Windows Analysis Report BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe

Overview

General Information

Sample Name:BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
Analysis ID:528679
MD5:d879bb7572225ebf68f74406710f6ea0
SHA1:c34286e6e9d1502a8e3aff050c35781aee371bbc
SHA256:b29f69052169c50b19f3f6cc8d724a228a7b378bb8e0a23c6f5b25d01c5b4e3c
Tags:exe

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1U"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1U"}
    Multi AV Scanner detection for submitted file
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Virustotal: Detection: 53%
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, ReversingLabs: Detection: 48%
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=1U
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000000.659576091.0000000000420000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameNulkomponent.exe vs BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Binary or memory string: OriginalFilenameNulkomponent.exe vs BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00401538 0_2_00401538
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00401774 0_2_00401774
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00401727 0_2_00401727
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216D885 0_2_0216D885
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02176965 0_2_02176965
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216CADD 0_2_0216CADD
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02174BFA 0_2_02174BFA
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02171413 0_2_02171413
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02174166 0_2_02174166
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0217659C 0_2_0217659C
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216E199 0_2_0216E199
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216D885 NtAllocateVirtualMemory, 0_2_0216D885
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Process Stats: CPU usage > 98%
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Virustotal: Detection: 53%
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, ReversingLabs: Detection: 48%
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, File created: C:\Users\user\AppData\Local\Temp\~DF23DE6D885E469C5F.TMP
    Source: classification engine, Classification label: mal76.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match, File source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00406C05 push esi; retf 0_2_00406C06
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_004084FF push edi; iretd 0_2_0040850A
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0040B96F push eax; retf 0_2_0040B977
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_004091F4 push ds; retf 0_2_004091F5
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00403999 push 00000027h; iretd 0_2_00403A72
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00404E0F push eax; retf 0_2_00404E41
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00404A2F push ebp; iretd 0_2_00404A51
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_00403AC3 push 00000027h; iretd 0_2_00403A72
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216310B push es; ret 0_2_0216310C
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, RDTSC instruction interceptor: First address: 000000000216C8E2 second address: 000000000216C8E2 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 7B963D66h 0x00000007 xor eax, 1197335Eh 0x0000000c xor eax, 8E98B3CDh 0x00000011 add eax, 1B66420Ch 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F1AA4D4E17Fh 0x0000001e lfence 0x00000021 mov edx, 039CDF59h 0x00000026 xor edx, 6761231Bh 0x0000002c add edx, BDE9AE69h 0x00000032 xor edx, 5D19AABFh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001A9h], 42AF7243h 0x0000004f xor dword ptr [ebp+000001A9h], 94D84AF3h 0x00000059 add dword ptr [ebp+000001A9h], EA6232A4h 0x00000063 add dword ptr [ebp+000001A9h], 3F2694ACh 0x0000006d cmp ecx, dword ptr [ebp+000001A9h] 0x00000073 jne 00007F1AA4D4E05Ah 0x00000075 mov dword ptr [ebp+0000024Fh], edi 0x0000007b mov edi, ecx 0x0000007d push edi 0x0000007e mov edi, dword ptr [ebp+0000024Fh] 0x00000084 call 00007F1AA4D4E1DDh 0x00000089 call 00007F1AA4D4E1A0h 0x0000008e lfence 0x00000091 mov edx, 039CDF59h 0x00000096 xor edx, 6761231Bh 0x0000009c add edx, BDE9AE69h 0x000000a2 xor edx, 5D19AABFh 0x000000a8 mov edx, dword ptr [edx] 0x000000aa lfence 0x000000ad ret 0x000000ae mov esi, edx 0x000000b0 pushad 0x000000b1 rdtsc
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216CFD0 rdtsc 0_2_0216CFD0

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02172648 mov eax, dword ptr fs:[00000030h] 0_2_02172648
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02174BFA mov eax, dword ptr fs:[00000030h] 0_2_02174BFA
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0217309A mov eax, dword ptr fs:[00000030h] 0_2_0217309A
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216C560 mov eax, dword ptr fs:[00000030h] 0_2_0216C560
    Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_0216CFD0 rdtsc 0_2_0216CFD0
    Source: C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, Code function: 0_2_02176965 RtlAddVectoredExceptionHandler, 0_2_02176965
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Program Manager
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Progman
    Source: BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe, 00000000.00000002.1183052033.0000000000C50000.00000002.00020000.sdmp, Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Virtualization/Sandbox Evasion 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label | Link
    BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe | 54% | Virustotal | | Browse
    BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe | 49% | ReversingLabs | Win32.Trojan.GuLoader |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:528679
    Start date:25.11.2021
    Start time:16:28:11
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 6s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.troj.evad.winEXE@1/1@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 42.7% (good quality ratio 13%)
    • Quality average: 17.3%
    • Quality standard deviation: 28.8%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF23DE6D885E469C5F.TMP
    Process:C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.9277305547216628
    Encrypted:false
    SSDEEP:48:rJSq2Upu8metqPrIXHimU7zdvP1vncU7pCr8P:VSKUpACLFcUVCrG
    MD5:19809EDD1FF00A1D7C105BC58A97CD02
    SHA1:26FB6D339CF2A7474DE6F785166163FA9B2ADBB1
    SHA-256:4745D04A4BB99D70866D722394D9E71F3FAE597AA84E229A1E3B40F31521594C
    SHA-512:434722936006B56B042FB5C72CAB98D8B7615A5A0E48EE6746DD6839BE029029E3BCECF7EFA49DDC8A9DB016FA472FB9EE1CE75126C13E06D66EAA12166A38F7
    Malicious:false
    Reputation:low

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.77275893064669
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
    File size:131072
    MD5:d879bb7572225ebf68f74406710f6ea0
    SHA1:c34286e6e9d1502a8e3aff050c35781aee371bbc
    SHA256:b29f69052169c50b19f3f6cc8d724a228a7b378bb8e0a23c6f5b25d01c5b4e3c
    SHA512:1e53afe90647afdb80f3524965cdb3ae58938af6af3d58c642dc3dc30d47a4fb903e0fc71bee32e354c1f0843fd65bcba74cb64aef6b08ff5929943a77685992
    SSDEEP:1536:ttfDCDIBpvzJAmFeyzDoyJ/NaSubkMnYdUXXgSlTtD:tVOIB1t7IyJl16fYdUASlt
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L.....$N.....................0....................@........

    File Icon

    Icon Hash:981dca909cee36b0

    Static PE Info

    General

    Entrypoint:0x4013b4
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4E24F810 [Tue Jul 19 03:20:48 2011 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:d77040f4614bccfda7b8aa2e04863738

    Entrypoint Preview

    Instruction
    push 00401FD8h
    call 00007F1AA4BB62E5h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx-3Dh], ah
    mov byte ptr [42E36805h], al
    dec esi
    mov byte ptr [30E2B428h], dl
    pop edx
    js 00007F1AA4BB62F2h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [ecx+00h], al
    and byte ptr [eax], cl
    inc ecx
    add byte ptr [esi+4Fh], cl
    push ebp
    dec ebp
    inc ebp
    dec esi
    inc ecx
    dec esp
    dec ecx
    push esp
    pop ecx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    add eax, 02C71F93h
    sbb byte ptr [ebp+44B24CAEh], cl
    iretd
    jle 00007F1AA4BB6348h
    sub esp, dword ptr [edi]
    inc esi
    pop eax
    scasd
    add al, 48h
    jl 00007F1AA4BB636Ah
    cmpsd
    dec ebx
    mov ebx, dword ptr [ebx-5Dh]
    loopne 00007F1AA4BB635Bh
    dec esp
    scasb
    cmp bh, byte ptr [edx]
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    clc
    or dword ptr [eax], eax
    add byte ptr [eax], dl
    or dword ptr [eax], eax
    add byte ptr [eax], al
    add eax, 736F7200h
    jnc 00007F1AA4BB6361h
    add byte ptr [42000A01h], cl
    imul esp, dword ptr [ebp+72h], 65676E69h

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d7e4 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0xf58 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x230 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x11c | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x1ccec | 0x1d000 | False | 0.347235317888 | data | 4.95688708171 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x1e000 | 0x141c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x20000 | 0xf58 | 0x1000 | False | 0.337890625 | data | 3.25376572831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    CUSTOM | 0x20e1a | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
    CUSTOM | 0x20cdc | 0x13e | MS Windows icon resource - 1 icon, 16x16, 16 colors | English | United States
    RT_ICON | 0x20434 | 0x8a8 | data | |
    RT_GROUP_ICON | 0x20420 | 0x14 | data | |
    RT_VERSION | 0x20170 | 0x2b0 | data | Turkmen | Turkmenistan

    Imports

    DLL | Import
    MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    Description | Data
    Translation | 0x0442 0x04b0
    LegalCopyright | Lips
    InternalName | Nulkomponent
    FileVersion | 1.00
    CompanyName | Lips
    LegalTrademarks | Lips
    ProductName | Lips
    ProductVersion | 1.00
    FileDescription | Lips
    OriginalFilename | Nulkomponent.exe

    Possible Origin

    Language of compilation system | Country where language is spoken
    English | United States
    Turkmen | Turkmenistan

    Network Behavior

    No network behavior found

    System Behavior

    General

    Start time:16:29:04
    Start date:25/11/2021
    Path:C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe"
    Imagebase:0x400000
    File size:131072 bytes
    MD5 hash:D879BB7572225EBF68F74406710F6EA0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

      Executed Functions

      APIs
      • RtlAddVectoredExceptionHandler.NTDLL ref: 0217778A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID: ExceptionHandlerVectored
      • String ID: kzXl$~d^&
      • API String ID: 3310709589-1827219150
      • Opcode ID: 1fa4cbce1aa120045253b67bc3d649d4087a45c7cf51706ca715279bd1435b3e
      • Instruction ID: e185d9bc1d00077a2b156173cebf9bfd5b33c966989f8d432b051c3a48f13589
      • Opcode Fuzzy Hash: 1fa4cbce1aa120045253b67bc3d649d4087a45c7cf51706ca715279bd1435b3e
      • Instruction Fuzzy Hash: E3A13671684285CFCB38DE28C9687EA7BB2AFD5350F55812EDC5A8F394DB309942CB41
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL(ECA1B8D5,?,114831BC), ref: 0216DC32
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: l=KD
      • API String ID: 2167126740-507245091
      • Opcode ID: 14d82e105955986c5e53dc1e221f237099c00fa189c3518ac391f94ab6d1d6a2
      • Instruction ID: 72eef28b4e2c1d19a0b1df4343ceb59fc38222901862b8c185dd3c0655fe89ad
      • Opcode Fuzzy Hash: 14d82e105955986c5e53dc1e221f237099c00fa189c3518ac391f94ab6d1d6a2
      • Instruction Fuzzy Hash: 9A4104B69452A88FCB309F689C547EE37E6AB49720F020619EC1CAB761D7315F458BC1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E0041C004(void* __ebx, void* __edi, void* __esi, signed int _a4) {
      				signed int _v8;
      				signed int _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				short _v40;
      				void* _v44;
      				void* _v48;
      				void* _v52;
      				short _v56;
      				void* _v60;
      				void* _v64;
      				void* _v68;
      				void* _v72;
      				short _v76;
      				char _v136;
      				intOrPtr _v140;
      				void* _v144;
      				intOrPtr _v148;
      				intOrPtr _v152;
      				signed int _v156;
      				char _v160;
      				char _v164;
      				char _v168;
      				char _v172;
      				signed int _v180;
      				signed int _v188;
      				signed int _v196;
      				char _v204;
      				signed int _v212;
      				char _v220;
      				signed int _v228;
      				char _v236;
      				signed int _v244;
      				signed int _v252;
      				void* _v304;
      				char _v308;
      				intOrPtr _v312;
      				intOrPtr _v316;
      				char _v320;
      				intOrPtr _v324;
      				char _v328;
      				signed int _v332;
      				signed int _v336;
      				void* _v340;
      				signed int _v344;
      				char _v404;
      				signed int _v428;
      				signed int _v432;
      				signed int _v436;
      				intOrPtr* _v440;
      				signed int _v444;
      				signed int _v448;
      				signed int _v452;
      				intOrPtr* _v456;
      				signed int _v460;
      				signed int _v464;
      				intOrPtr* _v468;
      				signed int _v472;
      				signed int _v476;
      				intOrPtr* _v480;
      				signed int _v484;
      				signed int _v488;
      				intOrPtr* _v492;
      				signed int _v496;
      				signed int _v500;
      				intOrPtr* _v504;
      				signed int _v508;
      				signed int _v512;
      				intOrPtr* _v516;
      				signed int _v520;
      				signed int _v524;
      				intOrPtr* _v528;
      				signed int _v532;
      				signed int _v536;
      				signed int _v540;
      				void* _t466;
      				char* _t469;
      				signed int _t471;
      				signed int _t475;
      				signed int _t486;
      				char* _t488;
      				signed int _t489;
      				signed int _t496;
      				signed int* _t500;
      				char* _t503;
      				char* _t504;
      				short _t511;
      				char* _t513;
      				signed int* _t520;
      				char* _t526;
      				signed int _t544;
      				signed int _t549;
      				signed int _t556;
      				void* _t558;
      				char* _t559;
      				signed int _t562;
      				signed int _t570;
      				signed int _t575;
      				signed int _t583;
      				signed int _t588;
      				signed int _t595;
      				signed int _t600;
      				signed int _t607;
      				signed int _t612;
      				signed int _t622;
      				signed int _t627;
      				signed int _t633;
      				signed int _t638;
      				void* _t697;
      				void* _t699;
      				intOrPtr _t700;
      
      				_t700 = _t699 - 0x18;
      				 *[fs:0x0] = _t700;
      				L00401210();
      				_v28 = _t700;
      				_v24 = E00401120;
      				_v20 = _a4 & 0x00000001;
      				_a4 = _a4 & 0xfffffffe;
      				_v16 = 0;
      				_t466 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t697);
      				_v8 = 1;
      				_v8 = 2;
      				_push(2);
      				_push(0x403078);
      				_push(0x403084);
      				L0040138A();
      				L00401390();
      				_push(_t466);
      				_push(0x403084);
      				_push(0);
      				L00401396();
      				_v332 =  ~(0 | _t466 != 0x00000003);
      				L00401384();
      				if(_v332 != 0) {
      					_v8 = 3;
      					_push(0xffffffff);
      					L0040137E();
      					_v8 = 4;
      					_push(0xffffffff);
      					L0040137E();
      					_v8 = 5;
      					if( *0x41e5f0 != 0) {
      						_v440 = 0x41e5f0;
      					} else {
      						_push(0x41e5f0);
      						_push(0x4030a8);
      						L00401378();
      						_v440 = 0x41e5f0;
      					}
      					_v332 =  *_v440;
      					_t633 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
      					asm("fclex");
      					_v336 = _t633;
      					if(_v336 >= 0) {
      						_v444 = _v444 & 0x00000000;
      					} else {
      						_push(0x4c);
      						_push(0x403098);
      						_push(_v332);
      						_push(_v336);
      						L00401372();
      						_v444 = _t633;
      					}
      					_v340 = _v168;
      					_v244 = _v244 & 0x00000000;
      					_v252 = 2;
      					L00401210();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t638 =  *((intOrPtr*)( *_v340 + 0x2c))(_v340, 0x10);
      					asm("fclex");
      					_v344 = _t638;
      					if(_v344 >= 0) {
      						_v448 = _v448 & 0x00000000;
      					} else {
      						_push(0x2c);
      						_push(0x4030b8);
      						_push(_v340);
      						_push(_v344);
      						L00401372();
      						_v448 = _t638;
      					}
      					L0040136C();
      				}
      				_v8 = 7;
      				_v180 = 0x4b;
      				_v188 = 2;
      				_push( &_v188);
      				_t469 =  &_v204;
      				_push(_t469);
      				L00401360();
      				_push(0x4030cc);
      				_push(0x4030d4);
      				L0040138A();
      				_v212 = _t469;
      				_v220 = 0x8008;
      				_push( &_v204);
      				_t471 =  &_v220;
      				_push(_t471);
      				L00401366();
      				_v332 = _t471;
      				_push( &_v220);
      				_push( &_v204);
      				_push( &_v188);
      				_push(3);
      				L0040135A();
      				_t475 = _v332;
      				if(_t475 != 0) {
      					_v8 = 8;
      					L00401354();
      					_v8 = 9;
      					L0040134E();
      					L00401390();
      					_v8 = 0xa;
      					L00401342();
      					_t489 =  &_v168;
      					L00401348();
      					_v332 = _t489;
      					_v228 = 0x80020004;
      					_v236 = 0xa;
      					_v212 = 0x80020004;
      					_v220 = 0xa;
      					_v196 = 0x80020004;
      					_v204 = 0xa;
      					_v180 = 0x80020004;
      					_v188 = 0xa;
      					_t496 =  *((intOrPtr*)( *_v332 + 0x44))(_v332, 0x291f,  &_v188,  &_v204,  &_v220,  &_v236, _t489, _t475);
      					asm("fclex");
      					_v336 = _t496;
      					if(_v336 >= 0) {
      						_v452 = _v452 & 0x00000000;
      					} else {
      						_push(0x44);
      						_push(0x4030d8);
      						_push(_v332);
      						_push(_v336);
      						L00401372();
      						_v452 = _t496;
      					}
      					L0040136C();
      					_push( &_v236);
      					_push( &_v220);
      					_push( &_v204);
      					_t500 =  &_v188;
      					_push(_t500);
      					_push(4);
      					L0040135A();
      					_v8 = 0xb;
      					_v308 = 0x6317b;
      					L00401336();
      					_push(_t500);
      					_push( &_v160);
      					L0040133C();
      					_push( &_v308);
      					_push(0x297142);
      					_push(L"ANDREWARTHA");
      					_t503 =  &_v164;
      					_push(_t503);
      					L0040133C();
      					_push(_t503);
      					_t504 =  &_v160;
      					_push(_t504);
      					E00402F38();
      					_v312 = _t504;
      					L00401330();
      					_v332 =  ~(0 | _v312 == 0x001b827e);
      					_push( &_v164);
      					_push( &_v160);
      					_push( &_v156);
      					_push(3);
      					L0040132A();
      					_t511 = _v332;
      					if(_t511 != 0) {
      						_v8 = 0xc;
      						_push(0x40312c);
      						_push("4:4");
      						L0040138A();
      						L00401390();
      						_push(_t511);
      						_push( &_v188);
      						L0040131E();
      						_push( &_v188);
      						L00401324();
      						L00401390();
      						L00401384();
      						L00401318();
      						_v8 = 0xd;
      						_v180 = 1;
      						_v188 = 2;
      						_push(0xfffffffe);
      						_push(0xfffffffe);
      						_push(0xfffffffe);
      						_push(0xffffffff);
      						_push( &_v188);
      						L00401312();
      						L00401390();
      						L00401318();
      						_v8 = 0xe;
      						_v8 = 0xf;
      						if( *0x41e5f0 != 0) {
      							_v456 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v456 = 0x41e5f0;
      						}
      						_v332 =  *_v456;
      						_t622 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t622;
      						if(_v336 >= 0) {
      							_v460 = _v460 & 0x00000000;
      						} else {
      							_push(0x1c);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v460 = _t622;
      						}
      						_v340 = _v168;
      						_t627 =  *((intOrPtr*)( *_v340 + 0x64))(_v340, 1,  &_v304);
      						asm("fclex");
      						_v344 = _t627;
      						if(_v344 >= 0) {
      							_v464 = _v464 & 0x00000000;
      						} else {
      							_push(0x64);
      							_push(0x403140);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v464 = _t627;
      						}
      						_t511 = _v304;
      						_v56 = _t511;
      						L0040136C();
      					}
      					_v8 = 0x11;
      					L00401336();
      					_push(_t511);
      					_push( &_v160);
      					L0040133C();
      					_t513 =  &_v160;
      					_push(_t513);
      					_push(0x83bcf2);
      					_push(0x2ea394);
      					_push(0x59ae9b);
      					_push(0x4f0673);
      					E00402F8C();
      					_v308 = _t513;
      					L00401330();
      					_v332 =  ~(0 | _v308 == 0x0066f1e8);
      					_push( &_v160);
      					_push( &_v156);
      					_push(2);
      					L0040132A();
      					if(_v332 != 0) {
      						_v8 = 0x12;
      						if( *0x41e5f0 != 0) {
      							_v468 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v468 = 0x41e5f0;
      						}
      						_v332 =  *_v468;
      						_t595 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t595;
      						if(_v336 >= 0) {
      							_v472 = _v472 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v472 = _t595;
      						}
      						_v340 = _v168;
      						_t600 =  *((intOrPtr*)( *_v340 + 0x60))(_v340,  &_v156);
      						asm("fclex");
      						_v344 = _t600;
      						if(_v344 >= 0) {
      							_v476 = _v476 & 0x00000000;
      						} else {
      							_push(0x60);
      							_push(0x403168);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v476 = _t600;
      						}
      						_v428 = _v156;
      						_v156 = _v156 & 0x00000000;
      						L00401390();
      						L0040136C();
      						_v8 = 0x13;
      						if( *0x41e5f0 != 0) {
      							_v480 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v480 = 0x41e5f0;
      						}
      						_v332 =  *_v480;
      						_t607 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t607;
      						if(_v336 >= 0) {
      							_v484 = _v484 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v484 = _t607;
      						}
      						_v340 = _v168;
      						_t612 =  *((intOrPtr*)( *_v340 + 0x140))(_v340,  &_v304);
      						asm("fclex");
      						_v344 = _t612;
      						if(_v344 >= 0) {
      							_v488 = _v488 & 0x00000000;
      						} else {
      							_push(0x140);
      							_push(0x403168);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v488 = _t612;
      						}
      						_v76 = _v304;
      						L0040136C();
      						_v8 = 0x14;
      						L0040130C();
      					}
      					_v8 = 0x16;
      					_push(L"Contangoes3");
      					_t520 =  &_v156;
      					_push(_t520);
      					L0040133C();
      					_push(_t520);
      					E00402FE8();
      					_v308 = _t520;
      					L00401330();
      					_v332 =  ~(0 | _v308 == 0x003c82f5);
      					L00401384();
      					if(_v332 != 0) {
      						_v8 = 0x17;
      						if( *0x41e5f0 != 0) {
      							_v492 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v492 = 0x41e5f0;
      						}
      						_v332 =  *_v492;
      						_t570 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t570;
      						if(_v336 >= 0) {
      							_v496 = _v496 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v496 = _t570;
      						}
      						_v340 = _v168;
      						_t575 =  *((intOrPtr*)( *_v340 + 0x130))(_v340,  &_v156);
      						asm("fclex");
      						_v344 = _t575;
      						if(_v344 >= 0) {
      							_v500 = _v500 & 0x00000000;
      						} else {
      							_push(0x130);
      							_push(0x403168);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v500 = _t575;
      						}
      						_v432 = _v156;
      						_v156 = _v156 & 0x00000000;
      						L00401390();
      						L0040136C();
      						_v8 = 0x18;
      						_v180 = 2;
      						_v188 = 2;
      						_push( &_v188);
      						L00401306();
      						L00401390();
      						L00401318();
      						_v8 = 0x19;
      						_v8 = 0x1a;
      						if( *0x41e5f0 != 0) {
      							_v504 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v504 = 0x41e5f0;
      						}
      						_v332 =  *_v504;
      						_t583 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t583;
      						if(_v336 >= 0) {
      							_v508 = _v508 & 0x00000000;
      						} else {
      							_push(0x4c);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v508 = _t583;
      						}
      						_v340 = _v168;
      						_t588 =  *((intOrPtr*)( *_v340 + 0x24))(_v340, L"iliau", L"Lstes8",  &_v156);
      						asm("fclex");
      						_v344 = _t588;
      						if(_v344 >= 0) {
      							_v512 = _v512 & 0x00000000;
      						} else {
      							_push(0x24);
      							_push(0x4030b8);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v512 = _t588;
      						}
      						_v436 = _v156;
      						_v156 = _v156 & 0x00000000;
      						L00401390();
      						L0040136C();
      					}
      					_v8 = 0x1c;
      					_push( &_v136);
      					_t526 =  &_v404;
      					_push(_t526);
      					_push(0x402e88);
      					L00401300();
      					_push(_t526);
      					E00403044();
      					_v308 = _t526;
      					L00401330();
      					_push( &_v404);
      					_push( &_v136);
      					_push(0x402e88);
      					L004012FA();
      					_v332 =  ~(0 | _v308 == 0x0028d15d);
      					_push( &_v404);
      					_push(0x402e88);
      					L004012F4();
      					if(_v332 != 0) {
      						_v8 = 0x1d;
      						_v180 = 2;
      						_v188 = 2;
      						_push( &_v188);
      						_push( &_v204);
      						L004012EE();
      						_push( &_v204);
      						L00401324();
      						L00401390();
      						_push( &_v204);
      						_push( &_v188);
      						_push(2);
      						L0040135A();
      						_v8 = 0x1e;
      						if( *0x41e5f0 != 0) {
      							_v516 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v516 = 0x41e5f0;
      						}
      						_v332 =  *_v516;
      						_t544 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t544;
      						if(_v336 >= 0) {
      							_v520 = _v520 & 0x00000000;
      						} else {
      							_push(0x14);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v520 = _t544;
      						}
      						_v340 = _v168;
      						_t549 =  *((intOrPtr*)( *_v340 + 0x78))(_v340,  &_v304);
      						asm("fclex");
      						_v344 = _t549;
      						if(_v344 >= 0) {
      							_v524 = _v524 & 0x00000000;
      						} else {
      							_push(0x78);
      							_push(0x403168);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v524 = _t549;
      						}
      						_v40 = _v304;
      						L0040136C();
      						_v8 = 0x1f;
      						_v8 = 0x20;
      						if( *0x41e5f0 != 0) {
      							_v528 = 0x41e5f0;
      						} else {
      							_push(0x41e5f0);
      							_push(0x4030a8);
      							L00401378();
      							_v528 = 0x41e5f0;
      						}
      						_v332 =  *_v528;
      						_t556 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
      						asm("fclex");
      						_v336 = _t556;
      						if(_v336 >= 0) {
      							_v532 = _v532 & 0x00000000;
      						} else {
      							_push(0x1c);
      							_push(0x403098);
      							_push(_v332);
      							_push(_v336);
      							L00401372();
      							_v532 = _t556;
      						}
      						_v340 = _v168;
      						_v244 = 1;
      						_v252 = 2;
      						_t558 = 0x10;
      						L00401210();
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						asm("movsd");
      						L004012E8();
      						_t559 =  &_v172;
      						L00401348();
      						_t562 =  *((intOrPtr*)( *_v340 + 0x58))(_v340, _t559, _t559, _t558, _v140, 0x4031b8);
      						asm("fclex");
      						_v344 = _t562;
      						if(_v344 >= 0) {
      							_v536 = _v536 & 0x00000000;
      						} else {
      							_push(0x58);
      							_push(0x403140);
      							_push(_v340);
      							_push(_v344);
      							L00401372();
      							_v536 = _t562;
      						}
      						_push( &_v168);
      						_push( &_v172);
      						_push(2);
      						L004012E2();
      					}
      				}
      				_v8 = 0x23;
      				_v320 = 0x1ee95e40;
      				_v316 = 0x5b03;
      				 *((intOrPtr*)( *_a4 + 0x700))(_a4, L"stretchier",  &_v320, 0x2277,  &_v328);
      				_v152 = _v328;
      				_v148 = _v324;
      				_v8 = 0x24;
      				_t486 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v188);
      				_v332 = _t486;
      				if(_v332 >= 0) {
      					_v540 = _v540 & 0x00000000;
      				} else {
      					_push(0x6f8);
      					_push(0x402db8);
      					_push(_a4);
      					_push(_v332);
      					L00401372();
      					_v540 = _t486;
      				}
      				L00401318();
      				_v20 = 0;
      				_push(0x41d070);
      				_push( &_v404);
      				_push(0x402e88);
      				L004012F4();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				_t488 =  &_v136;
      				_push(_t488);
      				_push(0x402e88);
      				L004012DC();
      				L0040136C();
      				L00401384();
      				return _t488;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041C022
      • __vbaStrCat.MSVBVM60(00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C072
      • __vbaStrMove.MSVBVM60(00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C07F
      • __vbaInStr.MSVBVM60(00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C08C
      • __vbaFreeStr.MSVBVM60(00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C0A8
      • __vbaOnError.MSVBVM60(000000FF,00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C0C5
      • __vbaOnError.MSVBVM60(000000FF,000000FF,00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C0D3
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0,000000FF,000000FF,00000000,00403084,00000000,00403084,00403078,00000002,?,?,?,?,00401216), ref: 0041C0F2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000004C), ref: 0041C157
      • __vbaChkstk.MSVBVM60(00000000,?,00403098,0000004C), ref: 0041C18B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030B8,0000002C), ref: 0041C1D1
      • __vbaFreeObj.MSVBVM60(00000000,?,004030B8,0000002C), ref: 0041C1EB
      • #573.MSVBVM60(?,00000002), ref: 0041C219
      • __vbaStrCat.MSVBVM60(004030D4,004030CC,?,00000002), ref: 0041C228
      • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,004030D4,004030CC,?,00000002), ref: 0041C24B
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,00008008,?,?,?,?,?,004030D4,004030CC,?,00000002), ref: 0041C26E
      • #598.MSVBVM60(?,?,?,00401216), ref: 0041C28C
      • #611.MSVBVM60(?,?,?,00401216), ref: 0041C298
      • __vbaStrMove.MSVBVM60(?,?,?,00401216), ref: 0041C2A2
      • #685.MSVBVM60(?,?,?,00401216), ref: 0041C2AE
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00401216), ref: 0041C2BB
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030D8,00000044), ref: 0041C36C
      • __vbaFreeObj.MSVBVM60(00000000,?,004030D8,00000044), ref: 0041C386
      • __vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041C3A9
      • __vbaStrCopy.MSVBVM60 ref: 0041C3CD
      • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041C3DA
      • __vbaStrToAnsi.MSVBVM60(?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C3F7
      • __vbaSetSystemError.MSVBVM60(?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C40F
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C443
      • __vbaStrCat.MSVBVM60(4:4,0040312C,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C46B
      • __vbaStrMove.MSVBVM60(4:4,0040312C,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C478
      • #541.MSVBVM60(?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041C485
      • __vbaStrVarMove.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041C491
      • __vbaStrMove.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041C49E
      • __vbaFreeStr.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041C4A9
      • __vbaFreeVar.MSVBVM60(?,?,00000000,4:4,0040312C,?,?,?,?,?,?,?,?,00000000), ref: 0041C4B4
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C4E3
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C4ED
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C4F8
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C51E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000001C), ref: 0041C583
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403140,00000064), ref: 0041C5E1
      • __vbaFreeObj.MSVBVM60(00000000,?,00403140,00000064), ref: 0041C606
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C61D
      • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C62A
      • __vbaSetSystemError.MSVBVM60(004F0673,0059AE9B,002EA394,0083BCF2,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041C655
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041C682
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041C6B3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041C718
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000060), ref: 0041C774
      • __vbaStrMove.MSVBVM60(00000000,?,00403168,00000060), ref: 0041C7A4
      • __vbaFreeObj.MSVBVM60(00000000,?,00403168,00000060), ref: 0041C7AF
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0), ref: 0041C7CE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041C833
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000140), ref: 0041C895
      • __vbaFreeObj.MSVBVM60(00000000,?,00403168,00000140), ref: 0041C8BA
      • __vbaEnd.MSVBVM60(00000000,?,00403168,00000140), ref: 0041C8C6
      • __vbaStrToAnsi.MSVBVM60(?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041C8DE
      • __vbaSetSystemError.MSVBVM60(00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041C8EF
      • __vbaFreeStr.MSVBVM60(00000000,00000000,Contangoes3), ref: 0041C912
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0), ref: 0041C940
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041C9A5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000130), ref: 0041CA07
      • __vbaStrMove.MSVBVM60(00000000,?,00403168,00000130), ref: 0041CA37
      • __vbaFreeObj.MSVBVM60(00000000,?,00403168,00000130), ref: 0041CA42
      • #536.MSVBVM60(00000002), ref: 0041CA69
      • __vbaStrMove.MSVBVM60(00000002), ref: 0041CA73
      • __vbaFreeVar.MSVBVM60(00000002), ref: 0041CA7E
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0,00000002), ref: 0041CAA4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000004C), ref: 0041CB09
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030B8,00000024), ref: 0041CB6F
      • __vbaStrMove.MSVBVM60(00000000,?,004030B8,00000024), ref: 0041CB9F
      • __vbaFreeObj.MSVBVM60(00000000,?,004030B8,00000024), ref: 0041CBAA
      • __vbaRecUniToAnsi.MSVBVM60(00402E88,?,?), ref: 0041CBC9
      • __vbaSetSystemError.MSVBVM60(00000000,00402E88,?,?), ref: 0041CBDA
      • __vbaRecAnsiToUni.MSVBVM60(00402E88,?,?,00000000,00402E88,?,?), ref: 0041CBF2
      • __vbaRecDestructAnsi.MSVBVM60(00402E88,?,00402E88,?,?,00000000,00402E88,?,?), ref: 0041CC1B
      • #613.MSVBVM60(?,00000002,00402E88,?,00402E88,?,?,00000000,00402E88,?,?), ref: 0041CC58
      • __vbaStrVarMove.MSVBVM60(?,?,00000002,00402E88,?,00402E88,?,?,00000000,00402E88,?,?), ref: 0041CC64
      • __vbaStrMove.MSVBVM60(?,?,00000002,00402E88,?,00402E88,?,?,00000000,00402E88,?,?), ref: 0041CC6E
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,00402E88,?,00402E88,?,?,00000000,00402E88,?,?), ref: 0041CC83
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0,00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041CCA5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014), ref: 0041CD0A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000078), ref: 0041CD66
      • __vbaFreeObj.MSVBVM60(00000000,?,00403168,00000078), ref: 0041CD8B
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0), ref: 0041CDB1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,0000001C), ref: 0041CE16
      • __vbaChkstk.MSVBVM60(00000000,?,00403098,0000001C), ref: 0041CE4D
      • __vbaCastObj.MSVBVM60(?,004031B8), ref: 0041CE69
      • __vbaObjSet.MSVBVM60(?,00000000,?,004031B8), ref: 0041CE76
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403140,00000058), ref: 0041CEB1
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041CED5
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402DB8,000006F8), ref: 0041CF74
      • __vbaFreeVar.MSVBVM60(00000000,?,00402DB8,000006F8), ref: 0041CF8E
      • __vbaRecDestructAnsi.MSVBVM60(00402E88,?,0041D070), ref: 0041D00B
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D013
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D01B
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D023
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D02B
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D033
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D03B
      • __vbaFreeStr.MSVBVM60(00402E88,?,0041D070), ref: 0041D043
      • __vbaRecDestruct.MSVBVM60(00402E88,?,00402E88,?,0041D070), ref: 0041D054
      • __vbaFreeObj.MSVBVM60(00402E88,?,00402E88,?,0041D070), ref: 0041D05F
      • __vbaFreeStr.MSVBVM60(00402E88,?,00402E88,?,0041D070), ref: 0041D06A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresult$Move$AnsiNew2$ErrorList$System$ChkstkDestruct$Copy$#536#541#573#598#611#613#685#703Cast
      • String ID: $$4:4$ANDREWARTHA$Contangoes3$Dorosoma5$K$Lstes8$iliau$stretchier$thyroidization
      • API String ID: 1936441329-1455819464
      • Opcode ID: bc996ad44f567c495300dbef5230306457b2e5f31fac9f543523bc5aed4f01ab
      • Instruction ID: 487ab723a8366f8f6f0ca62fc657f69f6933d7eaef6cc0e72a9178931ef4e2d0
      • Opcode Fuzzy Hash: bc996ad44f567c495300dbef5230306457b2e5f31fac9f543523bc5aed4f01ab
      • Instruction Fuzzy Hash: 9B920571940228AFDB61DF61CC45BDDB7B4BF09309F1040EAE509BA2A1DB785BC88F59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 52%
      			E0041D08F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				intOrPtr _v44;
      				void* _v48;
      				signed int _v52;
      				char _v56;
      				char _v60;
      				void* _v64;
      				intOrPtr _v72;
      				char _v80;
      				char* _v88;
      				intOrPtr _v96;
      				void* _v100;
      				signed int _v104;
      				intOrPtr* _v108;
      				signed int _v112;
      				intOrPtr _v120;
      				intOrPtr* _v124;
      				signed int _v128;
      				signed int _v132;
      				signed int _t74;
      				signed int _t81;
      				signed int _t88;
      				signed int _t93;
      				intOrPtr _t124;
      
      				_push(0x401216);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t124;
      				_push(0x70);
      				L00401210();
      				_v12 = _t124;
      				_v8 = 0x4011d8;
      				L00401336();
      				_v72 = 1;
      				_v80 = 2;
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xffffffff);
      				_push( &_v80); // executed
      				L00401312(); // executed
      				L00401390();
      				L00401318();
      				_v88 = L"PRESSIE";
      				_v96 = 8;
      				L004012CA();
      				_t74 =  &_v80;
      				_push(_t74);
      				L004012D0();
      				L00401390();
      				_push(_t74);
      				_push("Str");
      				_push(0x403208);
      				L0040138A();
      				L00401390();
      				_push(_t74);
      				_push(0x403214);
      				L0040138A();
      				L00401390();
      				_push(_t74);
      				L004012D6();
      				asm("sbb eax, eax");
      				_v100 =  ~( ~( ~_t74));
      				_push( &_v60);
      				_push( &_v56);
      				_push( &_v52);
      				_push(3);
      				L0040132A();
      				L00401318();
      				_t81 = _v100;
      				if(_t81 != 0) {
      					_v72 = 1;
      					_v80 = 2;
      					_push(0xfffffffe);
      					_push(0xfffffffe);
      					_push(0xfffffffe);
      					_push(0xffffffff);
      					_push( &_v80);
      					L00401312();
      					L00401390();
      					L00401318();
      					if( *0x41e5f0 != 0) {
      						_v124 = 0x41e5f0;
      					} else {
      						_push(0x41e5f0);
      						_push(0x4030a8);
      						L00401378();
      						_v124 = 0x41e5f0;
      					}
      					_v100 =  *_v124;
      					_t88 =  *((intOrPtr*)( *_v100 + 0x14))(_v100,  &_v64);
      					asm("fclex");
      					_v104 = _t88;
      					if(_v104 >= 0) {
      						_v128 = _v128 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x403098);
      						_push(_v100);
      						_push(_v104);
      						L00401372();
      						_v128 = _t88;
      					}
      					_v108 = _v64;
      					_t93 =  *((intOrPtr*)( *_v108 + 0x60))(_v108,  &_v52);
      					asm("fclex");
      					_v112 = _t93;
      					if(_v112 >= 0) {
      						_v132 = _v132 & 0x00000000;
      					} else {
      						_push(0x60);
      						_push(0x403168);
      						_push(_v108);
      						_push(_v112);
      						L00401372();
      						_v132 = _t93;
      					}
      					_t81 = _v52;
      					_v120 = _t81;
      					_v52 = _v52 & 0x00000000;
      					L00401390();
      					L0040136C();
      					_push(0xe5);
      					L004012C4();
      					_v44 = _t81;
      				}
      				_v28 = 0x26222e40;
      				_v24 = 0x5afd;
      				_push(0x41d2e7);
      				L00401384();
      				L00401384();
      				L00401384();
      				L00401384();
      				return _t81;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D0AA
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041D0C2
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D0E1
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D0EB
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D0F3
      • __vbaVarDup.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D10C
      • #591.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D115
      • __vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D11F
      • __vbaStrCat.MSVBVM60(00403208,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D12F
      • __vbaStrMove.MSVBVM60(00403208,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D139
      • __vbaStrCat.MSVBVM60(00403214,00000000,00403208,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D144
      • __vbaStrMove.MSVBVM60(00403214,00000000,00403208,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D14E
      • __vbaStrCmp.MSVBVM60(00000000,00403214,00000000,00403208,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D154
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,00403214,00000000,00403208,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D173
      • __vbaFreeVar.MSVBVM60 ref: 0041D17E
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D1A9
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D1B3
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D1BB
      • __vbaNew2.MSVBVM60(004030A8,0041E5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D1D3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403098,00000014,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D217
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000060,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D252
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D270
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D278
      • #570.MSVBVM60(000000E5,?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D282
      • __vbaFreeStr.MSVBVM60(0041D2E7,?,?,?,00401216), ref: 0041D2C9
      • __vbaFreeStr.MSVBVM60(0041D2E7,?,?,?,00401216), ref: 0041D2D1
      • __vbaFreeStr.MSVBVM60(0041D2E7,?,?,?,00401216), ref: 0041D2D9
      • __vbaFreeStr.MSVBVM60(0041D2E7,?,?,?,00401216), ref: 0041D2E1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#703CheckHresult$#570#591ChkstkCopyListNew2
      • String ID: @."&$PRESSIE$Str
      • API String ID: 4270550733-397218167
      • Opcode ID: b727c8dd13f78c4ecc0037f813e7cc0b5e13f54d8575e8143b019aa4d858b8af
      • Instruction ID: b60f46eb64e83113bc83e39ee1661f946a189ee73672ebf53d09fac310386abe
      • Opcode Fuzzy Hash: b727c8dd13f78c4ecc0037f813e7cc0b5e13f54d8575e8143b019aa4d858b8af
      • Instruction Fuzzy Hash: C5610A71D0021DABDB04EFE5C845ADEBBB9AF04318F20422AF421BB5E1EB785945CB58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E0041D43E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr _v44;
      				intOrPtr _v52;
      				intOrPtr _v60;
      				intOrPtr _v68;
      				char _v72;
      				signed int _v76;
      				signed int _v84;
      				signed int _v88;
      				signed int _t50;
      				signed int _t62;
      				void* _t67;
      				void* _t74;
      				intOrPtr _t76;
      
      				_t67 = __edx;
      				 *[fs:0x0] = _t76;
      				L00401210();
      				_v12 = _t76;
      				_v8 = 0x4011f8;
      				L004012AC();
      				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, __ecx, __ecx, _t74);
      				asm("fclex");
      				_v76 = _t50;
      				if(_v76 >= 0) {
      					_v84 = _v84 & 0x00000000;
      				} else {
      					_push(0x58);
      					_push(0x402d88);
      					_push(_a4);
      					_push(_v76);
      					L00401372();
      					_v84 = _t50;
      				}
      				_v32 = _v72;
      				L004012AC();
      				L004012A6();
      				_v28 = E0041D5D4( &_v36);
      				L0040136C();
      				_v32 = E0041D5D4(_v28) + 0x2b0;
      				E0041D777(_t67, _v32, _a8);
      				_v60 = 0x80020004;
      				_v68 = 0xa;
      				_v44 = 0x80020004;
      				_v52 = 0xa;
      				L00401210();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				L00401210();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
      				asm("fclex");
      				_v76 = _t62;
      				if(_v76 >= 0) {
      					_v88 = _v88 & 0x00000000;
      				} else {
      					_push(0x2b0);
      					_push(0x402d88);
      					_push(_a4);
      					_push(_v76);
      					L00401372();
      					_v88 = _t62;
      				}
      				_push(0x41d581);
      				L0040136C();
      				return _t62;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D459
      • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401216), ref: 0041D472
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D88,00000058), ref: 0041D49E
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041D4B9
      • #644.MSVBVM60(?,?,?), ref: 0041D4C2
      • __vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0041D4D3
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041D512
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041D523
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D88,000002B0), ref: 0041D55A
      • __vbaFreeObj.MSVBVM60(0041D581), ref: 0041D57B
      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
      • String ID:
      • API String ID: 1032928638-0
      • Opcode ID: 41b5f1d71f15cff36f23c64d802eaf22fe7a23beaf9be28222f8b76fdf5cbae7
      • Instruction ID: 4bf36c243b8b65c4cd22fd1962e5bbdb43e02f39e6efbcbb465cb771ef6b09a9
      • Opcode Fuzzy Hash: 41b5f1d71f15cff36f23c64d802eaf22fe7a23beaf9be28222f8b76fdf5cbae7
      • Instruction Fuzzy Hash: 0941D6B1C40608AFDF01EF91C846BDEBBB5FF15358F10442AF901BB1A1C7B999869B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0041D308(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v40;
      				char _v72;
      				char _v88;
      				intOrPtr _v96;
      				intOrPtr _v104;
      				signed int _v108;
      				signed int _v120;
      				signed int _t42;
      				char* _t46;
      				void* _t49;
      				void* _t59;
      				void* _t61;
      				intOrPtr _t62;
      
      				_t62 = _t61 - 0xc;
      				 *[fs:0x0] = _t62;
      				L00401210();
      				_v16 = _t62;
      				_v12 = 0x4011e8;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x401216, _t59);
      				 *_a8 =  *_a8 & 0x00000000;
      				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
      				asm("fclex");
      				_v108 = _t42;
      				if(_v108 >= 0) {
      					_v120 = _v120 & 0x00000000;
      				} else {
      					_push(0x2b4);
      					_push(0x402d88);
      					_push(_a4);
      					_push(_v108);
      					L00401372();
      					_v120 = _t42;
      				}
      				E0041D6F5();
      				_v96 = 2;
      				_v104 = 2;
      				L004012BE();
      				_v96 = 0x806db2;
      				_v104 = 3;
      				L004012BE();
      				_t46 =  &_v88;
      				L004012B2();
      				L004012B8();
      				_t49 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
      				_push(0x41d415);
      				L00401318();
      				L00401318();
      				return _t49;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D324
      • __vbaHresultCheckObj.MSVBVM60(00000000,004011E8,00402D88,000002B4), ref: 0041D377
      • __vbaVarMove.MSVBVM60(00000000,004011E8,00402D88,000002B4), ref: 0041D39E
      • __vbaVarMove.MSVBVM60(00000000,004011E8,00402D88,000002B4), ref: 0041D3B7
      • __vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D3C8
      • __vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D3CE
      • __vbaFreeVar.MSVBVM60(0041D415), ref: 0041D407
      • __vbaFreeVar.MSVBVM60(0041D415), ref: 0041D40F
      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$FreeMove$CheckChkstkHresultIdiv
      • String ID:
      • API String ID: 3577542843-0
      • Opcode ID: cb2a9595b7213f513eef1fff702cc82ea472c0123fbb5bef121c2652e78e13cd
      • Instruction ID: 9739e00c59d18cf991b898ff5a452bc9d0eb44659245e7d3e78fc27c47fca36c
      • Opcode Fuzzy Hash: cb2a9595b7213f513eef1fff702cc82ea472c0123fbb5bef121c2652e78e13cd
      • Instruction Fuzzy Hash: 4C31B571940208EFDB00EFD5C989BDDBBB4AF04704F10416AF809BB1A1D779AA45CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			_entry_(signed int __eax, void* __ecx) {
      				intOrPtr* _t4;
      
      				_push("VB5!6&*"); // executed
      				L004013AE(); // executed
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax ^ __eax;
      				 *__eax =  *__eax + __eax;
      				_t4 = __eax + 1;
      				 *_t4 =  *_t4 + _t4;
      				 *_t4 =  *_t4 + _t4;
      				 *_t4 =  *_t4 + _t4;
      				 *((intOrPtr*)(__ecx - 0x3d)) =  *((intOrPtr*)(__ecx - 0x3d)) + _t4;
      				asm("popad");
      				return _t4;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 0df76eb782d2c22892386e473a21c9507da5b41c09aa4e833f6de56b301929db
      • Instruction ID: a40201fe48441e6608fe6498f9d4dbe3bf6d7d3af1405e5c97f1d28f817fd309
      • Opcode Fuzzy Hash: 0df76eb782d2c22892386e473a21c9507da5b41c09aa4e833f6de56b301929db
      • Instruction Fuzzy Hash: 9401616118E7D48FE30753B51C660513FB0881322031E45EBC0C1CA8E3D09E184EC337
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: iP`g$kzXl$~d^&
      • API String ID: 0-1733378214
      • Opcode ID: 806c612c311ff47db301ccae29d8674183ecec9a6578b51ab3426a7c202745ff
      • Instruction ID: b02c28e030c48353b9583d102c2db78392bbf31762c582ca22759b2b45606388
      • Opcode Fuzzy Hash: 806c612c311ff47db301ccae29d8674183ecec9a6578b51ab3426a7c202745ff
      • Instruction Fuzzy Hash: 79B22371648385DFDB348F38CC987EABBB2AF95310F4A816EDC999B255D3308641CB52
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: h4v1$kzXl$~d^&
      • API String ID: 0-1195003491
      • Opcode ID: 20342b7a32984072c89a8130b05e0cd01e4a0e89f9b27c6890f15e17f4062fd0
      • Instruction ID: 5aeba585a0476a8f6a69bfbec7c9870c5401236dad1b1d768472e2977c592ac1
      • Opcode Fuzzy Hash: 20342b7a32984072c89a8130b05e0cd01e4a0e89f9b27c6890f15e17f4062fd0
      • Instruction Fuzzy Hash: EA6200B16483889FDB689F34CD997EABBB2FF99300F46411DD9899B210D3345A81CB46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: Fq.R$nR$sM2
      • API String ID: 0-1277487448
      • Opcode ID: b09c054368f1ccb945e494620007e8da4883adf449e7ac0ca69d14d2cafa864d
      • Instruction ID: b41b9deb273f5bd964f09e29b9748a5ebb4ff526917c0dfc9f75af3027c0c64f
      • Opcode Fuzzy Hash: b09c054368f1ccb945e494620007e8da4883adf449e7ac0ca69d14d2cafa864d
      • Instruction Fuzzy Hash: 95A1EC76684389CFCB749F68CD44BEE77B2AF54350F46452ADC8AAB210D3304A91CB52
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: kzXl$~d^&
      • API String ID: 0-1827219150
      • Opcode ID: 41c96b51cad6231991a2f4c7cd9211e323f4805d9bc3e6cf0bc36cc0f96a3454
      • Instruction ID: 0ed3fd14a6fb73e44815b0b82827d982e13624830e44159981e4a29fc331780f
      • Opcode Fuzzy Hash: 41c96b51cad6231991a2f4c7cd9211e323f4805d9bc3e6cf0bc36cc0f96a3454
      • Instruction Fuzzy Hash: E772CE71648349DFCB689F24CD997EABBB2BF98300F46412EDD899B210D7305A91CB46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: `
      • API String ID: 0-1850852036
      • Opcode ID: 45328687e14ad7e3ed7640f27d21863a6d2c8aad131bde61d9065d9b47ffb7b9
      • Instruction ID: 269454961501288b643838911930cb1e670b3399bdb6860e10b2f6e387f0226c
      • Opcode Fuzzy Hash: 45328687e14ad7e3ed7640f27d21863a6d2c8aad131bde61d9065d9b47ffb7b9
      • Instruction Fuzzy Hash: 6C21F771649289CBDF389E79991C3FE36A3AF95350F62802FCC4E8B154E73152518F85
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
      • Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
      • Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
      • Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 06e15d0ed19ce66fa58cfecfa19f4a3cb59820be8cf369ac09a7694aae1b4509
      • Instruction ID: f4ba60c52a59cd6378dbfae35d6dde77de607fee4aec30c93e69076a6af3cce5
      • Opcode Fuzzy Hash: 06e15d0ed19ce66fa58cfecfa19f4a3cb59820be8cf369ac09a7694aae1b4509
      • Instruction Fuzzy Hash: 9931B4716452489FDB38DD7899A93FB37E2EB68310F94002EE84BDB250E7749A51CB06
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
      • Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
      • Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
      • Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ac3ea04af61e39c526eadd61d59777087c00f2d0601a5be54d46c1d78f006977
      • Instruction ID: b72815bb51b20437d5f1225aa7d462ace1243bd3b4d43245744c6268ee2862ad
      • Opcode Fuzzy Hash: ac3ea04af61e39c526eadd61d59777087c00f2d0601a5be54d46c1d78f006977
      • Instruction Fuzzy Hash: 6A113575A40385DFCB34CF29D988BD977B0BB89310F0546AADD288B260C330DA00EF50
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1182890882.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.1182884071.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.1182918193.000000000041E000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.1182923026.0000000000420000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
      • Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
      • Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
      • Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
      • Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
      • Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
      • Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
      • Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
      • Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1183142322.0000000002160000.00000040.00000001.sdmp, Offset: 02160000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e42eadbb93a8aeb7e098beaaaf5f74574a3a5a9c9637ad6dd9c5277d16fa6bed
      • Instruction ID: f5f86c4a480199c78c4540004c8a0935e20f036f0ebe22ed4a0f197a15b98037
      • Opcode Fuzzy Hash: e42eadbb93a8aeb7e098beaaaf5f74574a3a5a9c9637ad6dd9c5277d16fa6bed
      • Instruction Fuzzy Hash: DCB00136762A80CFCE96CF19D2D0F80B3B4FB55B94F5298D4E8519BB22C368E905CE00
      Uniqueness

      Uniqueness Score: -1.00%