Play interactive tour

Edit tour

Windows Analysis Report June-July_Commission_List_Summary-2021.exe

Overview

General Information

Sample Name:	June-July_Commission_List_Summary-2021.exe
Analysis ID:	457757
MD5:	bc6d6f6c55211e9ffc8972f330135da7
SHA1:	07b6f45608594b9ee812a9a95f80e51d644424c9
SHA256:	4326190ec077d66ad458337eed8a4f517cfd354247e921c4d01d9f50d9346e32
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

June-July_Commission_List_Summary-2021.exe (PID: 5756 cmdline: 'C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe' MD5: BC6D6F6C55211E9FFC8972F330135DA7)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: June-July_Commission_List_Summary-2021.exe	Virustotal: Detection: 29%			Perma Link
Source: June-July_Commission_List_Summary-2021.exe	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Show sources

Source: June-July_Commission_List_Summary-2021.exe

Joe Sandbox ML: detected

Source: June-July_Commission_List_Summary-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F7A3A	0_2_021F7A3A
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F7A68	0_2_021F7A68
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F4F09	0_2_021F4F09
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F78FC	0_2_021F78FC
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F70E7	0_2_021F70E7
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F5521	0_2_021F5521
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F5574	0_2_021F5574
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F4DBE	0_2_021F4DBE
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F59CC	0_2_021F59CC

Source: June-July_Commission_List_Summary-2021.exe, 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWivrejaygeesca9.exe vs June-July_Commission_List_Summary-2021.exe
Source: June-July_Commission_List_Summary-2021.exe	Binary or memory string: OriginalFilenameWivrejaygeesca9.exe vs June-July_Commission_List_Summary-2021.exe

Source: June-July_Commission_List_Summary-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal68.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF152992B35EEE298A.TMP

Jump to behavior

Source: June-July_Commission_List_Summary-2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: June-July_Commission_List_Summary-2021.exe	Virustotal: Detection: 29%
Source: June-July_Commission_List_Summary-2021.exe	ReversingLabs: Detection: 17%

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_00404923 push ds; ret	0_2_00404930
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_0040659A push esp; retf	0_2_0040659B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_0040569B push ebp; retf	0_2_0040569E
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_00408B7B push ebx; iretd	0_2_00408B82
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_00406F8F push ebp; retf	0_2_00406F93
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F24F8 push es; iretd	0_2_021F24FA

Source: initial sample

Static PE information: section name: .text entropy: 7.14012596914

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021FD52B	0_2_021FD52B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F5521	0_2_021F5521
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F5574	0_2_021F5574

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 00000000021FE4B4 second address: 00000000021FE4B4 instructions:
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 0000000002201AA0 second address: 0000000002201AA0 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 00000000021FE4B4 second address: 00000000021FE4B4 instructions:
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 00000000021FDC02 second address: 00000000021FDDA2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+00000223h] 0x00000011 mov dword ptr [ebp+0000021Bh], eax 0x00000017 mov eax, esi 0x00000019 push eax 0x0000001a cmp dl, cl 0x0000001c mov eax, dword ptr [ebp+0000021Bh] 0x00000022 mov dword ptr [ebp+0000019Ch], ebx 0x00000028 test dx, F826h 0x0000002d mov ebx, edx 0x0000002f test bx, 655Ch 0x00000034 push ebx 0x00000035 mov ebx, dword ptr [ebp+0000019Ch] 0x0000003b call 00007F79C8CDA548h 0x00000040 test edx, ebx 0x00000042 mov esi, dword ptr [esp+04h] 0x00000046 mov eax, 020D0734h 0x0000004b xor eax, 97E8A2A4h 0x00000050 jmp 00007F79C8CDA5A9h 0x00000055 test dx, bx 0x00000058 xor eax, 66496E64h 0x0000005d sub eax, F3ACB6EFh 0x00000062 test ax, cx 0x00000065 test ax, ax 0x00000068 mov dword ptr [ebp+000001DCh], ebx 0x0000006e mov ebx, FD8668ABh 0x00000073 pushad 0x00000074 mov edx, 00000025h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 00000000021FDDA2 second address: 00000000021FDDA2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, 2EB48951h 0x00000009 xor ebx, 4D05852Ah 0x0000000f test ah, ah 0x00000011 sub ebx, 613F7432h 0x00000017 cmp byte ptr [esi], bl 0x00000019 mov ebx, dword ptr [ebp+000001DCh] 0x0000001f jnc 00007F79C8CDA55Dh 0x00000021 mov ebx, eax 0x00000023 test dh, ch 0x00000025 shl eax, 05h 0x00000028 add eax, ebx 0x0000002a movzx ecx, byte ptr [esi] 0x0000002d test bh, dh 0x0000002f add eax, ecx 0x00000031 xor eax, 87814D76h 0x00000036 test dh, dh 0x00000038 inc esi 0x00000039 mov dword ptr [ebp+00000199h], ecx 0x0000003f mov ecx, 8083BC92h 0x00000044 cmp edx, E060B676h 0x0000004a test al, bl 0x0000004c xor ecx, 15B192FBh 0x00000052 xor ecx, 1B76C997h 0x00000058 test ecx, eax 0x0000005a xor ecx, 8E44E7FEh 0x00000060 cmp ebx, D7C88536h 0x00000066 cmp dh, FFFFFFD5h 0x00000069 cmp byte ptr [esi], cl 0x0000006b mov ecx, dword ptr [ebp+00000199h] 0x00000071 jne 00007F79C8CDA47Eh 0x00000077 mov dword ptr [ebp+000001DCh], ebx 0x0000007d mov ebx, FD8668ABh 0x00000082 pushad 0x00000083 mov edx, 00000025h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 0000000002201903 second address: 0000000002201903 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [ebp+000001DAh], ebx 0x00000009 jne 00007F79C8CDA4C6h 0x0000000b xor dword ptr [eax], edx 0x0000000d add eax, 04h 0x00000010 mov dword ptr [ebp+000001DAh], eax 0x00000016 pushad 0x00000017 mov eax, 000000FCh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 0000000002201AA0 second address: 0000000002201AA0 instructions:
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 00000000021FF545 second address: 00000000021FDDA2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c mov ecx, dword ptr [ebp+000001B8h] 0x00000012 test bh, dh 0x00000014 mov dword ptr [ebp+0000020Fh], edx 0x0000001a mov edx, ecx 0x0000001c cmp ch, dh 0x0000001e push edx 0x0000001f cmp eax, D3D4D650h 0x00000024 mov edx, dword ptr [ebp+0000020Fh] 0x0000002a mov dword ptr [ebp+0000024Ah], ecx 0x00000030 mov ecx, esi 0x00000032 push ecx 0x00000033 mov ecx, dword ptr [ebp+0000024Ah] 0x00000039 test dl, cl 0x0000003b mov dword ptr [ebp+00000210h], eax 0x00000041 mov eax, esi 0x00000043 push eax 0x00000044 cmp ah, dh 0x00000046 mov eax, dword ptr [ebp+00000210h] 0x0000004c cmp cx, bx 0x0000004f add dword ptr [esp], ecx 0x00000052 call 00007F79C8CD8BEEh 0x00000057 test edx, ebx 0x00000059 mov esi, dword ptr [esp+04h] 0x0000005d mov eax, 020D0734h 0x00000062 xor eax, 97E8A2A4h 0x00000067 jmp 00007F79C8CDA5A9h 0x0000006c test dx, bx 0x0000006f xor eax, 66496E64h 0x00000074 sub eax, F3ACB6EFh 0x00000079 test ax, cx 0x0000007c test ax, ax 0x0000007f mov dword ptr [ebp+000001DCh], ebx 0x00000085 mov ebx, FD8668ABh 0x0000008a pushad 0x0000008b mov edx, 00000025h 0x00000090 rdtsc

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Code function: 0_2_021FCE12 rdtsc

0_2_021FCE12

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Code function: 0_2_021FCE12 rdtsc

0_2_021FCE12

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021FE347 mov eax, dword ptr fs:[00000030h]		0_2_021FE347
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 0_2_021F5521 mov eax, dword ptr fs:[00000030h]		0_2_021F5521

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: June-July_Commission_List_Summary-2021.exe, 00000000.00000002.757153981.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: June-July_Commission_List_Summary-2021.exe, 00000000.00000002.757153981.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: June-July_Commission_List_Summary-2021.exe, 00000000.00000002.757153981.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: June-July_Commission_List_Summary-2021.exe, 00000000.00000002.757153981.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
June-July_Commission_List_Summary-2021.exe	30%	Virustotal		Browse
June-July_Commission_List_Summary-2021.exe	17%	ReversingLabs	Win32.Trojan.Mucc
June-July_Commission_List_Summary-2021.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457757
Start date:	02.08.2021
Start time:	09:23:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	June-July_Commission_List_Summary-2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 59.2% (good quality ratio 33.3%) Quality average: 32.7% Quality standard deviation: 34.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.8708154897145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	June-July_Commission_List_Summary-2021.exe
File size:	471040
MD5:	bc6d6f6c55211e9ffc8972f330135da7
SHA1:	07b6f45608594b9ee812a9a95f80e51d644424c9
SHA256:	4326190ec077d66ad458337eed8a4f517cfd354247e921c4d01d9f50d9346e32
SHA512:	a7947412f8c4d063d8fc4618f806d3900df4a47cc042da6ebbc893f7399eb2be20361ca92c324b31f37ffb896c2b827ca161cf7d24d17ceda0c9a2a8db85afec
SSDEEP:	3072:W1bzponwO9HPBFRXBQnmCpy4eeF9d6tTbsYPYcF4v98C8OZW44PcpLg7SO32OGl0:W1bz+woHOmtmmTNYMSB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......S.....................@....................@................

File Icon


Icon Hash:	09090d0909040901

Static PE Info

General
Entrypoint:	0x4015bc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5317A394 [Wed Mar 5 22:22:12 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6a2215b83e94f57aa594370ef2448759

Entrypoint Preview

Instruction
push 004027A4h
call 00007F79C8D91655h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+6A214ED7h], al
shr dword ptr [ebp+48h], cl
mov dl, 49h
jo 00007F79C8D91684h
lds ebp, esi
lodsb
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
mov al, 8Fh
adc byte ptr [ebx], al
dec ebx
jne 00007F79C8D916CEh
insd
imul ebp, dword ptr [esi+65h], 666C6974h
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or al, 41h
in al, dx
out 9Dh, eax
sahf
or al, byte ptr [edi-4Dh]
cmpsd
adc dword ptr [edx-2Eh], edi
inc esi
wait
jbe 00007F79C8D91634h
or byte ptr [ecx+44C5F4EFh], ch
mov cl, F3h
xchg eax, ebx
nop
cmp byte ptr [ebx+eax*8], cl
mov byte ptr [33AD4F3Ah], al
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push esp
adc byte ptr [eax], al
add byte ptr [ebp+0000000Eh], al
or al, byte ptr [eax]
push ebx
popad
outsb
outsb
arpl word ptr [edi+61h], bp
xor eax, 05010D00h
add byte ptr [ecx+4Eh], al
push ebx
dec ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f954	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x41ae4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x16c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ee9c	0x2f000	False	0.605172664561	data	7.14012596914	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x30000	0x11e8	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x41ae4	0x42000	False	0.052353367661	data	2.16158172255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x320e8	0x417e8	data
RT_GROUP_ICON	0x738d0	0x14	data
RT_VERSION	0x738e4	0x200	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaBoolStr, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
ProductVersion	1.04
InternalName	Wivrejaygeesca9
FileVersion	1.04
OriginalFilename	Wivrejaygeesca9.exe
ProductName	Kulminetilf

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 5756 Parent PID: 5832

General

Start time:	09:24:23
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe'
Imagebase:	0x400000
File size:	471040 bytes
MD5 hash:	BC6D6F6C55211E9FFC8972F330135DA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 5756 Parent PID: 5832 June-July_Commission_List_Summary-2021.exeCOMMON

Executed Functions

Function 0042CD3C, Relevance: 286.6, APIs: 154, Strings: 9, Instructions: 1341
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042CD3C(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr* _v0;
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				short _v40;
				intOrPtr _v44;
				short _v48;
				void* _v56;
				void* _v60;
				signed int _v64;
				char _v68;
				void* _v72;
				signed int _v80;
				long long _v84;
				char _v88;
				signed int _v92;
				short _v100;
				char _v104;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v128;
				void* _v132;
				char _v136;
				char _v140;
				void* _v148;
				short _v168;
				void* _v172;
				signed int _v180;
				void* _v184;
				signed int _v188;
				void* _v200;
				long long _v216;
				signed int _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				intOrPtr _v240;
				signed int _v244;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v276;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				signed int _v308;
				char _v316;
				char _v332;
				char _v348;
				char _v364;
				void* _v368;
				signed int _v372;
				long long _v384;
				intOrPtr _v388;
				char _v392;
				signed int _v396;
				signed int _v400;
				void* _v404;
				signed int _v408;
				short _v412;
				signed int _v436;
				intOrPtr _v440;
				signed int* _v456;
				signed int _v460;
				signed int _v464;
				signed int* _v468;
				signed int _v472;
				signed int _v476;
				signed int* _v480;
				signed int _v484;
				signed int _v488;
				signed int* _v492;
				signed int _v496;
				signed int _v500;
				signed int* _v504;
				signed int _v508;
				signed int _v512;
				signed int* _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int* _v532;
				signed int _v536;
				signed int _v540;
				signed int* _v544;
				signed int _v548;
				signed int _v552;
				signed int* _v556;
				signed int _v560;
				signed int _v564;
				signed int* _v568;
				signed int _v572;
				signed int _v576;
				signed int* _v580;
				signed int _v584;
				signed int _v588;
				signed int* _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _t642;
				signed int _t647;
				signed int _t651;
				signed int _t655;
				signed int _t662;
				signed int _t668;
				signed int _t687;
				signed int _t689;
				signed int _t691;
				signed int _t695;
				signed int _t699;
				signed int _t701;
				intOrPtr* _t702;
				signed int _t703;
				signed int _t707;
				intOrPtr* _t708;
				signed int _t709;
				signed int _t711;
				intOrPtr* _t712;
				signed int _t713;
				signed int _t715;
				intOrPtr* _t716;
				signed int _t717;
				signed int _t719;
				intOrPtr* _t720;
				signed char _t721;
				signed int _t728;
				signed int _t733;
				signed int _t740;
				signed int _t744;
				signed int _t750;
				signed int _t755;
				signed int _t762;
				signed int _t772;
				signed int _t777;
				signed int _t784;
				signed int _t793;
				signed int _t798;
				signed int _t807;
				signed int _t812;
				signed int _t813;
				signed int _t821;
				signed int _t825;
				signed int _t831;
				signed int _t836;
				signed int _t843;
				signed int _t848;
				void* _t849;
				intOrPtr* _t851;
				void* _t852;
				signed int* _t863;
				intOrPtr _t895;
				void* _t940;
				void* _t950;
				void* _t951;
				void* _t952;
				signed int _t959;
				intOrPtr* _t960;
				signed int _t961;
				intOrPtr* _t962;
				signed int _t964;
				intOrPtr* _t965;
				signed int _t966;
				intOrPtr* _t967;
				signed int _t968;
				intOrPtr* _t969;
				void* _t970;
				void* _t971;
				void* _t973;
				intOrPtr _t974;
				void* _t976;
				intOrPtr _t977;
				signed int _t986;

