t338 + 0x23;
								 *_t313 =  *_t313 + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f & 0x0000401f;
								asm("loopne 0x54");
								es = _t313;
								 *_t313 =  *_t313 + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *_t338 =  *_t338 + 0x23;
								 *_t348 =  *_t348 + 0x23;
								 *_t313 =  *_t313 + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x401f =  *0x401f + 0x23;
								 *0x00004041 =  *((intOrPtr*)(0x4041)) + _t334;
								 *0x401f =  *0x401f + ( *( *(_t281 + 1 + _t319 + 1) * 0x40271c +  *( *(_t281 + 1 + _t319 + 1) * 0x40271c) +  *((intOrPtr*)( *(_t281 + 1 + _t319 + 1) * 0x40271c +  *( *(_t281 + 1 + _t319 + 1) * 0x40271c))) + 2 +  *(_t281 + 1 + _t319 + 1) * 0x40271c +  *( *(_t281 + 1 + _t319 + 1) * 0x40271c) +  *((intOrPtr*)( *(_t281 + 1 + _t319 + 1) * 0x40271c +  *( *(_t281 + 1 + _t319 + 1) * 0x40271c))) + 2) * 0x00402724 | 0x00005400) + 2;
								_push(_t313);
								_push(es);
								 *_t313 =  *_t313 + 0x23;
								 *((intOrPtr*)(_t348 - 0x27ffbfde)) =  *((intOrPtr*)(_t348 - 0x27ffbfde)) + _t313;
								goto ( *__edx);
							}
							asm("outsb");
							if(_t407 >= 0) {
								goto L43;
							}
							 *((intOrPtr*)(_t361 + 0x4e)) =  *((intOrPtr*)(_t361 + 0x4e)) + _t329;
							_push(_t196);
							_push(_t196);
							_t335 = _t329 + 1;
							_t377 = _t374;
							_t324 = _t377;
							 *_t196 =  *_t196 + _t196;
							_push(_t335);
							_t374 = _t377 - 1 + 1;
							_t329 = _t335 + 1;
							_t319 = _t324 + 2;
							_push(_t374);
							_push(_t374);
							_t348 = _t348 + 1;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t329;
							 *_t196 =  *_t196 + _t196;
							asm("fisubr word [ebp-0x61]");
							goto 0x89dd5d34;
							asm("repe mov al, [0xc51b966d]");
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							asm("adc [eax+eax], al");
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							 *_t196 =  *_t196 + _t196;
							goto L42;
						}
						if(_t393 >= 0) {
							L30:
							_t348 =  *(_t310 + 0x74) * 0x4080031;
						}
						if(_t393 >= 0) {
							goto L34;
						}
						if(_t393 < 0) {
							goto L30;
						}
						if(_t393 == 0) {
							goto L33;
						}
						if (_t393 < 0) goto L24;
						asm("cmpsd");
						_t298 = _t179 + 0x00000078 | 0x04120c3f;
						_t311 = _t310 + _t310;
						_t361 = _t361 +  *_t328;
						 *_t298 =  *_t298 + _t298;
						 *_t348 =  *_t348 + _t298;
						_push(es);
						 *((intOrPtr*)(_t348 + 0x72)) =  *((intOrPtr*)(_t348 + 0x72)) + _t298;
						asm("popad");
						asm("insd");
						_t185 = _t298 ^ 0x0a010300;
						_t50 = _t328 + 0x69 + _t348 * 2;
						 *_t50 =  *((intOrPtr*)(_t328 + 0x69 + _t348 * 2)) + _t328;
						if( *_t50 < 0) {
							goto L37;
						}
						asm("outsb");
						asm("arpl [ecx+0x6c], si");
						 *0x78 =  *0x78 + _t185;
						asm("cmpsd");
						_t299 = _t185 | 0x05120c3f;
						_t310 = _t311 + _t311 +  *((intOrPtr*)(_t311 + _t311));
						 *_t299 =  *_t299 + _t299;
						 *_t337 =  *_t337 + _t299;
						_t300 = _t299 + 0x73694c00;
						_t374 = _t374 - 1;
					}
					 *_t328 =  *_t328 + _t179;
					_t300 = _t179 + 0xf0;
					 *_t300 =  *_t300 + _t310;
					_t337 = 0xb01ef04;
					L12:
					_t319 = _t319 |  *_t300;
					_t42 = _t319 + 0x70;
					 *_t42 =  *((intOrPtr*)(_t319 + 0x70)) + _t328;
					_t390 =  *_t42;
				}
				asm("outsb");
				_t374 =  *(_t361 + 0x6e) * 0x73;
				 *((intOrPtr*)(_t179 + _t179 * 4)) =  *((intOrPtr*)(_t179 + _t179 * 4)) + _t179;
				_pop(es);
				_t337 = _t337 +  *((intOrPtr*)(_t337 + 0x1101ef04));
				_t305 = _t179 - 1 +  *((intOrPtr*)(_t179 - 1));
				 *_t310 =  *_t310 + 1;
				 *_t305 =  *_t305 - _t305;
				 *_t305 =  *_t305 + _t305;
				_t319 = _t319 +  *_t305;
				 *((intOrPtr*)(_t310 + 0x6f)) =  *((intOrPtr*)(_t310 + 0x6f)) + _t305;
				asm("insd");
				asm("insd");
				asm("popad");
				asm("outsb");
				 *[fs:eax] =  *[fs:eax] ^ _t305;
				_t302 = _t305 + 1;
				_push(es);
				_t29 = _t328 + 0x65;
				 *_t29 =  *((intOrPtr*)(_t328 + 0x65)) + _t328;
				_t384 =  *_t29;
				if(_t384 > 0) {
					 *_t302 =  *_t302 + _t302;
					 *0x72460006 =  *0x72460006 + _t302;
					L17:
					 *((intOrPtr*)(_t348 + 0x72)) =  *((intOrPtr*)(_t348 + 0x72)) + _t302;
					asm("popad");
					asm("insd");
					 *[gs:eax] =  *[gs:eax] ^ _t302;
					_t179 = _t302 +  *_t319;
					_t393 = _t179;
					_push(_t310);
					if (_t393 >= 0) goto L32;
					goto L18;
				}
				if(_t384 < 0) {
					goto L17;
				}
				 *((intOrPtr*)(_t302 + _t337 * 2)) =  *((intOrPtr*)(_t302 + _t337 * 2)) + _t302;
				 *((intOrPtr*)(_t302 + 3)) =  *((intOrPtr*)(_t302 + 3)) + _t319;
				_t337 = 0x1101ef04;
				_t306 = _t302 +  *_t302;
				 *_t310 =  *_t310 + 1;
				 *[es:eax] =  *[es:eax] + _t306;
				 *_t310 =  *_t310 + _t306;
				_t300 = _t306 + 0x78655400;
				if(_t300 == 0) {
					goto L12;
				}
				 *_t328 =  *_t328 + _t300;
				_t179 =  &(_t300[0x3e]);
				_pop(es);
				if (_t179 < 0) goto L9;
				_t337 = 0xb01ef04;
				_pop(es);
				 *((intOrPtr*)(_t310 + 0x68)) =  *((intOrPtr*)(_t310 + 0x68)) + _t328;
				_t361 =  *(_t310 + 0x73) * 0x12003961;
				 *_t179 =  *_t179 + _t179;
				goto L10;
			}

