
Windows Analysis Report Sales Order List.exe

Overview

General Information

Sample Name:Sales Order List.exe
Analysis ID:526595
MD5:80bad0903ee7ec98805678673720cfd9
SHA1:35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
SHA256:260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
Tags:exe
Infos:


Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Initial sample is a PE file and has a suspicious name
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • Sales Order List.exe (PID: 2260 cmdline: "C:\Users\user\Desktop\Sales Order List.exe" MD5: 80BAD0903EE7EC98805678673720CFD9)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloads;R"}

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
| 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security | |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloads;R"}
    Multi AV Scanner detection for submitted file
    Source: Sales Order List.exe, ReversingLabs: Detection: 40%
    Machine Learning detection for sample
    Source: Sales Order List.exe, Joe Sandbox ML: detected
    Source: Sales Order List.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=downloads;R
    Source: Sales Order List.exe, String found in binary or memory: http://topqualityfreeware.com
    Source: Sales Order List.exe, String found in binary or memory: http://www.topqualityfreeware.com/

    System Summary:

    Initial sample is a PE file and has a suspicious name
    Source: initial sample, Static PE information: Filename: Sales Order List.exe
    Source: Sales Order List.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Sales Order List.exe, 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
    Source: Sales Order List.exe, Binary or memory string: OriginalFilenameBandies.exe vs Sales Order List.exe
    Source: Sales Order List.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020FDBA3 NtAllocateVirtualMemory, 1_2_020FDBA3
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020FDBDF NtAllocateVirtualMemory, 1_2_020FDBDF
    Source: C:\Users\user\Desktop\Sales Order List.exe, Process Stats: CPU usage > 98%
    Source: Sales Order List.exe, ReversingLabs: Detection: 40%
    Source: Sales Order List.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Sales Order List.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Sales Order List.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\Sales Order List.exe, File created: C:\Users\user\AppData\Local\Temp\~DF904D784913DB7A54.TMP
    Source: classification engine, Classification label: mal84.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match, File source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_00404402 pushfd ; retf 1_2_0040441F
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_00403827 push es; ret 1_2_00403829
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_004044E6 pushfd ; retf 1_2_004044E7
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040A880 pushfd ; ret 1_2_0040A894
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040A101 push edx; retf 1_2_0040A10A
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_00404585 pushfd ; retf 1_2_00404597
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040459A pushfd ; retf 1_2_004045AB
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_004051BF push dword ptr [esi]; iretd 1_2_004051C6
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040665E pushfd ; retf 1_2_0040665F
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040427A pushfd ; retf 1_2_0040427B
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_004062C2 pushfd ; retf 1_2_004062C3
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040A6C2 push ebx; retf 1_2_0040A6CA
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_004072E2 pushfd ; retf 1_2_0040730F
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040434A pushfd ; retf 1_2_0040434B
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_00404336 pushfd ; retf 1_2_00404347
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_0040633E pushfd ; retf 1_2_0040634B
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_004067DF pushfd ; retf 1_2_004067E7
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F3FD5 push ebp; retf 67B7h 1_2_020F5122
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F5FF4 push esp; iretd 1_2_020F5FF5
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F0012 push AE35C959h; retf 1_2_020F001E
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F6479 push esp; iretd 1_2_020F66CA
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F24F2 push 812B1A06h; ret 1_2_020F24FD
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F6573 push esp; iretd 1_2_020F66CA
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020F7198 pushad ; retf 1_2_020F7199
    Source: C:\Users\user\Desktop\Sales Order List.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\Sales Order List.exe, RDTSC instruction interceptor: First address: 00000000021038C0 second address: 00000000021038C0 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5F6A47EFh 0x00000007 xor eax, 22268717h 0x0000000c xor eax, 5FCDF500h 0x00000011 sub eax, 228135F7h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F1730B5F5D7h 0x0000001e lfence 0x00000021 mov edx, 87FFB988h 0x00000026 xor edx, 8DA6BE96h 0x0000002c add edx, 16C465BAh 0x00000032 xor edx, 5EE36CCCh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d test ah, ah 0x0000003f cmp dx, 744Ch 0x00000044 cmp ch, ah 0x00000046 test edx, edx 0x00000048 ret 0x00000049 sub edx, esi 0x0000004b ret 0x0000004c cmp ecx, ebx 0x0000004e add edi, edx 0x00000050 dec dword ptr [ebp+000000F8h] 0x00000056 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000005d jne 00007F1730B5F4EAh 0x0000005f call 00007F1730B5F61Ch 0x00000064 call 00007F1730B5F5F8h 0x00000069 lfence 0x0000006c mov edx, 87FFB988h 0x00000071 xor edx, 8DA6BE96h 0x00000077 add edx, 16C465BAh 0x0000007d xor edx, 5EE36CCCh 0x00000083 mov edx, dword ptr [edx] 0x00000085 lfence 0x00000088 test ah, ah 0x0000008a cmp dx, 744Ch 0x0000008f cmp ch, ah 0x00000091 test edx, edx 0x00000093 ret 0x00000094 mov esi, edx 0x00000096 pushad 0x00000097 rdtsc
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_02103AA0 rdtsc 1_2_02103AA0

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\Sales Order List.exe, Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_02102200 mov eax, dword ptr fs:[00000030h] 1_2_02102200
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_020FD2AD mov eax, dword ptr fs:[00000030h] 1_2_020FD2AD
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_02104F00 mov eax, dword ptr fs:[00000030h] 1_2_02104F00
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_02102DB4 mov eax, dword ptr fs:[00000030h] 1_2_02102DB4
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_02103AA0 rdtsc 1_2_02103AA0
    Source: C:\Users\user\Desktop\Sales Order List.exe, Code function: 1_2_02106B37 RtlAddVectoredExceptionHandler, 1_2_02106B37
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Program Manager
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Progman
    Source: Sales Order List.exe, 00000001.00000002.821708707.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
    | Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
    | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
    | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
    | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    | Source | Detection | Scanner | Label | Link |
    | Sales Order List.exe | 40% | ReversingLabs | Win32.Trojan.GuLoader | |
    | Sales Order List.exe | 100% | Joe Sandbox ML | | |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    | Source | Detection | Scanner | Label | Link |
    | http://topqualityfreeware.com | 0% | Avira URL Cloud | safe | |
    | http://www.topqualityfreeware.com/ | 0% | Avira URL Cloud | safe | |

    Domains and IPs

    Contacted Domains

    No contacted domains info

    URLs from Memory and Binaries

    | Name | Source | Malicious | Antivirus Detection | Reputation |
    | http://topqualityfreeware.com | Sales Order List.exe | false | Avira URL Cloud: safe | unknown |
    | http://www.topqualityfreeware.com/ | Sales Order List.exe | false | Avira URL Cloud: safe | unknown |

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:526595
    Start date:22.11.2021
    Start time:19:29:31
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 30s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Sales Order List.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:19
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal84.troj.evad.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 61% (good quality ratio 46.8%)
    • Quality average: 49.1%
    • Quality standard deviation: 35.6%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes were analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF904D784913DB7A54.TMP
    Process:C:\Users\user\Desktop\Sales Order List.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):4.01191323271951
    Encrypted:false
    SSDEEP:384:wcZ0tADSVlx6JQhynrV7Vr9wrCIM/ZUYVPzBAPN:wcZeADSV/6qhynrV7VxwrrMvqPN
    MD5:6C4C01A4316CD9338DE51EC175EBF11D
    SHA1:8C5D5B07E0ED6AAC72705F516E25BEAEA891EFA0
    SHA-256:95876F7C1242672418DB201C02D70276EE9CC4345394DEAD3500619A39DA28F0
    SHA-512:9F60729E865B0414DB4792F76465EDCE1595D22E884D01C07389A312474D1CE916E4CF73275D5AA0CB411D8EBB0617EF661CD10467AD838FD1B0B388C44823D5
    Malicious:false
    Reputation:low

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.002958856412811
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Sales Order List.exe
    File size:192512
    MD5:80bad0903ee7ec98805678673720cfd9
    SHA1:35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
    SHA256:260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
    SHA512:9a88b4ea27bbc8b83c0722c715c12b3667d6138d27d2fabb315a8a8c4ddcb020962625d1aa75c56d7e2082bbded7ffaa3512b482f1a4ba138d1877a55e848e9b
    SSDEEP:3072:trejCYyLGrRxfFNEv6QN744ndRkHDwLVly5Mrc0yvhXeJ:treiGrRNFMjN6jIVCMrcbeJ
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......G.................0..........L........@....@........

    File Icon

    Icon Hash:0ceefedec6f67c0c

    Static PE Info

    General

    Entrypoint:0x40134c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x47ABAEC7 [Fri Feb 8 01:22:15 2008 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:f27a613fda76c14f4eab7dc0085d799e

    Entrypoint Preview

    Instruction
    push 00407ED4h
    call 00007F17307E2FF3h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx+1Bh], bl
    inc eax
    or ch, FFFFFFE7h
    jc 00007F17307E3047h
    mov ds, word ptr [esi-04881682h]
    cmc
    loop 00007F17307E3002h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax+72h], dh
    outsd
    outsw
    jc 00007F17307E306Fh
    popad
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    add eax, B2E49462h
    outsd
    enter 431Fh, A9h
    pop ebx
    add bl, dh
    jl 00007F17307E2FF1h
    jno 00007F17307E2F92h
    test edi, edx
    and dword ptr [edi], esi
    push ds
    xchg eax, ebp
    pop edx
    dec esi
    xor dword ptr [edx+esi*8-7E5EB600h], 7Eh
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xchg dword ptr [ecx+00h], ebp
    add byte ptr [ebp+00000068h], bl
    or byte ptr [eax], al
    jne 00007F17307E3070h
    je 00007F17307E3063h
    arpl word ptr [ebx+6Ch], bp
    add byte ptr [66000B01h], cl
    imul ebp, dword ptr [edx+6Ch], 00006B6Fh

    Data Directories

    | Name | Virtual Address | Virtual Size | Is in Section |
    | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x23b14 | 0x28 | .text |
    | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x26000 | 0x90bd | .rsrc |
    | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 | |
    | IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x100 | .text |
    | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

    Sections

    | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
    | .text | 0x1000 | 0x22f6c | 0x23000 | False | 0.367292131696 | data | 5.18350124338 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
    | .data | 0x24000 | 0x13f0 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | .rsrc | 0x26000 | 0x90bd | 0xa000 | False | 0.346240234375 | data | 4.35051738239 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

    Resources

    | Name | RVA | Size | Type | Language | Country |
    | CUSTOM | 0x2e7ff | 0x8be | MS Windows icon resource - 1 icon, 32x32, 8 bits/pixel | English | United States |
    | INSTALL | 0x2d385 | 0x8be | MS Windows icon resource - 1 icon, 32x32 | English | United States |
    | INSTALL | 0x2ce82 | 0x503 | ISO-8859 text, with CRLF line terminators | English | United States |
    | SETUP | 0x2e501 | 0x2fe | MS Windows icon resource - 1 icon, 32x32, 16 colors | English | United States |
    | SETUP | 0x2dc43 | 0x8be | MS Windows icon resource - 1 icon, 32x32 | English | United States |
    | RT_ICON | 0x2bfda | 0xea8 | data | | |
    | RT_ICON | 0x2b732 | 0x8a8 | data | | |
    | RT_ICON | 0x2b06a | 0x6c8 | data | | |
    | RT_ICON | 0x2ab02 | 0x568 | GLS_BINARY_LSB_FIRST | | |
    | RT_ICON | 0x2855a | 0x25a8 | dBase III DBT, version number 0, next free block index 40 | | |
    | RT_ICON | 0x274b2 | 0x10a8 | dBase III DBT, version number 0, next free block index 40 | | |
    | RT_ICON | 0x26b2a | 0x988 | dBase III DBT, version number 0, next free block index 40 | | |
    | RT_ICON | 0x266c2 | 0x468 | GLS_BINARY_LSB_FIRST | | |
    | RT_GROUP_ICON | 0x2664c | 0x76 | data | | |
    | RT_VERSION | 0x263a0 | 0x2ac | data | Turkmen | Turkmenistan |

    Imports

    | DLL | Import |
    | MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaVar2Vec, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj |

    Version Infos

    | Description | Data |
    | Translation | 0x0442 0x04b0 |
    | LegalCopyright | Identiv |
    | InternalName | Bandies |
    | FileVersion | 1.00 |
    | CompanyName | Identiv |
    | LegalTrademarks | Identiv |
    | ProductName | Identiv |
    | ProductVersion | 1.00 |
    | FileDescription | Identiv |
    | OriginalFilename | Bandies.exe |

    Possible Origin

    | Language of compilation system | Country where language is spoken | Map |
    | English | United States | |
    | Turkmen | Turkmenistan | |

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage


    Memory Usage


    System Behavior

    General

    Start time:19:30:31
    Start date:22/11/2021
    Path:C:\Users\user\Desktop\Sales Order List.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Sales Order List.exe"
    Imagebase:0x400000
    File size:192512 bytes
    MD5 hash:80BAD0903EE7EC98805678673720CFD9
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis


      Executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %
      • API String ID: 0-1703841086
      • Opcode ID: aa42cfa934b4fc1f0f68717fefb4238eceec3c9b98d31950341398e6c1ade1c8
      • Instruction ID: 005291d74a6c0d1a312280e236e85230f2800a912d13e4728d7520dbbbeaa4a7
      • Opcode Fuzzy Hash: aa42cfa934b4fc1f0f68717fefb4238eceec3c9b98d31950341398e6c1ade1c8
      • Instruction Fuzzy Hash: B902467168478A8FCBB18E69CD517EE3BE2FF49350F04412DCE898B651E3718A42EB41
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • RtlAddVectoredExceptionHandler.NTDLL ref: 021077C9
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID: ExceptionHandlerVectored
      • String ID: ^*I+
      • API String ID: 3310709589-2991286711
      • Opcode ID: 2d0fd0364df44222028e96a39d2c9d011c6e449773f519597e30e97ff8a89c63
      • Instruction ID: 6dfe3816b2c4bd7970683e3f9b2d03e232818c70828050a4c61effecfaebe9f1
      • Opcode Fuzzy Hash: 2d0fd0364df44222028e96a39d2c9d011c6e449773f519597e30e97ff8a89c63
      • Instruction Fuzzy Hash: 3861F371645248CFEB78DF28CDE4BEABBA2BF48350F11456ACD4A8B2D4D370A601CB11
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL ref: 020FDF2B
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 23ba60c57d36d64d541450b9bbbaaeb2881377b9e8db6d379399a53c625df002
      • Instruction ID: 0ff0513db626862d250d3dd73a7e88beb7ee8bc634cbb219b0891f43bf94920e
      • Opcode Fuzzy Hash: 23ba60c57d36d64d541450b9bbbaaeb2881377b9e8db6d379399a53c625df002
      • Instruction Fuzzy Hash: CDD18AB25C8B8017CBE7855AD56A37C7F92F747630F042559CB894AAB3F3635982B202
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E00422A7C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				char _v40;
      				void* _v44;
      				intOrPtr _v48;
      				void* _v52;
      				signed int _v56;
      				char _v60;
      				intOrPtr _v68;
      				char _v76;
      				char _v92;
      				char _v96;
      				char* _v104;
      				char _v112;
      				void* _v116;
      				signed int _v120;
      				intOrPtr* _v124;
      				signed int _v128;
      				signed int _v152;
      				signed int _v156;
      				intOrPtr* _v160;
      				signed int _v164;
      				signed int _v168;
      				intOrPtr* _v172;
      				signed int _v176;
      				intOrPtr* _v180;
      				signed int _v184;
      				char* _t126;
      				char* _t128;
      				signed int _t136;
      				signed int _t141;
      				char* _t146;
      				signed int _t150;
      				signed int _t160;
      				void* _t192;
      				void* _t194;
      				intOrPtr _t195;
      
      				_t195 = _t194 - 0x18;
      				 *[fs:0x0] = _t195;
      				L004011D0();
      				_v28 = _t195;
      				_v24 = 0x401120;
      				_v20 = 0;
      				_v16 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011d6, _t192);
      				_v8 = 1;
      				_v8 = 2;
      				_v104 = L"1-1-1";
      				_v112 = 8;
      				L004012F6();
      				_t126 =  &_v76;
      				_push(_t126); // executed
      				L004012C6(); // executed
      				_v116 =  ~(0 | _t126 != 0x0000ffff);
      				L00401314();
      				if(_v116 != 0) {
      					_v8 = 3;
      					_push(0);
      					L004012C0();
      					_v8 = 4;
      					_push(1);
      					_push(1);
      					_push(1);
      					_push( &_v76);
      					L004012B4();
      					_push( &_v76);
      					L004012BA();
      					L00401302();
      					L00401314();
      					_v8 = 5;
      					_push(0xffffffff);
      					L004012C0();
      					_v8 = 6;
      					if( *0x4245b4 != 0) {
      						_v160 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v160 = 0x4245b4;
      					}
      					_v116 =  *_v160;
      					_t136 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
      					asm("fclex");
      					_v120 = _t136;
      					if(_v120 >= 0) {
      						_v164 = _v164 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v116);
      						_push(_v120);
      						L0040132C();
      						_v164 = _t136;
      					}
      					_v124 = _v60;
      					_t141 =  *((intOrPtr*)( *_v124 + 0xe8))(_v124,  &_v56);
      					asm("fclex");
      					_v128 = _t141;
      					if(_v128 >= 0) {
      						_v168 = _v168 & 0x00000000;
      					} else {
      						_push(0xe8);
      						_push(0x408cbc);
      						_push(_v124);
      						_push(_v128);
      						L0040132C();
      						_v168 = _t141;
      					}
      					_v152 = _v56;
      					_v56 = _v56 & 0x00000000;
      					L00401302();
      					L004012EA();
      					_v8 = 7;
      					_v8 = 8;
      					if( *0x424010 != 0) {
      						_v172 = 0x424010;
      					} else {
      						_push(0x424010);
      						_push(0x4083f4);
      						L00401320();
      						_v172 = 0x424010;
      					}
      					_t146 =  &_v60;
      					L00401326();
      					_v116 = _t146;
      					_t150 =  *((intOrPtr*)( *_v116 + 0x170))(_v116,  &_v56, _t146,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x30c))( *_v172));
      					asm("fclex");
      					_v120 = _t150;
      					if(_v120 >= 0) {
      						_v176 = _v176 & 0x00000000;
      					} else {
      						_push(0x170);
      						_push(0x408cf0);
      						_push(_v116);
      						_push(_v120);
      						L0040132C();
      						_v176 = _t150;
      					}
      					if( *0x4245b4 != 0) {
      						_v180 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v180 = 0x4245b4;
      					}
      					_v124 =  *_v180;
      					_v156 = _v56;
      					_v56 = _v56 & 0x00000000;
      					_v68 = _v156;
      					_v76 = 8;
      					_v104 = 0xc4;
      					_v112 = 2;
      					L004011D0();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					L004011D0();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t160 =  *((intOrPtr*)( *_v124 + 0x38))(_v124, 0x10, 0x10,  &_v92);
      					asm("fclex");
      					_v128 = _t160;
      					if(_v128 >= 0) {
      						_v184 = _v184 & 0x00000000;
      					} else {
      						_push(0x38);
      						_push(0x408c9c);
      						_push(_v124);
      						_push(_v128);
      						L0040132C();
      						_v184 = _t160;
      					}
      					_push( &_v92);
      					_push( &_v96);
      					L004012A8();
      					_push( &_v96);
      					_push( &_v40);
      					L004012AE();
      					L004012EA();
      					_push( &_v92);
      					_push( &_v76);
      					_push(2);
      					L004012CC();
      				}
      				_v8 = 0xa;
      				_v48 = 0x78a6b3;
      				_push(0x422e41);
      				_t128 =  &_v40;
      				_push(_t128);
      				_push(0);
      				L004012A2();
      				L004012F0();
      				L004012F0();
      				return _t128;
      				}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00422A9A
      • __vbaVarDup.MSVBVM60 ref: 00422AE7
      • #557.MSVBVM60(?), ref: 00422AF0
      • __vbaFreeVar.MSVBVM60(?), ref: 00422B07
      • __vbaOnError.MSVBVM60(00000000,?), ref: 00422B21
      • #539.MSVBVM60(?,00000001,00000001,00000001,00000000,?), ref: 00422B37
      • __vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,00000000,?), ref: 00422B40
      • __vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,00000000,?), ref: 00422B4A
      • __vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,00000000,?), ref: 00422B52
      • __vbaOnError.MSVBVM60(000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422B60
      • __vbaNew2.MSVBVM60(00408CAC,004245B4,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422B7F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422BCC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,000000E8,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422C13
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422C3D
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422C45
      • __vbaNew2.MSVBVM60(004083F4,00424010,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422C6B
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422CA4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CF0,00000170,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001), ref: 00422CD9
      • __vbaNew2.MSVBVM60(00408CAC,004245B4,?,?,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001), ref: 00422D00
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000), ref: 00422D58
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000), ref: 00422D69
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000038,?,?,?,?,?,?,?,?,000000FF,?,?,00000001), ref: 00422D9A
      • __vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?,?,00000001), ref: 00422DB6
      • __vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?), ref: 00422DC3
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?), ref: 00422DCB
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?), ref: 00422DDA
      • __vbaAryDestruct.MSVBVM60(00000000,?,00422E41,?), ref: 00422E2B
      • __vbaFreeStr.MSVBVM60(00000000,?,00422E41,?), ref: 00422E33
      • __vbaFreeStr.MSVBVM60(00000000,?,00422E41,?), ref: 00422E3B
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresultMove$ChkstkNew2$Error$#539#557DestructListVar2
      • String ID: 1-1-1
      • API String ID: 3049740634-1550238906
      • Opcode ID: 8289d84fa327fda93b6e5fc61f43223ccaf17ff287e9e600aff7ca42e2cdab33
      • Instruction ID: 4e3134afd626c44e288c54c7b3f32ea1da9953a145a84173d30bce572be3c5fa
      • Opcode Fuzzy Hash: 8289d84fa327fda93b6e5fc61f43223ccaf17ff287e9e600aff7ca42e2cdab33
      • Instruction Fuzzy Hash: D8B1FB70900218EFDB10DFA1D945BDDBBB4BF08304F60406EE505BB2A2D7B95A85DF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E00422244(void* __ebx, void* __edi, void* __esi, signed int _a4) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				short _v28;
      				signed int _v32;
      				char _v36;
      				char _v40;
      				char _v56;
      				char _v60;
      				char _v64;
      				signed int _v68;
      				char _v72;
      				signed int _v76;
      				signed int _v80;
      				intOrPtr* _v84;
      				signed int _v88;
      				signed int _v92;
      				signed int _v104;
      				signed int _v108;
      				signed int _v112;
      				intOrPtr* _v116;
      				signed int _v120;
      				intOrPtr* _v124;
      				signed int _v128;
      				signed int _v132;
      				signed int _v136;
      				signed int _t136;
      				signed int _t140;
      				signed int _t143;
      				signed int _t147;
      				signed int _t151;
      				char* _t155;
      				signed int _t159;
      				signed int _t165;
      				signed int _t171;
      				intOrPtr _t178;
      				void* _t182;
      				void* _t184;
      				intOrPtr _t185;
      
      				_t185 = _t184 - 0xc;
      				 *[fs:0x0] = _t185;
      				L004011D0();
      				_v16 = _t185;
      				_v12 = 0x401100;
      				_v8 = _a4 & 0x00000001;
      				_a4 = _a4 & 0xfffffffe;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4011d6, _t182);
      				_v68 = 0x429ee4;
      				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0x3b28, 0xa572be70, 0x5b03,  &_v68,  &_v60);
      				_v28 = _v60;
      				_t136 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v68);
      				_v76 = _t136;
      				if(_v76 >= 0) {
      					_v104 = _v104 & 0x00000000;
      				} else {
      					_push(0x6f8);
      					_push(0x408b28);
      					_push(_a4);
      					_push(_v76);
      					L0040132C();
      					_v104 = _t136;
      				}
      				_v32 = _v68;
      				_t140 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4);
      				_v76 = _t140;
      				if(_v76 >= 0) {
      					_v108 = _v108 & 0x00000000;
      				} else {
      					_push(0x6fc);
      					_push(0x408b28);
      					_push(_a4);
      					_push(_v76);
      					L0040132C();
      					_v108 = _t140;
      				}
      				_t143 =  *((intOrPtr*)( *_a4 + 0x700))(_a4);
      				_v76 = _t143;
      				if(_v76 >= 0) {
      					_v112 = _v112 & 0x00000000;
      				} else {
      					_push(0x700);
      					_push(0x408b28);
      					_push(_a4);
      					_push(_v76);
      					L0040132C();
      					_v112 = _t143;
      				}
      				if( *0x424010 != 0) {
      					_v116 = 0x424010;
      				} else {
      					_push(0x424010);
      					_push(0x4083f4);
      					L00401320();
      					_v116 = 0x424010;
      				}
      				_t147 =  &_v36;
      				L00401326();
      				_v76 = _t147;
      				_t151 =  *((intOrPtr*)( *_v76 + 0x1f0))(_v76,  &_v60, _t147,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x300))( *_v116));
      				asm("fclex");
      				_v80 = _t151;
      				if(_v80 >= 0) {
      					_v120 = _v120 & 0x00000000;
      				} else {
      					_push(0x1f0);
      					_push(0x408c70);
      					_push(_v76);
      					_push(_v80);
      					L0040132C();
      					_v120 = _t151;
      				}
      				if( *0x424010 != 0) {
      					_v124 = 0x424010;
      				} else {
      					_push(0x424010);
      					_push(0x4083f4);
      					L00401320();
      					_v124 = 0x424010;
      				}
      				_t178 =  *((intOrPtr*)( *_v124));
      				_t155 =  &_v40;
      				L00401326();
      				_v84 = _t155;
      				_t159 =  *((intOrPtr*)( *_v84 + 0x68))(_v84,  &_v68, _t155,  *((intOrPtr*)(_t178 + 0x2fc))( *_v124));
      				asm("fclex");
      				_v88 = _t159;
      				if(_v88 >= 0) {
      					_v128 = _v128 & 0x00000000;
      				} else {
      					_push(0x68);
      					_push(0x408c70);
      					_push(_v84);
      					_push(_v88);
      					L0040132C();
      					_v128 = _t159;
      				}
      				_v72 = 1;
      				_v64 = _v60;
      				_v128 = _v68;
      				_t165 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v64, _t178,  &_v72);
      				_v92 = _t165;
      				if(_v92 >= 0) {
      					_v132 = _v132 & 0x00000000;
      				} else {
      					_push(0x704);
      					_push(0x408b28);
      					_push(_a4);
      					_push(_v92);
      					L0040132C();
      					_v132 = _t165;
      				}
      				L0040131A();
      				_t171 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v56, 2,  &_v36,  &_v40);
      				_v76 = _t171;
      				if(_v76 >= 0) {
      					_v136 = _v136 & 0x00000000;
      				} else {
      					_push(0x708);
      					_push(0x408b28);
      					_push(_a4);
      					_push(_v76);
      					L0040132C();
      					_v136 = _t171;
      				}
      				L00401314();
      				_v8 = 0;
      				asm("wait");
      				_push(0x422543);
      				return _t171;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00422260
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B28,000006F8), ref: 004222EE
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B28,000006FC), ref: 00422329
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B28,00000700), ref: 0042235E
      • __vbaNew2.MSVBVM60(004083F4,00424010), ref: 0042237F
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004223AC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C70,000001F0), ref: 004223E1
      • __vbaNew2.MSVBVM60(004083F4,00424010), ref: 00422402
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0042242F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C70,00000068), ref: 0042245E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B28,00000704,?,00000001), ref: 004224B1
      • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000001), ref: 004224C9
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B28,00000708), ref: 004224FC
      • __vbaFreeVar.MSVBVM60(00000000,00401100,00408B28,00000708), ref: 00422513
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$CheckHresult$FreeNew2$ChkstkList
      • String ID:
      • API String ID: 3534970231-0
      • Opcode ID: 697585648fb6386f5e5ebecc943820df79a3bab7f95c54a004c606c167a5a12e
      • Instruction ID: 362f5535003ea26561ce290810f9ccf2a6ccfba8f50352797758a47fdc3380f0
      • Opcode Fuzzy Hash: 697585648fb6386f5e5ebecc943820df79a3bab7f95c54a004c606c167a5a12e
      • Instruction Fuzzy Hash: A2A1F374A00218EFDB10DFA0D949BDDBBB4FF08305F60406AF905AB2A1C7B96985DF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E0042377D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr _v44;
      				intOrPtr _v52;
      				intOrPtr _v60;
      				intOrPtr _v68;
      				char _v72;
      				signed int _v76;
      				signed int _v84;
      				signed int _v88;
      				signed int _t50;
      				signed int _t62;
      				void* _t67;
      				void* _t74;
      				intOrPtr _t76;
      
      				_t67 = __edx;
      				 *[fs:0x0] = _t76;
      				L004011D0();
      				_v12 = _t76;
      				_v8 = 0x4011b8;
      				L00401266();
      				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4011d6, __ecx, __ecx, _t74);
      				asm("fclex");
      				_v76 = _t50;
      				if(_v76 >= 0) {
      					_v84 = _v84 & 0x00000000;
      				} else {
      					_push(0x58);
      					_push(0x408af8);
      					_push(_a4);
      					_push(_v76);
      					L0040132C();
      					_v84 = _t50;
      				}
      				_v32 = _v72;
      				L00401266();
      				L00401260();
      				_v28 = E0042392D( &_v36);
      				L004012EA();
      				_v32 = E0042392D(_v28) + 0x2b0;
      				E004239E4(_t67, _v32, _a8);
      				_v60 = 0x80020004;
      				_v68 = 0xa;
      				_v44 = 0x80020004;
      				_v52 = 0xa;
      				L004011D0();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				L004011D0();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
      				asm("fclex");
      				_v76 = _t62;
      				if(_v76 >= 0) {
      					_v88 = _v88 & 0x00000000;
      				} else {
      					_push(0x2b0);
      					_push(0x408af8);
      					_push(_a4);
      					_push(_v76);
      					L0040132C();
      					_v88 = _t62;
      				}
      				_push(0x4238c0);
      				L004012EA();
      				return _t62;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00423798
      • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,004011D6), ref: 004237B1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408AF8,00000058), ref: 004237DD
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004237F8
      • #644.MSVBVM60(?,?,?), ref: 00423801
      • __vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00423812
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00423851
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00423862
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408AF8,000002B0), ref: 00423899
      • __vbaFreeObj.MSVBVM60(004238C0), ref: 004238BA
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
      • String ID:
      • API String ID: 1032928638-0
      • Opcode ID: fd2483462af37a4493efebddf5acafb1263c853b5a530182b9c9080521bf8ff9
      • Instruction ID: be32d4f7997b24bdd8f7623c0f1caf92c41181636c1eeec608087b89cdf7e5d7
      • Opcode Fuzzy Hash: fd2483462af37a4493efebddf5acafb1263c853b5a530182b9c9080521bf8ff9
      • Instruction Fuzzy Hash: 5A4109B1900619AFDF01EFA1D846B9EBBB5FF08305F10402AF500BB1A1C7BD5645DB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E00423647(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v40;
      				char _v72;
      				char _v88;
      				intOrPtr _v96;
      				intOrPtr _v104;
      				signed int _v108;
      				signed int _v120;
      				signed int _t42;
      				char* _t46;
      				void* _t49;
      				void* _t59;
      				void* _t61;
      				intOrPtr _t62;
      
      				_t62 = _t61 - 0xc;
      				 *[fs:0x0] = _t62;
      				L004011D0();
      				_v16 = _t62;
      				_v12 = 0x4011a8;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x4011d6, _t59);
      				 *_a8 =  *_a8 & 0x00000000;
      				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
      				asm("fclex");
      				_v108 = _t42;
      				if(_v108 >= 0) {
      					_v120 = _v120 & 0x00000000;
      				} else {
      					_push(0x2b4);
      					_push(0x408af8);
      					_push(_a4);
      					_push(_v108);
      					L0040132C();
      					_v120 = _t42;
      				}
      				E0042396D();
      				_v96 = 2;
      				_v104 = 2;
      				L004012E4();
      				_v96 = 0x812390;
      				_v104 = 3;
      				L004012E4();
      				_t46 =  &_v88;
      				L0040126C();
      				L00401272();
      				_t49 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
      				_push(0x423754);
      				L00401314();
      				L00401314();
      				return _t49;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00423663
      • __vbaHresultCheckObj.MSVBVM60(00000000,004011A8,00408AF8,000002B4), ref: 004236B6
      • __vbaVarMove.MSVBVM60(00000000,004011A8,00408AF8,000002B4), ref: 004236DD
      • __vbaVarMove.MSVBVM60(00000000,004011A8,00408AF8,000002B4), ref: 004236F6
      • __vbaVarIdiv.MSVBVM60(?,?,?), ref: 00423707
      • __vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0042370D
      • __vbaFreeVar.MSVBVM60(00423754), ref: 00423746
      • __vbaFreeVar.MSVBVM60(00423754), ref: 0042374E
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp Download File
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$FreeMove$CheckChkstkHresultIdiv
      • String ID:
      • API String ID: 3577542843-0
      • Opcode ID: 62af55b937da4704ba8e5d57ec6a01f7b6c6b376cb2e7cbe6282b890398f861a
      • Instruction ID: a8443ba4ad4fae42731f565af1ac580ae5b3f90a7c74495a7dc8c3ec517f3709
      • Opcode Fuzzy Hash: 62af55b937da4704ba8e5d57ec6a01f7b6c6b376cb2e7cbe6282b890398f861a
      • Instruction Fuzzy Hash: A231E871900208AFDF00EFA5C949BCDBBB8BF04705F50806AF505BB2A1C778AA45CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 18%
      			_entry_(signed int __eax, signed int __ebx, signed int __ecx, void* __edx, intOrPtr* __edi, void* __esi) {
      				intOrPtr* _t128;
      				void* _t129;
      				intOrPtr* _t131;
      				signed char _t132;
      				signed int _t133;
      				signed char _t134;
      				signed char _t135;
      				signed int _t146;
      				intOrPtr* _t148;
      				signed char _t158;
      				intOrPtr* _t159;
      				signed int _t161;
      				signed char _t166;
      				void* _t167;
      				intOrPtr* _t168;
      				intOrPtr* _t170;
      				void* _t171;
      				void* _t177;
      				signed int _t178;
      				intOrPtr* _t181;
      				signed int _t183;
      				void* _t185;
      
      				_t177 = __esi;
      				_t170 = __edi;
      				_t146 = __ebx;
      				_push("VB5!6&*"); // executed
      				L2(); // executed
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax ^ __eax;
      				 *__eax =  *__eax + __eax;
      				_t128 = __eax + 1;
      				 *_t128 =  *_t128 + _t128;
      				 *_t128 =  *_t128 + _t128;
      				 *_t128 =  *_t128 + _t128;
      				 *((intOrPtr*)(__ecx + 0x1b)) =  *((intOrPtr*)(__ecx + 0x1b)) + __ebx;
      				_t129 = _t128 + 1;
      				_t158 = __ecx | 0x000000e7;
      				if(_t158 < 0) {
      					L8:
      					_t166 = ds;
      					_t178 = _t177 - 1;
      					 *(_t166 + _t178 * 8 - 0x7e5eb600) =  *(_t166 + _t178 * 8 - 0x7e5eb600) ^ 0x0000007e;
      					__eflags = _t158 -  *((intOrPtr*)(_t170 - 0x53));
      					_t131 = _t181;
      					asm("stosb");
      					 *((intOrPtr*)(_t131 - 0x2d)) =  *((intOrPtr*)(_t131 - 0x2d)) + _t131;
      					_t132 = _t146 ^  *(_t158 - 0x48ee309a);
      					_t148 = _t131;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 + _t132;
      					_t183 =  *_t158;
      					 *_t158 = _t129;
      					_t21 = _t183 + 0x68;
      					 *_t21 =  *(_t183 + 0x68) + _t148;
      					__eflags =  *_t21;
      				} else {
      					ds =  *((intOrPtr*)(__esi - 0x4881682));
      					asm("cmc");
      					asm("loop 0x2");
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__ecx =  *__ecx + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					_t4 = __eax + 0x72;
      					 *_t4 =  *(__eax + 0x72) + __dh;
      					__eflags =  *_t4;
      					asm("outsd");
      					asm("outsw");
      					if( *_t4 >= 0) {
      						asm("popad");
      						 *__eax =  *__eax + __al;
      						 *__eax =  *__eax + __al;
      						 *__eax =  *__eax + __al;
      						 *__eax =  *__eax + __al;
      						 *__eax =  *__eax + __al;
      						 *__eax =  *__eax + __al;
      						__eflags =  *__eax;
      						__esp = __esp - 1;
      						do {
      							 *__eax =  *__eax ^ __eax;
      							__eax = __eax + 0xb2e49462;
      							asm("outsd");
      							asm("enter 0x431f, 0xa9");
      							_pop(__ebx);
      							__bl = __bl + __dh;
      							__eflags = __bl;
      						} while (__eflags < 0);
      						if(__eflags >= 0) {
      							asm("adc [eax], al");
      							return __imp__#100();
      						}
      						__eflags = __edi & __edx;
      						 *__edi =  *__edi & __esi;
      						__eflags =  *__edi;
      						goto L8;
      					}
      				}
      				 *_t132 =  *_t132 + _t132;
      				 *_t132 =  *_t132 | _t132;
      				__eflags =  *_t132;
      				if(__eflags == 0) {
      					if(__eflags != 0) {
      						asm("arpl [ebx+0x6c], bp");
      						 *[gs:0x66000b01] =  *[gs:0x66000b01] + _t158;
      						_t183 =  *(_t166 + 0x6c) * 0x656b6b6f;
      						asm("outsb");
      						 *[gs:ecx] =  *[gs:ecx] + _t148;
      						 *_t132 =  *_t132 + _t132;
      						_t166 = _t166 + 1;
      						 *_t148 =  *_t148 + _t132;
      						_push(0x746c0000);
      						 *_t132 =  *_t132 + _t132;
      						_t178 = _t178 - 1 + 1;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 | _t132;
      						 *_t132 =  *_t132 ^ _t166;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 | _t132;
      						__eflags = _t132 & 0x0000000e;
      						 *_t132 =  *_t132 + _t132;
      						_t26 = _t132;
      						_t132 =  *_t132;
      						 *_t132 = _t26;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 & _t132;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 | _t132;
      						__eflags = _t132 & 0x00000008;
      						 *_t132 =  *_t132 + _t132;
      						asm("sldt word [cs:eax]");
      						asm("sbb [eax], bl");
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 + _t132;
      						 *_t132 =  *_t132 | _t132;
      						asm("enter 0x6, 0x0");
      						asm("salc");
      						ss = 0;
      						 *_t132 =  *_t132 + _t132;
      						asm("adc [eax], dl");
      						 *_t132 =  *_t132 + _t132;
      						__eflags =  *_t132;
      					}
      					 *_t132 =  *_t132 + _t132;
      					 *_t132 =  *_t132 | _t132;
      					_push(0x9e000005);
      					_push(ds);
      					 *_t132 =  *_t132 + _t132;
      					__eflags =  *_t132;
      				}
      				 *_t132 =  *_t132 + _t166;
      				 *_t132 =  *_t132 ^ _t132;
      				 *_t158 =  *_t158 + _t132;
      				 *_t132 =  *_t132 + _t132;
      				 *((intOrPtr*)(_t132 + 0x6000025)) =  *((intOrPtr*)(_t132 + 0x6000025)) + _t158;
      				_t133 = _t132 & 0x00000000;
      				 *_t133 =  *_t133 + _t133;
      				 *_t133 =  *_t133 & _t133;
      				 *_t158 =  *_t158 + _t133;
      				 *_t133 =  *_t133 + _t133;
      				 *((intOrPtr*)(_t133 - 0x51fffff0)) =  *((intOrPtr*)(_t133 - 0x51fffff0)) + _t158;
      				_t159 = _t158 - 1;
      				 *_t133 =  *_t133 + _t133;
      				asm("sbb [eax], bl");
      				 *_t133 =  *_t133 + _t133;
      				__eflags =  *_t133;
      				do {
      					 *_t159 =  *_t159 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *((intOrPtr*)(_t133 + 0x56000009)) =  *((intOrPtr*)(_t133 + 0x56000009)) + _t159;
      					_pop(_t167);
      					 *_t133 =  *_t133 + _t133;
      					asm("adc [eax], dl");
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 & _t133;
      					_push(0xde000004);
      					asm("arpl [eax], ax");
      					 *_t133 =  *_t133 + _t159;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t167;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 | _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *((intOrPtr*)(_t185 + _t133 * 4)) =  *((intOrPtr*)(_t185 + _t133 * 4)) + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *_t133 =  *_t133 + _t133;
      					 *((intOrPtr*)(_t159 - 0x479eff32)) =  *((intOrPtr*)(_t159 - 0x479eff32)) + _t133;
      					asm("aam 0x0");
      					 *((intOrPtr*)(_t167 - 0x1038ff4b)) =  *((intOrPtr*)(_t167 - 0x1038ff4b)) + _t159;
      					asm("cli");
      					 *_t159 =  *_t159 + _t159;
      					asm("invalid");
      					 *_t133 =  *_t133 + _t133;
      					__eflags =  *_t133;
      				} while ( *_t133 != 0);
      				 *_t133 =  *_t133 + _t133;
      				__eflags =  *_t133;
      				_t168 = _t167 + _t133;
      				asm("stc");
      				 *((intOrPtr*)(_t168 + 0x3100f1e1)) =  *((intOrPtr*)(_t168 + 0x3100f1e1)) + _t159;
      				_t134 =  *0xde5b00c6;
      				 *_t134 =  *_t134 + 1;
      				 *((intOrPtr*)(_t183 + _t134 * 8 - 0xc8c00)) =  *((intOrPtr*)(_t183 + _t134 * 8 - 0xc8c00)) + _t168;
      				 *_t159 =  *_t159 + _t134;
      				asm("iretd");
      				asm("cmc");
      				 *_t134 =  *_t134 + _t134;
      				 *_t134 =  *_t134 + _t134;
      				 *((char*)(_t134 - 0x520ba00)) =  *((char*)(_t134 - 0x520ba00));
      				_t135 = _t134 ^ 0x000000c2;
      				goto 0xef1b7028;
      				 *_t170 =  *_t170 + 0xe1;
      				_t171 = _t135 - 0xf9500;
      				 *_t135 =  *_t135 + _t135;
      				_t161 =  *(_t135 + _t135 + 0xc89a00) * 0x1d;
      				 *_t168 =  *_t168 + _t168;
      				 *_t135 =  *_t135 + _t135;
      				asm("invalid");
      				 *((intOrPtr*)(_t183 - 0x1c)) =  *((intOrPtr*)(_t183 - 0x1c)) + _t168;
      				 *_t135 =  *_t135 + 1;
      				asm("aam 0xe7");
      				goto L18;
      				asm("in al, 0xff");
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %(m $C$P+^$i"]^$k=+$rS$w-:g
      • API String ID: 0-1568359141
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: C$P+^$i"]^$rS$w-:g
      • API String ID: 0-3740240710
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: C$P+^$i"]^$rS$w-:g
      • API String ID: 2167126740-3740240710
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: C$P+^$i"]^$rS$w-:g
      • API String ID: 0-3740240710
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: 5u+d${;
      • API String ID: 0-2885711555
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: 5u+d${;
      • API String ID: 0-2885711555
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: {;
      • API String ID: 0-3259316422
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %
      • API String ID: 0-1703841086
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: (
      • API String ID: 0-3887548279
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.821817884.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E00422562(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v24;
      				short _v28;
      				void* _v32;
      				void* _v48;
      				long long _v56;
      				signed int _v60;
      				short _v64;
      				signed int _v68;
      				char _v72;
      				char _v88;
      				char _v104;
      				char* _v112;
      				intOrPtr _v120;
      				void* _v124;
      				void* _v128;
      				signed int _v132;
      				signed int _v136;
      				void* _v140;
      				signed int _v144;
      				signed int _v152;
      				signed int _v156;
      				signed int _v160;
      				intOrPtr* _v164;
      				signed int _v168;
      				signed int _v172;
      				intOrPtr* _v176;
      				signed int _v180;
      				signed int _v184;
      				intOrPtr* _v188;
      				signed int _v192;
      				signed int _v196;
      				intOrPtr* _v200;
      				signed int _v204;
      				signed int _t169;
      				signed int _t170;
      				signed int _t178;
      				signed int _t182;
      				short _t183;
      				signed int _t189;
      				signed int _t194;
      				signed int _t201;
      				signed int _t206;
      				signed int _t213;
      				signed int _t218;
      				void* _t254;
      				intOrPtr _t256;
      				long long _t271;
      
      				 *[fs:0x0] = _t256;
      				L004011D0();
      				_v12 = _t256;
      				_v8 = 0x401110;
      				_t169 =  *((intOrPtr*)( *_a4 + 0xe8))(_a4,  &_v128, __edi, __esi, __ebx,  *[fs:0x0], 0x4011d6, __ecx, __ecx, _t254);
      				asm("fclex");
      				_v132 = _t169;
      				if(_v132 >= 0) {
      					_v160 = _v160 & 0x00000000;
      				} else {
      					_push(0xe8);
      					_push(0x408af8);
      					_push(_a4);
      					_push(_v132);
      					L0040132C();
      					_v160 = _t169;
      				}
      				_t271 = _v128;
      				L0040130E();
      				_v60 = _t169;
      				_v112 = 0x408c84;
      				_v120 = 8;
      				L004012F6();
      				_t170 =  &_v88;
      				_push(_t170);
      				L004012FC();
      				L00401302();
      				_push(_t170);
      				_push(0);
      				L00401308();
      				asm("sbb eax, eax");
      				_v132 =  ~( ~_t170 + 1);
      				L004012F0();
      				L00401314();
      				if(_v132 != 0) {
      					if( *0x4245b4 != 0) {
      						_v164 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v164 = 0x4245b4;
      					}
      					_v132 =  *_v164;
      					_t189 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v72);
      					asm("fclex");
      					_v136 = _t189;
      					if(_v136 >= 0) {
      						_v168 = _v168 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v132);
      						_push(_v136);
      						L0040132C();
      						_v168 = _t189;
      					}
      					_v140 = _v72;
      					_t194 =  *((intOrPtr*)( *_v140 + 0x68))(_v140,  &_v124);
      					asm("fclex");
      					_v144 = _t194;
      					if(_v144 >= 0) {
      						_v172 = _v172 & 0x00000000;
      					} else {
      						_push(0x68);
      						_push(0x408cbc);
      						_push(_v140);
      						_push(_v144);
      						L0040132C();
      						_v172 = _t194;
      					}
      					_v64 = _v124;
      					L004012EA();
      					if( *0x4245b4 != 0) {
      						_v176 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v176 = 0x4245b4;
      					}
      					_v132 =  *_v176;
      					_t201 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v72);
      					asm("fclex");
      					_v136 = _t201;
      					if(_v136 >= 0) {
      						_v180 = _v180 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v132);
      						_push(_v136);
      						L0040132C();
      						_v180 = _t201;
      					}
      					_v140 = _v72;
      					_t206 =  *((intOrPtr*)( *_v140 + 0xd0))(_v140,  &_v68);
      					asm("fclex");
      					_v144 = _t206;
      					if(_v144 >= 0) {
      						_v184 = _v184 & 0x00000000;
      					} else {
      						_push(0xd0);
      						_push(0x408cbc);
      						_push(_v140);
      						_push(_v144);
      						L0040132C();
      						_v184 = _t206;
      					}
      					_v152 = _v68;
      					_v68 = _v68 & 0x00000000;
      					L00401302();
      					L004012EA();
      					if( *0x4245b4 != 0) {
      						_v188 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v188 = 0x4245b4;
      					}
      					_v132 =  *_v188;
      					_t213 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v72);
      					asm("fclex");
      					_v136 = _t213;
      					if(_v136 >= 0) {
      						_v192 = _v192 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v132);
      						_push(_v136);
      						L0040132C();
      						_v192 = _t213;
      					}
      					_v140 = _v72;
      					_t218 =  *((intOrPtr*)( *_v140 + 0x110))(_v140,  &_v68);
      					asm("fclex");
      					_v144 = _t218;
      					if(_v144 >= 0) {
      						_v196 = _v196 & 0x00000000;
      					} else {
      						_push(0x110);
      						_push(0x408cbc);
      						_push(_v140);
      						_push(_v144);
      						L0040132C();
      						_v196 = _t218;
      					}
      					_v156 = _v68;
      					_v68 = _v68 & 0x00000000;
      					L00401302();
      					L004012EA();
      					_push( &_v88);
      					L004012D8();
      					_push(1);
      					_push( &_v88);
      					_push( &_v104);
      					L004012DE();
      					L004012E4();
      					L00401314();
      					_v112 = L"UNCHIC";
      					_v120 = 8;
      					L004012F6();
      					_push(2);
      					_push( &_v88);
      					L004012D2();
      					_v56 = _t271;
      					L00401314();
      				}
      				if( *0x424010 != 0) {
      					_v200 = 0x424010;
      				} else {
      					_push(0x424010);
      					_push(0x4083f4);
      					L00401320();
      					_v200 = 0x424010;
      				}
      				_t178 =  &_v72;
      				L00401326();
      				_v132 = _t178;
      				_t182 =  *((intOrPtr*)( *_v132 + 0xf8))(_v132,  &_v124, _t178,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x2fc))( *_v200));
      				asm("fclex");
      				_v136 = _t182;
      				if(_v136 >= 0) {
      					_v204 = _v204 & 0x00000000;
      				} else {
      					_push(0xf8);
      					_push(0x408c70);
      					_push(_v132);
      					_push(_v136);
      					L0040132C();
      					_v204 = _t182;
      				}
      				_t183 = _v124;
      				_v28 = _t183;
      				L004012EA();
      				asm("wait");
      				_push(0x422a5f);
      				L004012F0();
      				L004012F0();
      				L00401314();
      				return _t183;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 0042257F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408AF8,000000E8), ref: 004225BE
      • __vbaFpI4.MSVBVM60(00000000,?,00408AF8,000000E8), ref: 004225D5
      • __vbaVarDup.MSVBVM60(00000000,?,00408AF8,000000E8), ref: 004225F1
      • #667.MSVBVM60(?), ref: 004225FA
      • __vbaStrMove.MSVBVM60(?), ref: 00422604
      • __vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 0042260C
      • __vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 0042261F
      • __vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 00422627
      • __vbaNew2.MSVBVM60(00408CAC,004245B4,00000000,00000000,?), ref: 0042264B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C9C,00000014), ref: 004226A1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000068), ref: 004226F7
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,00000068), ref: 00422716
      • __vbaNew2.MSVBVM60(00408CAC,004245B4), ref: 0042272E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C9C,00000014), ref: 00422784
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,000000D0), ref: 004227E0
      • __vbaStrMove.MSVBVM60(00000000,?,00408CBC,000000D0), ref: 0042280A
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,000000D0), ref: 00422812
      • __vbaNew2.MSVBVM60(00408CAC,004245B4), ref: 0042282A
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C9C,00000014), ref: 00422880
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000110), ref: 004228DC
      • __vbaStrMove.MSVBVM60(00000000,?,00408CBC,00000110), ref: 00422906
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,00000110), ref: 0042290E
      • #610.MSVBVM60(?), ref: 00422917
      • #552.MSVBVM60(?,?,00000001,?), ref: 00422926
      • __vbaVarMove.MSVBVM60(?,?,00000001,?), ref: 00422931
      • __vbaFreeVar.MSVBVM60(?,?,00000001,?), ref: 00422939
      • __vbaVarDup.MSVBVM60(?,?,00000001,?), ref: 00422952
      • #600.MSVBVM60(?,00000002,?,?,00000001,?), ref: 0042295D
      • __vbaFreeVar.MSVBVM60(?,00000002,?,?,00000001,?), ref: 00422968
      • __vbaNew2.MSVBVM60(004083F4,00424010,00000000,00000000,?), ref: 00422980
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004229B9
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C70,000000F8,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004229F7
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422A16
      • __vbaFreeStr.MSVBVM60(00422A5F,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422A49
      • __vbaFreeStr.MSVBVM60(00422A5F,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422A51
      • __vbaFreeVar.MSVBVM60(00422A5F,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422A59
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresult$MoveNew2$#552#600#610#667Chkstk
      • String ID: UNCHIC$tmp
      • API String ID: 1871007200-2985027313
      • Opcode ID: e8ed69c5d4cb3e5641430d0c5eb1099dd350815be80d91f22b9016e797b022d2
      • Instruction ID: 4689f02a586e35509ea4660b7499a8e4416324732cf26f479c06a7db82230cc1
      • Opcode Fuzzy Hash: e8ed69c5d4cb3e5641430d0c5eb1099dd350815be80d91f22b9016e797b022d2
      • Instruction Fuzzy Hash: F1E1EA70A00228EFDB20EFA5DD45BDDB7B4BF14308F5080AAE549B71A1DB785A85DF18
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E00423303(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				short _v32;
      				void* _v36;
      				signed int _v40;
      				char _v44;
      				intOrPtr _v52;
      				char _v60;
      				void* _v80;
      				void* _v84;
      				signed int _v88;
      				void* _v92;
      				signed int _v96;
      				signed int _v108;
      				signed int _v112;
      				intOrPtr* _v116;
      				signed int _v120;
      				signed int _v124;
      				intOrPtr* _v128;
      				signed int _v132;
      				signed int _v136;
      				intOrPtr* _v140;
      				signed int _v144;
      				signed int _t117;
      				char* _t121;
      				signed int _t127;
      				signed int _t132;
      				signed int _t139;
      				signed int _t144;
      				char* _t149;
      				signed int _t153;
      				void* _t176;
      				void* _t178;
      				intOrPtr _t179;
      
      				_t179 = _t178 - 0xc;
      				 *[fs:0x0] = _t179;
      				L004011D0();
      				_v16 = _t179;
      				_v12 = 0x401198;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4011d6, _t176);
      				_v52 = 0x4b;
      				_v60 = 2;
      				_t117 =  &_v60;
      				_push(_t117);
      				L00401284();
      				L00401302();
      				_push(_t117);
      				_push(0x408d0c);
      				L00401308();
      				asm("sbb eax, eax");
      				_v84 =  ~( ~( ~_t117));
      				L004012F0();
      				L00401314();
      				_t121 = _v84;
      				if(_t121 != 0) {
      					_push(L"COINVENTORS");
      					_push(L"Teknologiseringers2");
      					_push(L"ACHOO");
      					_push(L"garantien");
      					L0040127E();
      					L00401278();
      					if( *0x4245b4 != 0) {
      						_v116 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v116 = 0x4245b4;
      					}
      					_v84 =  *_v116;
      					_t127 =  *((intOrPtr*)( *_v84 + 0x14))(_v84,  &_v44);
      					asm("fclex");
      					_v88 = _t127;
      					if(_v88 >= 0) {
      						_v120 = _v120 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v84);
      						_push(_v88);
      						L0040132C();
      						_v120 = _t127;
      					}
      					_v92 = _v44;
      					_t132 =  *((intOrPtr*)( *_v92 + 0x78))(_v92,  &_v80);
      					asm("fclex");
      					_v96 = _t132;
      					if(_v96 >= 0) {
      						_v124 = _v124 & 0x00000000;
      					} else {
      						_push(0x78);
      						_push(0x408cbc);
      						_push(_v92);
      						_push(_v96);
      						L0040132C();
      						_v124 = _t132;
      					}
      					_v32 = _v80;
      					L004012EA();
      					if( *0x4245b4 != 0) {
      						_v128 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v128 = 0x4245b4;
      					}
      					_v84 =  *_v128;
      					_t139 =  *((intOrPtr*)( *_v84 + 0x14))(_v84,  &_v44);
      					asm("fclex");
      					_v88 = _t139;
      					if(_v88 >= 0) {
      						_v132 = _v132 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v84);
      						_push(_v88);
      						L0040132C();
      						_v132 = _t139;
      					}
      					_v92 = _v44;
      					_t144 =  *((intOrPtr*)( *_v92 + 0x110))(_v92,  &_v40);
      					asm("fclex");
      					_v96 = _t144;
      					if(_v96 >= 0) {
      						_v136 = _v136 & 0x00000000;
      					} else {
      						_push(0x110);
      						_push(0x408cbc);
      						_push(_v92);
      						_push(_v96);
      						L0040132C();
      						_v136 = _t144;
      					}
      					_v108 = _v40;
      					_v40 = _v40 & 0x00000000;
      					L00401302();
      					L004012EA();
      					if( *0x424010 != 0) {
      						_v140 = 0x424010;
      					} else {
      						_push(0x424010);
      						_push(0x4083f4);
      						L00401320();
      						_v140 = 0x424010;
      					}
      					_t149 =  &_v44;
      					L00401326();
      					_v84 = _t149;
      					_t153 =  *((intOrPtr*)( *_v84 + 0x50))(_v84,  &_v40, _t149,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x304))( *_v140));
      					asm("fclex");
      					_v88 = _t153;
      					if(_v88 >= 0) {
      						_v144 = _v144 & 0x00000000;
      					} else {
      						_push(0x50);
      						_push(0x408cf0);
      						_push(_v84);
      						_push(_v88);
      						L0040132C();
      						_v144 = _t153;
      					}
      					_v112 = _v40;
      					_v40 = _v40 & 0x00000000;
      					_v52 = _v112;
      					_v60 = 8;
      					_t121 =  &_v60;
      					_push(_t121);
      					L004012FC();
      					L00401302();
      					L004012EA();
      					L00401314();
      				}
      				_push(0x423628);
      				L004012F0();
      				L004012F0();
      				return _t121;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 0042331F
      • #572.MSVBVM60(00000002), ref: 00423355
      • __vbaStrMove.MSVBVM60(00000002), ref: 0042335F
      • __vbaStrCmp.MSVBVM60(00408D0C,00000000,00000002), ref: 0042336A
      • __vbaFreeStr.MSVBVM60(00408D0C,00000000,00000002), ref: 0042337E
      • __vbaFreeVar.MSVBVM60(00408D0C,00000000,00000002), ref: 00423386
      • #690.MSVBVM60(garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C,00000000,00000002), ref: 004233AB
      • #598.MSVBVM60(garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C,00000000,00000002), ref: 004233B0
      • __vbaNew2.MSVBVM60(00408CAC,004245B4,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C,00000000,00000002), ref: 004233C8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C), ref: 0042340C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000078,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C), ref: 00423447
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C,00000000,00000002), ref: 00423460
      • __vbaNew2.MSVBVM60(00408CAC,004245B4,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C), ref: 00423478
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2), ref: 004234BC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000110,?,?,?,?,?,?,?,?,?,?,?,garantien), ref: 004234FD
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C), ref: 00423521
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408D0C), ref: 00423529
      • __vbaNew2.MSVBVM60(004083F4,00424010,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2), ref: 00423541
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien), ref: 0042357A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CF0,00000050), ref: 004235A9
      • #667.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 004235D8
      • __vbaStrMove.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 004235E2
      • __vbaFreeObj.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 004235EA
      • __vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 004235F2
      • __vbaFreeStr.MSVBVM60(00423628,00408D0C,00000000,00000002), ref: 0042361A
      • __vbaFreeStr.MSVBVM60(00423628,00408D0C,00000000,00000002), ref: 00423622
      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresult$MoveNew2$#572#598#667#690Chkstk
      • String ID: ACHOO$COINVENTORS$K$Teknologiseringers2$garantien
      • API String ID: 2768728735-653337235
      • Opcode ID: e0c7effd40f1e602d5c1833b37d52e3fdfb37a4c060fa4507d036ed1f9e73562
      • Instruction ID: c8adc35408966f17a1de5218ef6fea9da14c1706d310ef83fe10dc0c9503d920
      • Opcode Fuzzy Hash: e0c7effd40f1e602d5c1833b37d52e3fdfb37a4c060fa4507d036ed1f9e73562
      • Instruction Fuzzy Hash: 77A1E070A00218AFDB10EFE1D945BDDBBB4BF08305F60406AE541BB2A5DB785A89DF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E00422F7A(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				short _v32;
      				short _v36;
      				short _v40;
      				signed int _v44;
      				char _v48;
      				void* _v52;
      				void* _v56;
      				intOrPtr* _v60;
      				signed int _v64;
      				void* _v68;
      				signed int _v72;
      				signed int _v84;
      				intOrPtr* _v88;
      				signed int _v92;
      				signed int _v96;
      				intOrPtr* _v100;
      				signed int _v104;
      				signed int _v108;
      				intOrPtr* _v112;
      				signed int _v116;
      				signed int _v120;
      				intOrPtr* _v124;
      				signed int _v128;
      				signed int _v132;
      				short _t140;
      				signed int _t146;
      				signed int _t151;
      				signed int _t158;
      				signed int _t163;
      				signed int _t170;
      				signed int _t175;
      				signed int _t182;
      				signed int _t187;
      				void* _t198;
      				void* _t200;
      				intOrPtr _t201;
      
      				_t201 = _t200 - 0xc;
      				 *[fs:0x0] = _t201;
      				L004011D0();
      				_v16 = _t201;
      				_v12 = 0x401188;
      				_v8 = 0;
      				_t140 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x4011d6, _t198);
      				_push(0x408d04);
      				L0040128A();
      				L00401290();
      				L00401296();
      				asm("fcomp qword [0x401180]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(__eflags != 0) {
      					if( *0x4245b4 != 0) {
      						_v88 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v88 = 0x4245b4;
      					}
      					_v60 =  *_v88;
      					_t146 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
      					asm("fclex");
      					_v64 = _t146;
      					if(_v64 >= 0) {
      						_t20 =  &_v92;
      						 *_t20 = _v92 & 0x00000000;
      						__eflags =  *_t20;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v60);
      						_push(_v64);
      						L0040132C();
      						_v92 = _t146;
      					}
      					_v68 = _v48;
      					_t151 =  *((intOrPtr*)( *_v68 + 0x140))(_v68,  &_v52);
      					asm("fclex");
      					_v72 = _t151;
      					if(_v72 >= 0) {
      						_t33 =  &_v96;
      						 *_t33 = _v96 & 0x00000000;
      						__eflags =  *_t33;
      					} else {
      						_push(0x140);
      						_push(0x408cbc);
      						_push(_v68);
      						_push(_v72);
      						L0040132C();
      						_v96 = _t151;
      					}
      					_v36 = _v52;
      					L004012EA();
      					if( *0x4245b4 != 0) {
      						_v100 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v100 = 0x4245b4;
      					}
      					_v60 =  *_v100;
      					_t158 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
      					asm("fclex");
      					_v64 = _t158;
      					if(_v64 >= 0) {
      						_t51 =  &_v104;
      						 *_t51 = _v104 & 0x00000000;
      						__eflags =  *_t51;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v60);
      						_push(_v64);
      						L0040132C();
      						_v104 = _t158;
      					}
      					_v68 = _v48;
      					_t163 =  *((intOrPtr*)( *_v68 + 0x108))(_v68,  &_v52);
      					asm("fclex");
      					_v72 = _t163;
      					if(_v72 >= 0) {
      						_t64 =  &_v108;
      						 *_t64 = _v108 & 0x00000000;
      						__eflags =  *_t64;
      					} else {
      						_push(0x108);
      						_push(0x408cbc);
      						_push(_v68);
      						_push(_v72);
      						L0040132C();
      						_v108 = _t163;
      					}
      					_v32 = _v52;
      					L004012EA();
      					if( *0x4245b4 != 0) {
      						_v112 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v112 = 0x4245b4;
      					}
      					_v60 =  *_v112;
      					_t170 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
      					asm("fclex");
      					_v64 = _t170;
      					if(_v64 >= 0) {
      						_t82 =  &_v116;
      						 *_t82 = _v116 & 0x00000000;
      						__eflags =  *_t82;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v60);
      						_push(_v64);
      						L0040132C();
      						_v116 = _t170;
      					}
      					_v68 = _v48;
      					_t175 =  *((intOrPtr*)( *_v68 + 0xf0))(_v68,  &_v44);
      					asm("fclex");
      					_v72 = _t175;
      					if(_v72 >= 0) {
      						_t95 =  &_v120;
      						 *_t95 = _v120 & 0x00000000;
      						__eflags =  *_t95;
      					} else {
      						_push(0xf0);
      						_push(0x408cbc);
      						_push(_v68);
      						_push(_v72);
      						L0040132C();
      						_v120 = _t175;
      					}
      					_v84 = _v44;
      					_v44 = _v44 & 0x00000000;
      					L00401302();
      					L004012EA();
      					if( *0x4245b4 != 0) {
      						_v124 = 0x4245b4;
      					} else {
      						_push(0x4245b4);
      						_push(0x408cac);
      						L00401320();
      						_v124 = 0x4245b4;
      					}
      					_v60 =  *_v124;
      					_t182 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
      					asm("fclex");
      					_v64 = _t182;
      					if(_v64 >= 0) {
      						_t117 =  &_v128;
      						 *_t117 = _v128 & 0x00000000;
      						__eflags =  *_t117;
      					} else {
      						_push(0x14);
      						_push(0x408c9c);
      						_push(_v60);
      						_push(_v64);
      						L0040132C();
      						_v128 = _t182;
      					}
      					_v68 = _v48;
      					_t187 =  *((intOrPtr*)( *_v68 + 0x118))(_v68,  &_v56);
      					asm("fclex");
      					_v72 = _t187;
      					if(_v72 >= 0) {
      						_t130 =  &_v132;
      						 *_t130 = _v132 & 0x00000000;
      						__eflags =  *_t130;
      					} else {
      						_push(0x118);
      						_push(0x408cbc);
      						_push(_v68);
      						_push(_v72);
      						L0040132C();
      						_v132 = _t187;
      					}
      					_t140 = _v56;
      					_v40 = _t140;
      					L004012EA();
      				}
      				asm("wait");
      				_push(0x4232e4);
      				L004012F0();
      				return _t140;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00422F96
      • __vbaR8Str.MSVBVM60(00408D04,?,?,?,?,004011D6), ref: 00422FBF
      • __vbaFPFix.MSVBVM60(00408D04,?,?,?,?,004011D6), ref: 00422FC4
      • __vbaFpR8.MSVBVM60(00408D04,?,?,?,?,004011D6), ref: 00422FC9
      • __vbaNew2.MSVBVM60(00408CAC,004245B4,00408D04,?,?,?,?,004011D6), ref: 00422FF0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014), ref: 00423034
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000140), ref: 00423075
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,00000140), ref: 0042308E
      • __vbaNew2.MSVBVM60(00408CAC,004245B4), ref: 004230A6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014), ref: 004230EA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000108), ref: 0042312B
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,00000108), ref: 00423144
      • __vbaNew2.MSVBVM60(00408CAC,004245B4), ref: 0042315C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014), ref: 004231A0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,000000F0), ref: 004231E1
      • __vbaStrMove.MSVBVM60(00000000,?,00408CBC,000000F0), ref: 004231FF
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,000000F0), ref: 00423207
      • __vbaNew2.MSVBVM60(00408CAC,004245B4), ref: 0042321F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C9C,00000014), ref: 00423263
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408CBC,00000118), ref: 004232A4
      • __vbaFreeObj.MSVBVM60(00000000,?,00408CBC,00000118), ref: 004232BD
      • __vbaFreeStr.MSVBVM60(004232E4,00408D04,?,?,?,?,004011D6), ref: 004232DE
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$CheckHresult$Free$New2$ChkstkMove
      • String ID:
      • API String ID: 1793851610-0
      • Opcode ID: b692c1e80cd069c078747108a986fd3076e08735cbe14f11d6d5090ee9a7cae0
      • Instruction ID: b64c11c8578ffe6f9e2ffcd47a48aea4cc8392facd467e8bdfc37957706d05ff
      • Opcode Fuzzy Hash: b692c1e80cd069c078747108a986fd3076e08735cbe14f11d6d5090ee9a7cae0
      • Instruction Fuzzy Hash: A6B1DF74E00218EFDB10EFA5E945BDDBBB0BF18305F60406AE501BB2A1DB785946DF68
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 64%
      			E00422E68(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				char _v32;
      				intOrPtr* _v36;
      				signed int _v40;
      				intOrPtr* _v52;
      				signed int _v56;
      				char* _t35;
      				signed int _t38;
      				void* _t49;
      				void* _t51;
      				intOrPtr _t52;
      
      				_t52 = _t51 - 0xc;
      				 *[fs:0x0] = _t52;
      				L004011D0();
      				_v16 = _t52;
      				_v12 = 0x401170;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x4011d6, _t49);
      				_push(0);
      				_push(1);
      				L0040129C();
      				L00401302();
      				if( *0x424010 != 0) {
      					_v52 = 0x424010;
      				} else {
      					_push(0x424010);
      					_push(0x4083f4);
      					L00401320();
      					_v52 = 0x424010;
      				}
      				_t35 =  &_v32;
      				L00401326();
      				_v36 = _t35;
      				_t38 =  *((intOrPtr*)( *_v36 + 0x218))(_v36, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x2fc))( *_v52));
      				asm("fclex");
      				_v40 = _t38;
      				if(_v40 >= 0) {
      					_v56 = _v56 & 0x00000000;
      				} else {
      					_push(0x218);
      					_push(0x408c70);
      					_push(_v36);
      					_push(_v40);
      					L0040132C();
      					_v56 = _t38;
      				}
      				L004012EA();
      				_push(0x422f5b);
      				L004012F0();
      				return _t38;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00422E84
      • #707.MSVBVM60(00000001,00000000,?,?,?,?,004011D6), ref: 00422EAC
      • __vbaStrMove.MSVBVM60(00000001,00000000,?,?,?,?,004011D6), ref: 00422EB6
      • __vbaNew2.MSVBVM60(004083F4,00424010,00000001,00000000,?,?,?,?,004011D6), ref: 00422ECE
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00422EFB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00408C70,00000218), ref: 00422F2C
      • __vbaFreeObj.MSVBVM60(00000000,?,00408C70,00000218), ref: 00422F3D
      • __vbaFreeStr.MSVBVM60(00422F5B), ref: 00422F55
      Memory Dump Source
      • Source File: 00000001.00000002.821544457.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.821540189.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.821582526.0000000000424000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.821587077.0000000000426000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$#707CheckChkstkHresultMoveNew2
      • String ID:
      • API String ID: 842392621-0
      • Opcode ID: 65279e97e2a2234b685565680bc9f111dd8a629ee283745259e550a4cc218af3
      • Instruction ID: 2ed9b86dc3b11b156477024ab2bc2ad04626234032807684f3f93a94999d35ee
      • Opcode Fuzzy Hash: 65279e97e2a2234b685565680bc9f111dd8a629ee283745259e550a4cc218af3
      • Instruction Fuzzy Hash: ED213D70A40218EFCB00EF91E949F9EBBB4FF08744F50406AF501BB2A1C7B95945DB58
      Uniqueness

      Uniqueness Score: -1.00%