				_t952 = __esi;
				_t950 = __edi;
				_t849 = __ebx;
				_t971 = _t973;
				_t974 = _t973 - 0x18;
				 *[fs:0x0] = _t974;
				L004013A0();
				_v28 = _t974;
				_v24 = 0x4011b8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t970);
				_v8 = 1;
				_v8 = 2;
				if( *0x43039c != 0) {
					_v456 = 0x43039c;
				} else {
					_push(0x43039c);
					_push(0x40398c);
					L00401592();
					_v456 = 0x43039c;
				}
				_v396 =  *_v456;
				_t642 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
				asm("fclex");
				_v400 = _t642;
				__eflags = _v400;
				if(_v400 >= 0) {
					_t26 =  &_v460;
					 *_t26 = _v460 & 0x00000000;
					__eflags =  *_t26;
				} else {
					_push(0x14);
					_push(0x40397c);
					_push(_v396);
					_push(_v400);
					L0040158C();
					_v460 = _t642;
				}
				_v404 = _v236;
				_t647 =  *((intOrPtr*)( *_v404 + 0x100))(_v404,  &_v372);
				asm("fclex");
				_v408 = _t647;
				__eflags = _v408;
				if(_v408 >= 0) {
					_t39 =  &_v464;
					 *_t39 = _v464 & 0x00000000;
					__eflags =  *_t39;
				} else {
					_push(0x100);
					_push(0x40399c);
					_push(_v404);
					_push(_v408);
					L0040158C();
					_v464 = _t647;
				}
				__eflags = _v372 - 0x400000;
				_v412 =  ~(0 | _v372 != 0x00400000);
				L00401586();
				_t651 = _v412;
				__eflags = _t651;
				if(_t651 != 0) {
					_v8 = 3;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v468 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v468 = 0x43039c;
					}
					_v396 =  *_v468;
					_t821 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t821;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t61 =  &_v472;
						 *_t61 = _v472 & 0x00000000;
						__eflags =  *_t61;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v472 = _t821;
					}
					_v404 = _v236;
					_t825 =  *((intOrPtr*)( *_v404 + 0x138))(_v404, L"SYLFIDENS", 1);
					asm("fclex");
					_v408 = _t825;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t73 =  &_v476;
						 *_t73 = _v476 & 0x00000000;
						__eflags =  *_t73;
					} else {
						_push(0x138);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v476 = _t825;
					}
					L00401586();
					_v8 = 4;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v480 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v480 = 0x43039c;
					}
					_v396 =  *_v480;
					_t831 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t831;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t90 =  &_v484;
						 *_t90 = _v484 & 0x00000000;
						__eflags =  *_t90;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v484 = _t831;
					}
					_v404 = _v236;
					_t836 =  *((intOrPtr*)( *_v404 + 0x140))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t836;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t103 =  &_v488;
						 *_t103 = _v488 & 0x00000000;
						__eflags =  *_t103;
					} else {
						_push(0x140);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v488 = _t836;
					}
					_v40 = _v368;
					L00401586();
					_v8 = 5;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v492 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v492 = 0x43039c;
					}
					_v396 =  *_v492;
					_t843 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t843;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t122 =  &_v496;
						 *_t122 = _v496 & 0x00000000;
						__eflags =  *_t122;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v496 = _t843;
					}
					_v404 = _v236;
					_t848 =  *((intOrPtr*)( *_v404 + 0x68))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t848;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t135 =  &_v500;
						 *_t135 = _v500 & 0x00000000;
						__eflags =  *_t135;
					} else {
						_push(0x68);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v500 = _t848;
					}
					_t651 = _v368;
					_v92 = _t651;
					L00401586();
					_v8 = 6;
					_push(L"Austrogaean3");
					L004014E4();
				}
				_v8 = 8;
				_push(0x403a84);
				_push(0x403a8c);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403a94);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403aa0);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403a84);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403a8c);
				L00401532();
				_v244 = _t651;
				_v252 = 8;
				_push( &_v252);
				_push( &_v268); // executed
				L004014D8(); // executed
				_v308 = 0xa;
				_v316 = 0x8002;
				_push( &_v268);
				_t655 =  &_v316;
				_push(_t655);
				L004014DE();
				_v396 = _t655;
				_push( &_v232);
				_push( &_v228);
				_push( &_v224);
				_push( &_v220);
				_push(4);
				L004014D2();
				_push( &_v268);
				_push( &_v252);
				_push(2);
				L00401562();
				_t976 = _t974 + 0x20;
				_t662 = _v396;
				__eflags = _t662;
				if(_t662 != 0) {
					_v8 = 9;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v504 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v504 = 0x43039c;
					}
					_v396 =  *_v504;
					_t793 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t793;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t176 =  &_v508;
						 *_t176 = _v508 & 0x00000000;
						__eflags =  *_t176;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v508 = _t793;
					}
					_v404 = _v236;
					_t798 =  *((intOrPtr*)( *_v404 + 0xf8))(_v404,  &_v220);
					asm("fclex");
					_v408 = _t798;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t189 =  &_v512;
						 *_t189 = _v512 & 0x00000000;
						__eflags =  *_t189;
					} else {
						_push(0xf8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v512 = _t798;
					}
					_v436 = _v220;
					_v220 = _v220 & 0x00000000;
					L00401598();
					L00401586();
					_v8 = 0xa;
					_push(1);
					_push(1);
					_push(1);
					_push( &_v252);
					L004014CC();
					_push( &_v252);
					L0040156E();
					L00401598();
					L00401550();
					_v8 = 0xb;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v516 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v516 = 0x43039c;
					}
					_v396 =  *_v516;
					_t807 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t807;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t217 =  &_v520;
						 *_t217 = _v520 & 0x00000000;
						__eflags =  *_t217;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v520 = _t807;
					}
					_v404 = _v236;
					_t812 =  *((intOrPtr*)( *_v404 + 0xf0))(_v404,  &_v220);
					asm("fclex");
					_v408 = _t812;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t230 =  &_v524;
						 *_t230 = _v524 & 0x00000000;
						__eflags =  *_t230;
					} else {
						_push(0xf0);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v524 = _t812;
					}
					_t813 = _v220;
					_v440 = _t813;
					_v220 = _v220 & 0x00000000;
					L00401598();
					L00401586();
					_v8 = 0xc;
					L004014C6();
					_t662 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t813);
					asm("fclex");
					_v396 = _t662;
					__eflags = _v396;
					if(_v396 >= 0) {
						_t248 =  &_v528;
						 *_t248 = _v528 & 0x00000000;
						__eflags =  *_t248;
					} else {
						_push(0x64);
						_push(0x4034b4);
						_push(_a4);
						_push(_v396);
						L0040158C();
						_v528 = _t662;
					}
				}
				_v8 = 0xe;
				E00403914();
				_v372 = _t662;
				L004014C0();
				__eflags = _v372 - 0x5cf000;
				if(_v372 == 0x5cf000) {
					_v8 = 0xf;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v532 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v532 = 0x43039c;
					}
					_v396 =  *_v532;
					_t772 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t772;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t267 =  &_v536;
						 *_t267 = _v536 & 0x00000000;
						__eflags =  *_t267;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v536 = _t772;
					}
					_v404 = _v236;
					_t777 =  *((intOrPtr*)( *_v404 + 0xb8))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t777;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t280 =  &_v540;
						 *_t280 = _v540 & 0x00000000;
						__eflags =  *_t280;
					} else {
						_push(0xb8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v540 = _t777;
					}
					_v48 = _v368;
					L00401586();
					_v8 = 0x10;
					L00401580();
					L00401598();
					_v8 = 0x11;
					L0040151A();
					_v8 = 0x12;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v544 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v544 = 0x43039c;
					}
					_v396 =  *_v544;
					_t784 =  *((intOrPtr*)( *_v396 + 0x1c))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t784;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t302 =  &_v548;
						 *_t302 = _v548 & 0x00000000;
						__eflags =  *_t302;
					} else {
						_push(0x1c);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v548 = _t784;
					}
					_v404 = _v236;
					_t662 =  *((intOrPtr*)( *_v404 + 0x50))(_v404);
					asm("fclex");
					_v408 = _t662;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t314 =  &_v552;
						 *_t314 = _v552 & 0x00000000;
						__eflags =  *_t314;
					} else {
						_push(0x50);
						_push(0x4039d4);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v552 = _t662;
					}
					L00401586();
				}
				_v8 = 0x14;
				_push(0x403aac);
				_push(0x403ab4);
				L00401532();
				L00401598();
				_push(_t662);
				L00401574();
				_push(_t662);
				L004014B4();
				L00401598();
				_push(_t662);
				_push(0x403abc);
				L004014BA();
				asm("sbb eax, eax");
				_v396 =  ~( ~( ~_t662));
				_push( &_v224);
				_push( &_v220);
				_push(2);
				L004014D2();
				_t977 = _t976 + 0xc;
				_t668 = _v396;
				__eflags = _t668;
				if(_t668 != 0) {
					_v8 = 0x15;
					L00401580();
					L00401598();
					_v8 = 0x16;
					_t327 =  &_v244;
					 *_t327 = _v244 & 0x00000000;
					__eflags =  *_t327;
					_v252 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v252);
					L004014F6();
					L00401598();
					L00401550();
					_v8 = 0x17;
					_v244 = 2;
					_v252 = 2;
					_t668 =  &_v252;
					_push(_t668);
					L004014AE();
					L00401598();
					L00401550();
					_v8 = 0x18;
					_v8 = 0x19;
					_push(0x7b);
					L004014A8();
					_v188 = _t668;
				}
				_v8 = 0x1b;
				E00403914();
				_v372 = _t668;
				L004014C0();
				__eflags = _v372 - 0x1f5459;
				if(_v372 == 0x1f5459) {
					_v8 = 0x1c;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v556 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v556 = 0x43039c;
					}
					_v396 =  *_v556;
					_t750 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t750;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t359 =  &_v560;
						 *_t359 = _v560 & 0x00000000;
						__eflags =  *_t359;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v560 = _t750;
					}
					_v404 = _v236;
					_t755 =  *((intOrPtr*)( *_v404 + 0xb8))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t755;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t372 =  &_v564;
						 *_t372 = _v564 & 0x00000000;
						__eflags =  *_t372;
					} else {
						_push(0xb8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v564 = _t755;
					}
					_v168 = _v368;
					L00401586();
					_v8 = 0x1d;
					L00401580();
					L00401598();
					_v8 = 0x1e;
					L0040151A();
					_v8 = 0x1f;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v568 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v568 = 0x43039c;
					}
					_v396 =  *_v568;
					_t762 =  *((intOrPtr*)( *_v396 + 0x1c))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t762;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t394 =  &_v572;
						 *_t394 = _v572 & 0x00000000;
						__eflags =  *_t394;
					} else {
						_push(0x1c);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v572 = _t762;
					}
					_v404 = _v236;
					_t668 =  *((intOrPtr*)( *_v404 + 0x50))(_v404);
					asm("fclex");
					_v408 = _t668;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t406 =  &_v576;
						 *_t406 = _v576 & 0x00000000;
						__eflags =  *_t406;
					} else {
						_push(0x50);
						_push(0x4039d4);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v576 = _t668;
					}
					L00401586();
				}
				_v8 = 0x21;
				E00403914();
				_v372 = _t668;
				L004014C0();
				__eflags = _v372 - 0x73da0a;
				if(_v372 == 0x73da0a) {
					_v8 = 0x22;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v580 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v580 = 0x43039c;
					}
					_v396 =  *_v580;
					_t728 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t728;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t426 =  &_v584;
						 *_t426 = _v584 & 0x00000000;
						__eflags =  *_t426;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v584 = _t728;
					}
					_v404 = _v236;
					_t733 =  *((intOrPtr*)( *_v404 + 0xb8))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t733;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t439 =  &_v588;
						 *_t439 = _v588 & 0x00000000;
						__eflags =  *_t439;
					} else {
						_push(0xb8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v588 = _t733;
					}
					_v100 = _v368;
					L00401586();
					_v8 = 0x23;
					L00401580();
					L00401598();
					_v8 = 0x24;
					L0040151A();
					_v8 = 0x25;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v592 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v592 = 0x43039c;
					}
					_v396 =  *_v592;
					_t740 =  *((intOrPtr*)( *_v396 + 0x1c))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t740;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t461 =  &_v596;
						 *_t461 = _v596 & 0x00000000;
						__eflags =  *_t461;
					} else {
						_push(0x1c);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v596 = _t740;
					}
					_v404 = _v236;
					_t744 =  *((intOrPtr*)( *_v404 + 0x50))(_v404);
					asm("fclex");
					_v408 = _t744;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t473 =  &_v600;
						 *_t473 = _v600 & 0x00000000;
						__eflags =  *_t473;
					} else {
						_push(0x50);
						_push(0x4039d4);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v600 = _t744;
					}
					L00401586();
				}
				_v8 = 0x27;
				_v384 =  *0x401320;
				L0040159E();
				_v372 = 0x7fcc0f;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0x518ef8,  &_v372,  &_v220, 0xb3a85e80, 0x5b05, 0x34a425, L"milksop",  &_v384, 0x14d42aa0, 0x5afb,  &_v392);
				_v116 = _v392;
				_v112 = _v388;
				L0040154A();
				_v8 = 0x28;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v384);
				_v84 = _v384;
				_v8 = 0x29;
				L0040159E();
				_v372 =  *0x401318;
				_t687 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v372, L"ABILDGRAAT",  &_v220, 0xd31c9e10, 0x5af7,  &_v384);
				_v396 = _t687;
				__eflags = _v396;
				if(_v396 >= 0) {
					_t513 =  &_v604;
					 *_t513 = _v604 & 0x00000000;
					__eflags =  *_t513;
				} else {
					_push(0x6fc);
					_push(0x4034e4);
					_push(_a4);
					_push(_v396);
					L0040158C();
					_v604 = _t687;
				}
				_v216 = _v384;
				_t863 =  &_v220;
				L0040154A();
				while(1) {
					_v8 = 0x2b;
					_t689 = _v128 + 1;
					__eflags = _t689;
					if(_t689 < 0) {
						break;
					}
					_v128 = _t689;
					_v8 = 0x2c;
					__eflags = _v128 - 0x16581;
					if(_v128 >= 0x16581) {
						_v8 = 0x2f;
						_t940 = _t971;
						 *((intOrPtr*)(_t940 + 0xbc)) = 0x40e116;
						_push(_t950);
						_push(_t952);
						_push(0);
						_push(4);
						_push(8);
						goto ( *((intOrPtr*)(_t940 + 0xbc)));
					}
				}
				L00401466();
				_push(_t971);
				_push(_t863);
				_push(_t863);
				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t977;
				_push(_t849);
				_push(_t952);
				_push(_t950);
				_v244 = _t977 - 0x9c;
				_v240 = 0x401340;
				_v256 = 0;
				_v260 = 0;
				_v264 = 0;
				_v276 = 0;
				_v284 = 0;
				_v288 = 0;
				_v292 = 0;
				_v296 = 0;
				_v300 = 0;
				_v316 = 0;
				_v332 = 0;
				_v348 = 0;
				_v364 = 0;
				_v368 = 0;
				L0040159E();
				_t691 =  &_v316;
				_push(_t691);
				_v308 = 0x3076;
				_v316 = 2;
				L00401460();
				asm("sbb esi, esi");
				L00401550();
				__eflags =  ~( ~0x00000000);
				if( ~( ~0x00000000) == 0) {
					_t851 = _v0;
					_t951 = 0x40397c;
					goto L157;
				} else {
					__eflags =  *0x43039c; // 0x227e9a4
					if(__eflags == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t964 =  *0x43039c; // 0x227e9a4
					_t711 =  *((intOrPtr*)( *_t964 + 0x14))(_t964,  &_v72);
					asm("fclex");
					__eflags = _t711;
					if(_t711 >= 0) {
						_t951 = 0x40397c;
					} else {
						_push(0x14);
						_t951 = 0x40397c;
						_push(0x40397c);
						_push(_t964);
						_push(_t711);
						L0040158C();
					}
					_t712 = _v72;
					_t965 = _t712;
					_t713 =  *((intOrPtr*)( *_t712 + 0xc0))(_t712,  &_v140);
					asm("fclex");
					__eflags = _t713;
					if(_t713 >= 0) {
						_t852 = 0x40399c;
					} else {
						_push(0xc0);
						_t852 = 0x40399c;
						_push(0x40399c);
						_push(_t965);
						_push(_t713);
						L0040158C();
					}
					L00401586();
					__eflags =  *0x43039c;
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t966 =  *0x43039c; // 0x227e9a4
					_t715 =  *((intOrPtr*)( *_t966 + 0x14))(_t966,  &_v72);
					asm("fclex");
					__eflags = _t715;
					if(_t715 < 0) {
						_push(0x14);
						_push(_t951);
						_push(_t966);
						_push(_t715);
						L0040158C();
					}
					_t716 = _v72;
					_t967 = _t716;
					_t717 =  *((intOrPtr*)( *_t716 + 0xe0))(_t716,  &_v64);
					asm("fclex");
					__eflags = _t717;
					if(_t717 < 0) {
						_push(0xe0);
						_push(_t852);
						_push(_t967);
						_push(_t717);
						L0040158C();
					}
					_v64 = _v64 & 0x00000000;
					L00401598();
					L00401586();
					__eflags =  *0x43039c;
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t968 =  *0x43039c; // 0x227e9a4
					_t719 =  *((intOrPtr*)( *_t968 + 0x14))(_t968,  &_v72);
					asm("fclex");
					__eflags = _t719;
					if(_t719 < 0) {
						_push(0x14);
						_push(_t951);
						_push(_t968);
						_push(_t719);
						L0040158C();
					}
					_t720 = _v72;
					_t969 = _t720;
					_t721 =  *((intOrPtr*)( *_t720 + 0x60))(_t720,  &_v64);
					asm("fclex");
					__eflags = _t721;
					if(_t721 < 0) {
						_push(0x60);
						_push(_t852);
						_push(_t969);
						_push(_t721);
						L0040158C();
					}
					_v64 = _v64 & 0x00000000;
					L00401598();
					L00401586();
					_t986 =  *0x401338;
					_t851 = _v0;
					_t895 =  *_t851;
					asm("fnstsw ax");
					__eflags = _t721 & 0x0000000d;
					if((_t721 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					} else {
						_v180 = _t986;
						_v476 = _v180;
						_t691 =  *((intOrPtr*)(_t895 + 0x84))(_t851, _t895);
						asm("fclex");
						__eflags = _t691;
						if(_t691 < 0) {
							_push(0x84);
							_push(0x4034b4);
							_push(_t851);
							_push(_t691);
							L0040158C();
						}
						L157:
						_push(0x403a84);
						_push(0x403a8c);
						L00401532();
						L00401598();
						_push(_t691);
						_push(L"-10-");
						L00401532();
						L00401598();
						_push(_t691);
						_push(0x403bb8);
						L00401532();
						_v80 = _t691;
						_push( &_v88);
						_push( &_v104);
						_v88 = 8;
						L004014D8();
						_push( &_v104);
						_t695 =  &_v136;
						_push(_t695);
						_v128 = 0xa;
						_v136 = 0x8002;
						L004014DE();
						_push( &_v68);
						_push( &_v64);
						_push(2);
						L004014D2();
						_push( &_v104);
						_t699 =  &_v88;
						_push(_t699);
						_push(2);
						L00401562();
						__eflags = _t695;
						if(_t695 != 0) {
							__eflags =  *0x43039c;
							if( *0x43039c == 0) {
								_push(0x43039c);
								_push(0x40398c);
								L00401592();
							}
							_t959 =  *0x43039c; // 0x227e9a4
							_t701 =  *((intOrPtr*)( *_t959 + 0x14))(_t959,  &_v72);
							asm("fclex");
							__eflags = _t701;
							if(_t701 < 0) {
								_push(0x14);
								_push(_t951);
								_push(_t959);
								_push(_t701);
								L0040158C();
							}
							_t702 = _v72;
							_t960 = _t702;
							_t703 =  *((intOrPtr*)( *_t702 + 0xf8))(_t702,  &_v64);
							asm("fclex");
							__eflags = _t703;
							if(_t703 < 0) {
								_push(0xf8);
								_push(0x40399c);
								_push(_t960);
								_push(_t703);
								L0040158C();
							}
							_v64 = _v64 & 0x00000000;
							L00401598();
							L00401586();
							_push(1);
							_push(1);
							_push(1);
							_push( &_v88);
							L004014CC();
							_push( &_v88);
							L0040156E();
							L00401598();
							L00401550();
							__eflags =  *0x43039c;
							if( *0x43039c == 0) {
								_push(0x43039c);
								_push(0x40398c);
								L00401592();
							}
							_t961 =  *0x43039c; // 0x227e9a4
							_t707 =  *((intOrPtr*)( *_t961 + 0x14))(_t961,  &_v72);
							asm("fclex");
							__eflags = _t707;
							if(_t707 < 0) {
								_push(0x14);
								_push(_t951);
								_push(_t961);
								_push(_t707);
								L0040158C();
							}
							_t708 = _v72;
							_t962 = _t708;
							_t709 =  *((intOrPtr*)( *_t708 + 0xf0))(_t708,  &_v64);
							asm("fclex");
							__eflags = _t709;
							if(_t709 < 0) {
								_push(0xf0);
								_push(0x40399c);
								_push(_t962);
								_push(_t709);
								L0040158C();
							}
							_v64 = _v64 & 0x00000000;
							L00401598();
							L00401586();
							L004014C6();
							_t699 =  *((intOrPtr*)( *_t851 + 0x64))(_t851, _t709);
							asm("fclex");
							__eflags = _t699;
							if(_t699 < 0) {
								_push(0x64);
								_push(0x4034b4);
								_push(_t851);
								_push(_t699);
								L0040158C();
							}
						}
						_v44 = 0xea8c9360;
						asm("wait");
						_v40 = 0x5b07;
						_push(0x42f320);
						L0040154A();
						L0040154A();
						L0040154A();
						L0040154A();
						L0040154A();
						L0040154A();
						return _t699;
					}
				}
			}