0x004014b8
0x004014bd
0x004014c2
0x004014c4
0x004014c6
0x004014c8
0x004014ca
0x004014cc
0x004014cd
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014df
0x004014e0
0x004014e1
0x004014e7
0x004014e9
0x004014eb
0x004014ed
0x004014ef
0x004014f1
0x004014f3
0x004014f4
0x004014f8
0x004014fb
0x004014fd
0x004014fe
0x004014ff
0x00401500
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150a
0x0040150c
0x0040150e
0x0040150f
0x00401512
0x00401517
0x0040151d
0x0040151e
0x00401520
0x00401521
0x00401522
0x00401527
0x00401528
0x00401529
0x0040152b
0x0040152c
0x00401530
0x00401531
0x00401532
0x00401534
0x0040153a
0x0040153b
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401566
0x00401568
0x0040156a
0x0040156b
0x0040156b
0x0040156f
0x00401572
0x00401579
0x0040157b
0x00401582
0x00401583
0x00401585
0x00401587
0x00401588
0x0040158a
0x0040158d
0x00401590
0x00401592
0x00401595
0x00401597
0x00401598
0x00401599
0x0040159a
0x004015a0
0x004015a1
0x004015a1
0x004015a3
0x004015a9
0x004015aa
0x004015ac
0x004015ad
0x004015b0
0x004015b2
0x004015b3
0x004015b5
0x004015b7
0x004015b9
0x004015ba
0x004015bb
0x004015bc
0x004015bd
0x004015be
0x004015c4
0x004015c9
0x004015cb
0x0040162f
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401635
0x0040163c
0x0040166f
0x0040166f
0x004016e5
0x004016e6
0x004016e6
0x004016e7
0x004016e7
0x004016e9
0x004016ec
0x004016ed
0x004016ef
0x004016f0
0x004016f1
0x004016f2
0x004016f3
0x004016f5
0x004016f7
0x004016fd
0x004016ff
0x00401702
0x00401703
0x00401705
0x00401707
0x0040170a
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401713
0x00401715
0x00401717
0x0040171b
0x0040171d
0x0040171f
0x00401722
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172c
0x0040172d
0x0040172f
0x00401735
0x00401737
0x00401739
0x0040173c
0x0040173d
0x00401741
0x00401742
0x00401743
0x00401745
0x00401747
0x0040174d
0x0040174e
0x00401753
0x00401755
0x00401757
0x00401759
0x0040175b
0x0040175d
0x0040175f
0x00401762
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401773
0x00401775
0x00401777
0x00401779
0x0040177b
0x0040177f
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401799
0x0040179d
0x0040179f
0x004017a1
0x004017a3
0x004017a6
0x004017a8
0x004017aa
0x004017ae
0x004017b0
0x004017b2
0x004017b4
0x004017b6
0x004017b8
0x004017ba
0x004017bc
0x004017be
0x004017c0
0x004017c2
0x004017c2
0x004017c4
0x00401827
0x00401827
0x00401829
0x0040182b
0x0040182d
0x0040182f
0x00401831
0x00401833
0x00401835
0x0040183a
0x0040183c
0x0040183d
0x0040183f
0x00401842
0x00401842
0x00401844
0x00401848
0x0040184c
0x0040184d
0x00401850
0x00401852
0x00401854
0x00401856
0x00401858
0x0040185a
0x0040185c
0x0040185e
0x00401860
0x00401862
0x00401864
0x00401867
0x00401869
0x0040186b
0x0040186d
0x0040186f
0x00401871
0x00401873
0x00401875
0x00401877
0x00401879
0x0040187b
0x0040187e
0x00401880
0x00401882
0x00401886
0x00401887
0x0040188e
0x00401893
0x00401895
0x00401897
0x0040189e
0x004018a0
0x004018a2
0x004018a7
0x004018aa
0x004018ab
0x004018ad
0x004018af
0x004018b2
0x004018b7
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018c3
0x004018c5
0x004018c7
0x004018c9
0x004018cc
0x004018ce
0x004018d2
0x004018d3
0x004018d5
0x004018d7
0x004018da
0x004018db
0x004018dd
0x004018df
0x004018e1
0x004018e4
0x004018e6
0x004018ea
0x004018eb
0x004018ed
0x004018f3
0x004018f7
0x004018f9
0x004018fc
0x004018fe
0x00401902
0x00401905
0x0040190a
0x0040190b
0x0040190e
0x00401910
0x00401912
0x00401914
0x00401915
0x00401917
0x00401919
0x0040191b
0x0040191d
0x0040191f
0x00401921
0x00401923
0x00401929
0x0040192a
0x00401930
0x00401934
0x00401935
0x00401937
0x00401939
0x0040193d
0x0040193f
0x00401941
0x00401943
0x00401945
0x00401947
0x00401949
0x0040194b
0x00401951
0x00401952
0x00401958
0x0040195a
0x0040195c
0x0040195e
0x00401962
0x00401963
0x0040196a
0x0040196b
0x00401971
0x00401973
0x00401975
0x00401977
0x00401979
0x0040197b
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00401985
0x00401987
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019a7
0x004019a9
0x004019ab
0x004019ad
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x004019b7
0x004019b9
0x004019bb
0x004019be
0x004019bf
0x004019c6
0x004019c7
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019db
0x004019dd
0x004019df
0x004019e1
0x004019e3
0x004019e5
0x004019e7
0x004019e9
0x004019eb
0x004019ed
0x004019ef
0x004019f1
0x004019f3
0x004019f5
0x004019f7
0x004019f9
0x004019fb
0x004019fd
0x004019ff
0x00401a01
0x00401a03
0x00401a05
0x00401a07
0x00401a09
0x00401a0b
0x00401a0d
0x00401a0f
0x00401a11
0x00401a13
0x00401a15
0x00401a17
0x00401a19
0x00401a1b
0x00401a1d
0x00401a1f
0x00401a21
0x00401a23
0x00401a25
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a31
0x00401a33
0x00401a35
0x00401a37
0x00401a39
0x00401a3b
0x00401a3d
0x00401a3f
0x00401a41
0x00401a43
0x00401a45
0x00401a47
0x00401a49
0x00401a4b
0x00401a4d
0x00401a4f
0x00401a55
0x00401a57
0x00401a60
0x00401a62
0x00401a64
0x00401a67
0x00401a69
0x00401a6c
0x00401a6e
0x00401a6f
0x00401a71
0x00401a73
0x00401a75
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a89
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a91
0x00401a93
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401a9d
0x00401a9f
0x00401aa1
0x00401aa3
0x00401aa5
0x00401aa7
0x00401aa9
0x00401aab
0x00401aad
0x00401aaf
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401abf
0x00401ac1
