Play interactive tour

Edit tour

Analysis Report Lista produkt#U00f3w.exe

Overview

General Information

Sample Name:	Lista produkt#U00f3w.exe
Analysis ID:	411100
MD5:	c7f305d2e4f5e91e8118ac32ec796b0c
SHA1:	c477a3d238b96c2a58e77bb7c818775e23f7d656
SHA256:	0d28b94959edb70309a2754a83f2c9230b3176618ab571995d81955751ca2dbe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Lista produkt#U00f3w.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\Lista produkt#U00f3w.exe' MD5: C7F305D2E4F5E91E8118AC32EC796B0C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: Lista produkt#U00f3w.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y"}

Multi AV Scanner detection for submitted file

Show sources

Source: Lista produkt#U00f3w.exe	Virustotal: Detection: 34%			Perma Link
Source: Lista produkt#U00f3w.exe	ReversingLabs: Detection: 17%

Source: Lista produkt#U00f3w.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=17FenSUBd1a7PqzhRX-elu4bxZvs0LF9Y

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B1B3F NtAllocateVirtualMemory,		0_2_022B1B3F
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B33E1 NtProtectVirtualMemory,		0_2_022B33E1

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00407206	0_2_00407206
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00407246	0_2_00407246
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_0040176F	0_2_0040176F
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00401580	0_2_00401580
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_004017BC	0_2_004017BC

Source: Lista produkt#U00f3w.exe, 00000000.00000000.209614944.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFarveskrmene.exe vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1290593504.0000000002280000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1292000983.0000000002A20000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFarveskrmene.exeFE2X~~ vs Lista produkt#U00f3w.exe
Source: Lista produkt#U00f3w.exe	Binary or memory string: OriginalFilenameFarveskrmene.exe vs Lista produkt#U00f3w.exe

Source: Lista produkt#U00f3w.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4627E9014B595615.TMP

Jump to behavior

Source: Lista produkt#U00f3w.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lista produkt#U00f3w.exe	Virustotal: Detection: 34%
Source: Lista produkt#U00f3w.exe	ReversingLabs: Detection: 17%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00406613 push edx; ret	0_2_00406614
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00405A15 push esp; ret	0_2_00405A20
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00405889 push eax; ret	0_2_0040588C
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_0040576B push edi; retf	0_2_004057A0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_00404B1B push esp; retn 0000h	0_2_00404B1D
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_0040459E pushfd ; ret	0_2_004045A0
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B1B3F pushfd ; iretd	0_2_022B1CAC
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B1CA1 pushfd ; iretd	0_2_022B1CAC

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B0C5E	0_2_022B0C5E
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B1301	0_2_022B1301
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B0511	0_2_022B0511
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B0D16	0_2_022B0D16

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

RDTSC instruction interceptor: First address: 00000000022B1972 second address: 00000000022B1972 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FD3E4D6E2EAh 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 cmp bx, ax 0x00000023 dec ecx 0x00000024 cmp dh, ah 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FD3E4D6E2CAh 0x0000002b push ecx 0x0000002c cmp bl, al 0x0000002e cmp bl, cl 0x00000030 call 00007FD3E4D6E2FFh 0x00000035 call 00007FD3E4D6E2FAh 0x0000003a lfence 0x0000003d mov edx, dword ptr [7FFE0014h] 0x00000043 lfence 0x00000046 ret 0x00000047 mov esi, edx 0x00000049 pushad 0x0000004a rdtsc

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Code function: 0_2_022B122C rdtsc

0_2_022B122C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Code function: 0_2_022B122C rdtsc

0_2_022B122C

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B30ED mov eax, dword ptr fs:[00000030h]	0_2_022B30ED
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B18E2 mov eax, dword ptr fs:[00000030h]	0_2_022B18E2
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B111A mov eax, dword ptr fs:[00000030h]	0_2_022B111A
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B0D16 mov eax, dword ptr fs:[00000030h]	0_2_022B0D16
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B2D69 mov eax, dword ptr fs:[00000030h]	0_2_022B2D69
Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe	Code function: 0_2_022B2B82 mov eax, dword ptr fs:[00000030h]	0_2_022B2B82

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Lista produkt#U00f3w.exe, 00000000.00000002.1289894220.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Lista produkt#U00f3w.exe

Code function: 0_2_022B1B3F cpuid

0_2_022B1B3F

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Lista produkt#U00f3w.exe	34%	Virustotal		Browse
Lista produkt#U00f3w.exe	17%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411100
Start date:	11.05.2021
Start time:	16:24:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Lista produkt#U00f3w.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 34.1% (good quality ratio 19.8%) Quality average: 29.8% Quality standard deviation: 31.6%
HCA Information:	Successful, ratio: 53% Number of executed functions: 20 Number of non-executed functions: 20
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.711108381776406
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lista produkt#U00f3w.exe
File size:	81920
MD5:	c7f305d2e4f5e91e8118ac32ec796b0c
SHA1:	c477a3d238b96c2a58e77bb7c818775e23f7d656
SHA256:	0d28b94959edb70309a2754a83f2c9230b3176618ab571995d81955751ca2dbe
SHA512:	6eebcaff0963b5a69f574ceb0eb11f07ac1e6a195476c32b863e026f825f563e6b2406f7e6f34cc2ade6515cb14980e2be471a010fc8c8cf8727faa4f1421b56
SSDEEP:	1536:cDMp+5asYexpjWzziwuVlCqRryDqRZkD:cV57+iwuV9RZk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.....................0............... ....@................

File Icon


Icon Hash:	b09298b8cc8a19c6

Static PE Info

General
Entrypoint:	0x4013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6099DDA9 [Tue May 11 01:28:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ec8e962978786706cf0189109090c85e

Entrypoint Preview

Instruction
push 00401F34h
call 00007FD3E4BEEB23h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+ecx*2-47h], cl
aas
mov byte ptr [ebx+0Bh], dh
inc edi
mov eax, 8AB5048Eh
les ecx, fword ptr [edx+09h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
call 00007FD430C1F8C4h
push ebp
dec ebp
dec ecx
dec esi
dec ecx
inc esi
dec ecx
inc ebx
inc ebp
dec esi
push esp
add byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
push es
into
sbb bh, byte ptr [esi]
or esp, dword ptr [eax+56B54785h]
jnp 00007FD3E4BEEB93h
or eax, dword ptr [edi+33h]
push ebp
jc 00007FD3E4BEEAF5h
sub dword ptr [esi-6Eh], edx
xchg byte ptr [edi+eax*2], dh
xchg dword ptr [ebp-3B91C6C1h], edx
push ebp
pop eax
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [edx], cl
add byte ptr [eax], al
and al, 09h
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [edx+65h], al
arpl word ptr [ebp+72h], si
jnc 00007FD3E4BEEB97h
add byte ptr [47001201h], cl
jc 00007FD3E4BEEBA7h
jo 00007FD3E4BEEBA2h
jnc 00007FD3E4BEEB94h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x111d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0xc1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x158	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x107d4	0x11000	False	0.422291475184	data	6.18941304283	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x11f4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0xc1c	0x1000	False	0.291015625	data	3.0223027499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x14374	0x8a8	data
RT_GROUP_ICON	0x14360	0x14	data
RT_VERSION	0x140f0	0x270	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Farveskrmene
FileVersion	1.00
CompanyName	Asso Filler
ProductName	Asso Filler
ProductVersion	1.00
FileDescription	Asso Filler
OriginalFilename	Farveskrmene.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Lista produkt#U00f3w.exe PID: 2412 Parent PID: 5760

General

Start time:	16:25:09
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\Lista produkt#U00f3w.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Lista produkt#U00f3w.exe'
Imagebase:	0x400000
File size:	81920 bytes
MD5 hash:	C7F305D2E4F5E91E8118AC32EC796B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Lista produkt#U00f3w.exe PID: 2412 Parent PID: 5760 Lista produkt#U00f3w.exeCOMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	75.2%
Signature Coverage:	21.8%
Total number of Nodes:	879
Total number of Limit Nodes:	25

Executed Functions

Function 022B1B3F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000), ref: 022B1BF4

Strings

fel, xrefs: 022B1B81

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: fel
API String ID: 2167126740-998966389
Opcode ID: 9a3c85134a3d365950eb5d71adbce10e784b8a870bffcdea00dba4eba8e0cf75
Instruction ID: b0aae35a627d5d03e85f7c427f6ec1cb29ce5c9d22afc529e99d21314b72a047
Opcode Fuzzy Hash: 9a3c85134a3d365950eb5d71adbce10e784b8a870bffcdea00dba4eba8e0cf75
Instruction Fuzzy Hash: BB21D4B15007499FEB325F38CC51BDE36A2EF45354F508628ED8D9B2A5D7748A818B42

Uniqueness

Uniqueness Score: -1.00%

Function 00407206, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

], xrefs: 004072E2

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-1813045944
Opcode ID: 0ed6bdb513bd94b69ad78142c241a7ca4e1d67942e1e0807a5d8e35ee95db196
Instruction ID: 0654c5c579814525cd69a9c404a01ecbc6dc6d6fb0272bf24d6b79db9abba7be
Opcode Fuzzy Hash: 0ed6bdb513bd94b69ad78142c241a7ca4e1d67942e1e0807a5d8e35ee95db196
Instruction Fuzzy Hash: CA813562F18B1185FF352128C9E056C6502DBD2344F32873BCD6A33DC55B3E16C6265B

Uniqueness

Uniqueness Score: -1.00%

Function 00407246, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 241
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Strings

], xrefs: 004072E2

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID: ]
API String ID: 4275171209-1813045944
Opcode ID: 2107def32f4d190f21624457edce8cc9f0d855102c199a55899f6ea0447b6c5b
Instruction ID: 37cc49b4028cb5ee1b2d669398556f8c8fdcfddf01ea1d6de6b56072586c2096
Opcode Fuzzy Hash: 2107def32f4d190f21624457edce8cc9f0d855102c199a55899f6ea0447b6c5b
Instruction Fuzzy Hash: 8F811462F18B5185FF362128C9E056D6502EF96340F32873BCD6A33DC55B3E16C6269B

Uniqueness

Uniqueness Score: -1.00%

Function 022B33E1, Relevance: 1.5, APIs: 1, Instructions: 13
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,022B3169,00000040,022B132A,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 022B33FA

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00408444, Relevance: 198.8, APIs: 104, Strings: 9, Instructions: 1073
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00408444(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v48;
				short _v72;
				void* _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				long long _v116;
				signed int _v120;
				intOrPtr _v124;
				long long _v136;
				char _v140;
				short _v144;
				char _v164;
				short _v168;
				short _v180;
				void* _v184;
				void* _v192;
				long long _v800;
				long long _v808;
				void* _v812;
				intOrPtr _v820;
				char _v828;
				void* _v832;
				signed int _v836;
				char _v840;
				char _v848;
				signed int _v852;
				intOrPtr _v864;
				char _v872;
				char _v888;
				intOrPtr _v916;
				char _v924;
				char _v944;
				signed int _v948;
				char _v952;
				intOrPtr _v956;
				long long _v960;
				intOrPtr _v964;
				char _v968;
				signed int _v972;
				signed int _v976;
				signed int _v980;
				signed int _v984;
				signed int _v1320;
				signed int _v1324;
				signed int _v1328;
				signed int _v1332;
				signed int _v1336;
				signed int _v1364;
				intOrPtr* _v1368;
				signed int _v1372;
				signed int _v1376;
				intOrPtr* _v1380;
				signed int _v1384;
				signed int _v1388;
				intOrPtr* _v1392;
				signed int _v1396;
				signed int _v1400;
				intOrPtr* _v1404;
				signed int _v1408;
				signed int _v1412;
				intOrPtr* _v1416;
				signed int _v1420;
				intOrPtr* _v1424;
				signed int _v1428;
				signed int _v1432;
				intOrPtr* _v1436;
				signed int _v1440;
				signed int _v1444;
				intOrPtr* _v1448;
				signed int _v1452;
				signed int _v1456;
				signed int _v1460;
				signed int _v1464;
				signed int _v1468;
				signed int _v1472;
				intOrPtr* _v1476;
				signed int _v1480;
				signed int _v1484;
				intOrPtr* _v1488;
				signed int _v1492;
				signed int _v1496;
				signed int _v1500;
				intOrPtr* _v1504;
				signed int _v1508;
				signed int _v1512;
				intOrPtr* _v1516;
				signed int _v1520;
				signed int _v1524;
				char* _t588;
				signed int _t592;
				signed int _t597;
				signed int _t611;
				signed int _t617;
				signed int _t622;
				signed int _t627;
				signed int _t631;
				signed int _t635;
				char* _t640;
				signed int _t644;
				signed int _t651;
				signed int _t655;
				signed int _t657;
				signed int _t664;
				signed int _t670;
				signed int _t674;
				signed int _t678;
				signed int _t684;
				signed int _t688;
				signed int _t692;
				signed int _t698;
				char* _t703;
				signed int _t710;
				signed int _t715;
				signed int _t722;
				signed int _t727;
				signed int _t734;
				signed int _t739;
				signed int _t745;
				signed int _t750;
				char* _t754;
				signed int _t762;
				signed int _t767;
				signed int _t774;
				signed int _t779;
				signed int _t786;
				signed int _t792;
				char* _t796;
				signed int _t799;
				void* _t800;
				void* _t857;
				void* _t861;
				intOrPtr _t866;
				long long _t919;