0x0042cd3c
0x0042cd3c
0x0042cd3c
0x0042cd3d
0x0042cd3f
0x0042cd4e
0x0042cd5a
0x0042cd62
0x0042cd65
0x0042cd72
0x0042cd7b
0x0042cd7e
0x0042cd8d
0x0042cd90
0x0042cd97
0x0042cda5
0x0042cdc2
0x0042cda7
0x0042cda7
0x0042cdac
0x0042cdb1
0x0042cdb6
0x0042cdb6
0x0042cdd4
0x0042cdef
0x0042cdf2
0x0042cdf4
0x0042cdfa
0x0042ce01
0x0042ce23
0x0042ce23
0x0042ce23
0x0042ce03
0x0042ce03
0x0042ce05
0x0042ce0a
0x0042ce10
0x0042ce16
0x0042ce1b
0x0042ce1b
0x0042ce30
0x0042ce4b
0x0042ce51
0x0042ce53
0x0042ce59
0x0042ce60
0x0042ce85
0x0042ce85
0x0042ce85
0x0042ce62
0x0042ce62
0x0042ce67
0x0042ce6c
0x0042ce72
0x0042ce78
0x0042ce7d
0x0042ce7d
0x0042ce8e
0x0042ce9d
0x0042ceaa
0x0042ceaf
0x0042ceb6
0x0042ceb8
0x0042cebe
0x0042cec5
0x0042cecc
0x0042cee9
0x0042cece
0x0042cece
0x0042ced3
0x0042ced8
0x0042cedd
0x0042cedd
0x0042cefb
0x0042cf16
0x0042cf19
0x0042cf1b
0x0042cf21
0x0042cf28
0x0042cf4a
0x0042cf4a
0x0042cf4a
0x0042cf2a
0x0042cf2a
0x0042cf2c
0x0042cf31
0x0042cf37
0x0042cf3d
0x0042cf42
0x0042cf42
0x0042cf57
0x0042cf72
0x0042cf78
0x0042cf7a
0x0042cf80
0x0042cf87
0x0042cfac
0x0042cfac
0x0042cfac
0x0042cf89
0x0042cf89
0x0042cf8e
0x0042cf93
0x0042cf99
0x0042cf9f
0x0042cfa4
0x0042cfa4
0x0042cfb9
0x0042cfbe
0x0042cfc5
0x0042cfcc
0x0042cfe9
0x0042cfce
0x0042cfce
0x0042cfd3
0x0042cfd8
0x0042cfdd
0x0042cfdd
0x0042cffb
0x0042d016
0x0042d019
0x0042d01b
0x0042d021
0x0042d028
0x0042d04a
0x0042d04a
0x0042d04a
0x0042d02a
0x0042d02a
0x0042d02c
0x0042d031
0x0042d037
0x0042d03d
0x0042d042
0x0042d042
0x0042d057
0x0042d072
0x0042d078
0x0042d07a
0x0042d080
0x0042d087
0x0042d0ac
0x0042d0ac
0x0042d0ac
0x0042d089
0x0042d089
0x0042d08e
0x0042d093
0x0042d099
0x0042d09f
0x0042d0a4
0x0042d0a4
0x0042d0ba
0x0042d0c4
0x0042d0c9
0x0042d0d0
0x0042d0d7
0x0042d0f4
0x0042d0d9
0x0042d0d9
0x0042d0de
0x0042d0e3
0x0042d0e8
0x0042d0e8
0x0042d106
0x0042d121
0x0042d124
0x0042d126
0x0042d12c
0x0042d133
0x0042d155
0x0042d155
0x0042d155
0x0042d135
0x0042d135
0x0042d137
0x0042d13c
0x0042d142
0x0042d148
0x0042d14d
0x0042d14d
0x0042d162
0x0042d17d
0x0042d180
0x0042d182
0x0042d188
0x0042d18f
0x0042d1b1
0x0042d1b1
0x0042d1b1
0x0042d191
0x0042d191
0x0042d193
0x0042d198
0x0042d19e
0x0042d1a4
0x0042d1a9
0x0042d1a9
0x0042d1b8
0x0042d1bf
0x0042d1c9
0x0042d1ce
0x0042d1d5
0x0042d1da
0x0042d1da
0x0042d1df
0x0042d1e6
0x0042d1eb
0x0042d1f0
0x0042d1fd
0x0042d202
0x0042d203
0x0042d208
0x0042d215
0x0042d21a
0x0042d21b
0x0042d220
0x0042d22d
0x0042d232
0x0042d233
0x0042d238
0x0042d245
0x0042d24a
0x0042d24b
0x0042d250
0x0042d255
0x0042d25b
0x0042d26b
0x0042d272
0x0042d273
0x0042d278
0x0042d282
0x0042d292
0x0042d293
0x0042d299
0x0042d29a
0x0042d29f
0x0042d2ac
0x0042d2b3
0x0042d2ba
0x0042d2c1
0x0042d2c2
0x0042d2c4
0x0042d2d2
0x0042d2d9
0x0042d2da
0x0042d2dc
0x0042d2e1
0x0042d2e4
0x0042d2eb
0x0042d2ed
0x0042d2f3
0x0042d2fa
0x0042d301
0x0042d31e
0x0042d303
0x0042d303
0x0042d308
0x0042d30d
0x0042d312
0x0042d312
0x0042d330
0x0042d34b
0x0042d34e
0x0042d350
0x0042d356
0x0042d35d
0x0042d37f
0x0042d37f
0x0042d37f
0x0042d35f
0x0042d35f
0x0042d361
0x0042d366
0x0042d36c
0x0042d372
0x0042d377
0x0042d377
0x0042d38c
0x0042d3a7
0x0042d3ad
0x0042d3af
0x0042d3b5
0x0042d3bc
0x0042d3e1
0x0042d3e1
0x0042d3e1
0x0042d3be
0x0042d3be
0x0042d3c3
0x0042d3c8
0x0042d3ce
0x0042d3d4
0x0042d3d9
0x0042d3d9
0x0042d3ee
0x0042d3f4
0x0042d404
0x0042d40f
0x0042d414
0x0042d41b
0x0042d41d
0x0042d41f
0x0042d427
0x0042d428
0x0042d433
0x0042d434
0x0042d43e
0x0042d449
0x0042d44e
0x0042d455
0x0042d45c
0x0042d479
0x0042d45e
0x0042d45e
0x0042d463
0x0042d468
0x0042d46d
0x0042d46d
0x0042d48b
0x0042d4a6
0x0042d4a9
0x0042d4ab
0x0042d4b1
0x0042d4b8
0x0042d4da
0x0042d4da
0x0042d4da
0x0042d4ba
0x0042d4ba
0x0042d4bc
0x0042d4c1
0x0042d4c7
0x0042d4cd
0x0042d4d2
0x0042d4d2
0x0042d4e7
0x0042d502
0x0042d508
0x0042d50a
0x0042d510
0x0042d517
0x0042d53c
0x0042d53c
0x0042d53c
0x0042d519
0x0042d519
0x0042d51e
0x0042d523
0x0042d529
0x0042d52f
0x0042d534
0x0042d534
0x0042d543
0x0042d549
0x0042d54f
0x0042d562
0x0042d56d
0x0042d572
0x0042d57f
0x0042d58d
0x0042d590
0x0042d592
0x0042d598
0x0042d59f
0x0042d5be
0x0042d5be
0x0042d5be
0x0042d5a1
0x0042d5a1
0x0042d5a3
0x0042d5a8
0x0042d5ab
0x0042d5b1
0x0042d5b6
0x0042d5b6
0x0042d59f
0x0042d5c5
0x0042d5cc
0x0042d5d1
0x0042d5d7
0x0042d5dc
0x0042d5e6
0x0042d5ec
0x0042d5f3
0x0042d5fa
0x0042d617
0x0042d5fc
0x0042d5fc
0x0042d601
0x0042d606
0x0042d60b
0x0042d60b
0x0042d629
0x0042d644
0x0042d647
0x0042d649
0x0042d64f
0x0042d656
0x0042d678
0x0042d678
0x0042d678
0x0042d658
0x0042d658
0x0042d65a
0x0042d65f
0x0042d665
0x0042d66b
0x0042d670
0x0042d670
0x0042d685
0x0042d6a0
0x0042d6a6
0x0042d6a8
0x0042d6ae
0x0042d6b5
0x0042d6da
0x0042d6da
0x0042d6da
0x0042d6b7
0x0042d6b7
0x0042d6bc
0x0042d6c1
0x0042d6c7
0x0042d6cd
0x0042d6d2
0x0042d6d2
0x0042d6e8
0x0042d6f2
0x0042d6f7
0x0042d6fe
0x0042d70b
0x0042d710
0x0042d717
0x0042d71c
0x0042d723
0x0042d72a
0x0042d747
0x0042d72c
0x0042d72c
0x0042d731
0x0042d736
0x0042d73b
0x0042d73b
0x0042d759
0x0042d774
0x0042d777
0x0042d779
0x0042d77f
0x0042d786
0x0042d7a8
0x0042d7a8
0x0042d7a8
0x0042d788
0x0042d788
0x0042d78a
0x0042d78f
0x0042d795
0x0042d79b
0x0042d7a0
0x0042d7a0
0x0042d7b5
0x0042d7c9
0x0042d7cc
0x0042d7ce
0x0042d7d4
0x0042d7db
0x0042d7fd
0x0042d7fd
0x0042d7fd
0x0042d7dd
0x0042d7dd
0x0042d7df
0x0042d7e4
0x0042d7ea
0x0042d7f0
0x0042d7f5
0x0042d7f5
0x0042d80a
0x0042d80a
0x0042d80f
0x0042d816
0x0042d81b
0x0042d820
0x0042d82d
0x0042d832
0x0042d833
0x0042d838
0x0042d839
0x0042d846
0x0042d84b
0x0042d84c
0x0042d851
0x0042d858
0x0042d85e
0x0042d86b
0x0042d872
0x0042d873
0x0042d875
0x0042d87a
0x0042d87d
0x0042d884
0x0042d886
0x0042d88c
0x0042d893
0x0042d89d
0x0042d8a2
0x0042d8a9
0x0042d8a9
0x0042d8a9
0x0042d8b0
0x0042d8ba
0x0042d8bc
0x0042d8be
0x0042d8c0
0x0042d8c8
0x0042d8c9
0x0042d8d3
0x0042d8de
0x0042d8e3
0x0042d8ea
0x0042d8f4
0x0042d8fe
0x0042d904
0x0042d905
0x0042d90f
0x0042d91a
0x0042d91f
0x0042d926
0x0042d92d
0x0042d92f
0x0042d934
0x0042d934
0x0042d93a
0x0042d941
0x0042d946
0x0042d94c
0x0042d951
0x0042d95b
0x0042d961
0x0042d968
0x0042d96f
0x0042d98c
0x0042d971
0x0042d971
0x0042d976
0x0042d97b
0x0042d980
0x0042d980
0x0042d99e
0x0042d9b9
0x0042d9bc
0x0042d9be
0x0042d9c4
0x0042d9cb
0x0042d9ed
0x0042d9ed
0x0042d9ed
0x0042d9cd
0x0042d9cd
0x0042d9cf
0x0042d9d4
0x0042d9da
0x0042d9e0
0x0042d9e5
0x0042d9e5
0x0042d9fa
0x0042da15
0x0042da1b
0x0042da1d
0x0042da23
0x0042da2a
0x0042da4f
0x0042da4f
0x0042da4f
0x0042da2c
0x0042da2c
0x0042da31
0x0042da36
0x0042da3c
0x0042da42
0x0042da47
0x0042da47
0x0042da5d
0x0042da6a
0x0042da6f
0x0042da76
0x0042da80
0x0042da85
0x0042da8c
0x0042da91
0x0042da98
0x0042da9f
0x0042dabc
0x0042daa1
0x0042daa1
0x0042daa6
0x0042daab
0x0042dab0
0x0042dab0
0x0042dace
0x0042dae9
0x0042daec
0x0042daee
0x0042daf4
0x0042dafb
0x0042db1d
0x0042db1d
0x0042db1d
0x0042dafd
0x0042dafd
0x0042daff
0x0042db04
0x0042db0a
0x0042db10
0x0042db15
0x0042db15
0x0042db2a
0x0042db3e
0x0042db41
0x0042db43
0x0042db49
0x0042db50
0x0042db72
0x0042db72
0x0042db72
0x0042db52
0x0042db52
0x0042db54
0x0042db59
0x0042db5f
0x0042db65
0x0042db6a
0x0042db6a
0x0042db7f
0x0042db7f
0x0042db84
0x0042db8b
0x0042db90
0x0042db96
0x0042db9b
0x0042dba5
0x0042dbab
0x0042dbb2
0x0042dbb9
0x0042dbd6
0x0042dbbb
0x0042dbbb
0x0042dbc0
0x0042dbc5
0x0042dbca
0x0042dbca
0x0042dbe8
0x0042dc03
0x0042dc06
0x0042dc08
0x0042dc0e
0x0042dc15
0x0042dc37
0x0042dc37
0x0042dc37
0x0042dc17
0x0042dc17
0x0042dc19
0x0042dc1e
0x0042dc24
0x0042dc2a
0x0042dc2f
0x0042dc2f
0x0042dc44
0x0042dc5f
0x0042dc65
0x0042dc67
0x0042dc6d
0x0042dc74
0x0042dc99
0x0042dc99
0x0042dc99
0x0042dc76
0x0042dc76
0x0042dc7b
0x0042dc80
0x0042dc86
0x0042dc8c
0x0042dc91
0x0042dc91
0x0042dca7
0x0042dcb1
0x0042dcb6
0x0042dcbd
0x0042dcca
0x0042dccf
0x0042dcd6
0x0042dcdb
0x0042dce2
0x0042dce9
0x0042dd06
0x0042dceb
0x0042dceb
0x0042dcf0
0x0042dcf5
0x0042dcfa
0x0042dcfa
0x0042dd18
0x0042dd33
0x0042dd36
0x0042dd38
0x0042dd3e
0x0042dd45
0x0042dd67
0x0042dd67
0x0042dd67
0x0042dd47
0x0042dd47
0x0042dd49
0x0042dd4e
0x0042dd54
0x0042dd5a
0x0042dd5f
0x0042dd5f
0x0042dd74
0x0042dd88
0x0042dd8b
0x0042dd8d
0x0042dd93
0x0042dd9a
0x0042ddbc
0x0042ddbc
0x0042ddbc
0x0042dd9c
0x0042dd9c
0x0042dd9e
0x0042dda3
0x0042dda9
0x0042ddaf
0x0042ddb4
0x0042ddb4
0x0042ddc9
0x0042ddc9
0x0042ddce
0x0042dddb
0x0042ddec
0x0042ddf1
0x0042de42
0x0042de4e
0x0042de57
0x0042de60
0x0042de65
0x0042de7b
0x0042de87
0x0042de8a
0x0042de9c
0x0042dea7
0x0042ded9
0x0042dedf
0x0042dee5
0x0042deec
0x0042df0e
0x0042df0e
0x0042df0e
0x0042deee
0x0042deee
0x0042def3
0x0042def8
0x0042defb
0x0042df01
0x0042df06
0x0042df06
0x0042df1b
0x0042df21
0x0042df27
0x0042df2c
0x0042df2c
0x0042df36
0x0042df36
0x0042df39
0x00000000
0x00000000
0x0042df3f
0x0042df42
0x0042df49
0x0042df50
0x0042df54
0x0042df5b
0x0042df5d
0x0042df67
0x0042df68
0x0042df69
0x0042df6b
0x0042df6d
0x0042df6f
0x0042df6f
0x0042df52
0x0042ee82
0x0042ee87
0x0042ee8a
0x0042ee8b
0x0042ee8c
0x0042ee97
0x0042ee98
0x0042eea5
0x0042eea6
0x0042eea7
0x0042eea8
0x0042eeab
0x0042eeba
0x0042eebd
0x0042eec0
0x0042eec3
0x0042eec6
0x0042eec9
0x0042eecc
0x0042eecf
0x0042eed2
0x0042eed5
0x0042eed8
0x0042eedb
0x0042eede
0x0042eee1
0x0042eee7
0x0042eeec
0x0042eeef
0x0042eef0
0x0042eef7
0x0042eefe
0x0042ef0e
0x0042ef14
0x0042ef19
0x0042ef1c
0x0042f0c8
0x0042f0cb
0x00000000
0x0042ef22
0x0042ef22
0x0042ef28
0x0042ef2a
0x0042ef2f
0x0042ef34
0x0042ef34
0x0042ef39
0x0042ef46
0x0042ef49
0x0042ef4b
0x0042ef4d
0x0042ef60
0x0042ef4f
0x0042ef4f
0x0042ef51
0x0042ef56
0x0042ef57
0x0042ef58
0x0042ef59
0x0042ef59
0x0042ef65
0x0042ef72
0x0042ef74
0x0042ef7a
0x0042ef7c
0x0042ef7e
0x0042ef94
0x0042ef80
0x0042ef80
0x0042ef85
0x0042ef8a
0x0042ef8b
0x0042ef8c
0x0042ef8d
0x0042ef8d
0x0042ef9c
0x0042efa1
0x0042efa8
0x0042efaa
0x0042efaf
0x0042efb4
0x0042efb4
0x0042efb9
0x0042efc6
0x0042efc9
0x0042efcb
0x0042efcd
0x0042efcf
0x0042efd1
0x0042efd2
0x0042efd3
0x0042efd4
0x0042efd4
0x0042efd9
0x0042efe3
0x0042efe5
0x0042efeb
0x0042efed
0x0042efef
0x0042eff1
0x0042eff6
0x0042eff7
0x0042eff8
0x0042eff9
0x0042eff9
0x0042f001
0x0042f008
0x0042f010
0x0042f015
0x0042f01c
0x0042f01e
0x0042f023
0x0042f028
0x0042f028
0x0042f02d
0x0042f03a
0x0042f03d
0x0042f03f
0x0042f041
0x0042f043
0x0042f045
0x0042f046
0x0042f047
0x0042f048
0x0042f048
0x0042f04d
0x0042f057
0x0042f059
0x0042f05c
0x0042f05e
0x0042f060
0x0042f062
0x0042f064
0x0042f065
0x0042f066
0x0042f067
0x0042f067
0x0042f06f
0x0042f076
0x0042f07e
0x0042f083
0x0042f089
0x0042f08c
0x0042f08e
0x0042f090
0x0042f092
0x004013ac
0x0042f098
0x0042f098
0x0042f0a5
0x0042f0a9
0x0042f0af
0x0042f0b1
0x0042f0b3
0x0042f0b5
0x0042f0ba
0x0042f0bf
0x0042f0c0
0x0042f0c1
0x0042f0c1
0x0042f0d0
0x0042f0d0
0x0042f0d5
0x0042f0da
0x0042f0e4
0x0042f0e9
0x0042f0ea
0x0042f0ef
0x0042f0f9
0x0042f0fe
0x0042f0ff
0x0042f104
0x0042f109
0x0042f10f
0x0042f113
0x0042f114
0x0042f11b
0x0042f123
0x0042f124
0x0042f127
0x0042f128
0x0042f12f
0x0042f136
0x0042f141
0x0042f145
0x0042f146
0x0042f148
0x0042f150
0x0042f151
0x0042f154
0x0042f155
0x0042f157
0x0042f15f
0x0042f162
0x0042f168
0x0042f16f
0x0042f171
0x0042f176
0x0042f17b
0x0042f17b
0x0042f180
0x0042f18d
0x0042f190
0x0042f192
0x0042f194
0x0042f196
0x0042f198
0x0042f199
0x0042f19a
0x0042f19b
0x0042f19b
0x0042f1a0
0x0042f1aa
0x0042f1ac
0x0042f1b2
0x0042f1b4
0x0042f1b6
0x0042f1b8
0x0042f1bd
0x0042f1c2
0x0042f1c3
0x0042f1c4
0x0042f1c4
0x0042f1cc
0x0042f1d3
0x0042f1db
0x0042f1e0
0x0042f1e2
0x0042f1e4
0x0042f1e9
0x0042f1ea
0x0042f1f2
0x0042f1f3
0x0042f1fd
0x0042f205
0x0042f20a
0x0042f211
0x0042f213
0x0042f218
0x0042f21d
0x0042f21d
0x0042f222
0x0042f22f
0x0042f232
0x0042f234
0x0042f236
0x0042f238
0x0042f23a
0x0042f23b
0x0042f23c
0x0042f23d
0x0042f23d
0x0042f242
0x0042f24c
0x0042f24e
0x0042f254
0x0042f256
0x0042f258
0x0042f25a
0x0042f25f
0x0042f264
0x0042f265
0x0042f266
0x0042f266
0x0042f26e
0x0042f275
0x0042f27d
0x0042f28a
0x0042f291
0x0042f294
0x0042f296
0x0042f298
0x0042f29a
0x0042f29c
0x0042f2a1
0x0042f2a2
0x0042f2a3
0x0042f2a3
0x0042f298
0x0042f2a8
0x0042f2af
0x0042f2b0
0x0042f2b7
0x0042f2f2
0x0042f2fa
0x0042f302
0x0042f30a
0x0042f312
0x0042f31a
0x0042f31f
0x0042f31f
0x0042f092