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af1
0x00401af3
0x00401af5
0x00401af7
0x00401af9
0x00401afb
0x00401afd
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b11
0x00401b13
0x00401b15
0x00401b17
0x00401b19
0x00401b1b
0x00401b1d
0x00401b1f
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b35
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b55
0x00401b57
0x00401b59
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b61
0x00401b63
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6f
0x00401b71
0x00401b73
0x00401b75
0x00401b77
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8b
0x00401b8d
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b9b
0x00401b9d
0x00401b9f
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401ba9
0x00401bab
0x00401bad
0x00401baf
0x00401bb1
0x00401bb3
0x00401bb5
0x00401bb7
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bc1
0x00401bc3
0x00401bc5
0x00401bc7
0x00401bc9
0x00401bcb
0x00401bcd
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be3
0x00401be5
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c03
0x00401c05
0x00401c07
0x00401c09
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c11
0x00401c13
0x00401c15
0x00401c17
0x00401c19
0x00401c1b
0x00401c1d
0x00401c1f
0x00401c21
0x00401c23
0x00401c25
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c43
0x00401c45
0x00401c47
0x00401c49
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c59
0x00401c5b
0x00401c5d
0x00401c5f
0x00401c61
0x00401c63
0x00401c65
0x00401c67
0x00401c69
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c7d
0x00401c81
0x00401c82
0x00401c83
0x00401c86
0x00401c88
0x00401c8a
0x00401c8f
0x00401c91
0x00401c95
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9e
0x00401ca3
0x00401ca5
0x00401ca8
0x00401caa
0x00401cac
0x00401cb2
0x00401cb4
0x00401cb6
0x00401cb8
0x00401cba
0x00401cbc
0x00401cc2
0x00401cc4
0x00401cc5
0x00401cca
0x00401cce
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cda
0x00401cdc
0x00401ce2
0x00401ce6
0x00401ce7
0x00401ced
0x00401cf1
0x00401cf3
0x00401cf5
0x00401cf8
0x00401cfa
0x00401cfc
0x00401cfe
0x00401d04
0x00401d06
0x00401d08
0x00401d0a
0x00401d0c
0x00401d0e
0x00401d10
0x00401d12
0x00401d14
0x00401d16
0x00401d18
0x00401d1a
0x00401d1c
0x00401d1e
0x00401d20
0x00401d22
0x00401d24
0x00401d26
0x00401d28
0x00401d2a
0x00401d2c
0x00401d32
0x00401d33
0x00401d36
0x00401d3b
0x00401d3e
0x00401d3f
0x00401d41
0x00401d43
0x00401d45
0x00401d47
0x00401d49
0x00401d4d
0x00401d52
0x00401d58
0x00401d5c
0x00401d5d
0x00401d5f
0x00401d61
0x00401d63
0x00401d6a
0x00401d6c
0x00401d6e
0x00401d70
0x00401d72
0x00401d75
0x00401d79
0x00401d84
0x00401d85
0x00401d87
0x00401d8a
0x00401d8c
0x00401d90
0x00401d92
0x00401d94
0x00401d96
0x00401d98
0x00401d9a
0x00401da1
0x00401da8
0x00401daa
0x00401dad
0x00401daf
0x00401db2
0x00401db4
0x00401db7
0x00401db9
0x00401dbb
0x00401dbd
0x00401dbf
0x00401dc1
0x00401dc3
0x00401dc9
0x00401dd0
0x00401dd5
0x00401dd7
0x00401ddf
0x00401de4
0x00401de6
0x00401de8
0x00401dea
0x00401def
0x00401df1
0x00401dfd
0x00401e03
0x00401e06
0x00401e07
0x00401e0d
0x00401e0f
0x00401e11
0x00401e13
0x00401e15
0x00401e18
0x00401e1b
0x00401e1f
0x00401e25
0x00401e27
0x00401e2f
0x00401e31
0x00401e33
0x00401e35
0x00401e37
0x00401e39
0x00401e3b
0x00401e3f
0x00401e4d
0x00401e53
0x00401e57
0x00401e59
0x00401e5b
0x00401e5d
0x00401e5f
0x00401e61
0x00401e65
0x00401e68
0x00401e70
0x00401e71
0x00401e73
0x00401e7b
0x00401e7f
0x00401e81
0x00401e83
0x00401e85
0x00401e87
0x00401e89
0x00401e8b
0x00401e8f
0x00401e91
0x00401e98
0x00401e99
0x00401e9b
0x00401ea4
0x00401ea4
0x004017c6
0x004017c7
0x00000000
0x00000000
0x004017c9
0x004017cf
0x004017d0
0x004017d2
0x004017d4
0x004017d7
0x004017d8
0x004017de
0x004017e1
0x004017e3
0x004017e4
0x004017e5
0x004017e6
0x004017e8
0x004017e9
0x004017eb
0x004017ee
0x004017f2
0x004017f5
0x004017fa
0x00401800
0x00401802
0x00401804
0x00401806
0x00401808
0x0040180a
0x0040180c
0x0040180e
0x00401810
0x00401812
0x00401814
0x00401817
0x00401819
0x0040181b
0x0040181d
0x0040181f
0x00401821
0x00401823
0x00401825
0x00000000
0x00401825
0x00401670
0x004016d6
0x004016d6
0x004016d6
0x00401671
0x00000000
0x00000000
0x00401673
0x00000000
0x00000000
0x00401675
0x00000000
0x00000000
0x00401677
0x0040167e
0x0040167f
0x00401684
0x00401686
0x00401688
0x0040168a
0x0040168c
0x0040168d
0x00401690
0x00401691
0x00401692
0x00401698
0x00401698
0x0040169c
0x00000000
0x00000000
0x0040169e
0x0040169f
0x004016a3
0x004016a9
0x004016aa
0x004016b1
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016ba
0x0040163e
0x00401640
0x00401642
0x00401645
0x00401649
0x00401649
0x0040164b
0x0040164b
0x0040164b
0x0040164b
0x004015ce
0x004015cf
0x004015d3
0x004015d6
0x004015d8
0x004015de
0x004015e0
0x004015e2
0x004015e4
0x004015e6
0x004015e8
0x004015eb
0x004015ec
0x004015ed
0x004015ee
0x004015ef
0x004015f2
0x004015f4
0x004015f5
0x004015f5
0x004015f5
0x004015f8
0x0040165b
0x0040165d
0x00401660
0x00401660
0x00401663
0x00401664
0x00401665
0x0040166a
0x0040166a
0x0040166c
0x0040166d
0x00000000
0x0040166d
0x004015fa
0x00000000
0x00000000
0x004015fc
0x004015ff
0x00401602
0x00401607
0x00401609
0x0040160b
0x0040160e
0x00401610
0x00401615
0x00000000
0x00000000
0x00401617
0x00401619
0x0040161b
0x0040161c
0x0040161e
0x00401623
0x00401624
0x00401627
0x0040162e
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004014BD