				 *[fs:0x0] = _t866;
				L004011F0();
				_v16 = _t866;
				_v12 = 0x401180;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t857, _t861, _t800,  *[fs:0x0], 0x4011f6);
				_push(3);
				_push(0x4031f4);
				_t588 =  &_v48;
				_push(_t588);
				L004013D0();
				_push(0x402fe0);
				_push(0x402fe0);
				L004013BE();
				_v864 = _t588;
				_v872 = 8;
				_push(1);
				_push( &_v872);
				_push( &_v888);
				L004013C4();
				_v916 = 0x402fe0;
				_v924 = 0x8008;
				_push( &_v888);
				_t592 =  &_v924;
				_push(_t592);
				L004013CA();
				_v972 = _t592;
				_push( &_v888);
				_push( &_v872);
				_push(2);
				L004013B8();
				if(_v972 != 0) {
					_v864 = 2;
					_v872 = 2;
					L004013AC();
					L004013B2();
					L004013A6();
					_v864 = 1;
					_v872 = 2;
					_t796 =  &_v872;
					L004013A0();
					L004013B2();
					L004013A6();
					_t919 =  *0x401178;
					L0040139A();
					_t799 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t796, _t796, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe,  &_v872);
					asm("fclex");
					_v972 = _t799;
					if(_v972 >= 0) {
						_v1364 = _v1364 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x402ae0);
						_push(_a4);
						_push(_v972);
						L00401394();
						_v1364 = _t799;
					}
				}
				_v864 = 2;
				_v872 = 2;
				_push( &_v872);
				L004013AC();
				L004013B2();
				L004013A6();
				_t597 =  &_v828;
				_push(_t597);
				E00402D94();
				_v948 = _t597;
				L0040138E();
				if(_v948 == 0x58) {
					if( *0x4123c0 != 0) {
						_v1368 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1368 = 0x4123c0;
					}
					_v972 =  *_v1368;
					_t762 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t762;
					if(_v976 >= 0) {
						_v1372 = _v1372 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1372 = _t762;
					}
					_v980 = _v848;
					_t767 =  *((intOrPtr*)( *_v980 + 0xc0))(_v980,  &_v944);
					asm("fclex");
					_v984 = _t767;
					if(_v984 >= 0) {
						_v1376 = _v1376 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1376 = _t767;
					}
					_v168 = _v944;
					L00401382();
					if( *0x4123c0 != 0) {
						_v1380 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1380 = 0x4123c0;
					}
					_v972 =  *_v1380;
					_t774 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t774;
					if(_v976 >= 0) {
						_v1384 = _v1384 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1384 = _t774;
					}
					_v980 = _v848;
					_t779 =  *((intOrPtr*)( *_v980 + 0xf8))(_v980,  &_v836);
					asm("fclex");
					_v984 = _t779;
					if(_v984 >= 0) {
						_v1388 = _v1388 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1388 = _t779;
					}
					_v1320 = _v836;
					_v836 = _v836 & 0x00000000;
					L004013B2();
					L00401382();
					if( *0x4123c0 != 0) {
						_v1392 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1392 = 0x4123c0;
					}
					_v972 =  *_v1392;
					_t786 =  *((intOrPtr*)( *_v972 + 0x1c))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t786;
					if(_v976 >= 0) {
						_v1396 = _v1396 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1396 = _t786;
					}
					_v980 = _v848;
					_v916 = 0x80020004;
					_v924 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t792 =  *((intOrPtr*)( *_v980 + 0x54))(_v980, 0x10,  &_v852);
					asm("fclex");
					_v984 = _t792;
					if(_v984 >= 0) {
						_v1400 = _v1400 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x403024);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1400 = _t792;
					}
					_v1324 = _v852;
					_v852 = _v852 & 0x00000000;
					_v864 = _v1324;
					_v872 = 9;
					_t597 = 0x10;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v820);
					L0040137C();
					L00401382();
					L004013A6();
				}
				_push(0x8966da);
				E00402EBC();
				_v948 = _t597;
				L0040138E();
				if(_v948 == 0x1e61) {
					if( *0x4123c0 != 0) {
						_v1404 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1404 = 0x4123c0;
					}
					_v972 =  *_v1404;
					_t745 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t745;
					if(_v976 >= 0) {
						_v1408 = _v1408 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1408 = _t745;
					}
					_v980 = _v848;
					_t750 =  *((intOrPtr*)( *_v980 + 0x110))(_v980,  &_v836);
					asm("fclex");
					_v984 = _t750;
					if(_v984 >= 0) {
						_v1412 = _v1412 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1412 = _t750;
					}
					_v1328 = _v836;
					_v836 = _v836 & 0x00000000;
					L004013B2();
					L00401382();
					L00401376();
					_v124 = _t919;
					if( *0x4123c0 != 0) {
						_v1416 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1416 = 0x4123c0;
					}
					_v972 =  *_v1416;
					_t754 =  &_v848;
					L00401370();
					_t597 =  *((intOrPtr*)( *_v972 + 0x10))(_v972, _t754, _t754, _a4);
					asm("fclex");
					_v976 = _t597;
					if(_v976 >= 0) {
						_v1420 = _v1420 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1420 = _t597;
					}
					L00401382();
				}
				_push(0x4c5969);
				E00402EFC();
				_v948 = _t597;
				L0040138E();
				if(_v948 == 0x1e60) {
					if( *0x4123c0 != 0) {
						_v1424 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1424 = 0x4123c0;
					}
					_v972 =  *_v1424;
					_t710 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t710;
					if(_v976 >= 0) {
						_v1428 = _v1428 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1428 = _t710;
					}
					_v980 = _v848;
					_t715 =  *((intOrPtr*)( *_v980 + 0x108))(_v980,  &_v944);
					asm("fclex");
					_v984 = _t715;
					if(_v984 >= 0) {
						_v1432 = _v1432 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1432 = _t715;
					}
					_v72 = _v944;
					L00401382();
					if( *0x4123c0 != 0) {
						_v1436 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1436 = 0x4123c0;
					}
					_v972 =  *_v1436;
					_t722 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t722;
					if(_v976 >= 0) {
						_v1440 = _v1440 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1440 = _t722;
					}
					_v980 = _v848;
					_t727 =  *((intOrPtr*)( *_v980 + 0xc8))(_v980,  &_v944);
					asm("fclex");
					_v984 = _t727;
					if(_v984 >= 0) {
						_v1444 = _v1444 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1444 = _t727;
					}
					_v144 = _v944;
					L00401382();
					if( *0x4123c0 != 0) {
						_v1448 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1448 = 0x4123c0;
					}
					_v972 =  *_v1448;
					_t734 =  *((intOrPtr*)( *_v972 + 0x1c))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t734;
					if(_v976 >= 0) {
						_v1452 = _v1452 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1452 = _t734;
					}
					_v980 = _v848;
					_v916 = 0x80020004;
					_v924 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t739 =  *((intOrPtr*)( *_v980 + 0x60))(_v980, L"Receptionsassistenter4", 0x10);
					asm("fclex");
					_v984 = _t739;
					if(_v984 >= 0) {
						_v1456 = _v1456 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403024);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1456 = _t739;
					}
					L00401382();
				}
				_v968 = 0x8b685910;
				_v964 = 0x5afc;
				_v960 = 0xe92196e0;
				_v956 = 0x5af5;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Enervous", 0x69ca,  &_v960,  &_v968,  &_v944);
				_v180 = _v944;
				_v968 = 0x4e4866f0;
				_v964 = 0x5b02;
				_v960 =  *0x401170;
				_v948 = 0x1d68ea;
				_t611 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v948, L"Holmberry5",  &_v960,  &_v968,  &_v952);
				_v972 = _t611;
				if(_v972 >= 0) {
					_v1460 = _v1460 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402b10);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1460 = _t611;
				}
				_v140 = _v952;
				_v944 = 0x5fc6;
				_t617 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, L"disuniter",  &_v944,  &_v948);
				_v972 = _t617;
				if(_v972 >= 0) {
					_v1464 = _v1464 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402b10);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1464 = _t617;
				}
				_v120 = _v948;
				L0040136A();
				_t622 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v836, 0xe1,  &_v960);
				_v972 = _t622;
				if(_v972 >= 0) {
					_v1468 = _v1468 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b10);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1468 = _t622;
				}
				_v136 = _v960;
				L00401364();
				L0040136A();
				_t627 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v836, 0x5188,  &_v960);
				_v972 = _t627;
				if(_v972 >= 0) {
					_v1472 = _v1472 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b10);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1472 = _t627;
				}
				_v808 = _v960;
				L00401364();
				if( *0x412010 != 0) {
					_v1476 = 0x412010;
				} else {
					_push("P G");
					_push(0x40246c);
					L00401388();
					_v1476 = 0x412010;
				}
				_t631 =  &_v848;
				L00401358();
				_v972 = _t631;
				_t635 =  *((intOrPtr*)( *_v972 + 0x1b8))(_v972,  &_v852, _t631,  *((intOrPtr*)( *((intOrPtr*)( *_v1476)) + 0x304))( *_v1476));
				asm("fclex");
				_v976 = _t635;
				if(_v976 >= 0) {
					_v1480 = _v1480 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x4030dc);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1480 = _t635;
				}
				L0040135E(); // executed
				_v968 = 0x5f6bf5a0;
				_v964 = 0x5af8;
				_v960 =  *0x401168;
				_v948 = 0x841700;
				_t640 =  &_v872;
				L00401352();
				L004013B2();
				_t644 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v948, _t640, _t640,  &_v960,  &_v968,  &_v952,  &_v872, _v852, 0, 0);
				_v980 = _t644;
				if(_v980 >= 0) {
					_v1484 = _v1484 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402b10);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1484 = _t644;
				}
				_v92 = _v952;
				L00401364();
				_push( &_v852);
				_push( &_v848);
				_push(2);
				L0040134C();
				L004013A6();
				if( *0x412010 != 0) {
					_v1488 = 0x412010;
				} else {
					_push("P G");
					_push(0x40246c);
					L00401388();
					_v1488 = 0x412010;
				}
				_t651 =  &_v848;
				L00401358();
				_v972 = _t651;
				_t655 =  *((intOrPtr*)( *_v972 + 0x100))(_v972,  &_v852, _t651,  *((intOrPtr*)( *((intOrPtr*)( *_v1488)) + 0x300))( *_v1488));
				asm("fclex");
				_v976 = _t655;
				if(_v976 >= 0) {
					_v1492 = _v1492 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x4030ec);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1492 = _t655;
				}
				L0040135E();
				_v968 = 0xef1aa800;
				_v964 = 0x5afc;
				_v960 =  *0x401160;
				_t657 =  &_v872;
				L00401346();
				_v948 = _t657;
				_t664 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v948, L"SLAVESJLENE",  &_v960,  &_v968,  &_v952, _t657,  &_v872, _v852, 0, 0);
				_v980 = _t664;
				if(_v980 >= 0) {
					_v1496 = _v1496 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402b10);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1496 = _t664;
				}
				_v88 = _v952;
				L0040134C();
				L004013A6();
				_t670 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v848,  &_v852);
				asm("fclex");
				_v972 = _t670;
				if(_v972 >= 0) {
					_v1500 = _v1500 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402ae0);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1500 = _t670;
				}
				L112:
				L112:
				if( *0x412010 != 0) {
					_v1504 = 0x412010;
				} else {
					_push("P G");
					_push(0x40246c);
					L00401388();
					_v1504 = 0x412010;
				}
				_t674 =  &_v848;
				L00401358();
				_v972 = _t674;
				_t678 =  *((intOrPtr*)( *_v972 + 0x150))(_v972,  &_v836, _t674,  *((intOrPtr*)( *((intOrPtr*)( *_v1504)) + 0x308))( *_v1504));
				asm("fclex");
				_v976 = _t678;
				if(_v976 >= 0) {
					_v1508 = _v1508 & 0x00000000;
				} else {
					_push(0x150);
					_push(0x4030dc);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1508 = _t678;
				}
				_v1332 = _v836;
				_v836 = _v836 & 0x00000000;
				L004013B2();
				_t684 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v840, 0x55c3,  &_v960);
				_v980 = _t684;
				if(_v980 >= 0) {
					_v1512 = _v1512 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b10);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1512 = _t684;
				}
				_v800 = _v960;
				L00401364();
				L00401382();
				if( *0x412010 != 0) {
					_v1516 = 0x412010;
				} else {
					_push("P G");
					_push(0x40246c);
					L00401388();
					_v1516 = 0x412010;
				}
				_t688 =  &_v848;
				L00401358();
				_v972 = _t688;
				_t692 =  *((intOrPtr*)( *_v972 + 0x150))(_v972,  &_v836, _t688,  *((intOrPtr*)( *((intOrPtr*)( *_v1516)) + 0x304))( *_v1516));
				asm("fclex");
				_v976 = _t692;
				if(_v976 >= 0) {
					_v1520 = _v1520 & 0x00000000;
				} else {
					_push(0x150);
					_push(0x4030dc);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1520 = _t692;
				}
				_v1336 = _v836;
				_v836 = _v836 & 0x00000000;
				L004013B2();
				_t698 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v840, 0x5e86,  &_v960);
				_v980 = _t698;
				if(_v980 >= 0) {
					_v1524 = _v1524 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b10);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1524 = _t698;
				}
				_v116 = _v960;
				L00401364();
				L00401382();
				_v916 = 1;
				_v924 = 2;
				_push( &_v164);
				_push( &_v924);
				_push( &_v872);
				L0040133A();
				L00401340();
				_v916 = 0x1ffff;
				_v924 = 0x8003;
				_push( &_v164);
				_t703 =  &_v924;
				_push(_t703);
				L00401334();
				if(_t703 == 0) {
					goto L132;
				}
				goto L112;
				L132:
				_v84 = 0;
				_push(0x407269);
				goto ( *__edx);
			}

0x00408456
0x00408462
0x0040846a
0x0040846d
0x0040847a
0x00408483
0x0040848e
0x00408491
0x00408493
0x00408498
0x0040849b
0x0040849c
0x004084a1
0x004084a6
0x004084ab
0x004084b0
0x004084b6
0x004084c0
0x004084c8
0x004084cf
0x004084d0
0x004084d5
0x004084df
0x004084ef
0x004084f0
0x004084f6
0x004084f7
0x004084fc
0x00408509
0x00408510
0x00408511
0x00408513
0x00408524
0x0040852a
0x00408534
0x00408545
0x00408552
0x0040855d
0x00408562
0x0040856c
0x0040857e
0x00408585
0x0040858f
0x0040859a
0x0040859f
0x004085a5
0x004085b3
0x004085b6
0x004085b8
0x004085c5
0x004085e4
0x004085c7
0x004085c7
0x004085c9
0x004085ce
0x004085d1
0x004085d7
0x004085dc
0x004085dc
0x004085c5
0x004085eb
0x004085f5
0x00408605
0x00408606
0x00408613
0x0040861e
0x00408623
0x00408629
0x0040862a
0x0040862f
0x00408635
0x00408641
0x0040864e
0x0040866b
0x00408650
0x00408650
0x00408655
0x0040865a
0x0040865f
0x0040865f
0x0040867d
0x00408698
0x0040869b
0x0040869d
0x004086aa
0x004086cc
0x004086ac
0x004086ac
0x004086ae
0x004086b3
0x004086b9
0x004086bf
0x004086c4
0x004086c4
0x004086d9
0x004086f4
0x004086fa
0x004086fc
0x00408709
0x0040872e
0x0040870b
0x0040870b
0x00408710
0x00408715
0x0040871b
0x00408721
0x00408726
0x00408726
0x0040873c
0x00408749
0x00408755
0x00408772
0x00408757
0x00408757
0x0040875c
0x00408761
0x00408766
0x00408766
0x00408784
0x0040879f
0x004087a2
0x004087a4
0x004087b1
0x004087d3
0x004087b3
0x004087b3
0x004087b5
0x004087ba
0x004087c0
0x004087c6
0x004087cb
0x004087cb
0x004087e0
0x004087fb
0x00408801
0x00408803
0x00408810
0x00408835
0x00408812
0x00408812
0x00408817
0x0040881c
0x00408822
0x00408828
0x0040882d
0x0040882d
0x00408842
0x00408848
0x0040885b
0x00408866
0x00408872
0x0040888f
0x00408874
0x00408874
0x00408879
0x0040887e
0x00408883
0x00408883
0x004088a1
0x004088bc
0x004088bf
0x004088c1
0x004088ce
0x004088f0
0x004088d0
0x004088d0
0x004088d2
0x004088d7
0x004088dd
0x004088e3
0x004088e8
0x004088e8
0x004088fd
0x00408903
0x0040890d
0x00408921
0x0040892e
0x0040892f
0x00408930
0x00408931
0x00408940
0x00408943
0x00408945
0x00408952
0x00408974
0x00408954
0x00408954
0x00408956
0x0040895b
0x00408961
0x00408967
0x0040896c
0x0040896c
0x00408981
0x00408987
0x00408994
0x0040899a
0x004089a6
0x004089a7
0x004089b4
0x004089b5
0x004089b6
0x004089b7
0x004089b8
0x004089ba
0x004089c0
0x004089cb
0x004089d6
0x004089d6
0x004089db
0x004089e0
0x004089e5
0x004089eb
0x004089fa
0x00408a07
0x00408a24
0x00408a09
0x00408a09
0x00408a0e
0x00408a13
0x00408a18
0x00408a18
0x00408a36
0x00408a51
0x00408a54
0x00408a56
0x00408a63
0x00408a85
0x00408a65
0x00408a65
0x00408a67
0x00408a6c
0x00408a72
0x00408a78
0x00408a7d
0x00408a7d
0x00408a92
0x00408aad
0x00408ab3
0x00408ab5
0x00408ac2
0x00408ae7
0x00408ac4
0x00408ac4
0x00408ac9
0x00408ace
0x00408ad4
0x00408ada
0x00408adf
0x00408adf
0x00408af4
0x00408afa
0x00408b0d
0x00408b18
0x00408b1d
0x00408b22
0x00408b2c
0x00408b49
0x00408b2e
0x00408b2e
0x00408b33
0x00408b38
0x00408b3d
0x00408b3d
0x00408b5b
0x00408b64
0x00408b6b
0x00408b7f
0x00408b82
0x00408b84
0x00408b91
0x00408bb3
0x00408b93
0x00408b93
0x00408b95
0x00408b9a
0x00408ba0
0x00408ba6
0x00408bab
0x00408bab
0x00408bc0
0x00408bc0
0x00408bc5
0x00408bca
0x00408bcf
0x00408bd5
0x00408be4
0x00408bf1
0x00408c0e
0x00408bf3
0x00408bf3
0x00408bf8
0x00408bfd
0x00408c02
0x00408c02
0x00408c20
0x00408c3b
0x00408c3e
0x00408c40
0x00408c4d
0x00408c6f
0x00408c4f
0x00408c4f
0x00408c51
0x00408c56
0x00408c5c
0x00408c62
0x00408c67
0x00408c67
0x00408c7c
0x00408c97
0x00408c9d
0x00408c9f
0x00408cac
0x00408cd1
0x00408cae
0x00408cae
0x00408cb3
0x00408cb8
0x00408cbe
0x00408cc4
0x00408cc9
0x00408cc9
0x00408cdf
0x00408ce9
0x00408cf5
0x00408d12
0x00408cf7
0x00408cf7
0x00408cfc
0x00408d01
0x00408d06
0x00408d06
0x00408d24
0x00408d3f
0x00408d42
0x00408d44
0x00408d51
0x00408d73
0x00408d53
0x00408d53
0x00408d55
0x00408d5a
0x00408d60
0x00408d66
0x00408d6b
0x00408d6b
0x00408d80
0x00408d9b
0x00408da1
0x00408da3
0x00408db0
0x00408dd5
0x00408db2
0x00408db2
0x00408db7
0x00408dbc
0x00408dc2
0x00408dc8
0x00408dcd
0x00408dcd
0x00408de3
0x00408df0
0x00408dfc
0x00408e19
0x00408dfe
0x00408dfe
0x00408e03
0x00408e08
0x00408e0d
0x00408e0d
0x00408e2b
0x00408e46
0x00408e49
0x00408e4b
0x00408e58
0x00408e7a
0x00408e5a
0x00408e5a
0x00408e5c
0x00408e61
0x00408e67
0x00408e6d
0x00408e72
0x00408e72
0x00408e87
0x00408e8d
0x00408e97
0x00408ea4
0x00408eb1
0x00408eb2
0x00408eb3
0x00408eb4
0x00408ec8
0x00408ecb
0x00408ecd
0x00408eda
0x00408efc
0x00408edc
0x00408edc
0x00408ede
0x00408ee3
0x00408ee9
0x00408eef
0x00408ef4
0x00408ef4
0x00408f09
0x00408f09
0x00408f0e
0x00408f18
0x00408f22
0x00408f2c
0x00408f5d
0x00408f6a
0x00408f71
0x00408f7b
0x00408f8b
0x00408f91
0x00408fc4
0x00408fca
0x00408fd7
0x00408ff9
0x00408fd9
0x00408fd9
0x00408fde
0x00408fe3
0x00408fe6
0x00408fec
0x00408ff1
0x00408ff1
0x00409006
0x0040900c
0x00409030
0x00409036
0x00409043
0x00409065
0x00409045
0x00409045
0x0040904a
0x0040904f
0x00409052
0x00409058
0x0040905d
0x0040905d
0x00409072
0x00409080
0x004090a0
0x004090a6
0x004090b3
0x004090d5
0x004090b5
0x004090b5
0x004090ba
0x004090bf
0x004090c2
0x004090c8
0x004090cd
0x004090cd
0x004090e2
0x004090ee
0x004090fe
0x0040911e
0x00409124
0x00409131
0x00409153
0x00409133
0x00409133
0x00409138
0x0040913d
0x00409140
0x00409146
0x0040914b
0x0040914b
0x00409160
0x0040916c
0x00409178
0x00409195
0x0040917a
0x0040917a
0x0040917f
0x00409184
0x00409189
0x00409189
0x004091b9
0x004091c0
0x004091c5
0x004091e0
0x004091e6
0x004091e8
0x004091f5
0x0040921a
0x004091f7
0x004091f7
0x004091fc
0x00409201
0x00409207
0x0040920d
0x00409212
0x00409212
0x00409232
0x0040923a
0x00409244
0x00409254
0x0040925a
0x00409279
0x00409280
0x0040928d
0x004092a2
0x004092a8
0x004092b5
0x004092d7
0x004092b7
0x004092b7
0x004092bc
0x004092c1
0x004092c4
0x004092ca
0x004092cf
0x004092cf
0x004092e4
0x004092ed
0x004092f8
0x004092ff
0x00409300
0x00409302
0x00409310
0x0040931c
0x00409339
0x0040931e
0x0040931e
0x00409323
0x00409328
0x0040932d
0x0040932d
0x0040935d
0x00409364
0x00409369
0x00409384
0x0040938a
0x0040938c
0x00409399
0x004093be
0x0040939b
0x0040939b
0x004093a0
0x004093a5
0x004093ab
0x004093b1
0x004093b6
0x004093b6
0x004093d6
0x004093de
0x004093e8
0x004093f8
0x004093fe
0x00409405
0x0040940a
0x00409439
0x0040943f
0x0040944c
0x0040946e
0x0040944e
0x0040944e
0x00409453
0x00409458
0x0040945b
0x00409461
0x00409466
0x00409466
0x0040947b
0x0040948e
0x0040949c
0x004094a9
0x004094af
0x004094b1
0x004094be
0x004094e0
0x004094c0
0x004094c0
0x004094c5
0x004094ca
0x004094cd
0x004094d3
0x004094d8
0x004094d8
0x00000000
0x004094e7
0x004094ee
0x0040950b
0x004094f0
0x004094f0
0x004094f5
0x004094fa
0x004094ff
0x004094ff
0x0040952f
0x00409536
0x0040953b
0x00409556
0x0040955c
0x0040955e
0x0040956b
0x00409590
0x0040956d
0x0040956d
0x00409572
0x00409577
0x0040957d
0x00409583
0x00409588
0x00409588
0x0040959d
0x004095a3
0x004095b6
0x004095d6
0x004095dc
0x004095e9
0x0040960b
0x004095eb
0x004095eb
0x004095f0
0x004095f5
0x004095f8
0x004095fe
0x00409603
0x00409603
0x00409618
0x00409624
0x0040962f
0x0040963b
0x00409658
0x0040963d
0x0040963d
0x00409642
0x00409647
0x0040964c
0x0040964c
0x0040967c
0x00409683
0x00409688
0x004096a3
0x004096a9
0x004096ab
0x004096b8
0x004096dd
0x004096ba
0x004096ba
0x004096bf
0x004096c4
0x004096ca
0x004096d0
0x004096d5
0x004096d5
0x004096ea
0x004096f0
0x00409703
0x00409723
0x00409729
0x00409736
0x00409758
0x00409738
0x00409738
0x0040973d
0x00409742
0x00409745
0x0040974b
0x00409750
0x00409750
0x00409765
0x0040976e
0x00409779
0x0040977e
0x00409788
0x00409798
0x0040979f
0x004097a6
0x004097a7
0x004097b4
0x004097b9
0x004097c3
0x004097d3
0x004097d4
0x004097da
0x004097db
0x004097e5
0x00000000
0x00000000
0x00000000
0x004097ec
0x004097ec
0x004097f8
0x004097fb

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00408462
__vbaAryConstruct2.MSVBVM60(?,004031F4,00000003,?,?,?,?,004011F6), ref: 0040849C
__vbaStrCat.MSVBVM60(00402FE0,00402FE0,?,004031F4,00000003,?,?,?,?,004011F6), ref: 004084AB
#617.MSVBVM60(?,00000008,00000001), ref: 004084D0
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000008,00000001), ref: 004084F7
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408513
#536.MSVBVM60(00000002), ref: 00408545
__vbaStrMove.MSVBVM60(00000002), ref: 00408552
__vbaFreeVar.MSVBVM60(00000002), ref: 0040855D
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 00408585
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 0040858F
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 0040859A
__vbaFpI4.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 004085A5
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AE0,00000064), ref: 004085D7
#536.MSVBVM60(00000002), ref: 00408606
__vbaStrMove.MSVBVM60(00000002), ref: 00408613
__vbaFreeVar.MSVBVM60(00000002), ref: 0040861E
__vbaSetSystemError.MSVBVM60(?,00000002), ref: 00408635
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 0040865A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 004086BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000C0), ref: 00408721
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000C0), ref: 00408749
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408761
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 004087C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000F8), ref: 00408828
__vbaStrMove.MSVBVM60(00000000,?,00403014,000000F8), ref: 0040885B
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000F8), ref: 00408866
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 0040887E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,0000001C), ref: 004088E3
__vbaChkstk.MSVBVM60(?), ref: 00408921
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403024,00000054), ref: 00408967
__vbaChkstk.MSVBVM60(00000000,?,00403024,00000054), ref: 004089A7
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 004089C0
__vbaFreeObj.MSVBVM60(?,00000000), ref: 004089CB
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004089D6
__vbaSetSystemError.MSVBVM60(008966DA), ref: 004089EB
__vbaNew2.MSVBVM60(00403004,004123C0,008966DA), ref: 00408A13
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408A78
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,00000110), ref: 00408ADA
__vbaStrMove.MSVBVM60(00000000,?,00403014,00000110), ref: 00408B0D
__vbaFreeObj.MSVBVM60(00000000,?,00403014,00000110), ref: 00408B18
#535.MSVBVM60(00000000,?,00403014,00000110), ref: 00408B1D
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408B38
__vbaObjSetAddref.MSVBVM60(?,00401180), ref: 00408B6B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000010), ref: 00408BA6
__vbaFreeObj.MSVBVM60(00000000,?,00402FF4,00000010), ref: 00408BC0
__vbaSetSystemError.MSVBVM60(004C5969,008966DA), ref: 00408BD5
__vbaNew2.MSVBVM60(00403004,004123C0,004C5969,008966DA), ref: 00408BFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408C62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,00000108), ref: 00408CC4
__vbaFreeObj.MSVBVM60(00000000,?,00403014,00000108), ref: 00408CE9
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408D01
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408D66
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000C8), ref: 00408DC8
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000C8), ref: 00408DF0
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408E08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,0000001C), ref: 00408E6D
__vbaChkstk.MSVBVM60(00000000,?,00402FF4,0000001C), ref: 00408EA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403024,00000060), ref: 00408EEF
__vbaFreeObj.MSVBVM60(00000000,?,00403024,00000060), ref: 00408F09
__vbaHresultCheckObj.MSVBVM60(?,00401180,00402B10,000006FC,?,?,?,004C5969,008966DA), ref: 00408FEC
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,000006F8), ref: 00409058
__vbaStrCopy.MSVBVM60(00000000,00401180,00402B10,000006F8), ref: 00409080
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 004090C8
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 004090EE
__vbaStrCopy.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 004090FE
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 00409146
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 0040916C
__vbaNew2.MSVBVM60(0040246C,P G), ref: 00409184
__vbaObjSet.MSVBVM60(?,00000000), ref: 004091C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030DC,000001B8), ref: 0040920D
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 00409232
__vbaStrVarMove.MSVBVM60(?,?,5F6BF5A0,?), ref: 00409280
__vbaStrMove.MSVBVM60(?,?,5F6BF5A0,?), ref: 0040928D
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,000006FC), ref: 004092CA
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B10,000006FC), ref: 004092ED
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00409302
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,004011F6), ref: 00409310
__vbaNew2.MSVBVM60(0040246C,P G,?,?,?,?,?,?,?,?,?,004011F6), ref: 00409328
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409364
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030EC,00000100), ref: 004093B1
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004093D6
__vbaI4Var.MSVBVM60(?), ref: 00409405
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,000006FC), ref: 00409461
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040948E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,0040246C,P G), ref: 0040949C
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402AE0,000002B4), ref: 004094D3
__vbaNew2.MSVBVM60(0040246C,P G,00008003,?,?,00000002,?), ref: 004094FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409536
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030DC,00000150), ref: 00409583
__vbaStrMove.MSVBVM60(00000000,00000000,004030DC,00000150), ref: 004095B6
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 004095FE
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 00409624
__vbaFreeObj.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 0040962F
__vbaNew2.MSVBVM60(0040246C,P G,00000000,00401180,00402B10,00000700), ref: 00409647
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409683
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030DC,00000150), ref: 004096D0
__vbaStrMove.MSVBVM60(00000000,00000000,004030DC,00000150), ref: 00409703
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 0040974B
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 0040976E
__vbaFreeObj.MSVBVM60(00000000,00401180,00402B10,00000700), ref: 00409779
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 004097A7
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 004097B4
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 004097DB

Strings

X, xrefs: 0040863A
disuniter, xrefs: 00409023
Receptionsassistenter4, xrefs: 00408EB5
SLAVESJLENE, xrefs: 00409425
JUVENILT, xrefs: 00409075
Holmberry5, xrefs: 00408FB0
P G, xrefs: 00409171, 0040917A, 00409189, 00409195, 00409315, 0040931E, 0040932D, 00409339, 004094E7, 004094F0, 004094FF, 0040950B, 00409634, 0040963D, 0040964C, 00409658
Enervous, xrefs: 00408F50
LYDIA, xrefs: 004090F3

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$Chkstk$ErrorLateListSystem$#536CallCopy$#535#617#703AddrefConstruct2
String ID: Enervous$Holmberry5$JUVENILT$LYDIA$P G$Receptionsassistenter4$SLAVESJLENE$X$disuniter
API String ID: 2543599168-1522717280
Opcode ID: 84ef98b712c1bb61970680905bcf3bc2b3ce1b077cc75f9bdc71affb8e2a378c
Instruction ID: 6c77439a6440881836e68b9f9d37a3359eac8e5b2e9e6199c05848038b12c06f
Opcode Fuzzy Hash: 84ef98b712c1bb61970680905bcf3bc2b3ce1b077cc75f9bdc71affb8e2a378c
Instruction Fuzzy Hash: 4BB216709016289FEB22DF50CD45BDABBB8BF08705F0050EAE509B62A1DBB85F94DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00410546, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00410546(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				void* _v3;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				char _v52;
				char* _v60;
				void* _v68;
				void* _t22;
				char* _t24;
				void* _t38;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L004011F0();
				_v16 = _t42;
				_v12 = 0x401198;
				_v8 = 0;
				_t22 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4011f6, _t38);
				L0040136A();
				_v60 = L"TINCHILL";
				_t23 = _t22 + 1;
				asm("ror byte [eax], 0x0");
				 *_t23 =  *(_t22 + 1) + _t22 + 1;
				L004012CE();
				_push(0);
				_t24 =  &_v52;
				_push(_t24); // executed
				L004012D4(); // executed
				L004013B2();
				L004013A6();
				_v32 =  *0x401190;
				asm("wait");
				_push(0x4105f2);
				L00401364();
				L00401364();
				return _t24;
			}

0x00410549
0x00410558
0x00410562
0x0041056a
0x0041056d
0x00410574
0x00410583
0x0041058c
0x00410591
0x00410596
0x0041059a
0x0041059d
0x004105a5
0x004105aa
0x004105ac
0x004105af
0x004105b0
0x004105ba
0x004105c2
0x004105cd
0x004105d0
0x004105d1
0x004105e4
0x004105ec
0x004105f1

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410562
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0041058C
__vbaVarDup.MSVBVM60 ref: 004105A5
#645.MSVBVM60(?,00000000), ref: 004105B0
__vbaStrMove.MSVBVM60(?,00000000), ref: 004105BA
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004105C2
__vbaFreeStr.MSVBVM60(004105F2,?,00000000), ref: 004105E4
__vbaFreeStr.MSVBVM60(004105F2,?,00000000), ref: 004105EC

Strings

TINCHILL, xrefs: 00410591

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Free$#645ChkstkCopyMove
String ID: TINCHILL
API String ID: 2239900635-1301385301
Opcode ID: 30e086ac958ae0ac4c1e3400a4321b77ebbd695e6547cc46355ccc177ddcde3b
Instruction ID: 73f56eb3243ecec4c2652903b943d6a510d45a39f948da130470c44d69a4370f
Opcode Fuzzy Hash: 30e086ac958ae0ac4c1e3400a4321b77ebbd695e6547cc46355ccc177ddcde3b
Instruction Fuzzy Hash: 17111870900209ABDB04EF91C886BDEBB78FF04704F40842AF501BB1A1DB786945CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00401B8D, Relevance: 9.0, APIs: 6, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 21%

			E00401B8D(intOrPtr* __eax, void* __ebx, void* __ecx) {
				void* _t10;
				void* _t12;
				void* _t24;
				void* _t25;

				asm("in eax, dx");
				asm("in eax, dx");
				asm("in eax, dx");
				asm("in eax, dx");
				asm("in eax, dx");
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				_t10 = __eax + __ecx + __ecx;
				0xe73b0289();
				asm("out 0xfa, al");
				0xe826038f();
				_t11 = _t10 + 1;
				_t25 = _t24 + 1;
				asm("ror byte [eax], 0x0");
				 *_t11 =  *(_t10 + 1) + _t10 + 1;
				L004012CE();
				_push(0);
				_t12 = _t25 - 0x30;
				_push(_t12); // executed
				L004012D4(); // executed
				L004013B2();
				L004013A6();
				 *((intOrPtr*)(_t25 - 0x1c)) =  *0x401190;
				asm("wait");
				_push(0x4105f2);
				L00401364();
				L00401364();
				return _t12;
			}

0x00401b8f
0x00401b90
0x00401b91
0x00401b92
0x00401b93
0x00401b94
0x00401b96
0x00401b98
0x00401b9a
0x00401b9c
0x00401ba1
0x00401ba3
0x00410596
0x00410599
0x0041059a
0x0041059d
0x004105a5
0x004105aa
0x004105ac
0x004105af
0x004105b0
0x004105ba
0x004105c2
0x004105cd
0x004105d0
0x004105d1
0x004105e4
0x004105ec
0x004105f1

APIs

__vbaVarDup.MSVBVM60 ref: 004105A5
#645.MSVBVM60(?,00000000), ref: 004105B0
__vbaStrMove.MSVBVM60(?,00000000), ref: 004105BA
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004105C2
__vbaFreeStr.MSVBVM60(004105F2,?,00000000), ref: 004105E4
__vbaFreeStr.MSVBVM60(004105F2,?,00000000), ref: 004105EC

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Free$#645Move
String ID:
API String ID: 3481341938-0
Opcode ID: 2573991e60ae7dc378292da41cd709ca0806f0de5aa67fefd2c848887fcc2e6c
Instruction ID: a96e80991ef884d3133b544aac1d5ec382cac5ea011f1be37a79e5a1b3ef65dc
Opcode Fuzzy Hash: 2573991e60ae7dc378292da41cd709ca0806f0de5aa67fefd2c848887fcc2e6c
Instruction Fuzzy Hash: 65F08130D192899EDB01E7A1DC51AED7B70AF11320F4402ABE062B74F2DE7C188ACB19

Uniqueness

Uniqueness Score: -1.00%

Function 004013F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			_entry_() {
				signed char _t44;
				intOrPtr* _t45;
				signed int _t46;
				signed char _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				signed int _t50;
				signed int _t51;
				signed char _t52;
				signed int _t53;
				signed int _t57;
				void* _t61;
				signed int _t63;
				void* _t65;
				intOrPtr* _t66;
				void* _t68;
				void* _t71;
				signed int _t73;
				intOrPtr _t80;

				_push("VB5!6&*"); // executed
				L004013E8(); // executed
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 ^ _t44;
				 *_t44 =  *_t44 + _t44;
				_t45 = _t44 + 1;
				 *_t45 =  *_t45 + _t45;
				 *_t45 =  *_t45 + _t45;
				 *_t45 =  *_t45 + _t45;
				 *((intOrPtr*)(_t63 + _t57 * 2 - 0x47)) =  *((intOrPtr*)(_t63 + _t57 * 2 - 0x47)) + _t57;
				asm("aas");
				 *(_t53 + 0xb) = _t63;
				_t66 = _t65 + 1;
				_t46 = 0x8ab5048e;
				asm("les ecx, [edx+0x9]");
				while(1) {
					_t63 = _t63 - 1;
					 *_t46 =  *_t46 | _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t57 =  *_t57 + _t46;
					 *_t46 =  *_t46 + _t46;
					 *_t46 =  *_t46 + _t46;
					_t47 = _t46 + _t57;
					asm("invalid");
					_t61 = _t57 +  *((intOrPtr*)(_t71 + 0x4d + _t63 * 2)) - 0xffffffffffffffff;
					_t71 = _t71 + 1;
					_t68 = _t68 - 1 + 1 - 1;
					_push(_t73);
					 *_t47 =  *_t47 + _t61;
					_t57 = _t61 + 1;
					 *_t47 =  *_t47 + _t47;
					 *_t47 =  *_t47 + _t47;
					_t53 = _t53 + 1 + _t53 + 1;
					asm("int3");
					 *_t47 =  *_t47 ^ _t47;
					_push(es);
					asm("into");
					asm("sbb bh, [esi]");
					_t73 = _t73 |  *(_t47 + 0x56b54785);
					if(_t73 != 0) {
						break;
					}
					_t46 = _t47 |  *(_t66 + 0x33);
					_push(_t71);
					if(_t46 < 0) {
						continue;
					}
					 *((intOrPtr*)(_t68 - 0x6e)) =  *((intOrPtr*)(_t68 - 0x6e)) - _t63;
					_t15 = _t66 + _t46 * 2;
					 *_t15 = _t63;
					_t18 = _t71 - 0x3b91c6c1;
					_t63 =  *_t18;
					 *_t18 =  *_t15;
					_t50 = _t71;
					_t51 = _t50;
					asm("stosb");
					 *((intOrPtr*)(_t51 - 0x2d)) =  *((intOrPtr*)(_t51 - 0x2d)) + _t51;
					_t52 = _t53 ^  *(_t57 - 0x48ee309a);
					_t53 = _t51;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					 *_t52 =  *_t52 + _t52;
					_t47 = _t52 & 0x00000009;
					 *_t47 =  *_t47 + _t47;
					 *_t66 =  *_t66 + _t47;
					_t25 = _t63 + 0x65;
					 *_t25 =  *((intOrPtr*)(_t63 + 0x65)) + _t47;
					asm("arpl [ebp+0x72], si");
					if( *_t25 >= 0) {
						L13:
						 *_t47 =  *_t47 + _t47;
						 *_t47 =  *_t47 + _t47;
						 *_t47 =  *_t47 + _t47;
						 *_t47 =  *_t47 + _t47;
						 *_t47 =  *_t47 + _t47;
						L14:
						 *_t47 =  *_t47 + _t47;
						L15:
						 *_t47 =  *_t47;
						 *_t47 =  *_t47;
						 *((intOrPtr*)(_t47 + 0x800080)) =  *((intOrPtr*)(_t47 + 0x800080)) + _t47;
						L16:
						 *((intOrPtr*)(_t47 - 0x80000000)) =  *((intOrPtr*)(_t47 - 0x80000000)) + _t47;
						L17:
						 *_t47 =  *_t47;
						L18:
						 *((intOrPtr*)(_t47 - 0x7fff8000)) =  *((intOrPtr*)(_t47 - 0x7fff8000)) + _t47;
						 *_t47 =  *_t47;
						asm("rol al, 0xc0");
						L19:
						asm("rol al, 0x0");
						asm("rcr ah, 0xc0");
						_t48 = _t47 + _t63;
						asm("retf 0xa6");
						asm("int3");
						asm("invalid");
						 *((intOrPtr*)(_t57 + 0x6600ffff)) =  *((intOrPtr*)(_t57 + 0x6600ffff)) + _t53;
						asm("invalid");
						 *_t53 =  *_t53 + _t63;
						 *_t48 =  *_t48 + 1;
						 *_t48 =  *_t48 + 1;
						asm("int3");
						asm("int3");
						 *_t48 =  *_t48 + 1;
						asm("cdq");
						asm("int3");
						 *_t48 =  *_t48 + 1;
						asm("o16 int3");
						 *_t48 =  *_t48 + 1;
						 *_t48 =  *_t48 + 1;
						_t49 = _t48 + (_t57 ^ _t73 - 0x00000001);
						 *_t49 =  *_t49 + 1;
						[far dword [ecx-0x6633ff01]();
						 *_t49 =  *_t49 + 1;
						asm("cdq");
						asm("cdq");
						 *_t49 =  *_t49 + 1;
						asm("cwd");
						 *_t49 =  *_t49 + 1;
						 *_t49 =  *_t49 + 1;
						goto ( *((intOrPtr*)(_t68 - 1)));
					}
					 *0x47001201 =  *0x47001201 + _t57;
					_t80 =  *0x47001201;
					if (_t80 < 0) goto L18;
					break;
				}
				if(_t80 != 0) {
					goto L18;
				}
				if(_t80 < 0) {
					goto L16;
				}
				if(_t80 < 0) {
					goto L17;
				}
				if(_t80 >= 0) {
					goto L15;
				}
				if(_t80 >= 0) {
					goto L14;
				}
				asm("insd");
				asm("insd");
				asm("gs outsb");
				if(_t80 >= 0) {
					goto L19;
				}
				asm("outsb");
				_t63 = _t63 + 1;
				 *_t63 =  *_t63 + _t47;
				 *_t53 =  *_t53 + _t73;
				asm("invalid");
				 *_t47 =  *_t47 + _t47;
				asm("insb");
				if ( *_t47 == 0) goto L12;
				 *((intOrPtr*)(_t68 + 8)) =  *((intOrPtr*)(_t68 + 8)) + _t53;
				 *_t57 =  *_t57 + _t47;
				 *_t57 =  *_t57 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 & _t47;
				 *_t57 =  *_t57 + _t47;
				 *_t47 =  *_t47 + _t57;
				 *((intOrPtr*)(_t47 + 0x16000008)) =  *((intOrPtr*)(_t47 + 0x16000008)) + _t57;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t57;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 | _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *((char*)(_t47 + _t47)) =  *((char*)(_t47 + _t47));
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t57 =  *_t57 + _t47;
				 *_t47 =  *_t47 + _t47;
				goto L13;
			}

0x004013f0
0x004013f5
0x004013fa
0x004013fc
0x004013fe
0x00401400
0x00401402
0x00401404
0x00401405
0x00401407
0x00401409
0x0040140b
0x0040140f
0x00401410
0x00401413
0x00401414
0x00401419
0x0040141a
0x0040141a
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401423
0x00401425
0x00401427
0x00401429
0x00401433
0x00401435
0x00401436
0x00401437
0x00401438
0x0040143a
0x0040143b
0x0040143d
0x0040143f
0x00401441
0x00401442
0x00401444
0x00401445
0x00401446
0x00401448
0x0040144f
0x00000000
0x00000000
0x00401451
0x00401454
0x00401455
0x00000000
0x00000000
0x00401457
0x0040145a
0x0040145a
0x0040145d
0x0040145d
0x0040145d
0x00401464
0x0040146e
0x00401470
0x00401471
0x00401474
0x00401474
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00401493
0x00401495
0x00401497
0x0040149b
0x0040149d
0x0040149f
0x004014a1
0x004014a3
0x004014a3
0x004014a6
0x004014a9
0x00401510
0x00401510
0x00401512
0x00401514
0x00401516
0x00401518
0x00401519
0x00401519
0x0040151b
0x0040151b
0x0040151e
0x00401521
0x00401524
0x00401524
0x00401525
0x00401525
0x00401528
0x00401528
0x0040152e
0x00401531
0x00401532
0x00401532
0x00401535
0x00401538
0x0040153a
0x0040153d
0x0040153e
0x00401540
0x00401546
0x00401548
0x0040154b
0x0040154f
0x00401551
0x00401552
0x00401553
0x00401555
0x00401556
0x00401557
0x00401559
0x0040155b
0x0040155f
0x00401561
0x00401563
0x00401565
0x0040156b
0x0040156d
0x0040156e
0x0040156f
0x00401571
0x00401573
0x0040157b
0x0040157d
0x0040157d
0x004014ab
0x004014ab
0x004014b1
0x00000000
0x004014b1
0x004014b2
0x00000000
0x00000000
0x004014b3
0x00000000
0x00000000
0x004014b4
0x00000000
0x00000000
0x004014b5
0x00000000
0x00000000
0x004014b6
0x00000000
0x00000000
0x004014b8
0x004014b9
0x004014ba
0x004014bc
0x00000000
0x00000000
0x004014be
0x004014c6
0x004014c7
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d0
0x004014d2
0x004014d8
0x004014da
0x004014dc
0x004014de
0x004014e0
0x004014e2
0x004014e4
0x004014ea
0x004014ec
0x004014ee
0x004014f0
0x004014f2
0x004014f4
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401505
0x00401507
0x00401509
0x0040150b
0x0040150d
0x0040150f
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013F5

Strings

VB5!6&*, xrefs: 004013F0

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 605976478f3439c3e8fee535f61cf35f13009986f664e7087156937f1c5b5280
Instruction ID: 9fab2b6fabe600f068c2f63924970bbf018eec735d31a0b40c771a2bf6c28a58
Opcode Fuzzy Hash: 605976478f3439c3e8fee535f61cf35f13009986f664e7087156937f1c5b5280
Instruction Fuzzy Hash: ED41EC6144E7C15FD713877499296917FB0AF93214F0A46EBC0C1CE0F3E66C085AC726

Uniqueness

Uniqueness Score: -1.00%

Function 004072F2, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

], xrefs: 004072E2

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID:
String ID: ]
API String ID: 0-1813045944
Opcode ID: 026f9062b31725f4c66f7ce4a0c0791d29cda6018883c4b2a0cbbc7fdb149a4e
Instruction ID: 5cb936610358edf67e69ebdada450720991b8b7aa82f53928fa75916d53864f3
Opcode Fuzzy Hash: 026f9062b31725f4c66f7ce4a0c0791d29cda6018883c4b2a0cbbc7fdb149a4e
Instruction Fuzzy Hash: CD71F362F1CB1185FF362128C9E056D6502DB92340F32873BCE1A33DC55B3E1AC6265B

Uniqueness

Uniqueness Score: -1.00%

Function 0040729B, Relevance: 1.5, APIs: 1, Instructions: 235
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b14317a1b95eb7fb6f98b90cde7b908e5267775d6f79e6cde9a64cc7a6d4b340
Instruction ID: bf29c1fa0c6e9e411c278d4fae329d64b8795db5c212fe72bb17e34f809f6fc5
Opcode Fuzzy Hash: b14317a1b95eb7fb6f98b90cde7b908e5267775d6f79e6cde9a64cc7a6d4b340
Instruction Fuzzy Hash: 90711222F1CB518AFF322168C8E452C6512DF92344F36873BCD6A338C65B3E16C6665B

Uniqueness

Uniqueness Score: -1.00%

Function 00407343, Relevance: 1.5, APIs: 1, Instructions: 210
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cd606f3dea50bf9def4e8435a9b48599cee8ad992a80da5c0ec11a71d66edc4b
Instruction ID: 11e62355e28bf5b0b5eb84a69bb6a926bd9fe31704dbc57449b658905cdd9b02
Opcode Fuzzy Hash: cd606f3dea50bf9def4e8435a9b48599cee8ad992a80da5c0ec11a71d66edc4b
Instruction Fuzzy Hash: DC615622F1D75189FF362168C9E442C6912DF92344F36867BCE5A32CC6473E1AC6265B

Uniqueness

Uniqueness Score: -1.00%

Function 004073E0, Relevance: 1.5, APIs: 1, Instructions: 205
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c464b8f69c8da1a10573afe0e2bed3b1c333b402504d6f4180088321439afa6
Instruction ID: 2a78bffd9da8c5cd6a95bbbd3bc339c4bcd3bb774dd5b2c75ea8e3e25570884b
Opcode Fuzzy Hash: 1c464b8f69c8da1a10573afe0e2bed3b1c333b402504d6f4180088321439afa6
Instruction Fuzzy Hash: 18510362F19B2189FF352168C9E056D6502DBD6345F32873BCD6A33CC4573E1AC2269B

Uniqueness

Uniqueness Score: -1.00%

Function 0040742D, Relevance: 1.4, APIs: 1, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a99b25fc36ebd9df1612c21b476e4fa4a7eb669fba86b00a6caf90fc3b11fd
Instruction ID: a360e645ff9bd5e24e0a4946c0fe720855bc71e37bc55657463ebb657b5c4ded
Opcode Fuzzy Hash: b8a99b25fc36ebd9df1612c21b476e4fa4a7eb669fba86b00a6caf90fc3b11fd
Instruction Fuzzy Hash: 13510262F19B1185FF352068C9E056D6402DBD6344F32873BCE6A33CC51B3E2AC6269B

Uniqueness

Uniqueness Score: -1.00%

Function 004074D9, Relevance: 1.4, APIs: 1, Instructions: 171
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b22397b0fcf65feab463d9bccd4747f20ddeb3385f6ca212c33f01e1a97c3f1e
Instruction ID: 4fe24c6d73bb709be309c73bf8fdc04b21a3f237e4a2d25d0b51aeb91469d2ba
Opcode Fuzzy Hash: b22397b0fcf65feab463d9bccd4747f20ddeb3385f6ca212c33f01e1a97c3f1e
Instruction Fuzzy Hash: E641D262F19B5189FF352168C9E057D6002DB92345F32873BCE6A33CC51A3E16C6269B

Uniqueness

Uniqueness Score: -1.00%

Function 00407483, Relevance: 1.4, APIs: 1, Instructions: 163
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e572bebdb34add92f2f4c9be5cbf09df24f40f7c8ed96bccb0f513679d5213f5
Instruction ID: 154b30db0a55406d83b5b8e193aeae642a6a5a3c2202c726383ed4df5e56d3d4
Opcode Fuzzy Hash: e572bebdb34add92f2f4c9be5cbf09df24f40f7c8ed96bccb0f513679d5213f5
Instruction Fuzzy Hash: C1511362F19B5189FF362068C9E046D6402DB92344F33873BCE6A33CC55B3E16C6269B

Uniqueness

Uniqueness Score: -1.00%

Function 0040752A, Relevance: 1.4, APIs: 1, Instructions: 161
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4f1b998a34c6b5a0a635c7623959a6862db6684b8fe20d6913213713a5b9f8cf
Instruction ID: 96614bbff12802478ec3d2f3d8fcfdd40b4236943381960600768c07c7496fef
Opcode Fuzzy Hash: 4f1b998a34c6b5a0a635c7623959a6862db6684b8fe20d6913213713a5b9f8cf
Instruction Fuzzy Hash: 7641E462F19B1189FF762068CDE457D5402DB92345F33863BCE6A33CC51A3E16C6269B

Uniqueness

Uniqueness Score: -1.00%

Function 004075D5, Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac639d5a7f0f5546f6f0157c6f0b1d7803887e482175168b4989e784691b4e2f
Instruction ID: ec914b86d1bb50d9ed2413c39d3d729a4bf9be374acd605a14455209d6e39d1a
Opcode Fuzzy Hash: ac639d5a7f0f5546f6f0157c6f0b1d7803887e482175168b4989e784691b4e2f
Instruction Fuzzy Hash: 9D310562F19B1189FF362078C9E457D6402DB91345F33863BCD6A73CC51A3E1AC6269B

Uniqueness

Uniqueness Score: -1.00%

Function 00407629, Relevance: 1.4, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4211a8b13cb5a03b99393e97fb5f05f8aa6699327dea4a784de2692920dbf2aa
Instruction ID: e2ef045f04a7ef4f914fe40045dbe9312fff5e6d1d9282fb5b22ca9b7b84ad95
Opcode Fuzzy Hash: 4211a8b13cb5a03b99393e97fb5f05f8aa6699327dea4a784de2692920dbf2aa
Instruction Fuzzy Hash: A0310462F19B5189FF352068C9E457D6502DB92341F33863BCDAA73CC51A3E1AC2269B

Uniqueness

Uniqueness Score: -1.00%

Function 00407726, Relevance: 1.3, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c19a3d13d2586d80cc479228ecea574a31d6a3adfc4845765ef646fa3922d80
Instruction ID: 119c0e4d5293e96035be259592eea929490109dbbe2b0fa615fb94458560f716
Opcode Fuzzy Hash: 4c19a3d13d2586d80cc479228ecea574a31d6a3adfc4845765ef646fa3922d80
Instruction Fuzzy Hash: BE110B72F18B1045FF753174C9E457D6012CB81382F32863BC91772CC56A3D1AC6669B

Uniqueness

Uniqueness Score: -1.00%

Function 004076E0, Relevance: 1.3, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-0015EB41,00008000,-00000001000243A3,FFE81172), ref: 0040775A

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d8a7d25b81f7e0da7e097ea3b033bcec0974285829d66699d24c562e75006aa
Instruction ID: 6358c9dda5d0c3c0788fe4e698052f47d0b53466e4a241c1b359710df31892a1
Opcode Fuzzy Hash: 0d8a7d25b81f7e0da7e097ea3b033bcec0974285829d66699d24c562e75006aa
Instruction Fuzzy Hash: B821D862F18B6149FF763064C9E457D6002DB91381F32863BCD6A33DC52A3D1AC2669B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022B0D16, Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338cd700dafa85d28a21a5e6048444be05e774746d51bbc5070abe4758e59dac
Instruction ID: 606c3c6ac0668f28998fd446dd0a5b942ad9ecba98991728839d9a4bff288305
Opcode Fuzzy Hash: 338cd700dafa85d28a21a5e6048444be05e774746d51bbc5070abe4758e59dac
Instruction Fuzzy Hash: 95223775710306AFEB269F68CC94BD577A6FF45390F148228FD8C97284DBB5E8948B80

Uniqueness

Uniqueness Score: -1.00%

Function 022B0C5E, Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a696b7d2e043c66f55c1d75c2f528d2a8a44a069570125f8798bd606199034
Instruction ID: 7a087933a30b398d7b76b756ca993826f31e0dc36c84914560a85f6bf1a7f841
Opcode Fuzzy Hash: 48a696b7d2e043c66f55c1d75c2f528d2a8a44a069570125f8798bd606199034
Instruction Fuzzy Hash: 6EB135753403066FFB320EA4CD45BEA3A62FF45790F248128FE48AB1C4D7B99C949B45

Uniqueness

Uniqueness Score: -1.00%

Function 022B0511, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7225ce9cde987dee87723e84a231c2bf4940d8c792584c2a9e85917153cd1595
Instruction ID: 60757b43463d84c34fdcaffbb23e97d4398fa49095d8a27a4e8946da23c27ae4
Opcode Fuzzy Hash: 7225ce9cde987dee87723e84a231c2bf4940d8c792584c2a9e85917153cd1595
Instruction Fuzzy Hash: 1381AB31B60306AFEF3329B48C94BEE22539F817D4F684515ED45A75DCCB38C9C18A12

Uniqueness

Uniqueness Score: -1.00%

Function 022B30ED, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6658ee675f6920bbec426edf19c1f2665f5b4bc048cb6e138b2c2339fc3823fc
Instruction ID: 59b0a1bfacfec2c1daa814f333c8078172f94b015c76c62ee6c0a95ac4e27c01
Opcode Fuzzy Hash: 6658ee675f6920bbec426edf19c1f2665f5b4bc048cb6e138b2c2339fc3823fc
Instruction Fuzzy Hash: C691C524E14792CEDF26CF7888D476AB6919F42364F5882ADC8568F2DAC770C885C762

Uniqueness

Uniqueness Score: -1.00%

Function 00401580, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 004017BC, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 022B111A, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9720079b849dba400cdbbf8af391647b1446028a555134c1ba22bcdff7311e
Instruction ID: 457696347808e66b24d3763cda437023b14da9756088056f90dc5c874b41749f
Opcode Fuzzy Hash: 7d9720079b849dba400cdbbf8af391647b1446028a555134c1ba22bcdff7311e
Instruction Fuzzy Hash: B211C634754345EEEB26AFA8CC99BE477A1FF05780F944055ED899B2D0D7B4A880CA01

Uniqueness

Uniqueness Score: -1.00%

Function 022B122C, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c65bb945ec971bedb6627883249dc79a85f6729972dda0e13b55acd54b35294
Instruction ID: 6e0695b0f67e64c03ff0ab53164e472b8a9db2176dedad7b1bf2c1d791f5e763
Opcode Fuzzy Hash: 2c65bb945ec971bedb6627883249dc79a85f6729972dda0e13b55acd54b35294
Instruction Fuzzy Hash: F6115674925721DAEB354D9682353A272D56F0A789F040A3E998F9689CD3F854A0CF0D

Uniqueness

Uniqueness Score: -1.00%

Function 022B1301, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 840743c67f0bd0d27897af866c60fac6b062514697fcef8ec613a3bd75331dc4
Instruction ID: 6fe88d88c4cc246639aa36394fc57ebf53cc404f25642a491cb8ab73cd7da4f8
Opcode Fuzzy Hash: 840743c67f0bd0d27897af866c60fac6b062514697fcef8ec613a3bd75331dc4
Instruction Fuzzy Hash: C101A4B57803013EF7210A248D46FD539676F81F44F318124FF0C3A1C4D3FA98595658

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 022B2D69, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa056a3f69428cb5e79cee73a04be43d8af45d6f3c72fa794b1767a239001c8
Instruction ID: a8d71f49d5050e47a49f529aed62b318b739561853a619dafa934654d221c7c8
Opcode Fuzzy Hash: 9fa056a3f69428cb5e79cee73a04be43d8af45d6f3c72fa794b1767a239001c8
Instruction Fuzzy Hash: 9AF03930221703CFC716DB58C9D4F9673A5AF69790F418766FD01CB269C334E840CA10

Uniqueness

Uniqueness Score: -1.00%

Function 022B18E2, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 022B2B82, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1290634519.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22b0000_Lista produkt#U00f3w.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00410619, Relevance: 68.6, APIs: 38, Strings: 1, Instructions: 368
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00410619(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, intOrPtr _a23) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				char _v48;
				char _v52;
				char _v56;
				void* _v64;
				void* _v72;
				void* _v80;
				void* _v88;
				void* _v96;
				void* _v104;
				void* _v112;
				void* _v120;
				void* _v128;
				void* _v136;
				void* _v144;
				void* _v152;
				void* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v204;
				void* _v208;
				void* _v212;
				intOrPtr* _v216;
				signed int _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v236;
				signed int _v240;
				signed int _v244;
				void* _v248;
				void* _v252;
				void* _v256;
				void* _v260;
				signed int _t174;
				short _t180;
				signed int _t186;
				signed int _t191;
				char* _t196;
				signed int _t200;
				signed int _t206;
				signed int _t210;
				intOrPtr _t258;
				void* _t273;
				void* _t275;
				intOrPtr _t276;

				_t276 = _t275 - 0xc;
				 *[fs:0x0] = _t276;
				L004011F0();
				_v16 = _t276;
				_v12 = 0x4011a8;
				_v8 = 0;
				_t174 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t273);
				L0040136A();
				_push(1);
				_push(0x402fe0);
				_push(0x402fe0);
				L004013BE();
				L004013B2();
				_push(_t174);
				L004012C2();
				L004013B2();
				_push(_t174);
				_push(0x402fe0);
				L004012C8();
				asm("sbb eax, eax");
				_v172 =  ~( ~( ~_t174));
				_push( &_v48);
				_push( &_v44);
				_push(2);
				L0040131C();
				_t180 = _v172;
				if(_t180 != 0) {
					if( *0x4123c0 != 0) {
						_v216 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v216 = 0x4123c0;
					}
					_v172 =  *_v216;
					_t186 =  *((intOrPtr*)( *_v172 + 0x14))(_v172,  &_v52);
					asm("fclex");
					_v176 = _t186;
					if(_v176 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v172);
						_push(_v176);
						L00401394();
						_v220 = _t186;
					}
					_v180 = _v52;
					_t191 =  *((intOrPtr*)( *_v180 + 0xe0))(_v180,  &_v44);
					asm("fclex");
					_v184 = _t191;
					if(_v184 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0xe0);
						_push(0x403014);
						_push(_v180);
						_push(_v184);
						L00401394();
						_v224 = _t191;
					}
					_v204 = _v44;
					_v44 = _v44 & 0x00000000;
					_t258 = _v204;
					L004013B2();
					L00401382();
					if( *0x412010 != 0) {
						_v228 = 0x412010;
					} else {
						_push("P G");
						_push(0x40246c);
						L00401388();
						_v228 = 0x412010;
					}
					_t196 =  &_v52;
					L00401358();
					_v172 = _t196;
					_t200 =  *((intOrPtr*)( *_v172 + 0x48))(_v172,  &_v44, _t196,  *((intOrPtr*)( *((intOrPtr*)( *_v228)) + 0x30c))( *_v228));
					asm("fclex");
					_v176 = _t200;
					if(_v176 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403168);
						_push(_v172);
						_push(_v176);
						L00401394();
						_v232 = _t200;
					}
					if( *0x4123c0 != 0) {
						_v236 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v236 = 0x4123c0;
					}
					_v180 =  *_v236;
					_t206 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v56);
					asm("fclex");
					_v184 = _t206;
					if(_v184 >= 0) {
						_v240 = _v240 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v180);
						_push(_v184);
						L00401394();
						_v240 = _t206;
					}
					_v188 = _v56;
					_t210 =  *((intOrPtr*)( *_v188 + 0x138))(_v188, _v44, 1);
					asm("fclex");
					_v192 = _t210;
					if(_v192 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x403014);
						_push(_v188);
						_push(_v192);
						L00401394();
						_v244 = _t210;
					}
					L00401364();
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L0040134C();
					asm("les ecx, [ebx+eax*4]");
					_a23 = _a23 + _t258;
				}
				_v32 = 0x485fa3;
				_push(0x410c0e);
				L00401364();
				L00401364();
				L00401382();
				return _t180;
			}

0x0041061c
0x0041062b
0x00410637
0x0041063f
0x00410642
0x00410649
0x00410658
0x00410661
0x00410666
0x00410668
0x0041066d
0x00410672
0x0041067c
0x00410681
0x00410682
0x0041068c
0x00410691
0x00410692
0x00410697
0x0041069e
0x004106a4
0x004106ae
0x004106b2
0x004106b3
0x004106b5
0x004106bd
0x004106c6
0x004106d3
0x004106f0
0x004106d5
0x004106d5
0x004106da
0x004106df
0x004106e4
0x004106e4
0x00410702
0x0041071a
0x0041071d
0x0041071f
0x0041072c
0x0041074e
0x0041072e
0x0041072e
0x00410730
0x00410735
0x0041073b
0x00410741
0x00410746
0x00410746
0x00410758
0x00410770
0x00410776
0x00410778
0x00410785
0x004107aa
0x00410787
0x00410787
0x0041078c
0x00410791
0x00410797
0x0041079d
0x004107a2
0x004107a2
0x004107b4
0x004107ba
0x004107be
0x004107c7
0x004107cf
0x004107db
0x004107f8
0x004107dd
0x004107dd
0x004107e2
0x004107e7
0x004107ec
0x004107ec
0x0041081c
0x00410820
0x00410825
0x0041083d
0x00410840
0x00410842
0x0041084f
0x00410871
0x00410851
0x00410851
0x00410853
0x00410858
0x0041085e
0x00410864
0x00410869
0x00410869
0x0041087f
0x0041089c
0x00410881
0x00410881
0x00410886
0x0041088b
0x00410890
0x00410890
0x004108ae
0x004108c6
0x004108c9
0x004108cb
0x004108d8
0x004108fa
0x004108da
0x004108da
0x004108dc
0x004108e1
0x004108e7
0x004108ed
0x004108f2
0x004108f2
0x00410904
0x0041091d
0x00410923
0x00410925
0x00410932
0x00410957
0x00410934
0x00410934
0x00410939
0x0041093e
0x00410944
0x0041094a
0x0041094f
0x0041094f
0x00410961
0x00410969
0x0041096d
0x0041096e
0x00410970
0x00410976
0x0041097e
0x0041097e
0x00410bb0
0x00410bb7
0x00410bf8
0x00410c00
0x00410c08
0x00410c0d

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410637
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410661
__vbaStrCat.MSVBVM60(00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410672
__vbaStrMove.MSVBVM60(00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 0041067C
#616.MSVBVM60(00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410682
__vbaStrMove.MSVBVM60(00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 0041068C
__vbaStrCmp.MSVBVM60(00402FE0,00000000,00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410697
__vbaFreeStrList.MSVBVM60(00000002,00402FE0,00402FE0,00402FE0,00000000,00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 004106B5
__vbaNew2.MSVBVM60(00403004,004123C0,?,?,004011F6), ref: 004106DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00410741
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000E0), ref: 0041079D
__vbaStrMove.MSVBVM60(00000000,?,00403014,000000E0), ref: 004107C7
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000E0), ref: 004107CF
__vbaNew2.MSVBVM60(0040246C,P G), ref: 004107E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410820
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000048), ref: 00410864
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 0041088B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 004108ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,00000138), ref: 0041094A
__vbaFreeStr.MSVBVM60(00000000,?,00403014,00000138), ref: 00410961
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410970
__vbaNew2.MSVBVM60(0040246C,P G,?,?,?,?,?,004011F6), ref: 0041098B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004109C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000050), ref: 00410A08
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00410A2F
__vbaChkstk.MSVBVM60(?), ref: 00410ABD
__vbaChkstk.MSVBVM60(?), ref: 00410AD1
__vbaChkstk.MSVBVM60(?), ref: 00410AE5
__vbaChkstk.MSVBVM60(?), ref: 00410AF6
__vbaChkstk.MSVBVM60(?), ref: 00410B07
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000044), ref: 00410B4A
__vbaChkstk.MSVBVM60(00000000,?,00402FF4,00000044), ref: 00410B7E
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00410B91
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00410B99
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009,?,00000000), ref: 00410BA8
__vbaFreeStr.MSVBVM60(00410C0E), ref: 00410BF8
__vbaFreeStr.MSVBVM60(00410C0E), ref: 00410C00
__vbaFreeObj.MSVBVM60(00410C0E), ref: 00410C08

Strings

P G, xrefs: 004107D4, 004107DD, 004107EC, 004107F8, 00410978, 00410981, 00410990, 0041099C

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Free$CheckChkstkHresult$New2$ListMove$#616CopyLate
String ID: P G
API String ID: 709077215-4005627699
Opcode ID: 616164fadd98097fbc4bfed8f0a863bcc30ecb5f2947d3a91ddc1f49f9f9be98
Instruction ID: 28d57b1b4e2b041cb69e3cba8c6e5e7c1691930446970aabda1e8d473d8c4b44
Opcode Fuzzy Hash: 616164fadd98097fbc4bfed8f0a863bcc30ecb5f2947d3a91ddc1f49f9f9be98
Instruction Fuzzy Hash: 25F14670900318EFDB20DFA1C945BDDBBB5BF09304F1040AAE909BB2A1D7B85AD49F59

Uniqueness

Uniqueness Score: -1.00%

Function 00401B65, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 178COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040246C,P G,?,?,?,?,?,004011F6), ref: 0041098B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004109C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403168,00000050), ref: 00410A08
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00410A2F
__vbaChkstk.MSVBVM60(?), ref: 00410ABD
__vbaChkstk.MSVBVM60(?), ref: 00410AD1
__vbaChkstk.MSVBVM60(?), ref: 00410AE5
__vbaChkstk.MSVBVM60(?), ref: 00410AF6
__vbaChkstk.MSVBVM60(?), ref: 00410B07
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000044), ref: 00410B4A
__vbaChkstk.MSVBVM60(00000000,?,00402FF4,00000044), ref: 00410B7E

Strings

P G, xrefs: 00410979, 00410981, 00410990

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Chkstk$CheckHresultNew2
String ID: P G
API String ID: 3535372409-4005627699
Opcode ID: 5257360313e534e33858a43a1890e6df24cae7f9ad2a4105235e79355f173a39
Instruction ID: 98c73b30c2f382c11d38a88712cfbaaea9eeadb122e3cc0462137c722bdf7083
Opcode Fuzzy Hash: 5257360313e534e33858a43a1890e6df24cae7f9ad2a4105235e79355f173a39
Instruction Fuzzy Hash: 60616D31900318DFDB21DFA1C945BDDBBB2BF09304F1044AAFA08BB292D7B95A859F55

Uniqueness

Uniqueness Score: -1.00%

Function 0041107C, Relevance: 31.6, APIs: 21, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0041107C(void* __eax) {
				intOrPtr _t51;
				void* _t53;
				short _t57;
				intOrPtr _t72;
				void* _t77;
				void* _t89;
				void* _t90;

				L0:
				while(1) {
					L0:
					_t51 = _t89 - 0x24;
					_push(_t51);
					L0040128C();
					 *((intOrPtr*)(_t89 - 0x124)) = _t51;
					L2:
					if( *((intOrPtr*)(_t89 - 0x124)) != 0) {
						L1:
						 *((intOrPtr*)(_t89 - 0x80)) = 1;
						 *((intOrPtr*)(_t89 - 0x88)) = 2;
						_push(_t89 - 0x88);
						_t53 = _t89 - 0x24;
						_push(_t53);
						L00401346();
						_push(_t53);
						_push(_t89 - 0x74);
						_push(_t89 - 0x98);
						L00401292();
						_push(_t89 - 0x98);
						_t57 = _t89 - 0x78;
						_push(_t57);
						L00401298();
						_push(_t57);
						L0040129E();
						 *((short*)(_t89 - 0xa0)) = _t57;
						 *((intOrPtr*)(_t89 - 0xa8)) = 2;
						_push(_t89 - 0xa8);
						_push(_t89 - 0xb8);
						L004012A4();
						_push(_t89 - 0x34);
						_push(_t89 - 0xb8);
						_push(_t89 - 0xc8);
						L0040133A();
						L00401340();
						L00401364();
						_push(_t89 - 0xb8);
						_push(_t89 - 0xa8);
						_push(_t89 - 0x98);
						_push(_t89 - 0x88);
						_push(4);
						L004013B8();
						_t90 = _t90 + 0x14;
						_push(_t89 - 0x118);
						continue;
					}
					L3:
					 *((intOrPtr*)(_t89 - 0x90)) = 0x80020004;
					 *((intOrPtr*)(_t89 - 0x98)) = 0xa;
					 *((intOrPtr*)(_t89 - 0xd0)) = 0x403228;
					 *((intOrPtr*)(_t89 - 0xd8)) = 8;
					_push(1);
					_push(1);
					_push(_t89 - 0x98);
					_push(_t89 - 0xd8);
					_push(_t89 - 0x34);
					_t72 = _t89 - 0x88;
					_push(_t72);
					L0040133A();
					_push(_t72);
					L00401286();
					 *((intOrPtr*)(_t89 - 0xa0)) = _t72;
					 *((intOrPtr*)(_t89 - 0xa8)) = 8;
					L00401340();
					_push(_t89 - 0x98);
					_push(_t89 - 0x88);
					_push(2);
					L004013B8();
					L4:
					_push(0x4111ac);
					L5:
					_push(_t89 - 0x118);
					_push(_t89 - 0x108);
					_t77 = _t89 - 0xf8;
					_push(_t77);
					_push(3);
					L004013B8();
					L004013A6();
					L004013A6();
					L004013A6();
					L004013A6();
					L004013A6();
					L004013A6();
					return _t77;
					L6:
				}
			}

0x0041107c
0x0041107c
0x0041107c
0x0041107d
0x00411080
0x00411081
0x00411086
0x0041108c
0x00411093
0x00410fb4
0x00410fb4
0x00410fbb
0x00410fcb
0x00410fcc
0x00410fcf
0x00410fd0
0x00410fd5
0x00410fd9
0x00410fe0
0x00410fe1
0x00410fec
0x00410fed
0x00410ff0
0x00410ff1
0x00410ff6
0x00410ff7
0x00410ffc
0x00411003
0x00411013
0x0041101a
0x0041101b
0x00411023
0x0041102a
0x00411031
0x00411032
0x0041103c
0x00411044
0x0041104f
0x00411056
0x0041105d
0x00411064
0x00411065
0x00411067
0x0041106c
0x00411075
0x00000000
0x00411076
0x00411099
0x00411099
0x004110a3
0x004110ad
0x004110b7
0x004110c1
0x004110c3
0x004110cb
0x004110d2
0x004110d6
0x004110d7
0x004110dd
0x004110de
0x004110e3
0x004110e4
0x004110e9
0x004110ef
0x00411102
0x0041110d
0x00411114
0x00411115
0x00411117
0x0041111f
0x0041111f
0x0041115c
0x00411162
0x00411169
0x0041116a
0x00411170
0x00411171
0x00411173
0x0041117e
0x00411186
0x0041118e
0x00411196
0x0041119e
0x004111a6
0x004111ab
0x00000000
0x004111ab

APIs

__vbaI4Var.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000002), ref: 00410FD0
#632.MSVBVM60(?,?,00000000,?,00000002,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410FE1
__vbaStrVarVal.MSVBVM60(?,?,?,?,00000000,?,00000002,?,?,?,?,?,?,?,?,?), ref: 00410FF1
#516.MSVBVM60(00000000,?,?,?,?,00000000,?,00000002,?,?,?,?,?,?,?,?), ref: 00410FF7
#573.MSVBVM60(?,00000002,00000000,?,?,?,?,00000000,?,00000002), ref: 0041101B
__vbaVarAdd.MSVBVM60(?,?,?,?,00000002,00000000,?,?,?,?,00000000,?,00000002), ref: 00411032
__vbaVarMove.MSVBVM60(?,?,?,?,00000002,00000000,?,?,?,?,00000000,?,00000002), ref: 0041103C
__vbaFreeStr.MSVBVM60(?,?,?,?,00000002,00000000,?,?,?,?,00000000,?,00000002), ref: 00411044
__vbaFreeVarList.MSVBVM60(00000004,00000002,?,00000002,?,?,?,?,?,00000002,00000000,?,?,?,?,00000000), ref: 00411067
__vbaVarForNext.MSVBVM60(?,?,?,?,?,?,?,004011F6), ref: 00411081
__vbaVarAdd.MSVBVM60(?,?,00000008,0000000A,00000001,00000001), ref: 004110DE
#650.MSVBVM60(00000000,?,?,00000008,0000000A,00000001,00000001), ref: 004110E4
__vbaVarMove.MSVBVM60(00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00411102
__vbaFreeVarList.MSVBVM60(00000002,?,0000000A,00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00411117
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,004111AC,?,?,?,?,?,?,?,?,004011F6), ref: 00411173
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 0041117E
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00411186
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 0041118E

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Free$List$Move$#516#573#632#650Next
String ID:
API String ID: 1850725036-0
Opcode ID: 4cd3c86d69642dcd301a213dfd13ac64d2e7440048f37005a743a34362f7c2c1
Instruction ID: 9228b074edff6c7148bfddd31f03498038a44a97c51c4c87e5559b8c814fbbe8
Opcode Fuzzy Hash: 4cd3c86d69642dcd301a213dfd13ac64d2e7440048f37005a743a34362f7c2c1
Instruction Fuzzy Hash: 36419DB2C0021CAADB51EB91CC86FDEB37CAB14304F5041EBA549F2191EF786B898F55

Uniqueness

Uniqueness Score: -1.00%

Function 00410C35, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00410C35(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _t70;
				signed int _t75;
				char* _t80;
				signed int _t84;
				short _t85;
				intOrPtr _t103;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t103;
				_push(0x44);
				L004011F0();
				_v12 = _t103;
				_v8 = 0x4011b8;
				L0040136A();
				if( *0x4123c0 != 0) {
					_v72 = 0x4123c0;
				} else {
					_push(0x4123c0);
					_push(0x403004);
					L00401388();
					_v72 = 0x4123c0;
				}
				_v48 =  *_v72;
				_t70 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v40);
				asm("fclex");
				_v52 = _t70;
				if(_v52 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402ff4);
					_push(_v48);
					_push(_v52);
					L00401394();
					_v76 = _t70;
				}
				_v56 = _v40;
				_t75 =  *((intOrPtr*)( *_v56 + 0xe8))(_v56,  &_v36);
				asm("fclex");
				_v60 = _t75;
				if(_v60 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x403014);
					_push(_v56);
					_push(_v60);
					L00401394();
					_v80 = _t75;
				}
				_v68 = _v36;
				_v36 = _v36 & 0x00000000;
				L004013B2();
				L00401382();
				if( *0x412010 != 0) {
					_v84 = 0x412010;
				} else {
					_push("P G");
					_push(0x40246c);
					L00401388();
					_v84 = 0x412010;
				}
				_t80 =  &_v40;
				L00401358();
				_v48 = _t80;
				_t84 =  *((intOrPtr*)( *_v48 + 0xf8))(_v48,  &_v44, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x300))( *_v84));
				asm("fclex");
				_v52 = _t84;
				if(_v52 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x4030ec);
					_push(_v48);
					_push(_v52);
					L00401394();
					_v88 = _t84;
				}
				_t85 = _v44;
				_v24 = _t85;
				L00401382();
				_push(0x410dec);
				L00401364();
				L00401364();
				return _t85;
			}

0x00410c3a
0x00410c45
0x00410c46
0x00410c4d
0x00410c50
0x00410c58
0x00410c5b
0x00410c68
0x00410c74
0x00410c8e
0x00410c76
0x00410c76
0x00410c7b
0x00410c80
0x00410c85
0x00410c85
0x00410c9a
0x00410ca9
0x00410cac
0x00410cae
0x00410cb5
0x00410cce
0x00410cb7
0x00410cb7
0x00410cb9
0x00410cbe
0x00410cc1
0x00410cc4
0x00410cc9
0x00410cc9
0x00410cd5
0x00410ce4
0x00410cea
0x00410cec
0x00410cf3
0x00410d0f
0x00410cf5
0x00410cf5
0x00410cfa
0x00410cff
0x00410d02
0x00410d05
0x00410d0a
0x00410d0a
0x00410d16
0x00410d19
0x00410d23
0x00410d2b
0x00410d37
0x00410d51
0x00410d39
0x00410d39
0x00410d3e
0x00410d43
0x00410d48
0x00410d48
0x00410d6c
0x00410d70
0x00410d75
0x00410d84
0x00410d8a
0x00410d8c
0x00410d93
0x00410daf
0x00410d95
0x00410d95
0x00410d9a
0x00410d9f
0x00410da2
0x00410da5
0x00410daa
0x00410daa
0x00410db3
0x00410db7
0x00410dbe
0x00410dc3
0x00410dde
0x00410de6
0x00410deb

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410C50
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410C68
__vbaNew2.MSVBVM60(00403004,004123C0,?,?,?,?,004011F6), ref: 00410C80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00410CC4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000E8), ref: 00410D05
__vbaStrMove.MSVBVM60 ref: 00410D23
__vbaFreeObj.MSVBVM60 ref: 00410D2B
__vbaNew2.MSVBVM60(0040246C,P G), ref: 00410D43
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410D70
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030EC,000000F8), ref: 00410DA5
__vbaFreeObj.MSVBVM60 ref: 00410DBE
__vbaFreeStr.MSVBVM60(00410DEC), ref: 00410DDE
__vbaFreeStr.MSVBVM60(00410DEC), ref: 00410DE6

Strings

P G, xrefs: 00410D30, 00410D39, 00410D48, 00410D51

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkCopyMove
String ID: P G
API String ID: 4110455518-4005627699
Opcode ID: 95300b48452b51f770d4c72b014544a06553ac77becf2c4403ea04b40c536b04
Instruction ID: 024535f1ee5fae5b6a6260df13b9132df2a30069dd4cf38f6b1a84f4d7f0ceca
Opcode Fuzzy Hash: 95300b48452b51f770d4c72b014544a06553ac77becf2c4403ea04b40c536b04
Instruction Fuzzy Hash: 0051E070900208EFDB00DFE5D985BDDBBB5BF08304F20812AE901B72A1D7B96995DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00410EBC, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00410EBC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v56;
				char _v72;
				char _v88;
				void* _v104;
				char _v120;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				short _v164;
				char _v172;
				char _v188;
				char _v204;
				signed int _v212;
				char _v220;
				intOrPtr _v228;
				char _v236;
				char _v252;
				char _v268;
				char _v284;
				intOrPtr _v296;
				char* _t83;
				char* _t86;
				char* _t90;
				char* _t94;
				char* _t97;
				char* _t99;
				short _t103;
				char* _t115;
				char* _t119;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L004011F0();
				_v16 = _t143;
				_v12 = 0x4011e0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t140);
				L004012BC();
				_push( &_v252);
				_t83 =  &_v72;
				_push(_t83);
				L004012B6();
				if(_t83 == 0) {
					_push( &_v252);
					_t86 =  &_v88;
					_push(_t86);
					L004012B6();
					if(_t86 != 0) {
						_v212 = _v212 | 0xffffffff;
						_v220 = 2;
						_v228 = 1;
						_v236 = 2;
						_push( &_v220);
						_push( &_v236);
						_push( &_v120);
						_t94 =  &_v140;
						_push(_t94);
						L004012AA();
						_push(_t94);
						_push( &_v284);
						_push( &_v268);
						_t97 =  &_v40;
						_push(_t97);
						L004012B0();
						_v296 = _t97;
						while(_v296 != 0) {
							_v132 = 1;
							_v140 = 2;
							_push( &_v140);
							_t99 =  &_v40;
							_push(_t99);
							L00401346();
							_push(_t99);
							_push( &_v120);
							_push( &_v156);
							L00401292();
							_push( &_v156);
							_t103 =  &_v124;
							_push(_t103);
							L00401298();
							_push(_t103);
							L0040129E();
							_v164 = _t103;
							_v172 = 2;
							_push( &_v172);
							_push( &_v188);
							L004012A4();
							_push( &_v56);
							_push( &_v188);
							_push( &_v204);
							L0040133A();
							L00401340();
							L00401364();
							_push( &_v188);
							_push( &_v172);
							_push( &_v156);
							_push( &_v140);
							_push(4);
							L004013B8();
							_t143 = _t143 + 0x14;
							_push( &_v284);
							_push( &_v268);
							_t115 =  &_v40;
							_push(_t115);
							L0040128C();
							_v296 = _t115;
						}
						_v148 = 0x80020004;
						_v156 = 0xa;
						_v212 = 0x403228;
						_v220 = 8;
						_push(1);
						_push(1);
						_push( &_v156);
						_push( &_v220);
						_push( &_v56);
						_t119 =  &_v140;
						_push(_t119);
						L0040133A();
						_push(_t119);
						L00401286();
						_v164 = _t119;
						_v172 = 8;
						L00401340();
						_push( &_v156);
						_push( &_v140);
						_push(2);
						L004013B8();
						_t143 = _t143 + 0xc;
					}
				} else {
					L004012BC();
				}
				_push(0x4111ac);
				_push( &_v284);
				_push( &_v268);
				_t90 =  &_v252;
				_push(_t90);
				_push(3);
				L004013B8();
				L004013A6();
				L004013A6();
				L004013A6();
				L004013A6();
				L004013A6();
				L004013A6();
				return _t90;
			}

0x00410ebf
0x00410ece
0x00410eda
0x00410ee2
0x00410ee5
0x00410eec
0x00410efb
0x00410f07
0x00410f12
0x00410f13
0x00410f16
0x00410f17
0x00410f21
0x00410f39
0x00410f3a
0x00410f3d
0x00410f3e
0x00410f48
0x00410f4e
0x00410f55
0x00410f5f
0x00410f69
0x00410f79
0x00410f80
0x00410f84
0x00410f85
0x00410f8b
0x00410f8c
0x00410f91
0x00410f98
0x00410f9f
0x00410fa0
0x00410fa3
0x00410fa4
0x00410fa9
0x0041108c
0x00410fb4
0x00410fbb
0x00410fcb
0x00410fcc
0x00410fcf
0x00410fd0
0x00410fd5
0x00410fd9
0x00410fe0
0x00410fe1
0x00410fec
0x00410fed
0x00410ff0
0x00410ff1
0x00410ff6
0x00410ff7
0x00410ffc
0x00411003
0x00411013
0x0041101a
0x0041101b
0x00411023
0x0041102a
0x00411031
0x00411032
0x0041103c
0x00411044
0x0041104f
0x00411056
0x0041105d
0x00411064
0x00411065
0x00411067
0x0041106c
0x00411075
0x0041107c
0x0041107d
0x00411080
0x00411081
0x00411086
0x00411086
0x00411099
0x004110a3
0x004110ad
0x004110b7
0x004110c1
0x004110c3
0x004110cb
0x004110d2
0x004110d6
0x004110d7
0x004110dd
0x004110de
0x004110e3
0x004110e4
0x004110e9
0x004110ef
0x00411102
0x0041110d
0x00411114
0x00411115
0x00411117
0x0041111c
0x0041111c
0x00410f23
0x00410f29
0x00410f29
0x0041111f
0x00411162
0x00411169
0x0041116a
0x00411170
0x00411171
0x00411173
0x0041117e
0x00411186
0x0041118e
0x00411196
0x0041119e
0x004111a6
0x004111ab

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410EDA
__vbaVarCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410F07
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,004011F6), ref: 00410F17
__vbaVarCopy.MSVBVM60(?,?,?,?,?,?,004011F6), ref: 00410F29
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,004011F6), ref: 00410F3E
__vbaLenVar.MSVBVM60(?,?,00000002,00000002), ref: 00410F8C
__vbaVarForInit.MSVBVM60(?,?,?,00000000,?,?,00000002,00000002), ref: 00410FA4

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Copy$ChkstkInit
String ID:
API String ID: 3826034973-0
Opcode ID: d3ced0dd5c703300f44cb424f73d22857c4db9a1b83eaae256af07889db05f3a
Instruction ID: f89c889c320f9f68246e9bd7ef3dcdbd7556e1c525a84103f408a27ce6f7dab8
Opcode Fuzzy Hash: d3ced0dd5c703300f44cb424f73d22857c4db9a1b83eaae256af07889db05f3a
Instruction Fuzzy Hash: DD21017180055DABCB11DB95C985FDEB7BCAF08304F1085ABB209F7151EB789B898F94

Uniqueness

Uniqueness Score: -1.00%

Function 00410E09, Relevance: 7.5, APIs: 5, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00410E09(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				void* _v36;
				char _v44;
				char _v52;
				char* _t19;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L004011F0();
				_v16 = _t30;
				_v12 = 0x4011d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4011f6, _t27);
				_v44 = 2;
				_v52 = 2;
				_t19 =  &_v52;
				_push(_t19);
				L004013AC();
				L004013B2();
				L004013A6();
				_v32 =  *0x4011c8;
				asm("wait");
				_push(0x410e95);
				L00401364();
				return _t19;
			}

0x00410e0c
0x00410e1b
0x00410e25
0x00410e2d
0x00410e30
0x00410e37
0x00410e46
0x00410e49
0x00410e50
0x00410e57
0x00410e5a
0x00410e5b
0x00410e65
0x00410e6d
0x00410e78
0x00410e7b
0x00410e7c
0x00410e8f
0x00410e94

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410E25
#536.MSVBVM60(00000002), ref: 00410E5B
__vbaStrMove.MSVBVM60(00000002), ref: 00410E65
__vbaFreeVar.MSVBVM60(00000002), ref: 00410E6D
__vbaFreeStr.MSVBVM60(00410E95,00000002), ref: 00410E8F

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$Free$#536ChkstkMove
String ID:
API String ID: 2104488870-0
Opcode ID: b700f43e101432fa6fa79f13be68e8778472f4484f8dc53e7c6aad7b04ac9813
Instruction ID: 65fec2802833ff761578360ba7738edd19d08363b81867d35fb2e76992f97c1d
Opcode Fuzzy Hash: b700f43e101432fa6fa79f13be68e8778472f4484f8dc53e7c6aad7b04ac9813
Instruction Fuzzy Hash: 41014B71810208ABDB04EF96DC8AFDEBBB8BF08744F40842AF501BB5A1DBBC5544CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041040F, Relevance: 6.0, APIs: 4, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0041040F() {
				void* _t14;
				void* _t15;

				_push(3);
				L0040131C();
				_push(_t15 - 0x354);
				_push(_t15 - 0x350);
				_push(_t15 - 0x34c);
				_push(3);
				L0040134C();
				_push(_t15 - 0x384);
				_push(_t15 - 0x374);
				_push(_t15 - 0x364);
				_push(3);
				L004013B8();
				_t14 = _t15 - 0x388;
				_push(_t14);
				_push(0);
				L004012DA();
				return _t14;
			}

0x0041040f
0x00410411
0x0041041f
0x00410426
0x0041042d
0x0041042e
0x00410430
0x0041043e
0x00410445
0x0041044c
0x0041044d
0x0041044f
0x00410457
0x0041045d
0x0041045e
0x00410460
0x00410465

APIs

__vbaFreeStrList.MSVBVM60(00000003,00401C28), ref: 00410411
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00410430
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041044F
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00410460

Memory Dump Source

Source File: 00000000.00000002.1289475132.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1289445600.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1289502855.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1289522455.0000000000414000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Lista produkt#U00f3w.jbxd

Similarity

API ID: __vba$FreeList$Destruct
String ID:
API String ID: 524854962-0
Opcode ID: b58e2de8c947d5613cb7fb2b3b70ef42882ea12d68f185262f30ef51bebb3e5a
Instruction ID: 25c989454ba01100b756f1bd32ce8504364835efd1bbf0d1260096a30a35e034
Opcode Fuzzy Hash: b58e2de8c947d5613cb7fb2b3b70ef42882ea12d68f185262f30ef51bebb3e5a
Instruction Fuzzy Hash: 97F0C9B28502186BFB52E691CD42FEA737CAB14704F8401EBBA0CE5091EA356B884B61

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Lista produkt#U00f3w.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Lista produkt#U00f3w.exe PID: 2412 Parent PID: 5760

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Lista produkt#U00f3w.exe PID: 2412 Parent PID: 5760 Lista produkt#U00f3w.exeCOMMON

Execution Graph

Function 022B1B3F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 75
memorynativeCOMMON

Function 00407206, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 255
COMMON

Function 00407246, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 241
memoryCOMMON

Function 022B33E1, Relevance: 1.5, APIs: 1, Instructions: 13
nativeCOMMON

Function 00408444, Relevance: 198.8, APIs: 104, Strings: 9, Instructions: 1073
COMMON

Function 00410546, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 47
COMMON

Function 00401B8D, Relevance: 9.0, APIs: 6, Instructions: 41
COMMON

Function 004013F0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139
COMMON

Function 004072F2, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 233
COMMON

Function 0040729B, Relevance: 1.5, APIs: 1, Instructions: 235
memoryCOMMON

Function 00407343, Relevance: 1.5, APIs: 1, Instructions: 210
memoryCOMMON

Function 004073E0, Relevance: 1.5, APIs: 1, Instructions: 205
memoryCOMMON

Function 0040742D, Relevance: 1.4, APIs: 1, Instructions: 180
COMMON

Function 004074D9, Relevance: 1.4, APIs: 1, Instructions: 171
memoryCOMMON

Function 00407483, Relevance: 1.4, APIs: 1, Instructions: 163
memoryCOMMON

Function 0040752A, Relevance: 1.4, APIs: 1, Instructions: 161
memoryCOMMON

Function 00410619, Relevance: 68.6, APIs: 38, Strings: 1, Instructions: 368
COMMON

Function 0041107C, Relevance: 31.6, APIs: 21, Instructions: 113
COMMON

Function 00410C35, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 125
COMMON

Function 00410EBC, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Function 00410E09, Relevance: 7.5, APIs: 5, Instructions: 38
COMMON

Function 0041040F, Relevance: 6.0, APIs: 4, Instructions: 26
COMMON