APIs

__vbaChkstk.MSVBVM60(?,004013A6), ref: 0042CD5A
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?,004013A6), ref: 0042CDB1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042CE16
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000100), ref: 0042CE78
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000100), ref: 0042CEAA
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042CED8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042CF3D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042CF9F
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042CFB9
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042CFD8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D03D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000140), ref: 0042D09F
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000140), ref: 0042D0C4
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D0E3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D148
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000068), ref: 0042D1A4
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000068), ref: 0042D1C9
#531.MSVBVM60(Austrogaean3), ref: 0042D1DA
__vbaStrCat.MSVBVM60(00403A8C,00403A84), ref: 0042D1F0
__vbaStrMove.MSVBVM60(00403A8C,00403A84), ref: 0042D1FD
__vbaStrCat.MSVBVM60(00403A94,00000000,00403A8C,00403A84), ref: 0042D208
__vbaStrMove.MSVBVM60(00403A94,00000000,00403A8C,00403A84), ref: 0042D215
__vbaStrCat.MSVBVM60(00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D220
__vbaStrMove.MSVBVM60(00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D22D
__vbaStrCat.MSVBVM60(00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D238
__vbaStrMove.MSVBVM60(00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D245
__vbaStrCat.MSVBVM60(00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D250
#542.MSVBVM60(?,00000008,00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D273
__vbaVarTstNe.MSVBVM60(00008002,?,?,00000008,00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D29A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,00000008,00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94), ref: 0042D2C4
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,004013A6), ref: 0042D2DC
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?,?,?,?,004013A6), ref: 0042D30D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D372
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042D3D4
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042D404
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042D40F
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042D428
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042D434
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042D43E
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042D449
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,00000001,00000001,00000001), ref: 0042D468
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D4CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D52F
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D562
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D56D
__vbaFpI4.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D57F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004034B4,00000064), ref: 0042D5B1
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,004013A6), ref: 0042D5D7
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D606
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D66B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D6CD
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D6F2
#611.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D6FE
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D70B
#598.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D717
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D736
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,0000001C), ref: 0042D79B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042D7F0
__vbaFreeObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042D80A
__vbaStrCat.MSVBVM60(00403AB4,00403AAC), ref: 0042D820
__vbaStrMove.MSVBVM60(00403AB4,00403AAC), ref: 0042D82D
__vbaI4Str.MSVBVM60(00000000,00403AB4,00403AAC), ref: 0042D833
#537.MSVBVM60(00000000,00000000,00403AB4,00403AAC), ref: 0042D839
__vbaStrMove.MSVBVM60(00000000,00000000,00403AB4,00403AAC), ref: 0042D846
__vbaStrCmp.MSVBVM60(00403ABC,00000000,00000000,00000000,00403AB4,00403AAC), ref: 0042D851
__vbaFreeStrList.MSVBVM60(00000002,?,?,00403ABC,00000000,00000000,00000000,00403AB4,00403AAC), ref: 0042D875
#611.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013A6), ref: 0042D893
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013A6), ref: 0042D89D
#704.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D8C9
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D8D3
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D8DE
#536.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D905
__vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D90F
__vbaFreeVar.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D91A
#570.MSVBVM60(0000007B,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D92F
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013A6), ref: 0042D94C
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D97B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D9E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA42
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA6A
#611.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA76
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA80
#598.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA8C
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042DAAB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,0000001C), ref: 0042DB10
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DB65
__vbaFreeObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DB7F
__vbaSetSystemError.MSVBVM60 ref: 0042DB96
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042DBC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042DC2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DC8C
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCB1
#611.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCBD
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCCA
#598.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCD6
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042DCF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,0000001C), ref: 0042DD5A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DDAF
__vbaFreeObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DDC9
__vbaStrCopy.MSVBVM60 ref: 0042DDEC
__vbaFreeStr.MSVBVM60 ref: 0042DE60
__vbaStrCopy.MSVBVM60 ref: 0042DE9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004034E4,000006FC), ref: 0042DF01
__vbaFreeStr.MSVBVM60(00000000,?,004034E4,000006FC), ref: 0042DF27

Strings

ABILDGRAAT, xrefs: 0042DEC5
/, xrefs: 0042DF54
-10-, xrefs: 0042F0EA
elektronikeren, xrefs: 0042DDE1
Hvalrostand, xrefs: 0042DE91
SYLFIDENS, xrefs: 0042CF5F
v0, xrefs: 0042EEF0
milksop, xrefs: 0042DE13
Austrogaean3, xrefs: 0042D1D5

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$Move$New2$#611$#598ErrorListSystem$Copy$#531#536#537#539#542#570#704Chkstk
String ID: -10-$/$ABILDGRAAT$Austrogaean3$Hvalrostand$SYLFIDENS$elektronikeren$milksop$v0
API String ID: 3053149553-1130596020
Opcode ID: 9681fa0cc00db675b47a266f6b558bb7180c7ba768c7ae03e7f2cdcf5c8ec85b
Instruction ID: 9573f704782a9446ba78c8fb62b04fb03fadd54eb05aabf694fabb64ab2e83d7
Opcode Fuzzy Hash: 9681fa0cc00db675b47a266f6b558bb7180c7ba768c7ae03e7f2cdcf5c8ec85b
Instruction Fuzzy Hash: E3D20B70900228AFDB20EF51CC45BDDBBB4BF08305F5085EAE50ABB1A1DB785A85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004015BC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 73%

			_entry_() {
				signed char _t53;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				signed char _t58;
				signed char _t59;
				signed int _t61;
				signed char _t62;
				void* _t67;
				signed char _t68;
				signed char _t73;
				void* _t75;
				intOrPtr* _t76;
				void* _t77;
				intOrPtr* _t78;
				void* _t79;
				void* _t83;

				_push("VB5!6&*"); // executed
				L004015B6(); // executed
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 ^ _t53;
				 *_t53 =  *_t53 + _t53;
				_t54 = _t53 + 1;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *((intOrPtr*)(_t75 + 0x6a214ed7)) =  *((intOrPtr*)(_t75 + 0x6a214ed7)) + _t54;
				_t3 = _t79 + 0x48;
				 *_t3 =  *(_t79 + 0x48) >> _t68;
				if( *_t3 < 0) {
					_t68 = _t68 + 1;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					_t61 = _t61 + _t61;
					asm("int3");
					 *_t54 =  *_t54 ^ _t54;
					asm("in al, dx");
					asm("out 0x9d, eax");
					asm("sahf");
					_t54 = _t54 | 0x00000041 |  *(_t75 - 0x4d);
					asm("cmpsd");
					asm("adc [edx-0x2e], edi");
					_t78 = _t78 + 1;
					asm("wait");
					if(_t78 <= 0) {
						L2:
						asm("invalid");
						_t68 = _t68 +  *((intOrPtr*)(_t61 + 0x75));
						asm("insb");
					}
					 *(_t68 + 0x44c5f4ef) =  *(_t68 + 0x44c5f4ef) | _t68;
					_t56 = _t61;
					_t62 = _t54;
					 *0x33ad4f3a = _t56;
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					_push(_t83);
					asm("adc [eax], al");
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *0x49 =  *0x49 + 0xf3;
					 *((intOrPtr*)(_t62 + 0x61)) =  *((intOrPtr*)(_t62 + 0x61)) + 0x49;
					asm("outsb");
					asm("a16 gs outsb");
					asm("arpl [edi+0x61], bp");
					_t57 = _t56 ^ 0x05010d00;
					 *0x00000141 =  *((intOrPtr*)(0x141)) + _t57;
					_push(_t62);
					_t76 = _t75 + 1;
					 *0x000000F2 =  *0x000000F2 + _t62;
					 *_t57 =  *_t57 + _t57;
					 *0x0000004A =  *((intOrPtr*)(0x4a)) + _t57;
					 *_t62 =  *_t62 + _t83;
					 *_t57 =  *_t57 + _t57;
					asm("insb");
					if ( *_t57 == 0) goto L7;
					 *_t78 =  *_t78 + 0x4a;
					 *_t57 =  *_t57 + _t57;
					 *_t57 =  *_t57 + _t57;
					 *_t57 =  *_t57 + _t57;
					_t58 = _t57 +  *_t57;
					 *_t58 =  *_t58 & _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 | _t58;
					 *_t58 =  *_t58 + _t58;
					 *[es:eax] =  *[es:eax] + _t58;
					 *_t58 =  *_t58 + 0x4a;
					asm("adc [eax], al");
					 *0x000000F2 =  *0x000000F2 + _t58;
					 *_t58 = 0xf2 +  *_t58;
					 *((intOrPtr*)(_t58 + 5)) =  *((intOrPtr*)(_t58 + 5)) + 0xf2;
					 *_t58 =  *_t58 + _t58;
					asm("into");
					 *_t58 =  *_t58 | _t58;
					 *_t58 = 0xf2 +  *_t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 | _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *((char*)(_t58 + _t58)) =  *((char*)(_t58 + _t58));
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *0x000000F2 =  *0x000000F2 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58;
					 *_t58 =  *_t58;
					 *((intOrPtr*)(_t58 + 0x800080)) =  *((intOrPtr*)(_t58 + 0x800080)) + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + 0x80;
					 *((intOrPtr*)(_t58 - 0x3fffff80)) =  *((intOrPtr*)(_t58 - 0x3fffff80)) + _t58;
					asm("rol al, 0x0");
					 *((char*)(_t58 + 0x80)) =  *((char*)(_t58 + 0x80)) + 0xff;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + 1;
					 *_t58 =  *_t58 + _t58;
					asm("invalid");
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + 1;
					_t67 = _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62;
					asm("invalid");
					 *0x000000F2 = 0xf2 +  *0x000000F2;
					 *0x000000F2 =  *0x000000F2 | 0xf2;
					 *((intOrPtr*)(0x4a)) =  *((intOrPtr*)(0x4a)) + 0x4a;
					asm("adc dl, [edx]");
					 *_t76 =  *_t76 + _t67;
					ds = cs;
					ds = cs;
					 *((intOrPtr*)(_t83 + _t79)) =  *((intOrPtr*)(_t83 + _t79)) + 0xf2;
					_t59 = _t58;
					 *0x0000009C =  *((intOrPtr*)(0x9c)) + 0x4a;
					_push(0x4a);
					 *((intOrPtr*)(_t76 + 0x5f)) =  *((intOrPtr*)(_t76 + 0x5f)) + _t67;
					_pop(_t77);
					 *((intOrPtr*)(_t83 + 0x6c + (_t79 + 3) * 2)) =  *((intOrPtr*)(_t83 + 0x6c + (_t79 + 3) * 2)) + 0xf2;
					_t43 = _t59 + 0x78;
					 *_t43 =  *((intOrPtr*)(_t59 + 0x78)) + _t67;
					if ( *_t43 < 0) goto L8;
					_t73 = _t59;
					 *((intOrPtr*)(_t77 - 0x54ff6061)) =  *((intOrPtr*)(_t77 - 0x54ff6061)) + _t67;
					asm("stosd");
					L9:
					asm("stosd");
					 *0xFFFFFFFFC500B902 =  *((intOrPtr*)(0xffffffffc500b902)) + _t67;
					asm("invalid");
					asm("rcl dl, cl");
					_t73 = _t73 + _t73 + _t67;
					asm("invalid");
					_t67 = _t67 + 0xf2;
					goto L9;
				}
				asm("invalid");
				asm("lodsb");
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				_t54 = 0x8f;
				goto L2;
			}

0x004015bc
0x004015c1
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015dd
0x004015dd
0x004015e2
0x00401606
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160e
0x00401612
0x00401613
0x00401615
0x00401617
0x0040161a
0x0040161b
0x0040161e
0x0040161f
0x00401621
0x004015f5
0x004015f5
0x004015f7
0x004015fa
0x004015fa
0x00401623
0x0040162b
0x0040162b
0x00401630
0x00401635
0x00401636
0x00401638
0x0040163e
0x0040163f
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401666
0x00401667
0x0040166b
0x0040166d
0x0040166f
0x00401672
0x00401673
0x00401676
0x00401679
0x0040167e
0x00401681
0x00401683
0x00401684
0x00401686
0x00401689
0x0040168b
0x0040168f
0x00401691
0x00401692
0x00401694
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a9
0x004016ab
0x004016ae
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b9
0x004016bb
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016f0
0x004016f3
0x004016f9
0x004016fb
0x004016fe
0x00401704
0x00401707
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401718
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401731
0x00401732
0x00401735
0x0040173e
0x00401741
0x00401742
0x00401745
0x00401746
0x0040174a
0x0040174a
0x0040174d
0x00401755
0x00401756
0x0040175c
0x0040175d
0x0040175d
0x0040175e
0x00401764
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00000000
0x0040176e
0x004015e4
0x004015e7
0x004015e8
0x004015ea
0x004015ec
0x004015ee
0x004015f0
0x004015f2
0x004015f4
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015C1

Strings

VB5!6&*, xrefs: 004015BC

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1d0d04d0404642e5ff7a44ced5c493b44ba8de2fce4c898ac3752dbd1a3b9abe
Instruction ID: 2a5778685384b7196082f20862d814ddbea10ece043f128a3edb852ac32da917
Opcode Fuzzy Hash: 1d0d04d0404642e5ff7a44ced5c493b44ba8de2fce4c898ac3752dbd1a3b9abe
Instruction Fuzzy Hash: B25142A144E7C15FC3035BB49C652957FB0AE23228B1E06EBC5C0CF0F3E269095AD722

Uniqueness

Uniqueness Score: -1.00%

Function 00403914, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

@8@, xrefs: 0040391F

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @8@
API String ID: 0-4002982329
Opcode ID: 4b20f67c5f4853ad92112b5fae9707a4f70cbce8bab6a7839320699f00142512
Instruction ID: 7d94ae4bf9e6686b0e62ca8903539ad8ded7d6b7987f5f131a15180056ff973c
Opcode Fuzzy Hash: 4b20f67c5f4853ad92112b5fae9707a4f70cbce8bab6a7839320699f00142512
Instruction Fuzzy Hash: 87B012103942459FD2105B584C0252126D4E3807813604E33F441F21F0CB78CF00413D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021F5521, Relevance: 1.8, Strings: 1, Instructions: 574COMMON

Download Yara Rule

Strings

3rWA, xrefs: 021F5B33

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: 3rWA
API String ID: 0-1619955448
Opcode ID: 6a7cf78fc3a4938e477288c00e78d1c57433fe5689651e7d6bcfd2a51dbda6e1
Instruction ID: 7c8e8b2de2bbcc1cb5e138958ccff4073ce135e72f200498f1238bb60dcd2fb9
Opcode Fuzzy Hash: 6a7cf78fc3a4938e477288c00e78d1c57433fe5689651e7d6bcfd2a51dbda6e1
Instruction Fuzzy Hash: 5822227174478A9FDB34CF28CC94BDA77E2BF89350F95812ADC988B245D7319946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 021F5574, Relevance: 1.7, Strings: 1, Instructions: 456COMMON

Download Yara Rule

Strings

3rWA, xrefs: 021F5B33

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: 3rWA
API String ID: 0-1619955448
Opcode ID: f58dda7b902fe1395e0ad6fb252c539dfb39d19ad9a11ad9dcdff15be0461af5
Instruction ID: c6d0c2bec3054eaa3233315ce4ca230d76c69b0a55fa041a77eccb61185d638a
Opcode Fuzzy Hash: f58dda7b902fe1395e0ad6fb252c539dfb39d19ad9a11ad9dcdff15be0461af5
Instruction Fuzzy Hash: FBE1597264424AAFDB74CE28DC90BFB77B6FF85750F84812ADD598B700D73199428B90

Uniqueness

Uniqueness Score: -1.00%

Function 021F59CC, Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

3rWA, xrefs: 021F5B33

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: 3rWA
API String ID: 0-1619955448
Opcode ID: dbeef93592da752cc6b40137ecd6144b9cd381b9c567ab13d2f69fc2805bd344
Instruction ID: 4d7ceae1cdd9267536987a7bb55ca6ee4372133c8aa2021f5870398f4237a9f3
Opcode Fuzzy Hash: dbeef93592da752cc6b40137ecd6144b9cd381b9c567ab13d2f69fc2805bd344
Instruction Fuzzy Hash: 0391693664025AAFCB648E289C90BF777BAFF86754F448017DDAA8B700D7319C5686E0

Uniqueness

Uniqueness Score: -1.00%

Function 021FE347, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

BW/, xrefs: 021FE39B, 021FE3AB

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID: BW/
API String ID: 0-107654674
Opcode ID: f6504f954e9aae13ed21c41ce24aee47f9f04d8def36fdaeb76af0bbe6c18fd8
Instruction ID: fb45a1b8811cd3cf48cf1175e63aa668e770e603dd4d94f97df42b923524b798
Opcode Fuzzy Hash: f6504f954e9aae13ed21c41ce24aee47f9f04d8def36fdaeb76af0bbe6c18fd8
Instruction Fuzzy Hash: 6601E2762896988FCB74CF29C998ACA73B5FB58310F054059EA19DB221C730EA90CB11

Uniqueness

Uniqueness Score: -1.00%

Function 021F4DBE, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9c95f882e7b58ae06bd805de629a0c6cdd9cb0bc2c157eb5af15c799c472acb
Instruction ID: 0b5979ec1903134ac1588958de70f4e66ee4685ff379746717941809fe60c4f9
Opcode Fuzzy Hash: a9c95f882e7b58ae06bd805de629a0c6cdd9cb0bc2c157eb5af15c799c472acb
Instruction Fuzzy Hash: 109103B62462F7AFC342AE34DC512D3FF75FFAB259BA90581D59157812D33208A2CB11

Uniqueness

Uniqueness Score: -1.00%

Function 021F4F09, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e44d7f33c165416353f01c0ae63c369b7d9cef7856494dd051ca45c79b068403
Instruction ID: 961022e6f0c06719bc46cd867c3d3e708324a3527551525ccc0cc99707a75c05
Opcode Fuzzy Hash: e44d7f33c165416353f01c0ae63c369b7d9cef7856494dd051ca45c79b068403
Instruction Fuzzy Hash: AB511EB22093F6AFC311AE38CC517D7BFA5FFAB295B990596D99157812C3320992CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021F7A3A, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e393e9a883f8edff40204b6126c557518d38e61cfc3734df0d6893df5d7787ba
Instruction ID: 2b5a49d9e3a288b109aabb1f050062ac7d0983a8daa3e7610bd0cd5fc49027e2
Opcode Fuzzy Hash: e393e9a883f8edff40204b6126c557518d38e61cfc3734df0d6893df5d7787ba
Instruction Fuzzy Hash: FD31E1B22862E7AFC382AF74DC556D3FF64FE6B2597A90595C26147822C7230893CB50

Uniqueness

Uniqueness Score: -1.00%

Function 021F70E7, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05c21cd3e46535bd7212f5981cef8020ed3251936aa66fc54fa7470a659149fc
Instruction ID: 7d5047ef9d8f8ce3e7fafb0bd51aed5c1c53e6db52cc6c04d64bc9cc1e3d507d
Opcode Fuzzy Hash: 05c21cd3e46535bd7212f5981cef8020ed3251936aa66fc54fa7470a659149fc
Instruction Fuzzy Hash: 8831D1B62466F7AFC342BF389C155C3FF68BD6B11A3A805A0D1615B812C72308A3DB15

Uniqueness

Uniqueness Score: -1.00%

Function 021F7A68, Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f33945e35e8741176214a9ec14b53c7541b8efad86cd2d735d8d24d588f239
Instruction ID: 27c8cef4856ba03d2f3f8c615b08b5ea91af9c4fcf170030c0a1a759e692efc3
Opcode Fuzzy Hash: c7f33945e35e8741176214a9ec14b53c7541b8efad86cd2d735d8d24d588f239
Instruction Fuzzy Hash: 7131A0B22467E7AFC381BF35DC456D3FFA8BE6B11A3A90591D15157812D72308A3DB10

Uniqueness

Uniqueness Score: -1.00%

Function 021FD52B, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd43fc398285e0e96256b9043c10940268db1cf7750f28207d8a1e9e4e0359c
Instruction ID: e07993cc4b6c4703e497f3d85695826452eed38f39c9980431ec5da0a5a19fbd
Opcode Fuzzy Hash: dfd43fc398285e0e96256b9043c10940268db1cf7750f28207d8a1e9e4e0359c
Instruction Fuzzy Hash: 3D317CB170028E4FDB76CE3889947E63BA2AF96350F44416EED5C8F241D774CA81C760

Uniqueness

Uniqueness Score: -1.00%

Function 021F78FC, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f1b2d2a07644119a47a5803df87c4b96e621fca1c3efba931689823a436235
Instruction ID: e7425a6c0dd61b7e7385ab681090cc76a8a495d5989e35b6adc8efbafe2314ef
Opcode Fuzzy Hash: 01f1b2d2a07644119a47a5803df87c4b96e621fca1c3efba931689823a436235
Instruction Fuzzy Hash: BA21ACAB2466F7AFD342BE34AC551D3FF78BD6B11A3A80591D1519B813C72308A3CB15

Uniqueness

Uniqueness Score: -1.00%

Function 021FCE12, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.757618401.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98373db4aa5bbfef307ba4d70072eb71b83c2197c879fec2a0cc6e541cc85c20
Instruction ID: d5055f27ebdd69e232db9ebb92bfb7346c6dd0eef9a72d4524be9980aa6dbd6b
Opcode Fuzzy Hash: 98373db4aa5bbfef307ba4d70072eb71b83c2197c879fec2a0cc6e541cc85c20
Instruction Fuzzy Hash: 4101F5652883428BCB7E9F20A9E53FA36B2AFA7350F66406CDD534B644D7244500C701

Uniqueness

Uniqueness Score: -1.00%

Function 004032C4, Relevance: 89.6, APIs: 49, Strings: 2, Instructions: 361
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E004032C4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr* _v12;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				void* _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				signed int _v116;
				intOrPtr _v124;
				char _v132;
				char _v136;
				intOrPtr _v176;
				char* _t106;
				char* _t110;
				char* _t114;
				void* _t116;
				intOrPtr* _t117;
				void* _t118;
				void* _t122;
				intOrPtr* _t123;
				void* _t124;
				void* _t126;
				intOrPtr* _t127;
				void* _t128;
				void* _t130;
				intOrPtr* _t131;
				void* _t132;
				void* _t134;
				intOrPtr* _t135;
				signed char _t136;
				intOrPtr* _t140;
				void* _t141;
				intOrPtr _t174;
				void* _t189;
				intOrPtr* _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr _t210;
				intOrPtr* _t211;
				intOrPtr _t214;
				long long _t234;

				_a4 = _a4 - 0xffff;
				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t210;
				_t211 = _t210 - 0x9c;
				_v12 = _t211;
				_v8 = 0x401340;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v84 = 0;
				_v100 = 0;
				_v116 = 0;
				_v132 = 0;
				_v136 = 0;
				L0040159E();
				_t106 =  &_v84;
				_push(_t106);
				_v76 = 0x3076;
				_v84 = 2;
				L00401460();
				asm("sbb esi, esi");
				L00401550();
				if( ~( ~0x00000000) == 0) {
					_t140 = _a4;
					_t189 = 0x40397c;
				} else {
					_t214 =  *0x43039c; // 0x227e9a4
					if(_t214 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t202 =  *0x43039c; // 0x227e9a4
					_t126 =  *((intOrPtr*)( *_t202 + 0x14))(_t202,  &_v68);
					asm("fclex");
					if(_t126 >= 0) {
						_t189 = 0x40397c;
					} else {
						_push(0x14);
						_t189 = 0x40397c;
						_push(0x40397c);
						_push(_t202);
						_push(_t126);
						L0040158C();
					}
					_t127 = _v68;
					_t203 = _t127;
					_t128 =  *((intOrPtr*)( *_t127 + 0xc0))(_t127,  &_v136);
					asm("fclex");
					if(_t128 >= 0) {
						_t141 = 0x40399c;
					} else {
						_push(0xc0);
						_t141 = 0x40399c;
						_push(0x40399c);
						_push(_t203);
						_push(_t128);
						L0040158C();
					}
					L00401586();
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t204 =  *0x43039c; // 0x227e9a4
					_t130 =  *((intOrPtr*)( *_t204 + 0x14))(_t204,  &_v68);
					asm("fclex");
					if(_t130 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t204);
						_push(_t130);
						L0040158C();
					}
					_t131 = _v68;
					_t205 = _t131;
					_t132 =  *((intOrPtr*)( *_t131 + 0xe0))(_t131,  &_v60);
					asm("fclex");
					if(_t132 < 0) {
						_push(0xe0);
						_push(_t141);
						_push(_t205);
						_push(_t132);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t206 =  *0x43039c; // 0x227e9a4
					_t134 =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  &_v68);
					asm("fclex");
					if(_t134 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t206);
						_push(_t134);
						L0040158C();
					}
					_t135 = _v68;
					_t207 = _t135;
					_t136 =  *((intOrPtr*)( *_t135 + 0x60))(_t135,  &_v60);
					asm("fclex");
					if(_t136 < 0) {
						_push(0x60);
						_push(_t141);
						_push(_t207);
						_push(_t136);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					_t234 =  *0x401338;
					_t140 = _a4;
					_t174 =  *_t140;
					asm("fnstsw ax");
					if((_t136 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v176 = _t234;
					 *_t211 = _v176;
					_t106 =  *((intOrPtr*)(_t174 + 0x84))(_t140, _t174);
					asm("fclex");
					if(_t106 < 0) {
						_push(0x84);
						_push(0x4034b4);
						_push(_t140);
						_push(_t106);
						L0040158C();
					}
				}
				_push(0x403a84);
				_push(0x403a8c);
				L00401532();
				L00401598();
				_push(_t106);
				_push(L"-10-");
				L00401532();
				L00401598();
				_push(_t106);
				_push(0x403bb8);
				L00401532();
				_v76 = _t106;
				_push( &_v84);
				_push( &_v100);
				_v84 = 8;
				L004014D8();
				_push( &_v100);
				_t110 =  &_v132;
				_push(_t110);
				_v124 = 0xa;
				_v132 = 0x8002;
				L004014DE();
				_push( &_v64);
				_push( &_v60);
				_push(2);
				L004014D2();
				_push( &_v100);
				_t114 =  &_v84;
				_push(_t114);
				_push(2);
				L00401562();
				if(_t110 != 0) {
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t197 =  *0x43039c; // 0x227e9a4
					_t116 =  *((intOrPtr*)( *_t197 + 0x14))(_t197,  &_v68);
					asm("fclex");
					if(_t116 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t197);
						_push(_t116);
						L0040158C();
					}
					_t117 = _v68;
					_t198 = _t117;
					_t118 =  *((intOrPtr*)( *_t117 + 0xf8))(_t117,  &_v60);
					asm("fclex");
					if(_t118 < 0) {
						_push(0xf8);
						_push(0x40399c);
						_push(_t198);
						_push(_t118);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					_push(1);
					_push(1);
					_push(1);
					_push( &_v84);
					L004014CC();
					_push( &_v84);
					L0040156E();
					L00401598();
					L00401550();
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t199 =  *0x43039c; // 0x227e9a4
					_t122 =  *((intOrPtr*)( *_t199 + 0x14))(_t199,  &_v68);
					asm("fclex");
					if(_t122 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t199);
						_push(_t122);
						L0040158C();
					}
					_t123 = _v68;
					_t200 = _t123;
					_t124 =  *((intOrPtr*)( *_t123 + 0xf0))(_t123,  &_v60);
					asm("fclex");
					if(_t124 < 0) {
						_push(0xf0);
						_push(0x40399c);
						_push(_t200);
						_push(_t124);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					L004014C6();
					_t114 =  *((intOrPtr*)( *_t140 + 0x64))(_t140, _t124);
					asm("fclex");
					if(_t114 < 0) {
						_push(0x64);
						_push(0x4034b4);
						_push(_t140);
						_push(_t114);
						L0040158C();
					}
				}
				_v40 = 0xea8c9360;
				asm("wait");
				_v36 = 0x5b07;
				_push(0x42f320);
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t114;
			}

0x004032c4
0x0042ee8c
0x0042ee97
0x0042ee98
0x0042ee9f
0x0042eea8
0x0042eeab
0x0042eeba
0x0042eebd
0x0042eec0
0x0042eec3
0x0042eec6
0x0042eec9
0x0042eecc
0x0042eecf
0x0042eed2
0x0042eed5
0x0042eed8
0x0042eedb
0x0042eede
0x0042eee1
0x0042eee7
0x0042eeec
0x0042eeef
0x0042eef0
0x0042eef7
0x0042eefe
0x0042ef0e
0x0042ef14
0x0042ef1c
0x0042f0c8
0x0042f0cb
0x0042ef22
0x0042ef22
0x0042ef28
0x0042ef2a
0x0042ef2f
0x0042ef34
0x0042ef34
0x0042ef39
0x0042ef46
0x0042ef49
0x0042ef4d
0x0042ef60
0x0042ef4f
0x0042ef4f
0x0042ef51
0x0042ef56
0x0042ef57
0x0042ef58
0x0042ef59
0x0042ef59
0x0042ef65
0x0042ef72
0x0042ef74
0x0042ef7a
0x0042ef7e
0x0042ef94
0x0042ef80
0x0042ef80
0x0042ef85
0x0042ef8a
0x0042ef8b
0x0042ef8c
0x0042ef8d
0x0042ef8d
0x0042ef9c
0x0042efa8
0x0042efaa
0x0042efaf
0x0042efb4
0x0042efb4
0x0042efb9
0x0042efc6
0x0042efc9
0x0042efcd
0x0042efcf
0x0042efd1
0x0042efd2
0x0042efd3
0x0042efd4
0x0042efd4
0x0042efd9
0x0042efe3
0x0042efe5
0x0042efeb
0x0042efef
0x0042eff1
0x0042eff6
0x0042eff7
0x0042eff8
0x0042eff9
0x0042eff9
0x0042f001
0x0042f008
0x0042f010
0x0042f01c
0x0042f01e
0x0042f023
0x0042f028
0x0042f028
0x0042f02d
0x0042f03a
0x0042f03d
0x0042f041
0x0042f043
0x0042f045
0x0042f046
0x0042f047
0x0042f048
0x0042f048
0x0042f04d
0x0042f057
0x0042f059
0x0042f05c
0x0042f060
0x0042f062
0x0042f064
0x0042f065
0x0042f066
0x0042f067
0x0042f067
0x0042f06f
0x0042f076
0x0042f07e
0x0042f083
0x0042f089
0x0042f08c
0x0042f08e
0x0042f092
0x004013ac
0x004013ac
0x0042f098
0x0042f0a5
0x0042f0a9
0x0042f0af
0x0042f0b3
0x0042f0b5
0x0042f0ba
0x0042f0bf
0x0042f0c0
0x0042f0c1
0x0042f0c1
0x0042f0b3
0x0042f0d0
0x0042f0d5
0x0042f0da
0x0042f0e4
0x0042f0e9
0x0042f0ea
0x0042f0ef
0x0042f0f9
0x0042f0fe
0x0042f0ff
0x0042f104
0x0042f109
0x0042f10f
0x0042f113
0x0042f114
0x0042f11b
0x0042f123
0x0042f124
0x0042f127
0x0042f128
0x0042f12f
0x0042f136
0x0042f141
0x0042f145
0x0042f146
0x0042f148
0x0042f150
0x0042f151
0x0042f154
0x0042f155
0x0042f157
0x0042f162
0x0042f16f
0x0042f171
0x0042f176
0x0042f17b
0x0042f17b
0x0042f180
0x0042f18d
0x0042f190
0x0042f194
0x0042f196
0x0042f198
0x0042f199
0x0042f19a
0x0042f19b
0x0042f19b
0x0042f1a0
0x0042f1aa
0x0042f1ac
0x0042f1b2
0x0042f1b6
0x0042f1b8
0x0042f1bd
0x0042f1c2
0x0042f1c3
0x0042f1c4
0x0042f1c4
0x0042f1cc
0x0042f1d3
0x0042f1db
0x0042f1e0
0x0042f1e2
0x0042f1e4
0x0042f1e9
0x0042f1ea
0x0042f1f2
0x0042f1f3
0x0042f1fd
0x0042f205
0x0042f211
0x0042f213
0x0042f218
0x0042f21d
0x0042f21d
0x0042f222
0x0042f22f
0x0042f232
0x0042f236
0x0042f238
0x0042f23a
0x0042f23b
0x0042f23c
0x0042f23d
0x0042f23d
0x0042f242
0x0042f24c
0x0042f24e
0x0042f254
0x0042f258
0x0042f25a
0x0042f25f
0x0042f264
0x0042f265
0x0042f266
0x0042f266
0x0042f26e
0x0042f275
0x0042f27d
0x0042f28a
0x0042f291
0x0042f294
0x0042f298
0x0042f29a
0x0042f29c
0x0042f2a1
0x0042f2a2
0x0042f2a3
0x0042f2a3
0x0042f298
0x0042f2a8
0x0042f2af
0x0042f2b0
0x0042f2b7
0x0042f2f2
0x0042f2fa
0x0042f302
0x0042f30a
0x0042f312
0x0042f31a
0x0042f31f

APIs

__vbaStrCopy.MSVBVM60 ref: 0042EEE7
#592.MSVBVM60(?), ref: 0042EEFE
__vbaFreeVar.MSVBVM60(?), ref: 0042EF14
__vbaNew2.MSVBVM60(0040398C,0043039C,?), ref: 0042EF34
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042EF59
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000C0), ref: 0042EF8D
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000C0), ref: 0042EF9C
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042EFB4
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042EFD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000E0), ref: 0042EFF9
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000E0), ref: 0042F008
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000E0), ref: 0042F010
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042F028
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042F048
__vbaStrCat.MSVBVM60(00403A8C,00403A84,?), ref: 0042F0DA
__vbaStrMove.MSVBVM60(00403A8C,00403A84,?), ref: 0042F0E4
__vbaStrCat.MSVBVM60(-10-,00000000,00403A8C,00403A84,?), ref: 0042F0EF
__vbaStrMove.MSVBVM60(-10-,00000000,00403A8C,00403A84,?), ref: 0042F0F9
__vbaStrCat.MSVBVM60(00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F104
#542.MSVBVM60(?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F11B
__vbaVarTstNe.MSVBVM60(?,?,?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F136
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F148
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00000002,?,?,?,?,?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84), ref: 0042F157
__vbaNew2.MSVBVM60(0040398C,0043039C,00403A8C,00403A84,?), ref: 0042F17B
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042F19B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042F1C4
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042F1D3
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042F1DB
#539.MSVBVM60(00000008,00000001,00000001,00000001), ref: 0042F1EA
__vbaStrVarMove.MSVBVM60(00000008,00000008,00000001,00000001,00000001), ref: 0042F1F3
__vbaStrMove.MSVBVM60(00000008,00000008,00000001,00000001,00000001), ref: 0042F1FD

Strings

-10-, xrefs: 0042F0EA
v0, xrefs: 0042EEF0

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeMove$New2$List$#539#542#592Copy
String ID: -10-$v0
API String ID: 3263950706-1872862383
Opcode ID: cefb076924c299ddbe787c802b1898d05d40be0090f1a1b49214bee8b93d3a4f
Instruction ID: f5d43cd4374b218262c4b88d56efc7c9ba1f40d2704b9bc88114823afae7718b
Opcode Fuzzy Hash: cefb076924c299ddbe787c802b1898d05d40be0090f1a1b49214bee8b93d3a4f
Instruction Fuzzy Hash: FDD12071900218BBDB10EB92DC45FAEBBB8BF44708F50453EF446BB1D1DB7899098B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042C7A5, Relevance: 86.1, APIs: 46, Strings: 3, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042C7A5(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				long long* _v16;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v60;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v116;
				intOrPtr* _t79;
				char* _t81;
				void* _t83;
				intOrPtr* _t84;
				void* _t85;
				char* _t88;
				char* _t89;
				void* _t92;
				intOrPtr* _t93;
				void* _t94;
				void* _t96;
				intOrPtr* _t97;
				void* _t98;
				void* _t100;
				intOrPtr* _t101;
				char* _t111;
				void* _t148;
				intOrPtr* _t151;
				intOrPtr* _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t156;
				intOrPtr* _t157;
				intOrPtr* _t158;
				intOrPtr* _t159;
				void* _t160;
				void* _t162;
				intOrPtr _t163;
				long long* _t164;
				intOrPtr _t167;
				intOrPtr _t170;
				intOrPtr _t173;
				char* _t175;
				intOrPtr _t176;
				intOrPtr _t179;
				long long _t183;

				_t163 = _t162 - 0xc;
				 *[fs:0x0] = _t163;
				_t164 = _t163 - 0x80;
				_v16 = _t164;
				_v12 = 0x401198;
				_v8 = 0;
				_t79 = _a4;
				 *((intOrPtr*)( *_t79 + 4))(_t79, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t160);
				_t81 =  &_v96;
				_v96 = 0;
				_push(_t81);
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v60 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v116 = 0;
				_v88 = 0x80020004;
				_v96 = 0xa;
				L0040153E();
				st0 = __fp0;
				L00401550();
				_push(0x4039e8);
				_push("rue");
				L00401532();
				L00401598();
				_push(_t81);
				L00401538();
				_t111 =  &_v76;
				L0040154A();
				if( ~(0 | _t81 != 0x0000ffff) == 0) {
					_t148 = 0x40397c;
				} else {
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v96);
					_v88 = 0x17;
					_v96 = 2;
					L0040152C();
					L00401598();
					L00401550();
					_t167 =  *0x43039c; // 0x227e9a4
					if(_t167 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t154 =  *0x43039c; // 0x227e9a4
					_t92 =  *((intOrPtr*)( *_t154 + 0x14))(_t154,  &_v80);
					asm("fclex");
					if(_t92 >= 0) {
						_t148 = 0x40397c;
					} else {
						_push(0x14);
						_t148 = 0x40397c;
						_push(0x40397c);
						_push(_t154);
						_push(_t92);
						L0040158C();
					}
					_t93 = _v80;
					_t155 = _t93;
					_t94 =  *((intOrPtr*)( *_t93 + 0xf8))(_t93,  &_v76);
					asm("fclex");
					if(_t94 < 0) {
						_push(0xf8);
						_push(0x40399c);
						_push(_t155);
						_push(_t94);
						L0040158C();
					}
					_v76 = 0;
					L00401598();
					L00401586();
					_t170 =  *0x43039c; // 0x227e9a4
					if(_t170 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t156 =  *0x43039c; // 0x227e9a4
					_t96 =  *((intOrPtr*)( *_t156 + 0x14))(_t156,  &_v80);
					asm("fclex");
					if(_t96 < 0) {
						_push(0x14);
						_push(_t148);
						_push(_t156);
						_push(_t96);
						L0040158C();
					}
					_t97 = _v80;
					_t157 = _t97;
					_t98 =  *((intOrPtr*)( *_t97 + 0x58))(_t97,  &_v76);
					asm("fclex");
					if(_t98 < 0) {
						_push(0x58);
						_push(0x40399c);
						_push(_t157);
						_push(_t98);
						L0040158C();
					}
					_v76 = 0;
					L00401598();
					L00401586();
					_t173 =  *0x43039c; // 0x227e9a4
					if(_t173 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t158 =  *0x43039c; // 0x227e9a4
					_t100 =  *((intOrPtr*)( *_t158 + 0x4c))(_t158,  &_v80);
					asm("fclex");
					if(_t100 < 0) {
						_push(0x4c);
						_push(_t148);
						_push(_t158);
						_push(_t100);
						L0040158C();
					}
					_t101 = _v80;
					_t159 = _t101;
					_t81 =  *((intOrPtr*)( *_t101 + 0x24))(_t101, L"Topscorere", "TRK",  &_v76);
					asm("fclex");
					_t175 = _t81;
					if(_t175 < 0) {
						_push(0x24);
						_push(0x403a20);
						_push(_t159);
						_push(_t81);
						L0040158C();
					}
					_v76 = 0;
					L00401598();
					_t111 =  &_v80;
					L00401586();
				}
				_push(_t111);
				_push(_t111);
				 *_t164 =  *0x401190;
				_push(_t111);
				_t183 =  *0x401190;
				_push(_t111);
				 *_t164 = _t183;
				_push(_t111);
				asm("fldz");
				_push(_t111);
				 *_t164 = _t183;
				L00401520();
				L00401526();
				asm("fcomp qword [0x401188]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t175 != 0) {
					L0040151A();
					_t176 =  *0x43039c; // 0x227e9a4
					if(_t176 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t151 =  *0x43039c; // 0x227e9a4
					_t83 =  *((intOrPtr*)( *_t151 + 0x14))(_t151,  &_v80);
					asm("fclex");
					if(_t83 < 0) {
						_push(0x14);
						_push(_t148);
						_push(_t151);
						_push(_t83);
						L0040158C();
					}
					_t84 = _v80;
					_t152 = _t84;
					_t85 =  *((intOrPtr*)( *_t84 + 0xc8))(_t84,  &_v116);
					asm("fclex");
					if(_t85 < 0) {
						_push(0xc8);
						_push(0x40399c);
						_push(_t152);
						_push(_t85);
						L0040158C();
					}
					L00401586();
					_push( &_v96);
					L00401514();
					_push( &_v96);
					L0040156E();
					L00401598();
					L00401550();
					_t179 =  *0x43039c; // 0x227e9a4
					if(_t179 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t153 =  *0x43039c; // 0x227e9a4
					_t88 =  &_v40;
					L00401508();
					_t89 =  &_v80;
					L0040150E();
					_t81 =  *((intOrPtr*)( *_t153 + 0x10))(_t153, _t89, _t89, _t88, _t88);
					asm("fclex");
					if(_t81 < 0) {
						_push(0x10);
						_push(_t148);
						_push(_t153);
						_push(_t81);
						L0040158C();
					}
					L00401586();
				}
				_v60 = 0xe58c8;
				asm("wait");
				_push(0x42cb72);
				L00401550();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t81;
			}

0x0042c7a8
0x0042c7b7
0x0042c7be
0x0042c7c7
0x0042c7ca
0x0042c7d3
0x0042c7d6
0x0042c7dc
0x0042c7df
0x0042c7e2
0x0042c7e5
0x0042c7e6
0x0042c7e9
0x0042c7ec
0x0042c7ef
0x0042c7f2
0x0042c7f5
0x0042c7f8
0x0042c7fb
0x0042c7fe
0x0042c801
0x0042c804
0x0042c80b
0x0042c812
0x0042c817
0x0042c81c
0x0042c821
0x0042c826
0x0042c82b
0x0042c835
0x0042c83a
0x0042c83b
0x0042c84e
0x0042c851
0x0042c859
0x0042c9fe
0x0042c85f
0x0042c85f
0x0042c861
0x0042c863
0x0042c865
0x0042c86a
0x0042c86b
0x0042c872
0x0042c879
0x0042c883
0x0042c88b
0x0042c890
0x0042c896
0x0042c898
0x0042c89d
0x0042c8a2
0x0042c8a2
0x0042c8a7
0x0042c8b4
0x0042c8b7
0x0042c8bb
0x0042c8ce
0x0042c8bd
0x0042c8bd
0x0042c8bf
0x0042c8c4
0x0042c8c5
0x0042c8c6
0x0042c8c7
0x0042c8c7
0x0042c8d3
0x0042c8dd
0x0042c8df
0x0042c8e5
0x0042c8e9
0x0042c8eb
0x0042c8f0
0x0042c8f5
0x0042c8f6
0x0042c8f7
0x0042c8f7
0x0042c902
0x0042c905
0x0042c90d
0x0042c912
0x0042c918
0x0042c91a
0x0042c91f
0x0042c924
0x0042c924
0x0042c929
0x0042c936
0x0042c939
0x0042c93d
0x0042c93f
0x0042c941
0x0042c942
0x0042c943
0x0042c944
0x0042c944
0x0042c949
0x0042c953
0x0042c955
0x0042c958
0x0042c95c
0x0042c95e
0x0042c960
0x0042c965
0x0042c966
0x0042c967
0x0042c967
0x0042c972
0x0042c975
0x0042c97d
0x0042c982
0x0042c988
0x0042c98a
0x0042c98f
0x0042c994
0x0042c994
0x0042c999
0x0042c9a6
0x0042c9a9
0x0042c9ad
0x0042c9af
0x0042c9b1
0x0042c9b2
0x0042c9b3
0x0042c9b4
0x0042c9b4
0x0042c9b9
0x0042c9cd
0x0042c9cf
0x0042c9d2
0x0042c9d4
0x0042c9d6
0x0042c9d8
0x0042c9da
0x0042c9df
0x0042c9e0
0x0042c9e1
0x0042c9e1
0x0042c9ec
0x0042c9ef
0x0042c9f4
0x0042c9f7
0x0042c9f7
0x0042ca09
0x0042ca0a
0x0042ca0b
0x0042ca0e
0x0042ca0f
0x0042ca15
0x0042ca16
0x0042ca19
0x0042ca1a
0x0042ca1c
0x0042ca1d
0x0042ca20
0x0042ca25
0x0042ca2a
0x0042ca30
0x0042ca32
0x0042ca33
0x0042ca39
0x0042ca3e
0x0042ca44
0x0042ca46
0x0042ca4b
0x0042ca50
0x0042ca50
0x0042ca55
0x0042ca62
0x0042ca65
0x0042ca69
0x0042ca6b
0x0042ca6d
0x0042ca6e
0x0042ca6f
0x0042ca70
0x0042ca70
0x0042ca75
0x0042ca7f
0x0042ca81
0x0042ca87
0x0042ca8b
0x0042ca8d
0x0042ca92
0x0042ca97
0x0042ca98
0x0042ca99
0x0042ca99
0x0042caa1
0x0042caa9
0x0042caaa
0x0042cab2
0x0042cab3
0x0042cabd
0x0042cac5
0x0042caca
0x0042cad0
0x0042cad2
0x0042cad7
0x0042cadc
0x0042cadc
0x0042cae1
0x0042cae9
0x0042caed
0x0042caf3
0x0042caf7
0x0042cafe
0x0042cb01
0x0042cb05
0x0042cb07
0x0042cb09
0x0042cb0a
0x0042cb0b
0x0042cb0c
0x0042cb0c
0x0042cb14
0x0042cb14
0x0042cb19
0x0042cb20
0x0042cb21
0x0042cb44
0x0042cb4c
0x0042cb54
0x0042cb5c
0x0042cb64
0x0042cb6c
0x0042cb71

APIs

#593.MSVBVM60(?), ref: 0042C812
__vbaFreeVar.MSVBVM60(?), ref: 0042C81C
__vbaStrCat.MSVBVM60(rue,004039E8,?), ref: 0042C82B
__vbaStrMove.MSVBVM60(rue,004039E8,?), ref: 0042C835
__vbaBoolStr.MSVBVM60(00000000,rue,004039E8,?), ref: 0042C83B
__vbaFreeStr.MSVBVM60(00000000,rue,004039E8,?), ref: 0042C851
#702.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C879
__vbaStrMove.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C883
__vbaFreeVar.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C88B
__vbaNew2.MSVBVM60(0040398C,0043039C,0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C8A2
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042C8C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C8F7
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C905
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C90D
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042C924
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042C944
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000058), ref: 0042C967
__vbaStrMove.MSVBVM60(00000000,?,0040399C,00000058), ref: 0042C975
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000058), ref: 0042C97D
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042C994
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,0000004C), ref: 0042C9B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A20,00000024), ref: 0042C9E1
__vbaStrMove.MSVBVM60(00000000,?,00403A20,00000024), ref: 0042C9EF
__vbaFreeObj.MSVBVM60(00000000,?,00403A20,00000024), ref: 0042C9F7
#671.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA20
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA25
#598.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA39
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA50
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA70
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000C8,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA99
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAA1
#612.MSVBVM60(0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAAA
__vbaStrVarMove.MSVBVM60(0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAB3
__vbaStrMove.MSVBVM60(0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CABD
__vbaFreeVar.MSVBVM60(0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAC5
__vbaNew2.MSVBVM60(0040398C,0043039C,0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CADC
__vbaObjVar.MSVBVM60(?,0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAED
__vbaObjSetAddref.MSVBVM60(?,00000000,?,0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAF7
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000010,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CB0C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CB14
__vbaFreeVar.MSVBVM60(0042CB72,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CB44

Strings

rue, xrefs: 0042C826
TRK, xrefs: 0042C9C2
Topscorere, xrefs: 0042C9C7

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#593#598#612#671#702AddrefBool
String ID: TRK$Topscorere$rue
API String ID: 3888035053-3396922433
Opcode ID: 0f49ca82971a7f0661ad9f2a887c72fae6437f97ab915eacf49d6f9dddc89ad6
Instruction ID: 1ab27781530c608b6d9b5123c81289e917c8808b0af9f13a988c78915457d2ed
Opcode Fuzzy Hash: 0f49ca82971a7f0661ad9f2a887c72fae6437f97ab915eacf49d6f9dddc89ad6
Instruction Fuzzy Hash: 64B151B1D00118BBCB14EFA5DC86E9EBB78AF48308F50453EF516BB1E1DA785905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042C3C4, Relevance: 70.3, APIs: 39, Strings: 1, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0042C3C4(void* __ebx, void* __edi, void* __esi, void* _a40, void* _a44) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				void* _v80;
				signed int _v84;
				signed int _v92;
				char _v100;
				signed int _v108;
				char _v116;
				signed int _v124;
				char _v132;
				signed int _v140;
				signed int _v148;
				void* _t95;
				intOrPtr* _t96;
				void* _t97;
				void* _t99;
				intOrPtr* _t100;
				void* _t101;
				void* _t103;
				intOrPtr* _t104;
				void* _t105;
				void* _t118;
				intOrPtr* _t119;
				void* _t120;
				void* _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				char* _t147;
				void* _t162;
				intOrPtr* _t167;
				intOrPtr* _t168;
				intOrPtr* _t169;
				intOrPtr* _t170;
				intOrPtr* _t171;
				intOrPtr* _t172;
				char _t173;
				void* _t178;
				intOrPtr _t179;
				intOrPtr _t180;
				long long* _t181;
				void* _t185;
				void* _t189;
				void* _t192;
				void* _t196;
				long long _t199;

				_t179 = _t178 - 0x10;
				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_t180 = _t179 - 0xc0;
				_v20 = _t180;
				_v16 = 0x401178;
				_t123 = 0;
				_v12 = 0;
				_v8 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v84 = 0;
				_v100 = 0;
				_v116 = 0;
				_v132 = 0;
				_v148 = 0;
				L0040159E();
				L0040159E();
				_t185 =  *0x43039c - _t123; // 0x227e9a4
				if(_t185 == 0) {
					_push(0x43039c);
					_push(0x40398c);
					L00401592();
				}
				_t167 =  *0x43039c; // 0x227e9a4
				_t95 =  *((intOrPtr*)( *_t167 + 0x14))(_t167,  &_v80);
				asm("fclex");
				if(_t95 < _t123) {
					_push(0x14);
					_push(0x40397c);
					_push(_t167);
					_push(_t95);
					L0040158C();
				}
				_t96 = _v80;
				_t168 = _t96;
				_t97 =  *((intOrPtr*)( *_t96 + 0xf8))(_t96,  &_v76);
				asm("fclex");
				if(_t97 < _t123) {
					_push(0xf8);
					_push(0x40399c);
					_push(_t168);
					_push(_t97);
					L0040158C();
				}
				_v76 = _t123;
				L00401598();
				L00401586();
				L00401580();
				L00401598();
				_push(_t123);
				L0040157A();
				_push(0x4039b0);
				L00401574();
				_t162 = 2;
				if(_t97 != _t162) {
					_t189 =  *0x43039c - _t123; // 0x227e9a4
					if(_t189 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t171 =  *0x43039c; // 0x227e9a4
					_t103 =  *((intOrPtr*)( *_t171 + 0x14))(_t171,  &_v80);
					asm("fclex");
					if(_t103 < _t123) {
						_push(0x14);
						_push(0x40397c);
						_push(_t171);
						_push(_t103);
						L0040158C();
					}
					_t104 = _v80;
					_t172 = _t104;
					_t105 =  *((intOrPtr*)( *_t104 + 0x138))(_t104, L"Uncourtlike9", 1);
					asm("fclex");
					if(_t105 < _t123) {
						_push(0x138);
						_push(0x40399c);
						_push(_t172);
						_push(_t105);
						L0040158C();
					}
					L00401586();
					_v92 = _t162;
					_v100 = _t162;
					_push( &_v100);
					_push( &_v116);
					L00401568();
					_push( &_v116);
					L0040156E();
					_t147 =  &_v32;
					L00401598();
					_push( &_v116);
					_push( &_v100);
					_push(_t162);
					L00401562();
					_t181 = _t180 + 0xc;
					_v124 = 0x80020004;
					_t173 = 0xa;
					_v132 = _t173;
					_v108 = 0x80020004;
					_v116 = _t173;
					_v92 = 0x80020004;
					_v100 = _t173;
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_t199 =  *0x401170;
					_push(_t147);
					_push(_t147);
					 *_t181 = _t199;
					asm("fld1");
					_push(_t147);
					_push(_t147);
					 *_t181 = _t199;
					asm("fld1");
					_push(_t147);
					_push(_t147);
					 *_t181 = _t199;
					L0040155C();
					st0 = _t199;
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(3);
					L00401562();
					_t192 =  *0x43039c - _t123; // 0x227e9a4
					if(_t192 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t124 =  *0x43039c; // 0x227e9a4
					_t118 =  *((intOrPtr*)( *_t124 + 0x1c))(_t124,  &_v80);
					asm("fclex");
					if(_t118 < 0) {
						_push(0x1c);
						_push(0x40397c);
						_push(_t124);
						_push(_t118);
						L0040158C();
					}
					_t119 = _v80;
					_t125 = _t119;
					_v140 = 0x80020004;
					_v148 = _t173;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t120 =  *((intOrPtr*)( *_t119 + 0x54))(_t119,  &_v84);
					asm("fclex");
					if(_t120 < 0) {
						_push(0x54);
						_push(0x4039d4);
						_push(_t125);
						_push(_t120);
						L0040158C();
					}
					_v84 = _v84 & 0x00000000;
					_v92 = _v84;
					_v100 = 9;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v60);
					L00401556();
					L00401586();
					L00401550();
					_t123 = 0;
				}
				_t196 =  *0x43039c - _t123; // 0x227e9a4
				if(_t196 == 0) {
					_push(0x43039c);
					_push(0x40398c);
					L00401592();
				}
				_t169 =  *0x43039c; // 0x227e9a4
				_t99 =  *((intOrPtr*)( *_t169 + 0x14))(_t169,  &_v80);
				asm("fclex");
				if(_t99 < _t123) {
					_push(0x14);
					_push(0x40397c);
					_push(_t169);
					_push(_t99);
					L0040158C();
				}
				_t100 = _v80;
				_t170 = _t100;
				_t101 =  *((intOrPtr*)( *_t100 + 0x60))(_t100,  &_v76);
				asm("fclex");
				if(_t101 < _t123) {
					_push(0x60);
					_push(0x40399c);
					_push(_t170);
					_push(_t101);
					L0040158C();
				}
				_v76 = _t123;
				L00401598();
				L00401586();
				_v56 = 0xb2782dd0;
				_v52 = 0x5b03;
				asm("wait");
				_push(0x42c784);
				L0040154A();
				L0040154A();
				L0040154A();
				L00401586();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t101;
			}

0x0042c3c7
0x0042c3ca
0x0042c3d5
0x0042c3d6
0x0042c3dd
0x0042c3e6
0x0042c3e9
0x0042c3f0
0x0042c3f2
0x0042c3f5
0x0042c3f8
0x0042c3fb
0x0042c3fe
0x0042c401
0x0042c404
0x0042c407
0x0042c40a
0x0042c40d
0x0042c410
0x0042c413
0x0042c416
0x0042c419
0x0042c41c
0x0042c41f
0x0042c42b
0x0042c436
0x0042c43b
0x0042c441
0x0042c443
0x0042c448
0x0042c44d
0x0042c44d
0x0042c452
0x0042c45f
0x0042c462
0x0042c466
0x0042c468
0x0042c46a
0x0042c46f
0x0042c470
0x0042c471
0x0042c471
0x0042c476
0x0042c479
0x0042c482
0x0042c488
0x0042c48c
0x0042c48e
0x0042c493
0x0042c498
0x0042c499
0x0042c49a
0x0042c49a
0x0042c4a2
0x0042c4a8
0x0042c4b0
0x0042c4b5
0x0042c4bf
0x0042c4c4
0x0042c4c5
0x0042c4ca
0x0042c4cf
0x0042c4d6
0x0042c4d9
0x0042c4df
0x0042c4e5
0x0042c4e7
0x0042c4ec
0x0042c4f1
0x0042c4f1
0x0042c4f6
0x0042c503
0x0042c506
0x0042c50a
0x0042c50c
0x0042c50e
0x0042c513
0x0042c514
0x0042c515
0x0042c515
0x0042c51a
0x0042c51d
0x0042c529
0x0042c52f
0x0042c533
0x0042c535
0x0042c53a
0x0042c53f
0x0042c540
0x0042c541
0x0042c541
0x0042c549
0x0042c54e
0x0042c551
0x0042c557
0x0042c55b
0x0042c55c
0x0042c564
0x0042c565
0x0042c56c
0x0042c56f
0x0042c577
0x0042c57b
0x0042c57c
0x0042c57d
0x0042c582
0x0042c58a
0x0042c58f
0x0042c590
0x0042c593
0x0042c596
0x0042c599
0x0042c59c
0x0042c5a2
0x0042c5a6
0x0042c5aa
0x0042c5ab
0x0042c5b1
0x0042c5b2
0x0042c5b3
0x0042c5b6
0x0042c5b8
0x0042c5b9
0x0042c5ba
0x0042c5bd
0x0042c5bf
0x0042c5c0
0x0042c5c1
0x0042c5c4
0x0042c5c9
0x0042c5ce
0x0042c5d2
0x0042c5d6
0x0042c5d7
0x0042c5d9
0x0042c5e1
0x0042c5e7
0x0042c5e9
0x0042c5ee
0x0042c5f3
0x0042c5f3
0x0042c5f8
0x0042c605
0x0042c608
0x0042c60c
0x0042c60e
0x0042c610
0x0042c615
0x0042c616
0x0042c617
0x0042c617
0x0042c61c
0x0042c61f
0x0042c621
0x0042c627
0x0042c63e
0x0042c63f
0x0042c640
0x0042c641
0x0042c643
0x0042c646
0x0042c64a
0x0042c64c
0x0042c64e
0x0042c653
0x0042c654
0x0042c655
0x0042c655
0x0042c65d
0x0042c661
0x0042c664
0x0042c673
0x0042c674
0x0042c675
0x0042c676
0x0042c677
0x0042c679
0x0042c67c
0x0042c684
0x0042c68c
0x0042c691
0x0042c691
0x0042c693
0x0042c699
0x0042c69b
0x0042c6a0
0x0042c6a5
0x0042c6a5
0x0042c6aa
0x0042c6b7
0x0042c6ba
0x0042c6be
0x0042c6c0
0x0042c6c2
0x0042c6c7
0x0042c6c8
0x0042c6c9
0x0042c6c9
0x0042c6ce
0x0042c6d1
0x0042c6da
0x0042c6dd
0x0042c6e1
0x0042c6e3
0x0042c6e5
0x0042c6ea
0x0042c6eb
0x0042c6ec
0x0042c6ec
0x0042c6f4
0x0042c6fa
0x0042c702
0x0042c707
0x0042c70e
0x0042c715
0x0042c716
0x0042c74e
0x0042c756
0x0042c75e
0x0042c766
0x0042c76e
0x0042c776
0x0042c77e
0x0042c783

APIs

__vbaStrCopy.MSVBVM60 ref: 0042C42B
__vbaStrCopy.MSVBVM60 ref: 0042C436
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042C44D
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042C471
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C49A
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4A8
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4B0
#611.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4B5
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4BF
__vbaOnError.MSVBVM60(00000000), ref: 0042C4C5
__vbaI4Str.MSVBVM60(004039B0,00000000), ref: 0042C4CF
__vbaNew2.MSVBVM60(0040398C,0043039C,004039B0,00000000), ref: 0042C4F1
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042C515
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042C541
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042C549
#613.MSVBVM60(?,?), ref: 0042C55C
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0042C565
__vbaStrMove.MSVBVM60(?,?,?), ref: 0042C56F
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0042C57D
#680.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0042C5C4
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C5D9
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?), ref: 0042C5F3
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,0000001C,?,?,?,?), ref: 0042C617
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000054,?,?,?,?,?,?,?,?), ref: 0042C655
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C67C
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C684
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C68C
__vbaNew2.MSVBVM60(0040398C,0043039C,004039B0,00000000), ref: 0042C6A5
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042C6C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000060), ref: 0042C6EC
__vbaStrMove.MSVBVM60(00000000,?,0040399C,00000060), ref: 0042C6FA
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000060), ref: 0042C702
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C74E
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C756
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C75E
__vbaFreeObj.MSVBVM60(0042C784), ref: 0042C766
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C76E
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C776
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C77E

Strings

Uncourtlike9, xrefs: 0042C523

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$CopyList$#611#613#680ErrorLate
String ID: Uncourtlike9
API String ID: 537582759-1924179844
Opcode ID: d5a18c9bcdca556430c448d4effe9728d11c42a747787068d2e78fcdef173869
Instruction ID: 2a9fc28456854ac6a3d4ceec8942a6ba883c861bbc18af3fc0692c5bc24ba7d6
Opcode Fuzzy Hash: d5a18c9bcdca556430c448d4effe9728d11c42a747787068d2e78fcdef173869
Instruction Fuzzy Hash: 93B10FB1D40218ABCB10EFA5CC86EEEBBB8BF54704F50452EF506BB191DB7859058F58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F346, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0042F346(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				long long* _v12;
				long long _v28;
				char _v40;
				char _v44;
				char _v56;
				char _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v132;
				signed int _v140;
				char* _t54;
				void* _t58;
				intOrPtr* _t59;
				void* _t60;
				char* _t62;
				char _t89;
				intOrPtr* _t90;
				intOrPtr* _t91;
				void* _t94;
				intOrPtr _t97;
				long long* _t98;
				intOrPtr _t103;
				long long _t108;

				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t97;
				_t98 = _t97 - 0x88;
				_v12 = _t98;
				_v8 = 0x401368;
				_t108 =  *0x401360;
				_t89 = 0xa;
				_push( &_v96);
				_push( &_v80);
				 *_t98 = _t108;
				asm("fld1");
				 *_t98 = _t108;
				asm("fld1");
				 *_t98 = _t108;
				_v40 = 0;
				_v44 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v132 = 0;
				_v88 = 0x80020004;
				_v96 = _t89;
				_v72 = 0x80020004;
				_v80 = _t89;
				L0040145A();
				L00401526();
				asm("fcomp qword [0x401358]");
				asm("fnstsw ax");
				asm("sahf");
				if(0 != 0) {
					_push(1);
					_pop(0);
				}
				_v140 =  ~0x00000000;
				_push( &_v96);
				_t54 =  &_v80;
				_push(_t54);
				_push(2);
				L00401562();
				if(_v140 != 0) {
					_push( &_v80);
					_v72 = 0x80020004;
					_v80 = _t89;
					L00401454();
					L00401550();
					_push( &_v80);
					_v72 = 0x80020004;
					_v80 = _t89;
					L00401454();
					L00401550();
					_t103 =  *0x43039c; // 0x227e9a4
					if(_t103 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t90 =  *0x43039c; // 0x227e9a4
					_t58 =  *((intOrPtr*)( *_t90 + 0x14))(_t90,  &_v64);
					asm("fclex");
					if(_t58 < 0) {
						_push(0x14);
						_push(0x40397c);
						_push(_t90);
						_push(_t58);
						L0040158C();
					}
					_t59 = _v64;
					_t91 = _t59;
					_t60 =  *((intOrPtr*)( *_t59 + 0x108))(_t59,  &_v132);
					asm("fclex");
					if(_t60 < 0) {
						_push(0x108);
						_push(0x40399c);
						_push(_t91);
						_push(_t60);
						L0040158C();
					}
					L00401586();
					_push(0xd0);
					L004014A8();
					L0040159E();
					_push(_t60);
					_push( &_v60);
					L0040147E();
					_push(0x12e95b);
					_push(0x381fad);
					_t62 =  &_v60;
					_push(_t62);
					_push(0x565bc1);
					E00403708();
					L004014C0();
					_push( &_v60);
					_t54 =  &_v56;
					_push(_t54);
					_push(2);
					L004014D2();
					if( ~(0 | _t62 == 0x00800f06) != 0) {
						_push(0);
						_push(0);
						_t94 = 1;
						_push(_t94);
						L0040144E();
						L00401598();
						L004014FC();
						st0 = _t108;
						_push(_t94);
						_push(_t94);
						_push(_t94);
						_push( &_v80);
						L004014CC();
						_t54 =  &_v80;
						_push(_t54);
						L0040156E();
						L00401598();
						L00401550();
						_push(0x20);
						L00401448();
					}
				}
				_push(0x42f596);
				_v28 =  *0x401350;
				asm("wait");
				L0040154A();
				L0040154A();
				return _t54;
			}

0x0042f34b
0x0042f356
0x0042f357
0x0042f35e
0x0042f367
0x0042f36a
0x0042f371
0x0042f379
0x0042f37d
0x0042f381
0x0042f384
0x0042f389
0x0042f38b
0x0042f391
0x0042f399
0x0042f39c
0x0042f39f
0x0042f3a2
0x0042f3a5
0x0042f3a8
0x0042f3ab
0x0042f3ae
0x0042f3b1
0x0042f3b4
0x0042f3b7
0x0042f3ba
0x0042f3bf
0x0042f3c4
0x0042f3ca
0x0042f3cc
0x0042f3cd
0x0042f3cf
0x0042f3d1
0x0042f3d1
0x0042f3d8
0x0042f3e1
0x0042f3e2
0x0042f3e5
0x0042f3e6
0x0042f3e8
0x0042f3f7
0x0042f400
0x0042f401
0x0042f404
0x0042f407
0x0042f40f
0x0042f417
0x0042f418
0x0042f41b
0x0042f41e
0x0042f426
0x0042f42b
0x0042f431
0x0042f433
0x0042f438
0x0042f43d
0x0042f43d
0x0042f442
0x0042f44f
0x0042f452
0x0042f456
0x0042f458
0x0042f45a
0x0042f45f
0x0042f460
0x0042f461
0x0042f461
0x0042f466
0x0042f470
0x0042f472
0x0042f478
0x0042f47c
0x0042f47e
0x0042f483
0x0042f488
0x0042f489
0x0042f48a
0x0042f48a
0x0042f492
0x0042f497
0x0042f49c
0x0042f4a9
0x0042f4ae
0x0042f4b2
0x0042f4b3
0x0042f4b8
0x0042f4bd
0x0042f4c2
0x0042f4c5
0x0042f4c6
0x0042f4cb
0x0042f4d2
0x0042f4e9
0x0042f4ea
0x0042f4ed
0x0042f4ee
0x0042f4f0
0x0042f4fb
0x0042f4fd
0x0042f4fe
0x0042f501
0x0042f502
0x0042f503
0x0042f50d
0x0042f512
0x0042f517
0x0042f519
0x0042f51a
0x0042f51b
0x0042f51f
0x0042f520
0x0042f525
0x0042f528
0x0042f529
0x0042f533
0x0042f53b
0x0042f540
0x0042f542
0x0042f542
0x0042f4fb
0x0042f54d
0x0042f552
0x0042f555
0x0042f588
0x0042f590
0x0042f595

APIs

#677.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0042F3BA
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0042F3BF
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 0042F3E8
#594.MSVBVM60(?), ref: 0042F407
__vbaFreeVar.MSVBVM60(?), ref: 0042F40F
#594.MSVBVM60(?,?), ref: 0042F41E
__vbaFreeVar.MSVBVM60(?,?), ref: 0042F426
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?), ref: 0042F43D
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042F461
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000108), ref: 0042F48A
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000108), ref: 0042F492
#570.MSVBVM60(000000D0), ref: 0042F49C
__vbaStrCopy.MSVBVM60(000000D0), ref: 0042F4A9
__vbaStrToAnsi.MSVBVM60(?,00000000,000000D0), ref: 0042F4B3
__vbaSetSystemError.MSVBVM60(00565BC1,?,00381FAD,0012E95B,?,00000000,000000D0), ref: 0042F4D2
__vbaFreeStrList.MSVBVM60(00000002,?,?,00565BC1,?,00381FAD,0012E95B,?,00000000,000000D0), ref: 0042F4F0
#706.MSVBVM60(00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F503
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F50D
#535.MSVBVM60(00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F512
#539.MSVBVM60(?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F520
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F529
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F533
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F53B
#569.MSVBVM60(00000020,?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F542
__vbaFreeStr.MSVBVM60(0042F596), ref: 0042F588
__vbaFreeStr.MSVBVM60(0042F596), ref: 0042F590

Strings

CENTERDANNELSER, xrefs: 0042F4A1

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#594CheckHresultList$#535#539#569#570#677#706AnsiCopyErrorNew2System
String ID: CENTERDANNELSER
API String ID: 2334019403-3418901058
Opcode ID: 75014a0e88d59ed38ebe08d054a911f59fe1f28a218bd01490c08c5a535e623e
Instruction ID: 5640d20c43b395a931be496d657480849ef53a4e23664c6bdc037eca2a6021f7
Opcode Fuzzy Hash: 75014a0e88d59ed38ebe08d054a911f59fe1f28a218bd01490c08c5a535e623e
Instruction Fuzzy Hash: 2A5151B1D00218BACB10FF95DC86AEEBBB8EB04704F50453FF506B71A1DA7859458B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F5B1, Relevance: 40.7, APIs: 27, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042F5B1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				long long _v48;
				char _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr* _v148;
				intOrPtr* _t65;
				intOrPtr _t66;
				char* _t68;
				char* _t70;
				char* _t73;
				void* _t75;
				intOrPtr* _t76;
				void* _t77;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr* _t115;
				void* _t117;
				void* _t119;
				intOrPtr _t120;
				intOrPtr _t125;
				intOrPtr _t128;

				_t120 = _t119 - 0xc;
				 *[fs:0x0] = _t120;
				_v16 = _t120 - 0x8c;
				_v12 = 0x401380;
				_v8 = 0;
				_t65 = _a4;
				_t66 =  *((intOrPtr*)( *_t65 + 4))(_t65, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t117);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v48 = 0;
				_v44 = 0;
				_v52 = 0;
				_v56 = 0;
				_v72 = 0;
				_v88 = 0;
				_v104 = 0;
				_v120 = 0;
				_v136 = 0;
				L0040159E();
				_push(0x403be8);
				_push(0x403bf0);
				L00401532();
				L00401598();
				_push(_t66);
				_push(0x403bf0);
				L00401532();
				_v64 = _t66;
				_push( &_v72);
				_t68 =  &_v88;
				_push(_t68);
				_v72 = 8;
				L00401442();
				_push(0x403bf0);
				_push(0x403bf0);
				L00401532();
				_v96 = _t68;
				_push( &_v88);
				_t70 =  &_v104;
				_push(_t70);
				_v104 = 0x8008;
				L004014DE();
				L0040154A();
				_push( &_v104);
				_push( &_v88);
				_t73 =  &_v72;
				_push(_t73);
				_push(3);
				L00401562();
				if(_t70 != 0) {
					L00401580();
					L00401598();
					_t125 =  *0x43039c; // 0x227e9a4
					if(_t125 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t113 =  *0x43039c; // 0x227e9a4
					_t75 =  *((intOrPtr*)( *_t113 + 0x4c))(_t113,  &_v56);
					asm("fclex");
					if(_t75 < 0) {
						_push(0x4c);
						_push(0x40397c);
						_push(_t113);
						_push(_t75);
						L0040158C();
					}
					_t76 = _v56;
					_t114 = _t76;
					_t77 =  *((intOrPtr*)( *_t76 + 0x28))(_t76);
					asm("fclex");
					if(_t77 < 0) {
						_push(0x28);
						_push(0x403a20);
						_push(_t114);
						_push(_t77);
						L0040158C();
					}
					L00401586();
					_push(0);
					_push( &_v72);
					_v64 = 1;
					_v72 = 2;
					L0040143C();
					L00401598();
					L00401550();
					_t128 =  *0x43039c; // 0x227e9a4
					if(_t128 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t115 =  *0x43039c; // 0x227e9a4
					_t80 =  *((intOrPtr*)( *_t115 + 0x1c))(_t115,  &_v56);
					asm("fclex");
					if(_t80 < 0) {
						_push(0x1c);
						_push(0x40397c);
						_push(_t115);
						_push(_t80);
						L0040158C();
					}
					_t81 = _v56;
					_v128 = 0x80020004;
					_v136 = 0xa;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v148 = _t81;
					asm("movsd");
					_t73 =  *((intOrPtr*)( *_t81 + 0x5c))(_t81,  &_v52);
					asm("fclex");
					if(_t73 < 0) {
						_push(0x5c);
						_push(0x4039d4);
						_push(_v148);
						_push(_t73);
						L0040158C();
					}
					_v52 = 0;
					L00401598();
					L00401586();
				}
				_v48 =  *0x401378;
				asm("wait");
				_push(0x42f835);
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t73;
			}

0x0042f5b4
0x0042f5c3
0x0042f5d3
0x0042f5d6
0x0042f5df
0x0042f5e2
0x0042f5e8
0x0042f5f1
0x0042f5f4
0x0042f5f7
0x0042f5fa
0x0042f5fd
0x0042f600
0x0042f603
0x0042f606
0x0042f609
0x0042f60c
0x0042f60f
0x0042f612
0x0042f615
0x0042f61b
0x0042f620
0x0042f62a
0x0042f62b
0x0042f635
0x0042f63a
0x0042f63b
0x0042f63c
0x0042f641
0x0042f647
0x0042f648
0x0042f64b
0x0042f64c
0x0042f653
0x0042f658
0x0042f659
0x0042f65a
0x0042f65f
0x0042f665
0x0042f666
0x0042f669
0x0042f66a
0x0042f671
0x0042f67c
0x0042f684
0x0042f688
0x0042f689
0x0042f68c
0x0042f68d
0x0042f68f
0x0042f69a
0x0042f6a0
0x0042f6aa
0x0042f6af
0x0042f6b5
0x0042f6b7
0x0042f6bc
0x0042f6c1
0x0042f6c1
0x0042f6c6
0x0042f6d3
0x0042f6d6
0x0042f6da
0x0042f6dc
0x0042f6de
0x0042f6e3
0x0042f6e4
0x0042f6e5
0x0042f6e5
0x0042f6ea
0x0042f6f0
0x0042f6f2
0x0042f6f5
0x0042f6f9
0x0042f6fb
0x0042f6fd
0x0042f702
0x0042f703
0x0042f704
0x0042f704
0x0042f70c
0x0042f711
0x0042f715
0x0042f716
0x0042f71d
0x0042f724
0x0042f72e
0x0042f736
0x0042f73b
0x0042f741
0x0042f743
0x0042f748
0x0042f74d
0x0042f74d
0x0042f752
0x0042f75f
0x0042f762
0x0042f766
0x0042f768
0x0042f76a
0x0042f76f
0x0042f770
0x0042f771
0x0042f771
0x0042f776
0x0042f782
0x0042f789
0x0042f79b
0x0042f79c
0x0042f79d
0x0042f79f
0x0042f7a5
0x0042f7a6
0x0042f7ab
0x0042f7ad
0x0042f7af
0x0042f7b1
0x0042f7b6
0x0042f7bc
0x0042f7bd
0x0042f7bd
0x0042f7c8
0x0042f7cb
0x0042f7d3
0x0042f7d3
0x0042f7de
0x0042f7e1
0x0042f7e2
0x0042f817
0x0042f81f
0x0042f827
0x0042f82f
0x0042f834

APIs

__vbaStrCopy.MSVBVM60 ref: 0042F61B
__vbaStrCat.MSVBVM60(00403BF0,00403BE8), ref: 0042F62B
__vbaStrMove.MSVBVM60(00403BF0,00403BE8), ref: 0042F635
__vbaStrCat.MSVBVM60(00403BF0,00000000,00403BF0,00403BE8), ref: 0042F63C
#520.MSVBVM60(?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F653
__vbaStrCat.MSVBVM60(00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F65A
__vbaVarTstNe.MSVBVM60(?,?,00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F671
__vbaFreeStr.MSVBVM60(?,?,00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F67C
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,00008008,?,?,00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F68F
#611.MSVBVM60(00403BE8), ref: 0042F6A0
__vbaStrMove.MSVBVM60(00403BE8), ref: 0042F6AA
__vbaNew2.MSVBVM60(0040398C,0043039C,00403BE8), ref: 0042F6C1
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,0000004C), ref: 0042F6E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A20,00000028), ref: 0042F704
__vbaFreeObj.MSVBVM60(00000000,?,00403A20,00000028), ref: 0042F70C
#705.MSVBVM60(00000008,00000000), ref: 0042F724
__vbaStrMove.MSVBVM60(00000008,00000000), ref: 0042F72E
__vbaFreeVar.MSVBVM60(00000008,00000000), ref: 0042F736
__vbaNew2.MSVBVM60(0040398C,0043039C,00000008,00000000), ref: 0042F74D
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,0000001C), ref: 0042F771
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,0000005C,?,?,?,?,?), ref: 0042F7BD
__vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 0042F7CB
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 0042F7D3
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F817
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F81F
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F827
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F82F

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#520#611#705CopyList
String ID:
API String ID: 3525467279-0
Opcode ID: 314be69f0c9f42b8dfc18160d83e655a2504bcaf188fca841f359b88edf20cc3
Instruction ID: fe4bdecca5232cca4ad7e6b57b50f604aff24db5b98e4763db1eac3e1464df30
Opcode Fuzzy Hash: 314be69f0c9f42b8dfc18160d83e655a2504bcaf188fca841f359b88edf20cc3
Instruction Fuzzy Hash: 46610EB1D01218ABCB10EF95DD86ADEBBB8BF48304F50443EF506BB1A1DB785A058F58

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB97, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042CB97(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v52;
				char _v60;
				intOrPtr _t30;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				char* _t35;
				char* _t36;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr _t61;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t69;

				_t69 = __fp0;
				_push(0x4013a6);
				_t30 =  *[fs:0x0];
				_push(_t30);
				 *[fs:0x0] = _t61;
				_v12 = _t61 - 0x50;
				_v8 = 0x4011a8;
				_push(1);
				_v24 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L00401502();
				if(_t30 != 0x800000) {
					_t64 =  *0x43039c; // 0x227e9a4
					if(_t64 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t56 =  *0x43039c; // 0x227e9a4
					_t32 =  *((intOrPtr*)( *_t56 + 0x14))(_t56,  &_v44);
					asm("fclex");
					if(_t32 < 0) {
						_push(0x14);
						_push(0x40397c);
						_push(_t56);
						_push(_t32);
						L0040158C();
					}
					_t33 = _v44;
					_t57 = _t33;
					_t34 =  *((intOrPtr*)( *_t33 + 0xf8))(_t33,  &_v40);
					asm("fclex");
					if(_t34 < 0) {
						_push(0xf8);
						_push(0x40399c);
						_push(_t57);
						_push(_t34);
						L0040158C();
					}
					_v40 = 0;
					L00401598();
					L00401586();
					L004014FC();
					st0 = _t69;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t35 =  &_v60;
					_push(_t35);
					_v52 = 0;
					_v60 = 2;
					L004014F6();
					L00401598();
					L00401550();
					_t67 =  *0x43039c; // 0x227e9a4
					if(_t67 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t58 =  *0x43039c; // 0x227e9a4
					L004014EA();
					_t36 =  &_v44;
					L004014F0();
					_t30 =  *((intOrPtr*)( *_t58 + 0x40))(_t58, _t36, _t36, _t35, _v36, 0x403a4c, L"Postkassen5");
					asm("fclex");
					if(_t30 < 0) {
						_push(0x40);
						_push(0x40397c);
						_push(_t58);
						_push(_t30);
						L0040158C();
					}
					L00401586();
				}
				asm("wait");
				_push(0x42cd29);
				L0040154A();
				L0040154A();
				L00401586();
				return _t30;
			}

0x0042cb97
0x0042cb9c
0x0042cba1
0x0042cba7
0x0042cba8
0x0042cbb5
0x0042cbb8
0x0042cbc1
0x0042cbc3
0x0042cbc6
0x0042cbc9
0x0042cbcc
0x0042cbcf
0x0042cbd2
0x0042cbd5
0x0042cbdf
0x0042cbe5
0x0042cbeb
0x0042cbed
0x0042cbf2
0x0042cbf7
0x0042cbf7
0x0042cbfc
0x0042cc09
0x0042cc0c
0x0042cc10
0x0042cc12
0x0042cc14
0x0042cc19
0x0042cc1a
0x0042cc1b
0x0042cc1b
0x0042cc20
0x0042cc2a
0x0042cc2c
0x0042cc32
0x0042cc36
0x0042cc38
0x0042cc3d
0x0042cc42
0x0042cc43
0x0042cc44
0x0042cc44
0x0042cc4f
0x0042cc52
0x0042cc5a
0x0042cc5f
0x0042cc64
0x0042cc66
0x0042cc68
0x0042cc6a
0x0042cc6c
0x0042cc6e
0x0042cc71
0x0042cc72
0x0042cc75
0x0042cc7c
0x0042cc86
0x0042cc8e
0x0042cc93
0x0042cc99
0x0042cc9b
0x0042cca0
0x0042cca5
0x0042cca5
0x0042ccaa
0x0042ccbf
0x0042ccc5
0x0042ccc9
0x0042ccd0
0x0042ccd3
0x0042ccd7
0x0042ccd9
0x0042ccdb
0x0042cce0
0x0042cce1
0x0042cce2
0x0042cce2
0x0042ccea
0x0042ccea
0x0042ccef
0x0042ccf0
0x0042cd13
0x0042cd1b
0x0042cd23
0x0042cd28

APIs

#589.MSVBVM60(00000001), ref: 0042CBD5
__vbaNew2.MSVBVM60(0040398C,0043039C,00000001), ref: 0042CBF7
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000014), ref: 0042CC1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC44
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC52
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC5A
#535.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC5F
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042CC7C
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042CC86
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042CC8E
__vbaNew2.MSVBVM60(0040398C,0043039C,?,000000FF,000000FE,000000FE,000000FE), ref: 0042CCA5
__vbaCastObj.MSVBVM60(?,00403A4C,Postkassen5,?,000000FF,000000FE,000000FE,000000FE), ref: 0042CCBF
__vbaObjSet.MSVBVM60(?,00000000,?,00403A4C,Postkassen5,?,000000FF,000000FE,000000FE,000000FE), ref: 0042CCC9
__vbaHresultCheckObj.MSVBVM60(00000000,0227E9A4,0040397C,00000040), ref: 0042CCE2
__vbaFreeObj.MSVBVM60(00000000,0227E9A4,0040397C,00000040), ref: 0042CCEA
__vbaFreeStr.MSVBVM60(0042CD29,00000001), ref: 0042CD13
__vbaFreeStr.MSVBVM60(0042CD29,00000001), ref: 0042CD1B
__vbaFreeObj.MSVBVM60(0042CD29,00000001), ref: 0042CD23

Strings

Postkassen5, xrefs: 0042CCB2

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#535#589#704Cast
String ID: Postkassen5
API String ID: 733272219-3167848707
Opcode ID: 9ba6050dca04e61699f552d8d7038e24c4687e4afef4584abcea8663456b806f
Instruction ID: d2fbb5e92977b8a9f76b7ed366270cce83eb5455a2f784f2b8b98039f494a740
Opcode Fuzzy Hash: 9ba6050dca04e61699f552d8d7038e24c4687e4afef4584abcea8663456b806f
Instruction Fuzzy Hash: A3416670940214BBCB10EF96CC86EEEBBB8AF98714F60052FF406771E1DB785501CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F85A, Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0042F85A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a16) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr* _t24;
				char* _t27;
				char* _t29;
				char* _t32;
				intOrPtr* _t37;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				_v16 = _t43 - 0x34;
				_v12 = 0x401390;
				_v8 = 0;
				_t24 = _a4;
				 *((intOrPtr*)( *_t24 + 4))(_t24, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t40);
				_push( &_v56);
				_push(0);
				_t27 =  &_v64;
				_push(_t27);
				_v40 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				L0040147E();
				_t37 = _a16;
				_push(_t27);
				_push( &_v40);
				_push(0);
				_push( *_t37);
				_t29 =  &_v60;
				_push(_t29);
				L0040147E();
				_push(_t29);
				_push(0);
				E00403694();
				L004014C0();
				_push(_v60);
				_push(_t37);
				L00401436();
				_push(_v64);
				_push( &_v52);
				L00401436();
				_push( &_v64);
				_t32 =  &_v60;
				_push(_t32);
				_push(2);
				L004014D2();
				_push(0x42f91b);
				L0040154A();
				return _t32;
			}

0x0042f85d
0x0042f86c
0x0042f879
0x0042f87c
0x0042f885
0x0042f888
0x0042f88e
0x0042f894
0x0042f895
0x0042f896
0x0042f899
0x0042f89a
0x0042f89d
0x0042f8a0
0x0042f8a3
0x0042f8a6
0x0042f8a9
0x0042f8ac
0x0042f8b1
0x0042f8b4
0x0042f8b8
0x0042f8b9
0x0042f8ba
0x0042f8bc
0x0042f8bf
0x0042f8c0
0x0042f8c5
0x0042f8c6
0x0042f8c7
0x0042f8cc
0x0042f8d1
0x0042f8d4
0x0042f8d5
0x0042f8da
0x0042f8e0
0x0042f8e1
0x0042f8e9
0x0042f8ea
0x0042f8ed
0x0042f8ee
0x0042f8f0
0x0042f8f8
0x0042f915
0x0042f91a

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,?), ref: 0042F8AC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8C0
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8CC
__vbaStrToUnicode.MSVBVM60(?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8D5
__vbaStrToUnicode.MSVBVM60(?,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8E1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000), ref: 0042F8F0
__vbaFreeStr.MSVBVM60(0042F91B), ref: 0042F915

Memory Dump Source

Source File: 00000000.00000002.754988967.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.754975430.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755112323.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.755122133.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.755289932.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiFreeUnicode$ErrorListSystem
String ID:
API String ID: 2476255217-0
Opcode ID: ab57d795cc8bd06970521e6405f7bd7593b2dfef0ae907bfefcd7bfdf8111d12
Instruction ID: 31ac72f5cad0e941787232b945b7e40f42aab6f8b83ea393bdfc72019e895c12
Opcode Fuzzy Hash: ab57d795cc8bd06970521e6405f7bd7593b2dfef0ae907bfefcd7bfdf8111d12
Instruction Fuzzy Hash: CD11E7B1C10218BBCB10EFD5E946EDEBBBCAF08704F50406BF501B3161D7789A058BA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report June-July_Commission_List_Summary-2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 5756 Parent PID: 5832

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 5756 Parent PID: 5832 June-July_Commission_List_Summary-2021.exeCOMMON

Executed Functions

Function 0042CD3C, Relevance: 286.6, APIs: 154, Strings: 9, Instructions: 1341COMMON

Function 004015BC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Function 00403914, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Non-executed Functions

Function 0042CD3C, Relevance: 286.6, APIs: 154, Strings: 9, Instructions: 1341
COMMON

Function 004015BC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Function 004032C4, Relevance: 89.6, APIs: 49, Strings: 2, Instructions: 361
COMMON

Function 0042C7A5, Relevance: 86.1, APIs: 46, Strings: 3, Instructions: 306
COMMON

Function 0042C3C4, Relevance: 70.3, APIs: 39, Strings: 1, Instructions: 304
COMMON

Function 0042F346, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 183
COMMON

Function 0042F5B1, Relevance: 40.7, APIs: 27, Instructions: 188
COMMON

Function 0042CB97, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 119
COMMON

Function 0042F85A, Relevance: 10.6, APIs: 7, Instructions: 63
COMMON