Strings

VB5!6&*, xrefs: 004014B8

Memory Dump Source

Source File: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 52a6d5008e123b8ee4e40c80d589c66f6676afa906a912300af352e1b6cf90a8
Instruction ID: a2f5081608dbe610ee30d52c52de5d909079e5e8f6c2fac59b5977de64d8f8e5
Opcode Fuzzy Hash: 52a6d5008e123b8ee4e40c80d589c66f6676afa906a912300af352e1b6cf90a8
Instruction Fuzzy Hash: EB01726144F3C08FC30747B14C2A9A23FB09E0362430A12EBC1E2CA8B3D21D084AC373

Uniqueness

Uniqueness Score: -1.00%

Function 004183E4, Relevance: 1.4, APIs: 1, Instructions: 163memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(1B14B119,00017000,70E21EC1,?,00409C03), ref: 0041898F

Memory Dump Source

Source File: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5259595c3604787d56f8485f6b0645cd0f4a0c38b6c3c2b473d3f3d7561ab50c
Instruction ID: f6f63db3054c0ff58cddc0cb37d921ecef5dfb9f1ea52341a1a3a0958bf337ba
Opcode Fuzzy Hash: 5259595c3604787d56f8485f6b0645cd0f4a0c38b6c3c2b473d3f3d7561ab50c
Instruction Fuzzy Hash: 7D41E563F0871585FF752068C9E05ED6202DB86341F368A3FDAAB338D56D3E09C2159B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0041FEE0, Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041FF35
__vbaStrCopy.MSVBVM60 ref: 0041FF3F
#515.MSVBVM60(?,?,00000002), ref: 0041FF58
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041FF74
__vbaFreeVar.MSVBVM60 ref: 0041FF80
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 0041FFA1
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,0000004C), ref: 0041FFC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F24,00000024), ref: 0041FFF4
__vbaStrMove.MSVBVM60 ref: 00420003
__vbaFreeObj.MSVBVM60 ref: 0042000C
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 00420025
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042003E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000068), ref: 0042005F
__vbaFreeObj.MSVBVM60 ref: 0042006E
__vbaFreeStr.MSVBVM60(004200B7), ref: 004200AA
__vbaFreeStr.MSVBVM60 ref: 004200AF
__vbaFreeStr.MSVBVM60 ref: 004200B4

Strings

var, xrefs: 0041FF37
Monascidian, xrefs: 0041FFDA
CAREENING, xrefs: 0041FFD5

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#515Move
String ID: CAREENING$Monascidian$var
API String ID: 860825397-1736873049
Opcode ID: 4d82713559e72eca696945d315c867bd4ccbdb45d13eb8448730d56aa86c1d52
Instruction ID: 5a93a4987f1dba70a765a8882e44034d5d902fac6c0682f1b150bb3ad2f94b33
Opcode Fuzzy Hash: 4d82713559e72eca696945d315c867bd4ccbdb45d13eb8448730d56aa86c1d52
Instruction Fuzzy Hash: C0512B75900259ABCB14DF94DD88EDEBBF8FF58700F20442AE505B72A0D7B85945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420280, Relevance: 31.7, APIs: 21, Instructions: 182COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 004202E0
#522.MSVBVM60(?,?), ref: 004202EE
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042030A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042031D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025DC,00000160), ref: 00420351
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 00420369
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 00420388
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203A1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,00000120), ref: 004203C8
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004203E6
__vbaStrVarMove.MSVBVM60(00000000), ref: 004203F0
__vbaStrMove.MSVBVM60 ref: 004203FB
__vbaObjSet.MSVBVM60(?,?,00000000), ref: 00420407
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,00000040), ref: 00420429
__vbaFreeStr.MSVBVM60 ref: 00420432
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00420446
__vbaFreeVar.MSVBVM60 ref: 00420452
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0042046B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420484
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C24,000000E8), ref: 004204AB
__vbaFreeObj.MSVBVM60 ref: 004204BA

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$ListMove$#522CallLate
String ID:
API String ID: 3206667697-0
Opcode ID: 93ddd3d2cccb841665103290ad281c43c6bb1fc19fb90c05f055e8bcf081c761
Instruction ID: affd1a53efb9554e804900530d60f62f57efad3f9e40ebd8b40aa9cee4017766
Opcode Fuzzy Hash: 93ddd3d2cccb841665103290ad281c43c6bb1fc19fb90c05f055e8bcf081c761
Instruction Fuzzy Hash: C1613AB1900259AFDB10DF94DD88EDEBBB8FB48300F50452AF646B32A1D7785585CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7B0, Relevance: 21.1, APIs: 14, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041F802
__vbaI4Str.MSVBVM60(00402E74), ref: 0041F80D
#697.MSVBVM60(00000000), ref: 0041F814
__vbaStrMove.MSVBVM60 ref: 0041F81F
__vbaStrCmp.MSVBVM60(00402B6C,00000000), ref: 0041F82B
__vbaFreeStr.MSVBVM60 ref: 0041F83E
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 0041F85F
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,0000001C), ref: 0041F884
__vbaCastObj.MSVBVM60(?,00402D50), ref: 0041F8B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F8C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E94,00000058), ref: 0041F8DD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F8ED
__vbaFreeObj.MSVBVM60(0041F934), ref: 0041F924
__vbaFreeStr.MSVBVM60 ref: 0041F92D

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#697CastCopyListMoveNew2
String ID:
API String ID: 1550409211-0
Opcode ID: be90a806182460e2b4442ff54b16976e2e1ee19c032624186cdd85052726c2e2
Instruction ID: 544d324653dca906891d8767194e039d13fefa41aa701892c0170855f757f26e
Opcode Fuzzy Hash: be90a806182460e2b4442ff54b16976e2e1ee19c032624186cdd85052726c2e2
Instruction Fuzzy Hash: 5D414FB0D00245ABCB04DF95DA49ADEBBB8FF58701F10812AE541F72A0D7785945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F670, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

#591.MSVBVM60(?), ref: 0041F6B9
__vbaStrMove.MSVBVM60 ref: 0041F6C4
__vbaStrCmp.MSVBVM60(Integer,00000000), ref: 0041F6D0
__vbaFreeStr.MSVBVM60 ref: 0041F6E3
__vbaFreeVar.MSVBVM60 ref: 0041F6EC
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041F70A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F723
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000080), ref: 0041F74A
__vbaFreeObj.MSVBVM60 ref: 0041F759

Strings

Integer, xrefs: 0041F6CB
KK, xrefs: 0041F6AB

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#591CheckHresultMoveNew2
String ID: Integer$KK
API String ID: 609433361-2898439456
Opcode ID: d529f83a4991cd5237d5a8649f017f0ea0f5c14ea4a0bae646dc23a47cba8285
Instruction ID: 44ff2366891e3b5d46d50772480f940b023b1791551d441a028f61e0a60aeb4d
Opcode Fuzzy Hash: d529f83a4991cd5237d5a8649f017f0ea0f5c14ea4a0bae646dc23a47cba8285
Instruction Fuzzy Hash: 4B2191759402059BCB10DF94DD49EEEBBB8FB58700F104026E552F32A0D778594ACBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDB0, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

#606.MSVBVM60(00000001,?), ref: 0041FE04
__vbaStrMove.MSVBVM60 ref: 0041FE0F
__vbaStrCmp.MSVBVM60(00402B98,00000000), ref: 0041FE1B
__vbaFreeStr.MSVBVM60 ref: 0041FE2E
__vbaFreeVar.MSVBVM60 ref: 0041FE37
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 0041FE54
__vbaObjSetAddref.MSVBVM60(?,00401218), ref: 0041FE6A
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,00000010), ref: 0041FE87
__vbaFreeObj.MSVBVM60 ref: 0041FE90

Strings

, xrefs: 0041FDF6

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#606AddrefCheckHresultMoveNew2
String ID:
API String ID: 2885364696-3916222277
Opcode ID: 136a7d3117e861ae34ddc02cb31fad809ee7a566f793b790a9d40f8ceee2fc9f
Instruction ID: f520d7c31c0e9562858801fef8f775bdfe29c5bf61979b32152ef0e7166bce00
Opcode Fuzzy Hash: 136a7d3117e861ae34ddc02cb31fad809ee7a566f793b790a9d40f8ceee2fc9f
Instruction Fuzzy Hash: 39218075900254EFCB10DFA4DE89AEEBBB4FB08701F10412AE942F32A1C7781945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F520, Relevance: 16.6, APIs: 11, Instructions: 89COMMON

Download Yara Rule

APIs

#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041F561
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F56B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F588
#570.MSVBVM60(0000004F,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F591
__vbaNew2.MSVBVM60(00401C88,00421010,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F5AA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F5C3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF0,00000158), ref: 0041F5EA
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041F5FA
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F604
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F617
__vbaFreeVar.MSVBVM60 ref: 0041F623

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#538#557#570CallCheckHresultLateListNew2
String ID:
API String ID: 729259385-0
Opcode ID: 29bc8a58bab013fa0b11e2682f6ef06396553df9f035572e8521283f65bdf648
Instruction ID: 4729f7cd9904e0fa7919ee0016aa39d6ebef70e94f4712c49ae4adabfdd4932e
Opcode Fuzzy Hash: 29bc8a58bab013fa0b11e2682f6ef06396553df9f035572e8521283f65bdf648
Instruction Fuzzy Hash: CE319E74940245ABCB10DFA4DD89EEE77B8FB88B00F10442AF542B75A0D7785586CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00420520, Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420572
__vbaVarDup.MSVBVM60 ref: 0042058C
#528.MSVBVM60(?,?), ref: 0042059A
__vbaVarTstNe.MSVBVM60(?,?), ref: 004205B6
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004205C9
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 004205E9
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,0000001C), ref: 0042060E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E94,00000050), ref: 0042062E
__vbaFreeObj.MSVBVM60 ref: 00420637
__vbaFreeStr.MSVBVM60(0042066F), ref: 00420668

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#528CopyListNew2
String ID:
API String ID: 1123914322-0
Opcode ID: 5b549620164804655012acd858c8e262a1da1e5dddc09b0256446ee721d01666
Instruction ID: d26fa17c9ad7b8b1cc217ce74c02095d8141072f82e9e163cfc3fec8cbb4c4d5
Opcode Fuzzy Hash: 5b549620164804655012acd858c8e262a1da1e5dddc09b0256446ee721d01666
Instruction Fuzzy Hash: E1311874D00249ABCB04DF95D949ADEFBB8FF98704F10801AE515B72A0D7B85546CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F310, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041F34D
__vbaI4Str.MSVBVM60(00402E74), ref: 0041F358
#698.MSVBVM60(?,00000000), ref: 0041F363
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F37F
__vbaFreeVar.MSVBVM60 ref: 0041F38A
#569.MSVBVM60(00000068), ref: 0041F397
__vbaFreeStr.MSVBVM60(0041F3C9), ref: 0041F3C2

Strings

G*, xrefs: 0041F39D

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#569#698Copy
String ID: G*
API String ID: 3581547392-626655979
Opcode ID: cbef803ad6f351f98e7b27fef3f5d415f2680c6cc101e2edea69dd6ada62f5ff
Instruction ID: fd3c272f8f5d63f027951c74803cd3d9d3c5805758595123d6badc01be7afc36
Opcode Fuzzy Hash: cbef803ad6f351f98e7b27fef3f5d415f2680c6cc101e2edea69dd6ada62f5ff
Instruction Fuzzy Hash: 84114FB1C002099BCB10DFE5CA49ADEFBB8BF48700F00C12AE561B36A0D778154ACF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041F160, Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

#693.MSVBVM60(00402B6C), ref: 0041F1B7
#685.MSVBVM60 ref: 0041F1C5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F1D6
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041F20F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F228
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001A8), ref: 0041F24E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402E60,00000044), ref: 0041F281
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F291
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041F2A9

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultList$#685#693New2
String ID:
API String ID: 587155547-0
Opcode ID: 4c9578db7eec6180331dc167984d9c264de36110de00e5b5d33111117ea21d04
Instruction ID: bf8bf6b65804986466b117bbdd3e81ca60bbd975c94f831c57044fbd4a98dcdc
Opcode Fuzzy Hash: 4c9578db7eec6180331dc167984d9c264de36110de00e5b5d33111117ea21d04
Instruction Fuzzy Hash: 9A4129B1D00248AFCB14DFD9C989AEEBBB8FB48700F50806AF255E7290D7785546CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC00, Relevance: 12.1, APIs: 8, Instructions: 120COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041FC53
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FC6C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000224), ref: 0041FCF3
__vbaFreeObj.MSVBVM60 ref: 0041FD02
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041FD17
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD30
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000000D0), ref: 0041FD57
__vbaFreeObj.MSVBVM60 ref: 0041FD66

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 5818824b9a1024ba1b6e8ea064657c8a76fe882b321d1e85bce3caaa30465947
Instruction ID: 72e0286233c38e3b5063e11ec24fe8bbf0c329a6892fcec327ba47c93c4900b2
Opcode Fuzzy Hash: 5818824b9a1024ba1b6e8ea064657c8a76fe882b321d1e85bce3caaa30465947
Instruction Fuzzy Hash: 93415E74A002049FCB14DFA9D988E9ABBF8FF48700F10856AE945F7365D7789846CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420690, Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401C88,00421010), ref: 004206E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420702
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0042071E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420737
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,000000E8), ref: 0042075A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001EC), ref: 0042079A
__vbaFreeStr.MSVBVM60 ref: 004207A3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004207B3

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: a4f583f80849229d29c5d4a771b266b8c66477b3e770aafda199840223396f73
Instruction ID: 8874f08c1ba130e40a31d8c11e1516cb801044f62a40d747babeda15eba2f6e6
Opcode Fuzzy Hash: a4f583f80849229d29c5d4a771b266b8c66477b3e770aafda199840223396f73
Instruction Fuzzy Hash: 4C316FB0A00254AFC710DFA8DD89F9E7BF8FB48700F50846AF545F7261D678A9428FA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA80, Relevance: 12.1, APIs: 8, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041FAC7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FAE6
__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041FB02
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FB1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C14,00000198), ref: 0041FB3E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001EC), ref: 0041FB7E
__vbaFreeStr.MSVBVM60 ref: 0041FB87
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FB97

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: b964900997c64a2df26bca023950513922fdcbc2c1d8b5202bd5f2a8d6d240cb
Instruction ID: 3bdd25179e449f35cc355c26ee10d94caa94f291cc643fb3519884997f52f5fc
Opcode Fuzzy Hash: b964900997c64a2df26bca023950513922fdcbc2c1d8b5202bd5f2a8d6d240cb
Instruction Fuzzy Hash: E7314FB0A00244AFC704DFA8DD49FDE7BB8FB48704F10447AF545F72A1D678A9468BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F3F0, Relevance: 12.1, APIs: 8, Instructions: 78COMMON

Download Yara Rule

APIs

#713.MSVBVM60(00402E80,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F435
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F440
__vbaStrCmp.MSVBVM60(00402E8C,00000000,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F44C
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F45F
__vbaNew2.MSVBVM60(00402BBC,004213C0,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F47C
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,0000001C,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F4A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402E94,00000050,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F4C1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F4CA

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#713MoveNew2
String ID:
API String ID: 1476637831-0
Opcode ID: 2e9607f6903f28236eac9248339216ded7d831cb9ca288441cea950688f58aa4
Instruction ID: 7bdac1ae862f823b4537f27603bc293439098803d853f1a14e8aa9cf25aa199d
Opcode Fuzzy Hash: 2e9607f6903f28236eac9248339216ded7d831cb9ca288441cea950688f58aa4
Instruction Fuzzy Hash: 57219F74940254ABCB10DFA4DD49AAFBBB8FF58700F20412AF942F32A0D7785946CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00420170, Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

#592.MSVBVM60(?), ref: 004201B2
__vbaFreeVar.MSVBVM60 ref: 004201C9
__vbaNew2.MSVBVM60(00402BBC,004213C0), ref: 004201E7
__vbaHresultCheckObj.MSVBVM60(00000000,0216EDD4,00402BAC,0000001C), ref: 0042020C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402E94,00000050), ref: 0042022C
__vbaFreeObj.MSVBVM60 ref: 00420235

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#592New2
String ID:
API String ID: 3172800638-0
Opcode ID: 6166537a70195ed582b7a00b79976da2c731308e92d5143ec20e443f8ae67fa6
Instruction ID: 2ade409c2249c12df6d483aca6c3344d15282517b539300fafbf27e770b15a98
Opcode Fuzzy Hash: 6166537a70195ed582b7a00b79976da2c731308e92d5143ec20e443f8ae67fa6
Instruction Fuzzy Hash: E7218074640264ABD710DFA4DE4DF9E7FF8AB04B44F50006AE541F32A1D77858058AA9

Uniqueness

Uniqueness Score: -1.00%

Function 004208D0, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0042092A
#564.MSVBVM60(?,?), ref: 00420938
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420943
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042095F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420971
#568.MSVBVM60(00000093), ref: 00420984

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#564#568CheckFreeHresultList
String ID:
API String ID: 1114338403-0
Opcode ID: 8d01400128f85eb9611b8aeec0c66939c03d6173ba5ea0de7057059c8c5a779d
Instruction ID: ce6371c8710e063f577bcef36474876e18e06c858ee1b892273fbe9f1b5a94ea
Opcode Fuzzy Hash: 8d01400128f85eb9611b8aeec0c66939c03d6173ba5ea0de7057059c8c5a779d
Instruction Fuzzy Hash: 6F2133B5800258AFDB00DFD4D989ADDBFB8FB08B04F10411AF506BB251D7B45589CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00420800, Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,004012C6), ref: 00420837
__vbaNew2.MSVBVM60(00401C88,00421010,?,?,?,?,?,?,?,004012C6), ref: 00420850
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004012C6), ref: 00420869
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,00000208,?,?,?,?,?,?,?,004012C6), ref: 0042088C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,004012C6), ref: 00420895
__vbaFreeStr.MSVBVM60(004208B6,?,?,?,?,?,?,?,004012C6), ref: 004208AF

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 779cca5a297314a4215882555f0c20cd1c0fafd8064dfa986dccb922ea7ac62e
Instruction ID: 1810154887b4258c2f016908da9c494d0a7068ccebb251b544e45ca500ab52f4
Opcode Fuzzy Hash: 779cca5a297314a4215882555f0c20cd1c0fafd8064dfa986dccb922ea7ac62e
Instruction Fuzzy Hash: 5D119E70640244ABC710EF94DE89FAF7BF8EB58701F60442AF542F36A1C7785942CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F960, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E0041F960(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t28;
				intOrPtr* _t30;
				intOrPtr* _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t45;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				_t45 = _t44 - 0x2c;
				_v16 = _t45;
				_v12 = 0x4011e8;
				_v8 = 0;
				_t21 = _a4;
				 *((intOrPtr*)( *_t21 + 4))(_t21, __edi, __esi, __ebx,  *[fs:0x0], 0x4012c6, _t41);
				_t23 =  *0x421010; // 0x61f650
				_v32 = 0;
				_v28 = 0;
				_v36 = 0;
				if(_t23 == 0) {
					__imp____vbaNew2(0x401c88, 0x421010);
					_t23 =  *0x421010; // 0x61f650
				}
				_t25 =  &_v36;
				__imp____vbaObjSet(_t25,  *((intOrPtr*)( *_t23 + 0x318))(_t23));
				_t30 = _t45 - 0x10;
				 *_t30 = 0xa;
				_t40 = _t25;
				 *((intOrPtr*)(_t30 + 4)) = _v48;
				 *((intOrPtr*)(_t30 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t30 + 0xc)) = _v40;
				_t28 =  *((intOrPtr*)( *_t40 + 0x1ec))(_t40, L"Skottehistorien");
				asm("fclex");
				if(_t28 < 0) {
					__imp____vbaHresultCheckObj(_t28, _t40, 0x402bcc, 0x1ec);
				}
				__imp____vbaFreeObj();
				_v32 = 0x99500000;
				_v28 = 0x4202a36b;
				asm("wait");
				_push(0x41fa44);
				return _t28;
			}

0x0041f963
0x0041f972
0x0041f979
0x0041f97f
0x0041f982
0x0041f98b
0x0041f98e
0x0041f994
0x0041f997
0x0041f99e
0x0041f9a1
0x0041f9a4
0x0041f9a7
0x0041f9b3
0x0041f9b9
0x0041f9b9
0x0041f9c8
0x0041f9cc
0x0041f9d5
0x0041f9dc
0x0041f9e1
0x0041f9e5
0x0041f9ed
0x0041f9f9
0x0041f9fc
0x0041fa02
0x0041fa06
0x0041fa14
0x0041fa14
0x0041fa1d
0x0041fa23
0x0041fa2a
0x0041fa31
0x0041fa32
0x00000000

APIs

__vbaNew2.MSVBVM60(00401C88,00421010,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F9B3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F9CC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001EC), ref: 0041FA14
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041FA1D

Strings

Skottehistorien, xrefs: 0041F9F3

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Skottehistorien
API String ID: 1645334062-3067532313
Opcode ID: b50a9be62b5479fe51610c16e74de2706f097683118112f9e3d5ec685d1132c4
Instruction ID: 87032a936a1e37fc93b393a2398d0e84b534019fab70e683fcaa1cf8ee2f006c
Opcode Fuzzy Hash: b50a9be62b5479fe51610c16e74de2706f097683118112f9e3d5ec685d1132c4
Instruction Fuzzy Hash: BE213070A40244AFCB00DFA9D989B9EBFF8FF58700F10846AE905F7661C77899418F98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F070, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401C88,00421010), ref: 0041F0B3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F0CC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BCC,000001EC), ref: 0041F114
__vbaFreeObj.MSVBVM60 ref: 0041F11D

Strings

weet, xrefs: 0041F0F3

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: weet
API String ID: 1645334062-3595723829
Opcode ID: efcb30ea199cf3941762e1b8febcf00998d311785bd4b28caf029e99738d594e
Instruction ID: 9f567f0585496d71ce6b2d7453d8077976490acf90975035e9736752e995cd14
Opcode Fuzzy Hash: efcb30ea199cf3941762e1b8febcf00998d311785bd4b28caf029e99738d594e
Instruction Fuzzy Hash: AC1181B4A00245AFC700DFA8CA49F9ABFF8FB08700F10843AE545F76A1D77858468B99

Uniqueness

Uniqueness Score: -1.00%

Function 004200E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E004200E0(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr* _t13;
				signed char _t14;
				intOrPtr* _t15;
				void* _t18;
				void* _t23;
				void* _t25;
				intOrPtr _t27;

				 *[fs:0x0] = _t27;
				_v16 = _t27 - 0x18;
				_v12 = 0x401240;
				_v8 = 0;
				_t13 = _a4;
				_t14 =  *((intOrPtr*)( *_t13 + 4))(_t13, _t23, _t25, _t18,  *[fs:0x0], 0x4012c6);
				__imp____vbaR4Str(0x402f38);
				asm("fcomp dword [0x401238]");
				asm("fnstsw ax");
				if((_t14 & 0x00000040) == 0) {
					__imp____vbaFileOpen(0x20, 0xffffffff, 0x30, L"imprejudice");
				}
				_t15 = _a4;
				 *((intOrPtr*)( *_t15 + 8))(_t15);
				 *[fs:0x0] = _v24;
				return _v8;
			}

0x004200f2
0x004200ff
0x00420102
0x00420109
0x00420110
0x00420116
0x0042011e
0x00420124
0x0042012a
0x0042012f
0x0042013c
0x0042013c
0x00420142
0x00420148
0x00420153
0x0042015e

APIs

__vbaR4Str.MSVBVM60(00402F38,?,?,?,?,?,?,?,?,004012C6), ref: 0042011E
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000030,imprejudice,?,?,?,?,?,?,?,?,004012C6), ref: 0042013C

Strings

imprejudice, xrefs: 00420131

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FileOpen
String ID: imprejudice
API String ID: 1444369698-3142114848
Opcode ID: f7fdd44ea108bead8f08ea79611c0b4dec4998263d8a79ee98eb390992fdcef5
Instruction ID: 56741a9550a06e266b45177f90e898e681aa17923986fd91a2eca657ac5a52fa
Opcode Fuzzy Hash: f7fdd44ea108bead8f08ea79611c0b4dec4998263d8a79ee98eb390992fdcef5
Instruction Fuzzy Hash: 95018F75A40204EFC700DF98DA49B4ABBB8FB48B50F1082AAF945B73E0C7785940CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004209D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarTstNe.MSVBVM60(?,?), ref: 00420A24
#532.MSVBVM60(Emotionen3), ref: 00420A34

Strings

Emotionen3, xrefs: 00420A2F

Memory Dump Source

Source File: 00000000.00000002.1165623078.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165552073.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165559821.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165665236.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165688422.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: #532__vba
String ID: Emotionen3
API String ID: 1414456671-3255538820
Opcode ID: 4ac1489cfa578bce9845b2fe05735b288450cb1b112339d04a2fc33c3c7abb48
Instruction ID: 1473c182bcd770d46cbe502379d8474882fb35e0ed5b83f3b70ce4504ee61e0b
Opcode Fuzzy Hash: 4ac1489cfa578bce9845b2fe05735b288450cb1b112339d04a2fc33c3c7abb48
Instruction Fuzzy Hash: 4EF0F475D41248ABC700DF94DA4979DBBF8BB14745F90805AF501722D1D7B815098B65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report pansy.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: pansy.exe PID: 7068 Parent PID: 5920

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: pansy.exe PID: 7068 Parent PID: 5920 pansy.exeCOMMON

Executed Functions

Function 0041C8A0, Relevance: 328.9, APIs: 175, Strings: 12, Instructions: 1669COMMON

Function 004014B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Function 004183E4, Relevance: 1.4, APIs: 1, Instructions: 163memoryCOMMON

Function 004014B8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Function 0041F960, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
COMMON

Function 004200E0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON