Play interactive tour

Edit tour

Analysis Report dt9XEhpeQQ

Overview

General Information

Sample Name:	dt9XEhpeQQ (renamed file extension from none to exe)
Analysis ID:	431849
MD5:	5423976b486afd6a8dad047fb947b190
SHA1:	f04947aa1b4e9500e4b31d2365ac886447ba4427
SHA256:	e73ecaf549049b8c4f8701e55c95220e09890df2d93ef52465ccd4b448a6d19f
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Potential malicious icon found

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

dt9XEhpeQQ.exe (PID: 3924 cmdline: 'C:\Users\user\Desktop\dt9XEhpeQQ.exe' MD5: 5423976B486AFD6A8DAD047FB947B190)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Machine Learning detection for sample

Show sources

Source: dt9XEhpeQQ.exe

Joe Sandbox ML: detected

Source: dt9XEhpeQQ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Code function: 0_2_0227578F NtAllocateVirtualMemory,

0_2_0227578F

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00401368	0_2_00401368
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227578F	0_2_0227578F
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02274A31	0_2_02274A31
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272A05	0_2_02272A05
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227127D	0_2_0227127D
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02270247	0_2_02270247
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022782E3	0_2_022782E3
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022776CE	0_2_022776CE
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02271F06	0_2_02271F06
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272F01	0_2_02272F01
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02274700	0_2_02274700
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02271F11	0_2_02271F11
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02270763	0_2_02270763
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02278F6A	0_2_02278F6A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227737E	0_2_0227737E
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02278F7C	0_2_02278F7C
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02274B5A	0_2_02274B5A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022723A5	0_2_022723A5
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022717A4	0_2_022717A4
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02270F82	0_2_02270F82
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02271389	0_2_02271389
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02271793	0_2_02271793
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022783EB	0_2_022783EB
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227282E	0_2_0227282E
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227903F	0_2_0227903F
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227541A	0_2_0227541A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272869	0_2_02272869
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02273041	0_2_02273041
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272CBB	0_2_02272CBB
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02271C8D	0_2_02271C8D
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227389C	0_2_0227389C
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02271498	0_2_02271498
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022784E9	0_2_022784E9
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022730D6	0_2_022730D6
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02274922	0_2_02274922
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227452A	0_2_0227452A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02277929	0_2_02277929
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022741B9	0_2_022741B9
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022725ED	0_2_022725ED
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022705C4	0_2_022705C4

Source: dt9XEhpeQQ.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: dt9XEhpeQQ.exe, 00000000.00000002.730326538.0000000002B90000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSkiftela2.exeFE2XG vs dt9XEhpeQQ.exe
Source: dt9XEhpeQQ.exe, 00000000.00000000.197757674.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSkiftela2.exe vs dt9XEhpeQQ.exe
Source: dt9XEhpeQQ.exe	Binary or memory string: OriginalFilenameSkiftela2.exe vs dt9XEhpeQQ.exe

Source: dt9XEhpeQQ.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.rans.troj.evad.winEXE@1/0@0/0

Source: dt9XEhpeQQ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_004190F0 push eax; retf	0_2_004190FB
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0041B14B push cs; retf	0_2_0041B156
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0041DB0B push es; iretd	0_2_0041DB0C
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00419F95 push cs; retf	0_2_00419F9A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_006215F3 push edx; ret	0_2_00621621
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00623063 push edx; ret	0_2_00623091
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00621863 push edx; ret	0_2_00621891
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00624863 push edx; ret	0_2_00624891
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00626065 push edx; ret	0_2_00626091
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00620068 push edx; ret	0_2_00620091
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00622074 push edx; ret	0_2_006220A1
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00623874 push edx; ret	0_2_006238A1
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00625074 push edx; ret	0_2_006250A1
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00626875 push edx; ret	0_2_006268A1
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00620878 push edx; ret	0_2_006208A1
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00620843 push edx; ret	0_2_00620871
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00622043 push edx; ret	0_2_00622071
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00623843 push edx; ret	0_2_00623871
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00625043 push edx; ret	0_2_00625071
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00626844 push edx; ret	0_2_00626871
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00621054 push edx; ret	0_2_00621081
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00622854 push edx; ret	0_2_00622881
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00624054 push edx; ret	0_2_00624081
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00625854 push edx; ret	0_2_00625881
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00627054 push edx; ret	0_2_00627081
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00621023 push edx; ret	0_2_00621051
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00622823 push edx; ret	0_2_00622851
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00624023 push edx; ret	0_2_00624051
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00627024 push edx; ret	0_2_00627051
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00625825 push edx; ret	0_2_00625851
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_00624833 push edx; ret	0_2_00624861

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227578F NtAllocateVirtualMemory,	0_2_0227578F
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022782E3	0_2_022782E3
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272F01	0_2_02272F01
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02274700	0_2_02274700
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02278F6A	0_2_02278F6A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022723A5	0_2_022723A5
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02270F82	0_2_02270F82
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022783EB	0_2_022783EB
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227282E	0_2_0227282E
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02273041	0_2_02273041
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272CBB	0_2_02272CBB
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022784E9	0_2_022784E9
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022730D6	0_2_022730D6
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227452A	0_2_0227452A
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02277929	0_2_02277929
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022741B9	0_2_022741B9

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 00000000022759C0 second address: 00000000022759C0 instructions:
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 0000000002277E3F second address: 0000000002277E3F instructions:
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 0000000002279186 second address: 0000000002279186 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 00000000022759C0 second address: 00000000022759C0 instructions:
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 0000000002277E3F second address: 0000000002277E3F instructions:
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 0000000002279186 second address: 0000000002279186 instructions:
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	RDTSC instruction interceptor: First address: 0000000002277B34 second address: 0000000002277B34 instructions: 0x00000000 rdtsc 0x00000002 mov eax, A61B5935h 0x00000007 sub eax, 0A56D0FAh 0x0000000c sub eax, E6EE1F05h 0x00000011 sub eax, B4D66935h 0x00000016 cpuid 0x00000018 cmp ax, bx 0x0000001b popad 0x0000001c call 00007F8C6CD58698h 0x00000021 lfence 0x00000024 mov edx, DFDCCA82h 0x00000029 add edx, 10E79E27h 0x0000002f add edx, 1BD31F13h 0x00000035 xor edx, 736987A8h 0x0000003b mov edx, dword ptr [edx] 0x0000003d lfence 0x00000040 cmp edx, edx 0x00000042 cmp ch, dh 0x00000044 cmp ah, dh 0x00000046 test dh, 00000068h 0x00000049 test dl, cl 0x0000004b ret 0x0000004c sub edx, esi 0x0000004e ret 0x0000004f add edi, edx 0x00000051 test bl, FFFFFFB5h 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a test dx, dx 0x0000005d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000064 jne 00007F8C6CD58672h 0x00000066 test dl, al 0x00000068 cmp bh, bh 0x0000006a call 00007F8C6CD586B9h 0x0000006f call 00007F8C6CD586BCh 0x00000074 lfence 0x00000077 mov edx, DFDCCA82h 0x0000007c add edx, 10E79E27h 0x00000082 add edx, 1BD31F13h 0x00000088 xor edx, 736987A8h 0x0000008e mov edx, dword ptr [edx] 0x00000090 lfence 0x00000093 cmp edx, edx 0x00000095 cmp ch, dh 0x00000097 cmp ah, dh 0x00000099 test dh, 00000068h 0x0000009c test dl, cl 0x0000009e ret 0x0000009f mov esi, edx 0x000000a1 pushad 0x000000a2 rdtsc

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Code function: 0_2_0227578F rdtsc

0_2_0227578F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe

Code function: 0_2_0227578F rdtsc

0_2_0227578F

Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_022782E3 mov eax, dword ptr fs:[00000030h]	0_2_022782E3
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02275346 mov eax, dword ptr fs:[00000030h]	0_2_02275346
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02277390 mov eax, dword ptr fs:[00000030h]	0_2_02277390
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227787F mov eax, dword ptr fs:[00000030h]	0_2_0227787F
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_02272CBB mov eax, dword ptr fs:[00000030h]	0_2_02272CBB
Source: C:\Users\user\Desktop\dt9XEhpeQQ.exe	Code function: 0_2_0227389C mov eax, dword ptr fs:[00000030h]	0_2_0227389C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: dt9XEhpeQQ.exe, 00000000.00000002.726264180.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dt9XEhpeQQ.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431849
Start date:	09.06.2021
Start time:	12:54:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dt9XEhpeQQ (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 0.3% (good quality ratio 0.3%) Quality average: 50.2% Quality standard deviation: 2.2%
HCA Information:	Successful, ratio: 52% Number of executed functions: 7 Number of non-executed functions: 43
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, wermgr.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	3.8630055260118947
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dt9XEhpeQQ.exe
File size:	204800
MD5:	5423976b486afd6a8dad047fb947b190
SHA1:	f04947aa1b4e9500e4b31d2365ac886447ba4427
SHA256:	e73ecaf549049b8c4f8701e55c95220e09890df2d93ef52465ccd4b448a6d19f
SHA512:	8b4e3e0110d9a24efc2b4fd4ba79bc9aa5dfedb0d567259cd7068d361d7a1f85bfb55dca921700bb90faf3ade1820ce87b6b8e60f9436dff0b90780e084b1dd6
SSDEEP:	1536:9hWwhz1ljHnmEik/dZNgmZZfOc7Gec1GvI5wumCWC0tkC:+whR/dZNgmz2Qq1GUwumCWC0tV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L....4DK..................... ......h.............@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401368
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B443402 [Wed Jan 6 06:56:02 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b2e3727c442d471988cc35e3702b319a

Entrypoint Preview

Instruction
push 00429D64h
call 00007F8C6CD67A43h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc bh, bl
fstp tbyte ptr [ebx+497210B7h]
mov bl, 10h
lds eax, fword ptr [esi-14E51407h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
test al, 58h
adc al, 03h
je 00007F8C6CD67AB7h
jc 00007F8C6CD67AC4h
popad
outsb
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
adc byte ptr [esi], dl
push edi
pushfd
sbb al, ah
sbb eax, 59A949B2h
clc
or al, F3h
test byte ptr [edi], ch
outsd
inc ebx
push FFFFFFC0h
add bl, dl
jbe 00007F8C6CD679ECh
dec esp
mov ebx, 622546F3h
dec esi
jnle 00007F8C6CD67A8Dh
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov eax, 43000288h
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 56445200h
dec ecx
dec esi
add byte ptr [48000801h], cl
outsd
insd
bound esp, dword ptr [ecx+6Eh]
imul eax, dword ptr [eax], 19h
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [eax+ecx], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2f214	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x994	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x128	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e6ec	0x2f000	False	0.229549326795	data	3.95505433936	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x30000	0xa7c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x31000	0x994	0x1000	False	0.17919921875	data	2.11718629693	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x31864	0x130	data
RT_ICON	0x3157c	0x2e8	data
RT_ICON	0x31454	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x31424	0x30	data
RT_VERSION	0x31150	0x2d4	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	CInc.
InternalName	Skiftela2
FileVersion	1.00
CompanyName	Jummes
LegalTrademarks	CInc.
Comments	Jummes
ProductName	Jummes
ProductVersion	1.00
FileDescription	Jummes
OriginalFilename	Skiftela2.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: dt9XEhpeQQ.exe PID: 3924 Parent PID: 5716

General

Start time:	12:55:39
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\dt9XEhpeQQ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\dt9XEhpeQQ.exe'
Imagebase:	0x400000
File size:	204800 bytes
MD5 hash:	5423976B486AFD6A8DAD047FB947B190
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: dt9XEhpeQQ.exe PID: 3924 Parent PID: 5716 dt9XEhpeQQ.exeCOMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	68.8%
Signature Coverage:	36.8%
Total number of Nodes:	516
Total number of Limit Nodes:	49

Executed Functions

Function 0227578F, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 838
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(-46541699), ref: 022758EE

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: p;n$p;n
API String ID: 2167126740-1709402006
Opcode ID: 185e9c1fa2b62da8d0f2f14abb3b68a96c258a620a56f4a6ff5e76cd74aa6c36
Instruction ID: 0da28e372aeb58e360231520a0c5fd4aa7f710f48876496f47467af95bf10a89
Opcode Fuzzy Hash: 185e9c1fa2b62da8d0f2f14abb3b68a96c258a620a56f4a6ff5e76cd74aa6c36
Instruction Fuzzy Hash: 6B62317160434A9FDF349E78C9947DABBB2FF49350F96822DDC899B214D7348A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00401368, Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6%*), ref: 0040136D

Strings

VB5!6%*, xrefs: 00401368

Memory Dump Source

Source File: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: d8f09e2abcda61aae2f4526eb9802073176670922c8ff69983277ba7f9b365b5
Instruction ID: 1463aece003620141514fbe2cd762383060c3a52b2492c2f080a4c39440e4f81
Opcode Fuzzy Hash: d8f09e2abcda61aae2f4526eb9802073176670922c8ff69983277ba7f9b365b5
Instruction Fuzzy Hash: B3E1983144E3D19FD7038B709CA65A27FB4EE1321471E46DBD8C28F0B3E2285A5AD766

Uniqueness

Uniqueness Score: -1.00%

Function 0042B834, Relevance: 248.0, APIs: 136, Strings: 5, Instructions: 1279
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042B834(signed int _a4, intOrPtr _a678) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v52;
				char _v64;
				char _v68;
				char _v96;
				char _v104;
				char _v108;
				char _v116;
				char _v120;
				char _v144;
				char _v152;
				char _v160;
				char _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				intOrPtr _v236;
				char _v244;
				intOrPtr _v252;
				char _v260;
				intOrPtr _v268;
				char _v276;
				intOrPtr _v284;
				char _v292;
				intOrPtr _v300;
				char _v308;
				char _v360;
				char _v364;
				char _v368;
				char _v372;
				char _v376;
				char _v380;
				char _v384;
				char* _t333;
				char* _t337;
				intOrPtr* _t340;
				intOrPtr* _t342;
				void* _t344;
				intOrPtr* _t345;
				intOrPtr* _t347;
				void* _t349;
				intOrPtr* _t350;
				intOrPtr* _t352;
				void* _t354;
				char* _t355;
				char* _t356;
				char* _t366;
				intOrPtr* _t370;
				intOrPtr* _t372;
				void* _t374;
				char* _t376;
				void* _t378;
				intOrPtr* _t381;
				intOrPtr* _t383;
				void* _t385;
				intOrPtr* _t389;
				intOrPtr* _t391;
				void* _t393;
				intOrPtr* _t394;
				intOrPtr* _t396;
				intOrPtr* _t398;
				void* _t400;
				intOrPtr* _t401;
				intOrPtr* _t403;
				void* _t405;
				intOrPtr* _t406;
				intOrPtr* _t410;
				intOrPtr* _t412;
				void* _t414;
				intOrPtr* _t416;
				intOrPtr* _t418;
				void* _t420;
				intOrPtr* _t421;
				intOrPtr* _t423;
				void* _t425;
				intOrPtr* _t426;
				intOrPtr* _t428;
				void* _t430;
				intOrPtr* _t431;
				intOrPtr* _t433;
				void* _t435;
				char* _t437;
				void* _t438;
				intOrPtr* _t449;
				intOrPtr* _t451;
				void* _t453;
				void* _t455;
				intOrPtr* _t456;
				intOrPtr* _t458;
				void* _t460;
				intOrPtr* _t461;
				intOrPtr* _t463;
				void* _t465;
				void* _t468;
				intOrPtr* _t473;
				intOrPtr* _t475;
				void* _t477;
				intOrPtr* _t478;
				intOrPtr* _t480;
				void* _t482;
				intOrPtr* _t483;
				intOrPtr* _t485;
				void* _t487;
				void* _t491;
				void* _t495;
				void* _t502;
				intOrPtr* _t503;
				void* _t504;
				intOrPtr* _t505;
				intOrPtr* _t507;
				void* _t509;
				intOrPtr* _t511;
				intOrPtr* _t513;
				void* _t515;
				void* _t517;
				intOrPtr* _t518;
				void* _t519;
				intOrPtr* _t522;
				intOrPtr* _t524;
				void* _t526;
				void* _t528;
				intOrPtr* _t529;
				void* _t530;
				char* _t533;
				char* _t534;
				void* _t535;
				void* _t537;
				char* _t550;
				char* _t583;
				char* _t592;
				char* _t604;
				void* _t636;
				void* _t640;
				signed int _t641;
				signed int _t642;
				void* _t644;
				intOrPtr* _t645;
				intOrPtr _t647;
				void* _t649;
				void* _t651;
				intOrPtr* _t654;
				intOrPtr* _t655;
				intOrPtr* _t656;
				intOrPtr* _t659;
				intOrPtr* _t660;
				intOrPtr* _t661;
				intOrPtr* _t662;
				intOrPtr* _t663;
				intOrPtr* _t664;
				intOrPtr* _t665;
				intOrPtr* _t666;
				intOrPtr* _t667;
				intOrPtr* _t668;
				intOrPtr* _t670;
				intOrPtr* _t671;
				intOrPtr* _t672;
				intOrPtr* _t673;
				intOrPtr* _t674;
				intOrPtr* _t675;
				intOrPtr* _t676;
				signed int _t677;
				void* _t678;
				intOrPtr* _t679;
				intOrPtr* _t680;
				intOrPtr* _t681;
				intOrPtr* _t683;
				intOrPtr* _t684;
				intOrPtr* _t685;
				intOrPtr* _t686;
				intOrPtr* _t687;
				intOrPtr* _t688;
				intOrPtr* _t689;
				intOrPtr _t690;
				intOrPtr _t691;
				void* _t692;
				void* _t693;
				long long* _t694;
				void* _t695;
				void* _t696;
				intOrPtr* _t697;
				long long* _t698;
				long long* _t699;
				void* _t701;
				void* _t702;
				intOrPtr _t714;
				intOrPtr _t719;
				intOrPtr _t722;
				intOrPtr _t726;

				 *[fs:0x0] = _t690;
				_t691 = _t690 - 0x1cc;
				_v16 = _t691;
				_v12 = 0x401158;
				_t641 = _a4;
				_v8 = _t641 & 0x00000001;
				_t642 = _t641 & 0xfffffffe;
				_a4 = _t642;
				 *((intOrPtr*)( *_t642 + 4))(_t642, _t640, _t651, _t537,  *[fs:0x0], 0x4011b6);
				_push(3);
				_push(0x42b284);
				_push( &_v96);
				_v28 = 0;
				_v52 = 0;
				_v64 = 0;
				_v68 = 0;
				_v104 = 0;
				_v108 = 0;
				_v116 = 0;
				_v120 = 0;
				_v152 = 0;
				_v160 = 0;
				_v164 = 0;
				_v172 = 0;
				_v176 = 0;
				_v180 = 0;
				_v184 = 0;
				_v188 = 0;
				_v192 = 0;
				_v196 = 0;
				_v200 = 0;
				_v204 = 0;
				_v208 = 0;
				_v212 = 0;
				_v216 = 0;
				_v220 = 0;
				_v224 = 0;
				_v228 = 0;
				_v244 = 0;
				_v260 = 0;
				_v276 = 0;
				_v292 = 0;
				_v308 = 0;
				_v360 = 0;
				_v364 = 0;
				_v368 = 0;
				_v372 = 0;
				_v376 = 0;
				_v380 = 0;
				_v384 = 0;
				L00401348();
				_push(0x11);
				_push(0x42b2a0);
				_t333 =  &_v144;
				_push(_t333);
				L00401348();
				_push(0x42b0dc);
				_push(0x42b0dc);
				L00401336();
				_v236 = _t333;
				_push(1);
				_push( &_v244);
				_push( &_v260);
				_v244 = 8;
				L0040133C();
				_push( &_v260);
				_t337 =  &_v308;
				_v300 = 0x42b0dc;
				_v308 = 0x8008;
				_push(_t337);
				L00401342();
				_push( &_v260);
				_push( &_v244);
				_push(2);
				L00401330();
				_t692 = _t691 + 0xc;
				if(_t337 != 0) {
					L0040132A();
					_push( &_v244);
					_v236 = 0x80020004;
					_v244 = 0xa;
					L00401324();
					L0040131E();
					_push(1);
					_push(L"Smaaartikler4");
					L00401318();
				}
				_t340 =  *0x430010; // 0x4afc90
				if(_t340 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t340 =  *0x430010; // 0x4afc90
				}
				_t342 =  &_v208;
				L00401312();
				_t654 = _t342;
				_t344 =  *((intOrPtr*)( *_t654 + 0x128))(_t654, _t342,  *((intOrPtr*)( *_t340 + 0x338))(_t340));
				asm("fclex");
				if(_t344 < 0) {
					_push(0x128);
					_push(0x42b100);
					_push(_t654);
					_push(_t344);
					L00401306();
				}
				L00401300();
				_t345 =  *0x430010; // 0x4afc90
				if(_t345 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t345 =  *0x430010; // 0x4afc90
				}
				_t347 =  &_v208;
				L00401312();
				_t655 = _t347;
				_t349 =  *((intOrPtr*)( *_t655 + 0xe8))(_t655,  &_v188, _t347,  *((intOrPtr*)( *_t345 + 0x334))(_t345));
				asm("fclex");
				if(_t349 < 0) {
					_push(0xe8);
					_push(0x42b110);
					_push(_t655);
					_push(_t349);
					L00401306();
				}
				_t350 =  *0x430010; // 0x4afc90
				if(_t350 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t350 =  *0x430010; // 0x4afc90
				}
				_t352 =  &_v212;
				L00401312();
				_t656 = _t352;
				_t354 =  *((intOrPtr*)( *_t656 + 0x108))(_t656,  &_v192, _t352,  *((intOrPtr*)( *_t350 + 0x30c))(_t350));
				asm("fclex");
				if(_t354 < 0) {
					_push(0x108);
					_push(0x42b120);
					_push(_t656);
					_push(_t354);
					L00401306();
				}
				_push(0);
				_push(_v192);
				_t355 =  &_v200;
				_push(_t355);
				L004012FA();
				_push(_t355);
				_push(_v188);
				_t356 =  &_v196;
				_push(_t356);
				L004012FA();
				_push(_t356);
				E0042AE64();
				_v376 = _t356;
				L004012F4();
				_push( &_v200);
				_push( &_v192);
				_push( &_v196);
				_push( &_v188);
				_push(4);
				L004012EE();
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004012E8();
				_t693 = _t692 + 0x20;
				if( ~(0 | _v376 == 0x00001a09) != 0) {
					_t511 =  *0x430010; // 0x4afc90
					if(_t511 == 0) {
						_push(0x430010);
						_push(0x42a030);
						L0040130C();
						_t511 =  *0x430010; // 0x4afc90
					}
					_t513 =  &_v208;
					L00401312();
					_t683 = _t513;
					_t515 =  *((intOrPtr*)( *_t683 + 0x48))(_t683,  &_v188, _t513,  *((intOrPtr*)( *_t511 + 0x2fc))(_t511));
					asm("fclex");
					if(_t515 < 0) {
						_push(0x48);
						_push(0x42b130);
						_push(_t683);
						_push(_t515);
						L00401306();
					}
					_t714 =  *0x430340; // 0x220e8b4
					if(_t714 != 0) {
						_t649 = 0x42afa0;
					} else {
						_push(0x430340);
						_t649 = 0x42afa0;
						_push(0x42afa0);
						L0040130C();
					}
					_t684 =  *0x430340; // 0x220e8b4
					_t517 =  *((intOrPtr*)( *_t684 + 0x14))(_t684,  &_v212);
					asm("fclex");
					if(_t517 < 0) {
						_push(0x14);
						_push(0x42b150);
						_push(_t684);
						_push(_t517);
						L00401306();
					}
					_t518 = _v212;
					_t685 = _t518;
					_t519 =  *((intOrPtr*)( *_t518 + 0x138))(_t518, _v188, 1);
					asm("fclex");
					if(_t519 < 0) {
						_push(0x138);
						_push(0x42ac60);
						_push(_t685);
						_push(_t519);
						L00401306();
					}
					L004012E2();
					_push( &_v212);
					_push( &_v208);
					_push(2);
					L004012E8();
					_t522 =  *0x430010; // 0x4afc90
					_t701 = _t693 + 0xc;
					if(_t522 == 0) {
						_push(0x430010);
						_push(0x42a030);
						L0040130C();
						_t522 =  *0x430010; // 0x4afc90
					}
					_t524 =  &_v208;
					L00401312();
					_t686 = _t524;
					_t526 =  *((intOrPtr*)( *_t686 + 0x48))(_t686,  &_v188, _t524,  *((intOrPtr*)( *_t522 + 0x308))(_t522));
					asm("fclex");
					if(_t526 < 0) {
						_push(0x48);
						_push(0x42b120);
						_push(_t686);
						_push(_t526);
						L00401306();
					}
					_t719 =  *0x430340; // 0x220e8b4
					if(_t719 == 0) {
						_push(0x430340);
						_push(_t649);
						L0040130C();
					}
					_t687 =  *0x430340; // 0x220e8b4
					_t528 =  *((intOrPtr*)( *_t687 + 0x14))(_t687,  &_v212);
					asm("fclex");
					if(_t528 < 0) {
						_push(0x14);
						_push(0x42b150);
						_push(_t687);
						_push(_t528);
						L00401306();
					}
					_t529 = _v212;
					_t688 = _t529;
					_t530 =  *((intOrPtr*)( *_t529 + 0x138))(_t529, _v188, 1);
					asm("fclex");
					if(_t530 < 0) {
						_push(0x138);
						_push(0x42ac60);
						_push(_t688);
						_push(_t530);
						L00401306();
					}
					L004012E2();
					_push( &_v212);
					_push( &_v208);
					_push(2);
					L004012E8();
					_t702 = _t701 + 0xc;
					_t722 =  *0x430340; // 0x220e8b4
					if(_t722 == 0) {
						_push(0x430340);
						_push(_t649);
						L0040130C();
					}
					_t689 =  *0x430340; // 0x220e8b4
					_t533 =  &_v244;
					L004012D0();
					_t693 = _t702 + 0x10;
					L004012D6();
					_t534 =  &_v208;
					L004012DC();
					_t535 =  *((intOrPtr*)( *_t689 + 0xc))(_t689, _t534, _t534, _t533, _t533, _t533, _v120, L"jHCw1jHImJpY116", 0);
					asm("fclex");
					if(_t535 < 0) {
						_push(0xc);
						_push(0x42b150);
						_push(_t689);
						_push(_t535);
						L00401306();
					}
					L00401300();
					L0040131E();
					_t642 = _a4;
				}
				_push(L"Mariamman");
				_t366 =  &_v188;
				_push(_t366);
				L004012FA();
				_push(_t366);
				E0042AEB8();
				_v376 = _t366;
				L004012F4();
				L004012E2();
				if( ~(0 | _v376 == 0x000015b2) != 0) {
					_t726 =  *0x430340; // 0x220e8b4
					if(_t726 == 0) {
						_push(0x430340);
						_push(0x42afa0);
						L0040130C();
					}
					_t679 =  *0x430340; // 0x220e8b4
					_t502 =  *((intOrPtr*)( *_t679 + 0x14))(_t679,  &_v208);
					asm("fclex");
					if(_t502 < 0) {
						_push(0x14);
						_push(0x42b150);
						_push(_t679);
						_push(_t502);
						L00401306();
					}
					_t503 = _v208;
					_t680 = _t503;
					_t504 =  *((intOrPtr*)( *_t503 + 0x60))(_t503,  &_v188);
					asm("fclex");
					if(_t504 < 0) {
						_push(0x60);
						_push(0x42ac60);
						_push(_t680);
						_push(_t504);
						L00401306();
					}
					_v188 = 0;
					L004012CA();
					L00401300();
					_push(0);
					_push(0);
					_push(1);
					L004012C4();
					L004012CA();
					_t505 =  *0x430010; // 0x4afc90
					if(_t505 == 0) {
						_push(0x430010);
						_push(0x42a030);
						L0040130C();
						_t505 =  *0x430010; // 0x4afc90
					}
					_t507 =  &_v208;
					L00401312();
					_t681 = _t507;
					_t509 =  *((intOrPtr*)( *_t681 + 0x198))(_t681,  &_v188, _t507,  *((intOrPtr*)( *_t505 + 0x334))(_t505));
					asm("fclex");
					if(_t509 < 0) {
						_push(0x198);
						_push(0x42b110);
						_push(_t681);
						_push(_t509);
						L00401306();
					}
					_push(0);
					_push(_v188);
					_push( &_v244);
					L004012B8();
					_t693 = _t693 - 0x10;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v184);
					asm("movsd");
					L004012BE();
					L004012E2();
					L00401300();
					L0040131E();
					_t642 = _a4;
				}
				_t370 =  *0x430010; // 0x4afc90
				if(_t370 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t370 =  *0x430010; // 0x4afc90
				}
				_t372 =  &_v208;
				L00401312();
				_t659 = _t372;
				_t374 =  *((intOrPtr*)( *_t659 + 0x178))(_t659,  &_v212, _t372,  *((intOrPtr*)( *_t370 + 0x318))(_t370));
				asm("fclex");
				if(_t374 < 0) {
					_push(0x178);
					_push(0x42b120);
					_push(_t659);
					_push(_t374);
					L00401306();
				}
				L004012B2();
				_t694 = _t693 + 0x10;
				_t376 =  &_v244;
				L004012AC();
				_t550 =  &_v364;
				 *_t694 =  *0x401150;
				_v376 = _t376;
				_v364 = 0xfc;
				_v360 = 0xe3;
				_t378 =  *((intOrPtr*)( *_t642 + 0x6fc))(_t642,  &_v360, _t550, _t550, _t550, 0x6558,  &_v376,  &_v380, _t376,  &_v244, _v212, 0, 0);
				if(_t378 < 0) {
					_push(0x6fc);
					_push(0x42ac24);
					_push(_t642);
					_push(_t378);
					L00401306();
				}
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004012E8();
				_t695 = _t694 + 0xc;
				L0040131E();
				_t381 =  *0x430010; // 0x4afc90
				if(_t381 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t381 =  *0x430010; // 0x4afc90
				}
				_t383 =  &_v208;
				L00401312();
				_t660 = _t383;
				_t385 =  *((intOrPtr*)( *_t660 + 0xa0))(_t660,  &_v360, _t383,  *((intOrPtr*)( *_t381 + 0x310))(_t381));
				asm("fclex");
				if(_t385 < 0) {
					_push(0xa0);
					_push(0x42b120);
					_push(_t660);
					_push(_t385);
					L00401306();
				}
				_v364 = _v360;
				 *((intOrPtr*)( *_t642 + 0x704))(_t642,  &_v364, L"AMPHORAL");
				L00401300();
				_t389 =  *0x430010; // 0x4afc90
				if(_t389 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t389 =  *0x430010; // 0x4afc90
				}
				_t391 =  &_v208;
				L00401312();
				_t661 = _t391;
				_t393 =  *((intOrPtr*)( *_t661 + 0x1a0))(_t661,  &_v376, _t391,  *((intOrPtr*)( *_t389 + 0x30c))(_t389));
				asm("fclex");
				if(_t393 < 0) {
					_push(0x1a0);
					_push(0x42b120);
					_push(_t661);
					_push(_t393);
					L00401306();
				}
				_t394 = _a4;
				_v380 =  *0x401148;
				 *((intOrPtr*)( *_t394 + 0x708))(_t394,  &_v380, _v376, 0xd0ffa920, 0x5b05,  &_v360);
				L00401300();
				_t396 =  *0x430010; // 0x4afc90
				if(_t396 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t396 =  *0x430010; // 0x4afc90
				}
				_t398 =  &_v208;
				L00401312();
				_t662 = _t398;
				_t400 =  *((intOrPtr*)( *_t662 + 0x78))(_t662,  &_v376, _t398,  *((intOrPtr*)( *_t396 + 0x330))(_t396));
				asm("fclex");
				if(_t400 < 0) {
					_push(0x78);
					_push(0x42b110);
					_push(_t662);
					_push(_t400);
					L00401306();
				}
				_t401 =  *0x430010; // 0x4afc90
				if(_t401 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t401 =  *0x430010; // 0x4afc90
				}
				_t403 =  &_v212;
				L00401312();
				_t663 = _t403;
				_t405 =  *((intOrPtr*)( *_t663 + 0x60))(_t663,  &_v380, _t403,  *((intOrPtr*)( *_t401 + 0x314))(_t401));
				asm("fclex");
				if(_t405 < 0) {
					_push(0x60);
					_push(0x42b120);
					_push(_t663);
					_push(_t405);
					L00401306();
				}
				_t406 = _a4;
				_v384 = _v376;
				 *((intOrPtr*)( *_t406 + 0x708))(_t406,  &_v384, _v380, 0xf66cf00, 0x5b05,  &_v360);
				_push( &_v212);
				_push( &_v208);
				_push(2);
				L004012E8();
				_t410 =  *0x430010; // 0x4afc90
				_t696 = _t695 + 0xc;
				if(_t410 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t410 =  *0x430010; // 0x4afc90
				}
				_t412 =  &_v208;
				L00401312();
				_t664 = _t412;
				_t414 =  *((intOrPtr*)( *_t664 + 0x178))(_t664,  &_v212, _t412,  *((intOrPtr*)( *_t410 + 0x2fc))(_t410));
				asm("fclex");
				if(_t414 < 0) {
					_push(0x178);
					_push(0x42b130);
					_push(_t664);
					_push(_t414);
					L00401306();
				}
				_push(0);
				_push(0);
				_push(_v212);
				_push( &_v244); // executed
				L004012B2();
				_t416 =  *0x430010; // 0x4afc90
				_t697 = _t696 + 0x10;
				if(_t416 != 0) {
					_t644 = 0x42a030;
				} else {
					_push(0x430010);
					_t644 = 0x42a030;
					_push(0x42a030);
					L0040130C();
					_t416 =  *0x430010; // 0x4afc90
				}
				_t418 =  &_v216;
				L00401312();
				_t665 = _t418;
				_t420 =  *((intOrPtr*)( *_t665 + 0x68))(_t665,  &_v376, _t418,  *((intOrPtr*)( *_t416 + 0x338))(_t416));
				asm("fclex");
				if(_t420 < 0) {
					_push(0x68);
					_push(0x42b100);
					_push(_t665);
					_push(_t420);
					L00401306();
				}
				_t421 =  *0x430010; // 0x4afc90
				if(_t421 == 0) {
					_push(0x430010);
					_push(_t644);
					L0040130C();
					_t421 =  *0x430010; // 0x4afc90
				}
				_t423 =  &_v220;
				L00401312();
				_t666 = _t423;
				_t425 =  *((intOrPtr*)( *_t666 + 0xf0))(_t666,  &_v188, _t423,  *((intOrPtr*)( *_t421 + 0x334))(_t421));
				asm("fclex");
				if(_t425 < 0) {
					_push(0xf0);
					_push(0x42b110);
					_push(_t666);
					_push(_t425);
					L00401306();
				}
				_t426 =  *0x430010; // 0x4afc90
				if(_t426 == 0) {
					_push(0x430010);
					_push(_t644);
					L0040130C();
					_t426 =  *0x430010; // 0x4afc90
				}
				_t428 =  &_v224;
				L00401312();
				_t667 = _t428;
				_t430 =  *((intOrPtr*)( *_t667 + 0x50))(_t667,  &_v192, _t428,  *((intOrPtr*)( *_t426 + 0x310))(_t426));
				asm("fclex");
				if(_t430 < 0) {
					_push(0x50);
					_push(0x42b120);
					_push(_t667);
					_push(_t430);
					L00401306();
				}
				_t431 =  *0x430010; // 0x4afc90
				if(_t431 == 0) {
					_push(0x430010);
					_push(_t644);
					L0040130C();
					_t431 =  *0x430010; // 0x4afc90
				}
				_t433 =  &_v228;
				L00401312();
				_t668 = _t433;
				_t435 =  *((intOrPtr*)( *_t668 + 0xa0))(_t668,  &_v196, _t433,  *((intOrPtr*)( *_t431 + 0x334))(_t431));
				asm("fclex");
				if(_t435 < 0) {
					_push(0xa0);
					_push(0x42b110);
					_push(_t668);
					_push(_t435);
					L00401306();
				}
				_v196 = 0;
				L004012CA();
				_t645 = _a4;
				_t437 =  &_v244;
				 *_t697 = _v376;
				L004012A6();
				L004012CA();
				_t438 =  *((intOrPtr*)( *_t645 + 0x6f8))(_t645, _t437, _t437,  &_v204, _v188, _v192,  &_v204);
				if(_t438 < 0) {
					_push(0x6f8);
					_push(0x42ac24);
					_push(_t645);
					_push(_t438);
					L00401306();
				}
				_push( &_v204);
				_push( &_v192);
				_push( &_v188);
				_push( &_v200);
				_push(4);
				L004012EE();
				_push( &_v212);
				_push( &_v228);
				_push( &_v224);
				_push( &_v220);
				_push( &_v216);
				_push( &_v208);
				_push(6);
				L004012E8();
				_t698 = _t697 + 0x30;
				L0040131E();
				_t449 =  *0x430010; // 0x4afc90
				if(_t449 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t449 =  *0x430010; // 0x4afc90
				}
				_t451 =  &_v208;
				L00401312();
				_t670 = _t451;
				_t453 =  *((intOrPtr*)( *_t670 + 0xe0))(_t670,  &_v360, _t451,  *((intOrPtr*)( *_t449 + 0x2fc))(_t449));
				asm("fclex");
				if(_t453 < 0) {
					_push(0xe0);
					_push(0x42b130);
					_push(_t670);
					_push(_t453);
					L00401306();
				}
				_t583 =  &_v368;
				 *_t698 =  *0x401140;
				_v376 = 0x2be54;
				_v368 = 0xad9;
				_v364 = 0x83c;
				_t455 =  *((intOrPtr*)( *_t645 + 0x6fc))(_t645,  &_v364, _t583, _t583, _t583, _v360,  &_v376,  &_v380);
				if(_t455 < 0) {
					_push(0x6fc);
					_push(0x42ac24);
					_push(_a4);
					_push(_t455);
					L00401306();
				}
				L00401300();
				_t456 =  *0x430010; // 0x4afc90
				if(_t456 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t456 =  *0x430010; // 0x4afc90
				}
				_t458 =  &_v208;
				L00401312();
				_t671 = _t458;
				_t460 =  *((intOrPtr*)( *_t671 + 0x98))(_t671,  &_v360, _t458,  *((intOrPtr*)( *_t456 + 0x324))(_t456));
				asm("fclex");
				if(_t460 < 0) {
					_push(0x98);
					_push(0x42b1b0);
					_push(_t671);
					_push(_t460);
					L00401306();
				}
				_t461 =  *0x430010; // 0x4afc90
				if(_t461 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t461 =  *0x430010; // 0x4afc90
				}
				_t463 =  &_v212;
				L00401312();
				_t672 = _t463;
				_t465 =  *((intOrPtr*)( *_t672 + 0xb8))(_t672,  &_v364, _t463,  *((intOrPtr*)( *_t461 + 0x324))(_t461));
				asm("fclex");
				if(_t465 < 0) {
					_push(0xb8);
					_push(0x42b1b0);
					_push(_t672);
					_push(_t465);
					L00401306();
				}
				_t673 = _a4;
				_t592 =  &_v372;
				 *_t698 =  *0x401138;
				_v372 = _v360;
				_v376 = 0x684fff;
				_v368 = 0x10b1;
				_t468 =  *((intOrPtr*)( *_t673 + 0x6fc))(_t673,  &_v368, _t592, _t592, _t592, _v364,  &_v376,  &_v380);
				if(_t468 < 0) {
					_push(0x6fc);
					_push(0x42ac24);
					_push(_t673);
					_push(_t468);
					L00401306();
				}
				L004012E8();
				_v376 =  *0x401130;
				_t699 = _t698 + 0xc;
				 *((intOrPtr*)( *_t673 + 0x708))(_t673,  &_v376, 0x7d676c, 0x24a61260, 0x5af9,  &_v360, 2,  &_v208,  &_v212);
				_t473 =  *0x430010; // 0x4afc90
				if(_t473 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t473 =  *0x430010; // 0x4afc90
				}
				_t475 =  &_v208;
				L00401312();
				_t674 = _t475;
				_t477 =  *((intOrPtr*)( *_t674 + 0x198))(_t674,  &_v360, _t475,  *((intOrPtr*)( *_t473 + 0x318))(_t473));
				asm("fclex");
				if(_t477 < 0) {
					_push(0x198);
					_push(0x42b120);
					_push(_t674);
					_push(_t477);
					L00401306();
				}
				_t478 =  *0x430010; // 0x4afc90
				if(_t478 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t478 =  *0x430010; // 0x4afc90
				}
				_t480 =  &_v212;
				L00401312();
				_t675 = _t480;
				_t482 =  *((intOrPtr*)( *_t675 + 0x178))(_t675,  &_v364, _t480,  *((intOrPtr*)( *_t478 + 0x320))(_t478));
				asm("fclex");
				if(_t482 < 0) {
					_push(0x178);
					_push(0x42b1c0);
					_push(_t675);
					_push(_t482);
					L00401306();
				}
				_t483 =  *0x430010; // 0x4afc90
				if(_t483 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t483 =  *0x430010; // 0x4afc90
				}
				_t485 =  &_v216;
				L00401312();
				_t676 = _t485;
				_t487 =  *((intOrPtr*)( *_t676 + 0x58))(_t676,  &_v376, _t485,  *((intOrPtr*)( *_t483 + 0x32c))(_t483));
				asm("fclex");
				if(_t487 < 0) {
					_push(0x58);
					_push(0x42b110);
					_push(_t676);
					_push(_t487);
					L00401306();
				}
				_t677 = _a4;
				_t604 =  &_v372;
				_v380 = _v376;
				 *_t699 =  *0x401128;
				_v368 = _v360;
				_v372 = 0x6b40;
				_t491 =  *((intOrPtr*)( *_t677 + 0x6fc))(_t677,  &_v368, _t604, _t604, _t604, _v364,  &_v380,  &_v384);
				if(_t491 < 0) {
					_push(0x6fc);
					_push(0x42ac24);
					_push(_t677);
					_push(_t491);
					L00401306();
				}
				_push( &_v216);
				_push( &_v212);
				_push( &_v208);
				_t678 = 3;
				_push(_t678);
				L004012E8();
				_t636 = 1;
				_t495 = 0;
				while(_t495 <= 0x12e63) {
					_t495 = _t495 + _t636;
				}
				_t647 = 0xa;
				_v284 = 0x80020004;
				_v268 = 0x80020004;
				_v252 = 0x80020004;
				_push( &_v292);
				_push( &_v276);
				_push( &_v260);
				_push(0);
				_push( &_v244);
				_v292 = _t647;
				_v276 = _t647;
				_v260 = _t647;
				_v236 = 0xaf1aa;
				_a678 = 0x4205ef;
				_a678 = _a678 - 0xffffdda0;
				goto _a678;
			}

0x0042b846
0x0042b84d
0x0042b856
0x0042b859
0x0042b860
0x0042b868
0x0042b86b
0x0042b871
0x0042b874
0x0042b879
0x0042b87b
0x0042b883
0x0042b884
0x0042b887
0x0042b88a
0x0042b88d
0x0042b890
0x0042b893
0x0042b896
0x0042b899
0x0042b89c
0x0042b8a2
0x0042b8a8
0x0042b8ae
0x0042b8b4
0x0042b8ba
0x0042b8c0
0x0042b8c6
0x0042b8cc
0x0042b8d2
0x0042b8d8
0x0042b8de
0x0042b8e4
0x0042b8ea
0x0042b8f0
0x0042b8f6
0x0042b8fc
0x0042b902
0x0042b908
0x0042b90e
0x0042b914
0x0042b91a
0x0042b920
0x0042b926
0x0042b92c
0x0042b932
0x0042b938
0x0042b93e
0x0042b944
0x0042b94a
0x0042b950
0x0042b955
0x0042b957
0x0042b95c
0x0042b962
0x0042b963
0x0042b96d
0x0042b96e
0x0042b96f
0x0042b974
0x0042b97a
0x0042b982
0x0042b989
0x0042b98a
0x0042b994
0x0042b99f
0x0042b9a0
0x0042b9a6
0x0042b9ac
0x0042b9b6
0x0042b9b7
0x0042b9c5
0x0042b9cc
0x0042b9cd
0x0042b9cf
0x0042b9d4
0x0042b9da
0x0042b9dc
0x0042b9e7
0x0042b9e8
0x0042b9f2
0x0042b9fc
0x0042ba07
0x0042ba0c
0x0042ba0e
0x0042ba13
0x0042ba13
0x0042ba18
0x0042ba1f
0x0042ba21
0x0042ba26
0x0042ba2b
0x0042ba30
0x0042ba30
0x0042ba3f
0x0042ba46
0x0042ba4b
0x0042ba50
0x0042ba56
0x0042ba5a
0x0042ba5c
0x0042ba61
0x0042ba66
0x0042ba67
0x0042ba68
0x0042ba68
0x0042ba73
0x0042ba78
0x0042ba7f
0x0042ba81
0x0042ba86
0x0042ba8b
0x0042ba90
0x0042ba90
0x0042ba9f
0x0042baa6
0x0042bab1
0x0042bab7
0x0042babd
0x0042bac1
0x0042bac3
0x0042bac8
0x0042bacd
0x0042bace
0x0042bacf
0x0042bacf
0x0042bad4
0x0042badb
0x0042badd
0x0042bae2
0x0042bae7
0x0042baec
0x0042baec
0x0042bafb
0x0042bb02
0x0042bb0d
0x0042bb13
0x0042bb19
0x0042bb1d
0x0042bb1f
0x0042bb24
0x0042bb29
0x0042bb2a
0x0042bb2b
0x0042bb2b
0x0042bb30
0x0042bb31
0x0042bb37
0x0042bb3d
0x0042bb3e
0x0042bb43
0x0042bb44
0x0042bb4a
0x0042bb50
0x0042bb51
0x0042bb56
0x0042bb57
0x0042bb5c
0x0042bb62
0x0042bb80
0x0042bb87
0x0042bb8e
0x0042bb95
0x0042bb96
0x0042bb98
0x0042bba3
0x0042bbaa
0x0042bbab
0x0042bbad
0x0042bbb2
0x0042bbb8
0x0042bbbe
0x0042bbc5
0x0042bbc7
0x0042bbcc
0x0042bbd1
0x0042bbd6
0x0042bbd6
0x0042bbe5
0x0042bbec
0x0042bbf7
0x0042bbfd
0x0042bc00
0x0042bc04
0x0042bc06
0x0042bc08
0x0042bc0d
0x0042bc0e
0x0042bc0f
0x0042bc0f
0x0042bc14
0x0042bc1a
0x0042bc2e
0x0042bc1c
0x0042bc1c
0x0042bc21
0x0042bc26
0x0042bc27
0x0042bc27
0x0042bc33
0x0042bc43
0x0042bc46
0x0042bc4a
0x0042bc4c
0x0042bc4e
0x0042bc53
0x0042bc54
0x0042bc55
0x0042bc55
0x0042bc5a
0x0042bc6a
0x0042bc6d
0x0042bc73
0x0042bc77
0x0042bc79
0x0042bc7e
0x0042bc83
0x0042bc84
0x0042bc85
0x0042bc85
0x0042bc90
0x0042bc9b
0x0042bca2
0x0042bca3
0x0042bca5
0x0042bcaa
0x0042bcaf
0x0042bcb4
0x0042bcb6
0x0042bcbb
0x0042bcc0
0x0042bcc5
0x0042bcc5
0x0042bcd4
0x0042bcdb
0x0042bce6
0x0042bcec
0x0042bcef
0x0042bcf3
0x0042bcf5
0x0042bcf7
0x0042bcfc
0x0042bcfd
0x0042bcfe
0x0042bcfe
0x0042bd03
0x0042bd09
0x0042bd0b
0x0042bd10
0x0042bd11
0x0042bd11
0x0042bd16
0x0042bd26
0x0042bd29
0x0042bd2d
0x0042bd2f
0x0042bd31
0x0042bd36
0x0042bd37
0x0042bd38
0x0042bd38
0x0042bd3d
0x0042bd4d
0x0042bd50
0x0042bd56
0x0042bd5a
0x0042bd5c
0x0042bd61
0x0042bd66
0x0042bd67
0x0042bd68
0x0042bd68
0x0042bd73
0x0042bd7e
0x0042bd85
0x0042bd86
0x0042bd88
0x0042bd8d
0x0042bd90
0x0042bd96
0x0042bd98
0x0042bd9d
0x0042bd9e
0x0042bd9e
0x0042bda3
0x0042bdb4
0x0042bdbb
0x0042bdc0
0x0042bdc4
0x0042bdca
0x0042bdd1
0x0042bdd8
0x0042bddb
0x0042bddf
0x0042bde1
0x0042bde3
0x0042bde8
0x0042bde9
0x0042bdea
0x0042bdea
0x0042bdf5
0x0042be00
0x0042be05
0x0042be05
0x0042be08
0x0042be0d
0x0042be13
0x0042be14
0x0042be19
0x0042be1a
0x0042be1f
0x0042be25
0x0042be44
0x0042be4c
0x0042be52
0x0042be58
0x0042be5a
0x0042be5f
0x0042be64
0x0042be64
0x0042be69
0x0042be79
0x0042be7c
0x0042be80
0x0042be82
0x0042be84
0x0042be89
0x0042be8a
0x0042be8b
0x0042be8b
0x0042be90
0x0042bea0
0x0042bea2
0x0042bea5
0x0042bea9
0x0042beab
0x0042bead
0x0042beb2
0x0042beb3
0x0042beb4
0x0042beb4
0x0042bec2
0x0042bec8
0x0042bed3
0x0042bed8
0x0042bed9
0x0042beda
0x0042bedc
0x0042bee9
0x0042beee
0x0042bef5
0x0042bef7
0x0042befc
0x0042bf01
0x0042bf06
0x0042bf06
0x0042bf15
0x0042bf1c
0x0042bf27
0x0042bf2d
0x0042bf33
0x0042bf37
0x0042bf39
0x0042bf3e
0x0042bf43
0x0042bf44
0x0042bf45
0x0042bf45
0x0042bf4a
0x0042bf4b
0x0042bf57
0x0042bf58
0x0042bf5d
0x0042bf68
0x0042bf69
0x0042bf6a
0x0042bf6b
0x0042bf6c
0x0042bf72
0x0042bf73
0x0042bf7e
0x0042bf89
0x0042bf94
0x0042bf99
0x0042bf99
0x0042bf9c
0x0042bfa3
0x0042bfa5
0x0042bfaa
0x0042bfaf
0x0042bfb4
0x0042bfb4
0x0042bfc3
0x0042bfca
0x0042bfd5
0x0042bfdb
0x0042bfe1
0x0042bfe5
0x0042bfe7
0x0042bfec
0x0042bff1
0x0042bff2
0x0042bff3
0x0042bff3
0x0042c007
0x0042c00c
0x0042c00f
0x0042c016
0x0042c034
0x0042c03d
0x0042c047
0x0042c050
0x0042c05a
0x0042c064
0x0042c06c
0x0042c06e
0x0042c073
0x0042c078
0x0042c079
0x0042c07a
0x0042c07a
0x0042c085
0x0042c08c
0x0042c08d
0x0042c08f
0x0042c094
0x0042c09d
0x0042c0a2
0x0042c0a9
0x0042c0ab
0x0042c0b0
0x0042c0b5
0x0042c0ba
0x0042c0ba
0x0042c0c9
0x0042c0d0
0x0042c0db
0x0042c0e1
0x0042c0e7
0x0042c0eb
0x0042c0ed
0x0042c0f2
0x0042c0f7
0x0042c0f8
0x0042c0f9
0x0042c0f9
0x0042c110
0x0042c119
0x0042c125
0x0042c12a
0x0042c131
0x0042c133
0x0042c138
0x0042c13d
0x0042c142
0x0042c142
0x0042c151
0x0042c158
0x0042c163
0x0042c169
0x0042c16f
0x0042c173
0x0042c175
0x0042c17a
0x0042c17f
0x0042c180
0x0042c181
0x0042c181
0x0042c186
0x0042c191
0x0042c1b7
0x0042c1c3
0x0042c1c8
0x0042c1cf
0x0042c1d1
0x0042c1d6
0x0042c1db
0x0042c1e0
0x0042c1e0
0x0042c1ef
0x0042c1f6
0x0042c201
0x0042c207
0x0042c20a
0x0042c20e
0x0042c210
0x0042c212
0x0042c217
0x0042c218
0x0042c219
0x0042c219
0x0042c21e
0x0042c225
0x0042c227
0x0042c22c
0x0042c231
0x0042c236
0x0042c236
0x0042c245
0x0042c24c
0x0042c257
0x0042c25d
0x0042c260
0x0042c264
0x0042c266
0x0042c268
0x0042c26d
0x0042c26e
0x0042c26f
0x0042c26f
0x0042c274
0x0042c27f
0x0042c2a0
0x0042c2ac
0x0042c2b3
0x0042c2b4
0x0042c2b6
0x0042c2bb
0x0042c2c0
0x0042c2c5
0x0042c2c7
0x0042c2cc
0x0042c2d1
0x0042c2d6
0x0042c2d6
0x0042c2e5
0x0042c2ec
0x0042c2f7
0x0042c2fd
0x0042c303
0x0042c307
0x0042c309
0x0042c30e
0x0042c313
0x0042c314
0x0042c315
0x0042c315
0x0042c31a
0x0042c31b
0x0042c31c
0x0042c328
0x0042c329
0x0042c32e
0x0042c333
0x0042c338
0x0042c351
0x0042c33a
0x0042c33a
0x0042c33f
0x0042c344
0x0042c345
0x0042c34a
0x0042c34a
0x0042c360
0x0042c367
0x0042c372
0x0042c378
0x0042c37b
0x0042c37f
0x0042c381
0x0042c383
0x0042c388
0x0042c389
0x0042c38a
0x0042c38a
0x0042c38f
0x0042c396
0x0042c398
0x0042c39d
0x0042c39e
0x0042c3a3
0x0042c3a3
0x0042c3b2
0x0042c3b9
0x0042c3c4
0x0042c3ca
0x0042c3d0
0x0042c3d4
0x0042c3d6
0x0042c3db
0x0042c3e0
0x0042c3e1
0x0042c3e2
0x0042c3e2
0x0042c3e7
0x0042c3ee
0x0042c3f0
0x0042c3f5
0x0042c3f6
0x0042c3fb
0x0042c3fb
0x0042c40a
0x0042c411
0x0042c41c
0x0042c422
0x0042c425
0x0042c429
0x0042c42b
0x0042c42d
0x0042c432
0x0042c433
0x0042c434
0x0042c434
0x0042c439
0x0042c440
0x0042c442
0x0042c447
0x0042c448
0x0042c44d
0x0042c44d
0x0042c45c
0x0042c463
0x0042c46e
0x0042c474
0x0042c47a
0x0042c47e
0x0042c480
0x0042c485
0x0042c48a
0x0042c48b
0x0042c48c
0x0042c48c
0x0042c49d
0x0042c4a3
0x0042c4ae
0x0042c4c0
0x0042c4cd
0x0042c4d1
0x0042c4de
0x0042c4e5
0x0042c4ed
0x0042c4ef
0x0042c4f4
0x0042c4f9
0x0042c4fa
0x0042c4fb
0x0042c4fb
0x0042c506
0x0042c50d
0x0042c514
0x0042c51b
0x0042c51c
0x0042c51e
0x0042c529
0x0042c530
0x0042c537
0x0042c53e
0x0042c545
0x0042c54c
0x0042c54d
0x0042c54f
0x0042c554
0x0042c55d
0x0042c562
0x0042c569
0x0042c56b
0x0042c570
0x0042c575
0x0042c57a
0x0042c57a
0x0042c589
0x0042c590
0x0042c59b
0x0042c5a1
0x0042c5a7
0x0042c5ab
0x0042c5ad
0x0042c5b2
0x0042c5b7
0x0042c5b8
0x0042c5b9
0x0042c5b9
0x0042c5da
0x0042c5e3
0x0042c5ee
0x0042c5f8
0x0042c602
0x0042c60c
0x0042c619
0x0042c61b
0x0042c61c
0x0042c621
0x0042c624
0x0042c625
0x0042c625
0x0042c630
0x0042c635
0x0042c63c
0x0042c63e
0x0042c643
0x0042c648
0x0042c64d
0x0042c64d
0x0042c65c
0x0042c663
0x0042c66e
0x0042c674
0x0042c67a
0x0042c67e
0x0042c680
0x0042c685
0x0042c68a
0x0042c68b
0x0042c68c
0x0042c68c
0x0042c691
0x0042c698
0x0042c69a
0x0042c69f
0x0042c6a4
0x0042c6a9
0x0042c6a9
0x0042c6b8
0x0042c6bf
0x0042c6ca
0x0042c6d0
0x0042c6d6
0x0042c6da
0x0042c6dc
0x0042c6e1
0x0042c6e6
0x0042c6e7
0x0042c6e8
0x0042c6e8
0x0042c6f9
0x0042c710
0x0042c719
0x0042c723
0x0042c72c
0x0042c736
0x0042c740
0x0042c748
0x0042c74a
0x0042c74b
0x0042c750
0x0042c751
0x0042c752
0x0042c752
0x0042c767
0x0042c774
0x0042c77a
0x0042c79b
0x0042c7a1
0x0042c7a8
0x0042c7aa
0x0042c7af
0x0042c7b4
0x0042c7b9
0x0042c7b9
0x0042c7c8
0x0042c7cf
0x0042c7da
0x0042c7e0
0x0042c7e6
0x0042c7ea
0x0042c7ec
0x0042c7f1
0x0042c7f6
0x0042c7f7
0x0042c7f8
0x0042c7f8
0x0042c7fd
0x0042c804
0x0042c806
0x0042c80b
0x0042c810
0x0042c815
0x0042c815
0x0042c824
0x0042c82b
0x0042c836
0x0042c83c
0x0042c842
0x0042c846
0x0042c848
0x0042c84d
0x0042c852
0x0042c853
0x0042c854
0x0042c854
0x0042c859
0x0042c860
0x0042c862
0x0042c867
0x0042c86c
0x0042c871
0x0042c871
0x0042c880
0x0042c887
0x0042c892
0x0042c898
0x0042c89b
0x0042c89f
0x0042c8a1
0x0042c8a3
0x0042c8a8
0x0042c8a9
0x0042c8aa
0x0042c8aa
0x0042c8bb
0x0042c8d2
0x0042c8db
0x0042c8e1
0x0042c8f1
0x0042c8fa
0x0042c904
0x0042c90c
0x0042c90e
0x0042c90f
0x0042c914
0x0042c915
0x0042c916
0x0042c916
0x0042c921
0x0042c928
0x0042c92f
0x0042c932
0x0042c933
0x0042c934
0x0042c943
0x0042c944
0x0042c946
0x0042c94a
0x0042c94a
0x0042c950
0x0042c956
0x0042c95c
0x0042c962
0x0042c96e
0x0042c975
0x0042c97c
0x0042c97d
0x0042c984
0x0042c985
0x0042c98b
0x0042c991
0x0042c997
0x0042c9a1
0x0042c9ab
0x0042c9b5

APIs

__vbaAryConstruct2.MSVBVM60(?,0042B284,00000003), ref: 0042B950
__vbaAryConstruct2.MSVBVM60(?,0042B2A0,00000011,?,0042B284,00000003), ref: 0042B963
__vbaStrCat.MSVBVM60(0042B0DC,0042B0DC,?,0042B2A0,00000011,?,0042B284,00000003), ref: 0042B96F
#617.MSVBVM60(?,?,00000001,0042B0DC,0042B0DC,?,0042B2A0,00000011,?,0042B284,00000003), ref: 0042B994
__vbaVarTstNe.MSVBVM60(?,?,?,?,00000001,0042B0DC,0042B0DC,?,0042B2A0,00000011,?,0042B284,00000003), ref: 0042B9B7
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,00000001,0042B0DC,0042B0DC,?,0042B2A0,00000011,?,0042B284,00000003), ref: 0042B9CF
#598.MSVBVM60 ref: 0042B9DC
#648.MSVBVM60(00000008), ref: 0042B9FC
__vbaFreeVar.MSVBVM60(00000008), ref: 0042BA07
#580.MSVBVM60(Smaaartikler4,00000001,00000008), ref: 0042BA13
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042BA2B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BA46
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B100,00000128), ref: 0042BA68
__vbaFreeObj.MSVBVM60(00000000,00000000,0042B100,00000128), ref: 0042BA73
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042BA8B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BAA6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,000000E8), ref: 0042BACF
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042BAE7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BB02
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,00000108), ref: 0042BB2B
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042BB3E
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,?,00000000), ref: 0042BB51
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,?,?,00000000), ref: 0042BB62
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BB98
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000004,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BBAD
__vbaNew2.MSVBVM60(0042A030,00430010,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BBD1
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BBEC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B130,00000048,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC0F
__vbaNew2.MSVBVM60(0042AFA0,00430340,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC27
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC55
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000138,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC85
__vbaFreeStr.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042BC90
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCA5
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCC0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCDB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,00000048,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BCFE
__vbaNew2.MSVBVM60(0042AFA0,00430340,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD11
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD38
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000138,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD68
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD73
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD88
__vbaNew2.MSVBVM60(0042AFA0,00430340,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BD9E
__vbaLateMemCallLd.MSVBVM60(00000008,?,jHCw1jHImJpY116,00000000,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042BDBB
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042BDC4
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042BDD1
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,0000000C,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042BDEA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042BDF5
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042BE00
__vbaStrToAnsi.MSVBVM60(?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE14
__vbaSetSystemError.MSVBVM60(00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE25
__vbaFreeStr.MSVBVM60(00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE44
__vbaNew2.MSVBVM60(0042AFA0,00430340,00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE64
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BE8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000060,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEB4
__vbaStrMove.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEC8
__vbaFreeObj.MSVBVM60(?,00000000,?,?,00000000,?,?,00000000), ref: 0042BED3
#706.MSVBVM60(00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEDC
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BEE9
__vbaNew2.MSVBVM60(0042A030,00430010,00000001,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF01
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF1C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,00000198,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF45
#716.MSVBVM60(00000008,?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF58
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF73
__vbaFreeStr.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF7E
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF89
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BF94
__vbaNew2.MSVBVM60(0042A030,00430010,00000000,?,Mariamman,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BFAF
__vbaObjSet.MSVBVM60(?,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BFCA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,00000178,?,00000000,?,?,00000000,?,?,00000000), ref: 0042BFF3
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C007
__vbaI4Var.MSVBVM60(00000008,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C016
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC24,000006FC,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C07A
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C08F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C09D
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C0B5
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C0D0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,000000A0,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C0F9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C125
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C13D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C158
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,000001A0,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C181
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0042C1C3
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C1DB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C1F6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,00000078,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C219
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C231
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?,?), ref: 0042C24C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,00000060,?,?,?,?,?,?,?,?,00000000,?,?,00000000), ref: 0042C26F
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 0042C2B6
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0042C2D1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 0042C2EC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B130,00000178,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042C315
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042C329
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042C345
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C367
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B100,00000068), ref: 0042C38A
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042C39E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C3B9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,000000F0), ref: 0042C3E2
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042C3F6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C411
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,00000050), ref: 0042C434
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042C448
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C463
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,000000A0), ref: 0042C48C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042C4A3
__vbaStrVarMove.MSVBVM60(00000008,?,?,?,?), ref: 0042C4D1
__vbaStrMove.MSVBVM60(00000008,?,?,?,?), ref: 0042C4DE
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC24,000006F8,?,?,?,?), ref: 0042C4FB
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,?,?,?,?), ref: 0042C51E
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,00000004,?,?,?,?,?,?,?,?), ref: 0042C54F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C55D
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C575
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C590
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B130,000000E0,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C5B9
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC24,000006FC,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C625
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C630
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C648
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C663
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1B0,00000098,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C68C
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C6A4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C6BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1B0,000000B8,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C6E8
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC24,000006FC,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C752
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C767
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C7B4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C7CF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B120,00000198), ref: 0042C7F8
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C810
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C82B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1C0,00000178), ref: 0042C854
__vbaNew2.MSVBVM60(0042A030,00430010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C86C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0042C887
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,00000058), ref: 0042C8AA
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,0042AC24,000006FC), ref: 0042C916
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042C934

Strings

Smaaartikler4, xrefs: 0042BA0E
Mariamman, xrefs: 0042BE08
jHCw1jHImJpY116, xrefs: 0042BDAC
AMPHORAL, xrefs: 0042C104
@k, xrefs: 0042C8FA

Memory Dump Source

Source File: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Move$Late$AnsiCall$Construct2ErrorSystem$#580#598#617#648#706#716Addref
String ID: @k$AMPHORAL$Mariamman$Smaaartikler4$jHCw1jHImJpY116
API String ID: 1772267442-3703120728
Opcode ID: d275b03054d06f71af20a6f4e4325961dfa4c11ec35586978877fe9d8c90d68d
Instruction ID: b8e32eec01393805d1a3e03fe08c950c98262c8c807d7e897199c62f4f54a873
Opcode Fuzzy Hash: d275b03054d06f71af20a6f4e4325961dfa4c11ec35586978877fe9d8c90d68d
Instruction Fuzzy Hash: 47A272B1A00228ABDB24EF51DC95FDE77B8EF08304F5005AAF549F7191DB785A848F68

Uniqueness

Uniqueness Score: -1.00%

Function 0042E6CD, Relevance: 79.0, APIs: 42, Strings: 3, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0042E6CD(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, void* _a16, void* _a20) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v80;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _t78;
				signed int _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				void* _t85;
				intOrPtr* _t87;
				intOrPtr* _t89;
				void* _t91;
				char* _t92;
				intOrPtr* _t99;
				char _t139;
				intOrPtr* _t141;
				intOrPtr* _t148;
				intOrPtr* _t149;
				void* _t150;
				void* _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				void* _t155;
				intOrPtr _t161;
				void* _t168;

				_t168 = __fp0;
				_t153 = _t152 - 0xc;
				 *[fs:0x0] = _t153;
				_t154 = _t153 - 0x68;
				_v16 = _t154;
				_v12 = 0x401168;
				_v8 = 0;
				_t141 = _a4;
				 *((intOrPtr*)( *_t141 + 4))(_t141, __edi, __esi, __ebx,  *[fs:0x0], 0x4011b6, _t150);
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v88 = 0;
				_v108 = 0;
				L0040128E();
				L0040128E();
				L0040128E();
				_t78 =  *((intOrPtr*)( *_t141 + 0x114))(_t141, 1);
				asm("fclex");
				if(_t78 < 0) {
					_push(0x114);
					_push(0x42abf4);
					_push(_t141);
					_push(_t78);
					L00401306();
				}
				_t80 =  *((intOrPtr*)( *_t141 + 0x110))(_t141,  &_v108);
				asm("fclex");
				if(_t80 < 0) {
					_push(0x110);
					_push(0x42abf4);
					_push(_t141);
					_push(_t80);
					L00401306();
				}
				if(_v108 == 0) {
					L00401276();
					L004012CA();
					_push( &_v88);
					_v80 = 0x80020004;
					_v88 = 0xa;
					L00401270();
					st0 = _t168;
					L0040131E();
					_t161 =  *0x430340; // 0x220e8b4
					if(_t161 == 0) {
						_push(0x430340);
						_push(0x42afa0);
						L0040130C();
					}
					_t149 =  *0x430340; // 0x220e8b4
					_t80 =  *((intOrPtr*)( *_t149 + 0x48))(_t149, 0x9b,  &_v64);
					asm("fclex");
					if(_t80 < 0) {
						_push(0x48);
						_push(0x42b150);
						_push(_t149);
						_push(_t80);
						L00401306();
					}
					_v64 = 0;
					L004012CA();
				}
				_t155 = _t154 - 0x10;
				_v96 = 0x80020004;
				_v104 = 0xa;
				asm("movsd");
				asm("movsd");
				_push(L"Multigyrate");
				asm("movsd");
				_push(L"HAMPSHIREMEN");
				_push(L"HUNDEAGTIG");
				asm("movsd"); // executed
				L00401264(); // executed
				L004012CA();
				_push(_t80);
				_push(0);
				L0040126A();
				asm("sbb esi, esi");
				L004012E2();
				if( ~( ~( ~_t80)) != 0) {
					_t139 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v88);
					_v80 = 0;
					_v88 = _t139;
					L0040125E();
					L004012CA();
					L0040131E();
					L00401276();
					L004012CA();
					_t87 =  *0x430010; // 0x4afc90
					if(_t87 == 0) {
						_push(0x430010);
						_push(0x42a030);
						L0040130C();
						_t87 =  *0x430010; // 0x4afc90
					}
					_t89 =  &_v68;
					L00401312();
					_t148 = _t89;
					_t91 =  *((intOrPtr*)( *_t148 + 0x130))(_t148,  &_v72, _t89,  *((intOrPtr*)( *_t87 + 0x320))(_t87));
					asm("fclex");
					if(_t91 < 0) {
						_push(0x130);
						_push(0x42b1c0);
						_push(_t148);
						_push(_t91);
						L00401306();
					}
					_push(0);
					_push(0);
					_push(_v72);
					_t92 =  &_v88;
					_push(_t92);
					L004012B2();
					_push(_t92);
					L004012A6();
					L004012CA();
					_push(_t92);
					L00401258();
					L004012E2();
					_push( &_v72);
					_push( &_v68);
					_push(_t139);
					L004012E8();
					_t155 = _t155 + 0x1c;
					L0040131E();
				}
				_t81 =  *0x430010; // 0x4afc90
				if(_t81 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t81 =  *0x430010; // 0x4afc90
				}
				_t83 =  &_v68;
				L00401312();
				_v96 = 0x80020004;
				_v104 = 0xa;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t99 = _t83;
				asm("movsd");
				_t85 =  *((intOrPtr*)( *_t99 + 0x1b0))(_t99, _t83,  *((intOrPtr*)( *_t81 + 0x31c))(_t81));
				asm("fclex");
				if(_t85 < 0) {
					_push(0x1b0);
					_push(0x42b1c0);
					_push(_t99);
					_push(_t85);
					L00401306();
				}
				L00401300();
				asm("wait");
				_push(0x42ea1e);
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				L004012E2();
				return _t85;
			}

0x0042e6cd
0x0042e6d0
0x0042e6df
0x0042e6e6
0x0042e6ec
0x0042e6ef
0x0042e6f8
0x0042e6fb
0x0042e701
0x0042e70a
0x0042e70d
0x0042e710
0x0042e713
0x0042e716
0x0042e719
0x0042e71c
0x0042e71f
0x0042e722
0x0042e725
0x0042e728
0x0042e72b
0x0042e72e
0x0042e739
0x0042e744
0x0042e74e
0x0042e754
0x0042e758
0x0042e75a
0x0042e75f
0x0042e764
0x0042e765
0x0042e766
0x0042e766
0x0042e772
0x0042e778
0x0042e77c
0x0042e77e
0x0042e783
0x0042e788
0x0042e789
0x0042e78a
0x0042e78a
0x0042e793
0x0042e795
0x0042e79f
0x0042e7a7
0x0042e7a8
0x0042e7af
0x0042e7b6
0x0042e7bb
0x0042e7c0
0x0042e7c5
0x0042e7cb
0x0042e7cd
0x0042e7d2
0x0042e7d7
0x0042e7d7
0x0042e7dc
0x0042e7ee
0x0042e7f1
0x0042e7f5
0x0042e7f7
0x0042e7f9
0x0042e7fe
0x0042e7ff
0x0042e800
0x0042e800
0x0042e80b
0x0042e80e
0x0042e80e
0x0042e813
0x0042e818
0x0042e81f
0x0042e829
0x0042e82a
0x0042e82b
0x0042e830
0x0042e831
0x0042e836
0x0042e83b
0x0042e83c
0x0042e846
0x0042e84b
0x0042e84c
0x0042e84d
0x0042e856
0x0042e85f
0x0042e867
0x0042e86f
0x0042e870
0x0042e872
0x0042e874
0x0042e876
0x0042e87b
0x0042e87c
0x0042e87f
0x0042e882
0x0042e88c
0x0042e894
0x0042e899
0x0042e8a3
0x0042e8a8
0x0042e8af
0x0042e8b1
0x0042e8b6
0x0042e8bb
0x0042e8c0
0x0042e8c0
0x0042e8cf
0x0042e8d3
0x0042e8db
0x0042e8e1
0x0042e8e7
0x0042e8eb
0x0042e8ed
0x0042e8f2
0x0042e8f7
0x0042e8f8
0x0042e8f9
0x0042e8f9
0x0042e8fe
0x0042e8ff
0x0042e900
0x0042e903
0x0042e906
0x0042e907
0x0042e90f
0x0042e910
0x0042e91a
0x0042e91f
0x0042e920
0x0042e928
0x0042e930
0x0042e934
0x0042e935
0x0042e936
0x0042e93b
0x0042e941
0x0042e941
0x0042e946
0x0042e94d
0x0042e94f
0x0042e954
0x0042e959
0x0042e95e
0x0042e95e
0x0042e96d
0x0042e971
0x0042e979
0x0042e980
0x0042e98c
0x0042e98d
0x0042e98e
0x0042e98f
0x0042e994
0x0042e995
0x0042e99d
0x0042e99f
0x0042e9a1
0x0042e9a6
0x0042e9ab
0x0042e9ac
0x0042e9ad
0x0042e9ad
0x0042e9b5
0x0042e9ba
0x0042e9bb
0x0042e9e8
0x0042e9f0
0x0042e9f8
0x0042ea00
0x0042ea08
0x0042ea10
0x0042ea18
0x0042ea1d

APIs

__vbaStrCopy.MSVBVM60 ref: 0042E72E
__vbaStrCopy.MSVBVM60 ref: 0042E739
__vbaStrCopy.MSVBVM60 ref: 0042E744
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0042ABF4,00000114), ref: 0042E766
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,0042ABF4,00000110), ref: 0042E78A
#611.MSVBVM60(00000000,00401168,0042ABF4,00000110), ref: 0042E795
__vbaStrMove.MSVBVM60(00000000,00401168,0042ABF4,00000110), ref: 0042E79F
#593.MSVBVM60(?), ref: 0042E7B6
__vbaFreeVar.MSVBVM60(?), ref: 0042E7C0
__vbaNew2.MSVBVM60(0042AFA0,00430340,?), ref: 0042E7D7
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000048), ref: 0042E800
__vbaStrMove.MSVBVM60(00000000,0220E8B4,0042B150,00000048), ref: 0042E80E
#689.MSVBVM60(HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E83C
__vbaStrMove.MSVBVM60(HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E846
__vbaStrCmp.MSVBVM60(00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E84D
__vbaFreeStr.MSVBVM60(00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E85F
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E882
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E88C
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E894
#611.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E899
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E8A3
__vbaNew2.MSVBVM60(0042A030,00430010,?,000000FF,000000FE,000000FE,000000FE,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E8BB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E8D3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1C0,00000130), ref: 0042E8F9
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042E907
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042E910
__vbaStrMove.MSVBVM60(00000000), ref: 0042E91A
#531.MSVBVM60(00000000,00000000), ref: 0042E920
__vbaFreeStr.MSVBVM60(00000000,00000000), ref: 0042E928
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,00000000), ref: 0042E936
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0042E941
__vbaNew2.MSVBVM60(0042A030,00430010,00000000,00000000,HUNDEAGTIG,HAMPSHIREMEN,Multigyrate), ref: 0042E959
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E971
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B1C0,000001B0), ref: 0042E9AD
__vbaFreeObj.MSVBVM60(00000000,00000000,0042B1C0,000001B0), ref: 0042E9B5
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042E9E8
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042E9F0
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042E9F8
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042EA00
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042EA08
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042EA10
__vbaFreeStr.MSVBVM60(0042EA1E), ref: 0042EA18

Strings

HAMPSHIREMEN, xrefs: 0042E831
HUNDEAGTIG, xrefs: 0042E836
Multigyrate, xrefs: 0042E82B

Memory Dump Source

Source File: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$CopyNew2$#611$#531#593#689#704CallLateList
String ID: HAMPSHIREMEN$HUNDEAGTIG$Multigyrate
API String ID: 4052605307-3540949827
Opcode ID: 06f90f8a130ebd04f4af5338024709c3fbbc642db77552f6bf914ea279beaba7
Instruction ID: 1eada3e1e51c7d07ff67b8f038f1208142cf80b3a76150b1833d638706eb1baf
Opcode Fuzzy Hash: 06f90f8a130ebd04f4af5338024709c3fbbc642db77552f6bf914ea279beaba7
Instruction Fuzzy Hash: F9917F70A00218ABCB04EFE6D896EDEB7B8AF08304F60457EF512B71E5DB785905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 006215F3, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.725355353.0000000000620000.00000020.00000001.sdmp, Offset: 00620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_dt9XEhpeQQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7ea6595fc8bebe7cbb02128d8673e9ec24ef43a908befcfba26f1f903d87ec1
Instruction ID: 6e06abac7ef6bdf6cb0e33cd5dde13af73edf5263a396abeed5c32d1b7752301
Opcode Fuzzy Hash: f7ea6595fc8bebe7cbb02128d8673e9ec24ef43a908befcfba26f1f903d87ec1
Instruction Fuzzy Hash: 7AD05E7130F280AFD309DB249D1699A3FF49B87211B1908FEE544CB283E6149C458B22

Uniqueness

Uniqueness Score: -1.00%

Function 0042AE64, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2a18af3ef13eb26cfeddca0a18b11fead565a88cece920636cdc4de70cfcc93
Instruction ID: b63c465e44f853c5aae564998e2fcdecb3df0ff2ba61df4efbd747293e9f26a8
Opcode Fuzzy Hash: a2a18af3ef13eb26cfeddca0a18b11fead565a88cece920636cdc4de70cfcc93
Instruction Fuzzy Hash: E4B012103C41119B520042546C42825328093407803A50D73FD40D21A0DA18CD51823F

Uniqueness

Uniqueness Score: -1.00%

Function 0042AEB8, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b01787749095553df2a2c0117c056f9b527d89aa555824e79c444d58f1eee368
Instruction ID: 37f56a260c71b3d43d7287515492887dadbee2fdee13d04a342efa4777383eb4
Opcode Fuzzy Hash: b01787749095553df2a2c0117c056f9b527d89aa555824e79c444d58f1eee368
Instruction Fuzzy Hash: 3AB012103D81139B931042586C02C226181D7443C03A10CB3F900D11D0C778CC11822F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02272CBB, Relevance: 5.2, Strings: 3, Instructions: 1427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@bXN, xrefs: 02272E42
p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: @bXN$p;n$p;n
API String ID: 0-2243440554
Opcode ID: 14e2510a8d09736ea3875f339bb16f9080d69212cf423b86f73adbe1ab60ba63
Instruction ID: 10ef7216a93147b19ec1420bda908a0c918bcc2fc7f6c7f4c67e4097a50fbdc7
Opcode Fuzzy Hash: 14e2510a8d09736ea3875f339bb16f9080d69212cf423b86f73adbe1ab60ba63
Instruction Fuzzy Hash: 27B23071A0434A9FDB349F78CD947DAB7A2FF49350F95822DDC899B244D7309A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02278F6A, Relevance: 4.7, Strings: 3, Instructions: 980
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

a^8B, xrefs: 02279204
p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: a^8B$p;n$p;n
API String ID: 0-1784159263
Opcode ID: 8ea949d3a3149350b724982557ed27469f1561f28a917438b3016b858f7296cb
Instruction ID: 45a7783c8e929baccba2c834b8d32e40c3ca50ea621760149ff72c9ab670e381
Opcode Fuzzy Hash: 8ea949d3a3149350b724982557ed27469f1561f28a917438b3016b858f7296cb
Instruction Fuzzy Hash: E272617260430A9FDF349E78C9947DABBA3FF56350F91822DDC899B214D7348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022723A5, Relevance: 4.6, Strings: 3, Instructions: 861
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p;n, xrefs: 02274EC7
(o, xrefs: 022723AB
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n$(o
API String ID: 0-4237956624
Opcode ID: 6395be070ad972bcc21a22ab3cb1ed48adfe74e9480304551ab1869eab7f9942
Instruction ID: 78328a4fa2c3dfd9ce80e730efcb2c2003a1f166fc96f63d7534eadf2e360df2
Opcode Fuzzy Hash: 6395be070ad972bcc21a22ab3cb1ed48adfe74e9480304551ab1869eab7f9942
Instruction Fuzzy Hash: 666251B1A0434A9FDF349E78C9947DABBB2FF55350F85812DDC899B214D7308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02277929, Relevance: 4.5, Strings: 3, Instructions: 766
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`, xrefs: 022779DA
p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: `$p;n$p;n
API String ID: 0-2209806609
Opcode ID: 891893f2670cae1ed9dc505649da5b3e18a7c19165f55ff8f657a19c29723d68
Instruction ID: 0cfb00f7d2874e04574f5a6adfa571790b2cb4951ed909a7a0a0a3d887ad4310
Opcode Fuzzy Hash: 891893f2670cae1ed9dc505649da5b3e18a7c19165f55ff8f657a19c29723d68
Instruction Fuzzy Hash: DE52527260434A9FDF349E78C9947DABBB2FF59350F86822DDC8997214D7348A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0227282E, Relevance: 3.4, Strings: 2, Instructions: 950
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: be4ad51ccf4fa305fa6526c8261b6d7fda7717bfec2f5463eb4a5e0736fa99a0
Instruction ID: fda461cf4e224c00c4badb375cf816c62e960240e0769d1a5a150b714d381893
Opcode Fuzzy Hash: be4ad51ccf4fa305fa6526c8261b6d7fda7717bfec2f5463eb4a5e0736fa99a0
Instruction Fuzzy Hash: D472427160834A9FDB349E78CD947DABBB2FF59350F91422EDC899B214D7318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022741B9, Relevance: 3.2, Strings: 2, Instructions: 713
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: c71b3b8d614d83d2852c40e69c76b0c8cc777d6d04f22640c2eb055ff8126b73
Instruction ID: 9a48023d707a63a05fdbf29885fdf7a8a26c39ee3ae12a4bb3bb5cc8ebcedcfe
Opcode Fuzzy Hash: c71b3b8d614d83d2852c40e69c76b0c8cc777d6d04f22640c2eb055ff8126b73
Instruction Fuzzy Hash: 72523072A1534A9FDF249F68C9947DABBB3FF19350F81812DDC899B214D7344A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0227452A, Relevance: 3.0, Strings: 2, Instructions: 542COMMON

Download Yara Rule

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: 7eb0bc0d03a212edec665b19ee29795bd63bd40eba6e4c0c69a8e49875281309
Instruction ID: 2470c64ed2f7270ce774b9e12b694dd6cbf7716b702d0cd61c49b23eb91f18c2
Opcode Fuzzy Hash: 7eb0bc0d03a212edec665b19ee29795bd63bd40eba6e4c0c69a8e49875281309
Instruction Fuzzy Hash: 00223372A1534A9FDF209F68C9847DAB7B3FF19390F85812DDC899B214D7344A82CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02274700, Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: c4f9ecc53641e5cc964adbfd686596c90acd812bcf8832593078765af30b58ad
Instruction ID: 3b71bc3062977511d3a872cb3c9d28da9485454883812cbaf60ffc713e7e5bef
Opcode Fuzzy Hash: c4f9ecc53641e5cc964adbfd686596c90acd812bcf8832593078765af30b58ad
Instruction Fuzzy Hash: DAF15076A04389AFDF349E68CD947EA7BB3EF59340F86412DDC889B214D7704A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02274922, Relevance: 2.8, Strings: 2, Instructions: 346COMMON

Download Yara Rule

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: 7f85f5f087a8aaef7590f6bbbfeb5af66a9fec2f28111266e2c26077fe7694e1
Instruction ID: d1827e9eb202b0921d2371a7d17eade995c21010526ec063980283bf0bd8aa8f
Opcode Fuzzy Hash: 7f85f5f087a8aaef7590f6bbbfeb5af66a9fec2f28111266e2c26077fe7694e1
Instruction Fuzzy Hash: 2FD11072A15349DBCF249F68CC847DAB7B3FF15394F85812ADC899B214D7354A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02274A31, Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: 52a608964dc6963371a2aeebd7034633171089b183877855faf707b592e869fa
Instruction ID: 8225c0584e9be8b461820e6752b4d612a206324372c06261be98003bf20503e3
Opcode Fuzzy Hash: 52a608964dc6963371a2aeebd7034633171089b183877855faf707b592e869fa
Instruction Fuzzy Hash: 9FB13175A0438A9FDF359E78CD947DA7BB2FF19380F85412ADC898B220D7714A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02274B5A, Relevance: 2.8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

Strings

p;n, xrefs: 02274EC7
p;n, xrefs: 02274E02

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: p;n$p;n
API String ID: 0-1709402006
Opcode ID: c5303ad161478f82e94e15b0509eddfb59f2addc22bb12464b1b381e9f0e2a28
Instruction ID: 70d6fb582150f6050b5f82012105710604b37a1c68f6c172aa23980bca3162b9
Opcode Fuzzy Hash: c5303ad161478f82e94e15b0509eddfb59f2addc22bb12464b1b381e9f0e2a28
Instruction Fuzzy Hash: E1913075A1434AAFDF359E78CC947EA7BA3FF19340F854129EC888B214DB314A84CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02271F06, Relevance: 1.7, Strings: 1, Instructions: 475COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: 4fab6cf20eeca970a18c726793cd82a9b65a8a4318bed663f32c1fbc38656876
Instruction ID: 4fcdee93711782b86a8c827dffced30e64b169fbb23c4f6b19f32c8ccbdfb2d1
Opcode Fuzzy Hash: 4fab6cf20eeca970a18c726793cd82a9b65a8a4318bed663f32c1fbc38656876
Instruction Fuzzy Hash: 3BF1B533E2671ACACB10AF64C8913DBB7B3BF513A0F41D02ADC9596209D3394A56C74B

Uniqueness

Uniqueness Score: -1.00%

Function 02271C8D, Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: f9c91e5a1d4a6b38243a23b84d4308f47e16ef444ea530e889b9a70745bbafa9
Instruction ID: 2c2e30189d69e5fd7b5db311b74cbd7e5f452b46d8cfc7642f20fb765f11c777
Opcode Fuzzy Hash: f9c91e5a1d4a6b38243a23b84d4308f47e16ef444ea530e889b9a70745bbafa9
Instruction Fuzzy Hash: DAF1B473A2671ACACB10AF64C8D53DBB7B3BF543A4F40D12ADC95A6209D3354A52C70B

Uniqueness

Uniqueness Score: -1.00%

Function 022705C4, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: 0ca2ae5e2903b6bcc87a227d23b27977e0a56611f167c5ea9050f0d2a841e584
Instruction ID: b1ba26ef7ead659388ca2164c58215caf6ef7749e731b96f1013055ddd87214b
Opcode Fuzzy Hash: 0ca2ae5e2903b6bcc87a227d23b27977e0a56611f167c5ea9050f0d2a841e584
Instruction Fuzzy Hash: 56C13233E27716C6CB10AF54C8D12DBB6B3BF653E4F45E02ACC9696209E3354A56870B

Uniqueness

Uniqueness Score: -1.00%

Function 02270763, Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: 9b32646882baa76b23027782197b15159e6cbba06b7b76552b74d704f515b1a2
Instruction ID: efa4cd961d13f79b33f4892ec8d45f2374c97df4360203d5da7aee2e23186ff1
Opcode Fuzzy Hash: 9b32646882baa76b23027782197b15159e6cbba06b7b76552b74d704f515b1a2
Instruction Fuzzy Hash: B9B12373E2775AC5CB10AB14C8D12CBB6B3BF653E4F14E02ACC9295259D3394A17870B

Uniqueness

Uniqueness Score: -1.00%

Function 022776CE, Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: 188a96b035c3de0504a8890c2bf1b49050301343a6d059f3eef0cb67431616fb
Instruction ID: ac087f9e664f391074010813335580fc82bb9d1570eef4aa39619425364dab1b
Opcode Fuzzy Hash: 188a96b035c3de0504a8890c2bf1b49050301343a6d059f3eef0cb67431616fb
Instruction Fuzzy Hash: 2DB10173E3771AC5CB10AB10C8D12DBB6B3BF653E4F45E02ACC96A5209D3394A16834B

Uniqueness

Uniqueness Score: -1.00%

Function 0227737E, Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: 7b9ee60ffac14ca735ff16d6197fa8c0faf02ee70560195fd6fec625a0fb5af2
Instruction ID: 686d5c96819c07461142f0e973cb5a8c5323370f5a7ca70d457058fac2ff7dae
Opcode Fuzzy Hash: 7b9ee60ffac14ca735ff16d6197fa8c0faf02ee70560195fd6fec625a0fb5af2
Instruction Fuzzy Hash: 3FB10F33E2771AC5CB10AB14C8D12DBB6B3BF653E4F41E02ACC96A5209D3394A17874B

Uniqueness

Uniqueness Score: -1.00%

Function 02271793, Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

B_, xrefs: 02270A6C

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: B_
API String ID: 0-3718968702
Opcode ID: 8dc891e98f0c9d14751819b96a5c9876a7f6df749dd2a803961e923aaf4534a1
Instruction ID: 4fa6eee62ffba16f0ac7a50e6d1d759e225af90c25ab0ac5d6e0d3500665210d
Opcode Fuzzy Hash: 8dc891e98f0c9d14751819b96a5c9876a7f6df749dd2a803961e923aaf4534a1
Instruction Fuzzy Hash: 9DB1F073E2771AC5CB10AF14C8D12DBB6B3BF653E4F45E02ACC92A5219D3394A16874B

Uniqueness

Uniqueness Score: -1.00%

Function 02270F82, Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

T?, xrefs: 02271384

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: T?
API String ID: 0-2357207537
Opcode ID: 7ebf3e7d382b7e5967eba2dd4355afabfd1dc3be9ca25a11dc331ad4bda516ee
Instruction ID: 73c84c635dfe9eb342457db5816e269b4d02444b2fae8cc61777fa71cfaab920
Opcode Fuzzy Hash: 7ebf3e7d382b7e5967eba2dd4355afabfd1dc3be9ca25a11dc331ad4bda516ee
Instruction Fuzzy Hash: 96819D311083878FDF315EB888953EFBBA3AF52390F66426ECC8997589C7758485CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02271389, Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

k, xrefs: 022716F4

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: k
API String ID: 0-2690311395
Opcode ID: 29fb7a51ff4195a4970e24c473a8bd6d808b0c7c2593fdad2a5fc830981121d1
Instruction ID: 5ead69581d7ef21ba778c24027dd0b91b5d0a9dc2055cf46781da755afe244be
Opcode Fuzzy Hash: 29fb7a51ff4195a4970e24c473a8bd6d808b0c7c2593fdad2a5fc830981121d1
Instruction Fuzzy Hash: 94719A71A08345CFCB245F38CD947EA7BE2AF66350F5A412DDCCA97255D3748985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02271498, Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

k, xrefs: 022716F4

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: k
API String ID: 0-2690311395
Opcode ID: 96e3a8f6cf31fd2f9fba58940edbd2ea881b0845c7fc9526638cf1ec0689ec4c
Instruction ID: e275aaebba7f5491a6285a7863a304491f15ca5146e3ffe141221c6bcfb13334
Opcode Fuzzy Hash: 96e3a8f6cf31fd2f9fba58940edbd2ea881b0845c7fc9526638cf1ec0689ec4c
Instruction Fuzzy Hash: C3612333A26759CACB10AF24C8C16DBB7B3BF213A4F15902ECC9296219D3358952C70B

Uniqueness

Uniqueness Score: -1.00%

Function 02278F7C, Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

a^8B, xrefs: 02279204

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: a^8B
API String ID: 0-1269944455
Opcode ID: aed4923f6b305518f1801f0366454b4c7f8a112cdd5b3171572646980badadbc
Instruction ID: ce75b20448e7b784ed50f56bcc272bd23a9c591cb9d7ddc321b3488419303d47
Opcode Fuzzy Hash: aed4923f6b305518f1801f0366454b4c7f8a112cdd5b3171572646980badadbc
Instruction Fuzzy Hash: 7351E733A3770689DB11AB64C8953DBB6B3BF113A4F10E029CC529A119D3798992870A

Uniqueness

Uniqueness Score: -1.00%

Function 0227903F, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

a^8B, xrefs: 02279204

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: a^8B
API String ID: 0-1269944455
Opcode ID: 7cb6fadd9bc66e459f3092e988d3528cc9e18ef2beab422931a43083eba76844
Instruction ID: b5a48941c173ebdbd4bb13c227e91f34f70d43c2fb1dc25d526f56e2a3560348
Opcode Fuzzy Hash: 7cb6fadd9bc66e459f3092e988d3528cc9e18ef2beab422931a43083eba76844
Instruction Fuzzy Hash: 0851E833A33716CDDB11AB64C8953DBB6B3BF113B4F10E02ACC529A119D3798592874A

Uniqueness

Uniqueness Score: -1.00%

Function 0227127D, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

T?, xrefs: 02271384

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID: T?
API String ID: 0-2357207537
Opcode ID: ff20af00b9ce20f2782fc4ab4b73eb5d4d9c85700bf1a692fd4ad33a81da3b7c
Instruction ID: 1d8c88f2f6f7561a89ae3758cc07e26af0edae020a2ddb5b0c15ec86cb2763e7
Opcode Fuzzy Hash: ff20af00b9ce20f2782fc4ab4b73eb5d4d9c85700bf1a692fd4ad33a81da3b7c
Instruction Fuzzy Hash: A13148311087C7ABDB319E7C89593DEFBE16F52364F8A839ECC944B59AC3754049CA02

Uniqueness

Uniqueness Score: -1.00%

Function 022782E3, Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f963664a8e8a647cfcce32a07ff5ecae446a2f91797b0dcba150c3d3cedc827b
Instruction ID: 88c1e0b2392372e655c801fe3a22d0febf7d98ce86c2bbc7b30c7d5d5230adfc
Opcode Fuzzy Hash: f963664a8e8a647cfcce32a07ff5ecae446a2f91797b0dcba150c3d3cedc827b
Instruction Fuzzy Hash: 9A020661A183828EDB21CB78C8DC796BBD29F17260F59C29EC8E58F1DAD3758446C713

Uniqueness

Uniqueness Score: -1.00%

Function 02272F01, Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36d30e14e7485c6bc818cedee27e1cc0079d27d452fbd3e61dc8b9d673eca184
Instruction ID: 69b63a5774db209714ee51cee03c350a82b32ffc9833dbebc649fea626c48276
Opcode Fuzzy Hash: 36d30e14e7485c6bc818cedee27e1cc0079d27d452fbd3e61dc8b9d673eca184
Instruction Fuzzy Hash: AAC1EF32B2570ADBDB24CF68CC907DAB3B3BF053A0F448229DC999B245D7355A92CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02273041, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23a31342189f51803f39f41ec877b3b5cef1739036565d6b05d65b5922eeae82
Instruction ID: 884b8ce91eb6d285e3ee66b4688ab2a5d9a11a274846765ed730b4ba50797cc9
Opcode Fuzzy Hash: 23a31342189f51803f39f41ec877b3b5cef1739036565d6b05d65b5922eeae82
Instruction Fuzzy Hash: 9B9132317047069FDB25CFB8CC947EAB7A2FF46310F944229DCA88B285D770A995CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0227389C, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c21a3011a47384bf99b67678c3294345965a463ba2276a450c245b28d009d564
Instruction ID: fb9e7a8c22a42fc6fccd98b3e37c4312f2f27d54925cabbe9af21037cbd35481
Opcode Fuzzy Hash: c21a3011a47384bf99b67678c3294345965a463ba2276a450c245b28d009d564
Instruction Fuzzy Hash: 66919A717183419FDB289F78C9E87EA77A2FF16350F51826DDC969B2A5C7308981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022730D6, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c42b5fe8fdb74209c73a692af78de7bb88351887d9fb48dd1a9ce031d9d8bfe
Instruction ID: 38a25e8531e97d6d190aa9161e85741b5c10deaa16c334820bd8f8dac60af18d
Opcode Fuzzy Hash: 0c42b5fe8fdb74209c73a692af78de7bb88351887d9fb48dd1a9ce031d9d8bfe
Instruction Fuzzy Hash: 269120317047469FDB25CFB8CC90BEA77A2FF45310F984229DC998B284DB70A995CB91

Uniqueness

Uniqueness Score: -1.00%

Function 022783EB, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33c7bad26b8706c3d07487e63e84cd13365563c1a101216d0b19197ad9e94e85
Instruction ID: 271c44f322e9fefc4a617b0b65ed3308389c156a8552339449dcf1c47a1da81a
Opcode Fuzzy Hash: 33c7bad26b8706c3d07487e63e84cd13365563c1a101216d0b19197ad9e94e85
Instruction Fuzzy Hash: E881A0519183C24EDB228B78899CB56AED19F13270F5DC3EAC8E94E0EBD3758446C713

Uniqueness

Uniqueness Score: -1.00%

Function 02272869, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da58f9b1aec4407098aaa0a6f4f64ace539d89466d719ad5d63b59210949b166
Instruction ID: e18ebf39d208a9921eeab771176c0225930df55b503edb7d98651eff19136135
Opcode Fuzzy Hash: da58f9b1aec4407098aaa0a6f4f64ace539d89466d719ad5d63b59210949b166
Instruction Fuzzy Hash: 14717531618349DFDB309E788C947DB7BA6EF99760F91422EDC899B258D3314A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02270247, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41531ccc29dce6f7d8e77795890d46cae34edd3e20d26e767bb94acc3a32a6f0
Instruction ID: 70143e85ceb2a0944c28795d05ca3bc7bbb65b370d0279bd9679313d54097f03
Opcode Fuzzy Hash: 41531ccc29dce6f7d8e77795890d46cae34edd3e20d26e767bb94acc3a32a6f0
Instruction Fuzzy Hash: DB61F677E26316DACB106B64C8D13DFB7B3BF513A0F41912ACC91A6209E73949878707

Uniqueness

Uniqueness Score: -1.00%

Function 022784E9, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11422ca7acd03f100eecd89e25be94c0fe2f041e24ee44ac3b63e586578797c8
Instruction ID: cf75b1664d684abba9ccb5cc656820fec52eacfef53e017d5d51fe7ba379c2fe
Opcode Fuzzy Hash: 11422ca7acd03f100eecd89e25be94c0fe2f041e24ee44ac3b63e586578797c8
Instruction Fuzzy Hash: 1361E2519183825EDB218B7888CCB56BED19F13270F5DC3E9C8A54E1EBE3798445C313

Uniqueness

Uniqueness Score: -1.00%

Function 02271F11, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fa668eca64f4eb115ee6fb882fc4e6faeb0fa40aa36361f3b4a8f88c39d764
Instruction ID: 56b814710c18e8a6a93b4d0d83165d122fb751c86e721ec0e2bcbf800bc98bc6
Opcode Fuzzy Hash: c8fa668eca64f4eb115ee6fb882fc4e6faeb0fa40aa36361f3b4a8f88c39d764
Instruction Fuzzy Hash: F151C573E26756CACB20AF64CC816CFB6B3BF613A0F40D11DDC959A205E3354A92C75A

Uniqueness

Uniqueness Score: -1.00%

Function 022717A4, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4eee5bc261b89b9d0caca471fdd842f9964a6773870160bcca15262061ddfb
Instruction ID: c39bd2bfdec6cd7c35669d0b26fcad613396a0214394e9c3e89930469f149c5f
Opcode Fuzzy Hash: 2d4eee5bc261b89b9d0caca471fdd842f9964a6773870160bcca15262061ddfb
Instruction Fuzzy Hash: 055105306087C65FDB228E7C8C547DA7FA2AF47320F99839EC8D88B196D3395556C782

Uniqueness

Uniqueness Score: -1.00%

Function 02272A05, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fda08eca8db078cc54c7649f747f516a7e08efa3c2c3f0adb10c98418912146b
Instruction ID: 429f78326cefa45c4bd1b4574677aeda1c6141ca08e175f56adf33b6785c7c49
Opcode Fuzzy Hash: fda08eca8db078cc54c7649f747f516a7e08efa3c2c3f0adb10c98418912146b
Instruction Fuzzy Hash: FE418971518399DFDB309EB88D983D73BA6EF16350F91062EDC8AC7255D3314A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022725ED, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf741a6410b124d00b038169e3ed70faf020f1847209b585f21dfe155cb4ef5
Instruction ID: 60284301d140ac3fcfebd5667421a4e566a13fd3e19eb991f7244b5a19906f61
Opcode Fuzzy Hash: 7bf741a6410b124d00b038169e3ed70faf020f1847209b585f21dfe155cb4ef5
Instruction Fuzzy Hash: BE413571A1434A8FDB209EB4CDE47EE33A7AF85390F84423DEC8A5B248D7754A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0227541A, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22754a82f963a3f16024ce6922cd03ee21c1b28ebe473057441a666e7b0c6a7
Instruction ID: 7fa9171225312b70ee56f51d6119354176be3efb45011176f72bb7cdaffa9955
Opcode Fuzzy Hash: e22754a82f963a3f16024ce6922cd03ee21c1b28ebe473057441a666e7b0c6a7
Instruction Fuzzy Hash: 3D3138712143494BCB388E788DE47EF73A79F95340F95813DEC4ACA694E3358985C205

Uniqueness

Uniqueness Score: -1.00%

Function 0227787F, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9bfc5c822f19b8ae040d038f8aefcb976024a190a867f8fdf974a8cd676dfe
Instruction ID: 7d06606267d3191d05ea8ddc114680863d23124017fe076a13d763823272006d
Opcode Fuzzy Hash: 7a9bfc5c822f19b8ae040d038f8aefcb976024a190a867f8fdf974a8cd676dfe
Instruction Fuzzy Hash: 52F0B8347286168FC724CE48C5D8FA9B3A5AF18714F858066E8848B669C330EC80DF20

Uniqueness

Uniqueness Score: -1.00%

Function 02275346, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a450e0c0679e8d8f474f34c8c3cc520e259c049b0fcadc843ba1cb42428e6721
Instruction ID: 5689d5d5a5f5b523f4951cd059355b596d6d1a66694fc7e3e4dd51b19337a4b0
Opcode Fuzzy Hash: a450e0c0679e8d8f474f34c8c3cc520e259c049b0fcadc843ba1cb42428e6721
Instruction Fuzzy Hash: 2AB092B62416818FEF02CA48C4C1B4073E0F704644B0804E0E002CB751D268ED40CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02277390, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.726927827.0000000002270000.00000040.00000001.sdmp, Offset: 02270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2270000_dt9XEhpeQQ.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547b9292f2af6695911f46c5a1de5c506702afa9df24216b6881de48a1abf447
Instruction ID: 6796a63299ce9b77ea74ad4216dfb0aa33e5aff24751ff814fb4ccff335d1c79
Opcode Fuzzy Hash: 547b9292f2af6695911f46c5a1de5c506702afa9df24216b6881de48a1abf447
Instruction Fuzzy Hash: 84B092383116408FC641CE0AC2C0F84B3A0BB48A40BD144A4E80187B11C228E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 0042EC4E, Relevance: 109.0, APIs: 58, Strings: 4, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E0042EC4E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v80;
				char _v84;
				char _v88;
				void* _t105;
				intOrPtr* _t106;
				void* _t107;
				void* _t109;
				intOrPtr* _t110;
				void* _t111;
				intOrPtr* _t115;
				intOrPtr* _t117;
				void* _t119;
				char* _t120;
				char* _t121;
				intOrPtr* _t128;
				intOrPtr* _t130;
				void* _t132;
				intOrPtr _t133;
				void* _t135;
				intOrPtr* _t136;
				void* _t137;
				intOrPtr* _t138;
				intOrPtr* _t140;
				void* _t142;
				void* _t144;
				intOrPtr* _t145;
				void* _t146;
				char* _t149;
				char* _t150;
				void* _t151;
				void* _t153;
				intOrPtr* _t154;
				void* _t155;
				void* _t157;
				intOrPtr* _t158;
				void* _t159;
				char* _t160;
				void* _t161;
				intOrPtr* _t163;
				void* _t210;
				intOrPtr* _t212;
				intOrPtr* _t213;
				intOrPtr* _t214;
				intOrPtr* _t215;
				intOrPtr* _t217;
				intOrPtr* _t219;
				intOrPtr* _t220;
				intOrPtr* _t221;
				intOrPtr* _t222;
				intOrPtr* _t223;
				intOrPtr* _t224;
				intOrPtr* _t225;
				intOrPtr* _t226;
				intOrPtr* _t227;
				intOrPtr* _t228;
				intOrPtr* _t229;
				intOrPtr* _t230;
				intOrPtr _t233;
				intOrPtr _t238;

				_push(0x4011b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t233;
				_v12 = _t233 - 0x68;
				_v8 = E00401198;
				_t238 =  *0x430340; // 0x220e8b4
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v80 = 0;
				_v84 = 0;
				_v88 = 0;
				_t163 = 0x430340;
				if(_t238 == 0) {
					_push(0x430340);
					_push(0x42afa0);
					L0040130C();
				}
				_t212 =  *0x430340; // 0x220e8b4
				_t105 =  *((intOrPtr*)( *_t212 + 0x14))(_t212,  &_v60);
				asm("fclex");
				if(_t105 >= 0) {
					_t210 = 0x42b150;
				} else {
					_push(0x14);
					_t210 = 0x42b150;
					_push(0x42b150);
					_push(_t212);
					_push(_t105);
					L00401306();
				}
				_t106 = _v60;
				_t213 = _t106;
				_t107 =  *((intOrPtr*)( *_t106 + 0xc8))(_t106,  &_v84);
				asm("fclex");
				if(_t107 < 0) {
					_push(0xc8);
					_push(0x42ac60);
					_push(_t213);
					_push(_t107);
					L00401306();
				}
				L00401300();
				if( *0x430340 == 0) {
					_push(_t163);
					_push(0x42afa0);
					L0040130C();
				}
				_t214 =  *0x430340; // 0x220e8b4
				_t109 =  *((intOrPtr*)( *_t214 + 0x14))(_t214,  &_v60);
				asm("fclex");
				if(_t109 < 0) {
					_push(0x14);
					_push(_t210);
					_push(_t214);
					_push(_t109);
					L00401306();
				}
				_t110 = _v60;
				_t215 = _t110;
				_t111 =  *((intOrPtr*)( *_t110 + 0x100))(_t110,  &_v88);
				asm("fclex");
				if(_t111 < 0) {
					_push(0x100);
					_push(0x42ac60);
					_push(_t215);
					_push(_t111);
					L00401306();
				}
				L00401300();
				if( ~(0 | _v88 != 0x00400000) != 0) {
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42afa0);
						L0040130C();
					}
					_t226 =  *0x430340; // 0x220e8b4
					_t153 =  *((intOrPtr*)( *_t226 + 0x14))(_t226,  &_v60);
					asm("fclex");
					if(_t153 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t226);
						_push(_t153);
						L00401306();
					}
					_t154 = _v60;
					_t227 = _t154;
					_t155 =  *((intOrPtr*)( *_t154 + 0xd0))(_t154,  &_v48);
					asm("fclex");
					if(_t155 < 0) {
						_push(0xd0);
						_push(0x42ac60);
						_push(_t227);
						_push(_t155);
						L00401306();
					}
					_v48 = _v48 & 0x00000000;
					L004012CA();
					L00401300();
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42afa0);
						L0040130C();
					}
					_t228 =  *0x430340; // 0x220e8b4
					_t157 =  *((intOrPtr*)( *_t228 + 0x14))(_t228,  &_v60);
					asm("fclex");
					if(_t157 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t228);
						_push(_t157);
						L00401306();
					}
					_t158 = _v60;
					_t229 = _t158;
					_t159 =  *((intOrPtr*)( *_t158 + 0x58))(_t158,  &_v48);
					asm("fclex");
					if(_t159 < 0) {
						_push(0x58);
						_push(0x42ac60);
						_push(_t229);
						_push(_t159);
						L00401306();
					}
					_v48 = _v48 & 0x00000000;
					L004012CA();
					L00401300();
					if( *0x430340 == 0) {
						_push(0x430340);
						_push(0x42afa0);
						L0040130C();
					}
					_t230 =  *0x430340; // 0x220e8b4
					L00401246();
					_t160 =  &_v60;
					L00401312();
					_t161 =  *((intOrPtr*)( *_t230 + 0x40))(_t230, _t160, _t160, _t159, _v32, 0x42b35c, L"erantissen");
					asm("fclex");
					if(_t161 < 0) {
						_push(0x40);
						_push(_t210);
						_push(_t230);
						_push(_t161);
						L00401306();
					}
					L00401300();
					_t163 = 0x430340;
				}
				_t115 =  *0x430010; // 0x4afc90
				if(_t115 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t115 =  *0x430010; // 0x4afc90
				}
				_t117 =  &_v60;
				L00401312();
				_t217 = _t117;
				_t119 =  *((intOrPtr*)( *_t217 + 0x158))(_t217,  &_v48, _t117,  *((intOrPtr*)( *_t115 + 0x32c))(_t115));
				asm("fclex");
				if(_t119 < 0) {
					_push(0x158);
					_push(0x42b110);
					_push(_t217);
					_push(_t119);
					L00401306();
				}
				_push(0);
				_push(_v48);
				_t120 =  &_v56;
				_push(_t120);
				L004012FA();
				_push(_t120);
				_push(L"Belj");
				_t121 =  &_v52;
				_push(_t121);
				L004012FA();
				_push(_t121);
				E0042AE64();
				_v88 = _t121;
				L004012F4();
				_push( &_v56);
				_push( &_v48);
				_push( &_v52);
				_push(3);
				L004012EE();
				L00401300();
				if( ~(0 | _v88 == 0x00000379) != 0) {
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42afa0);
						L0040130C();
					}
					_t220 =  *0x430340; // 0x220e8b4
					_t135 =  *((intOrPtr*)( *_t220 + 0x14))(_t220,  &_v60);
					asm("fclex");
					if(_t135 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t220);
						_push(_t135);
						L00401306();
					}
					_t136 = _v60;
					_t221 = _t136;
					_t137 =  *((intOrPtr*)( *_t136 + 0x138))(_t136, L"Hjerneskade2", 1);
					asm("fclex");
					if(_t137 < 0) {
						_push(0x138);
						_push(0x42ac60);
						_push(_t221);
						_push(_t137);
						L00401306();
					}
					L00401300();
					_t138 =  *0x430010; // 0x4afc90
					if(_t138 == 0) {
						_push(0x430010);
						_push(0x42a030);
						L0040130C();
						_t138 =  *0x430010; // 0x4afc90
					}
					_t140 =  &_v60;
					L00401312();
					_t222 = _t140;
					_t142 =  *((intOrPtr*)( *_t222 + 0x238))(_t222,  &_v48, _t140,  *((intOrPtr*)( *_t138 + 0x330))(_t138));
					asm("fclex");
					if(_t142 < 0) {
						_push(0x238);
						_push(0x42b110);
						_push(_t222);
						_push(_t142);
						L00401306();
					}
					if( *0x430340 == 0) {
						_push(_t163);
						_push(0x42afa0);
						L0040130C();
					}
					_t223 =  *0x430340; // 0x220e8b4
					_t144 =  *((intOrPtr*)( *_t223 + 0x14))(_t223,  &_v64);
					asm("fclex");
					if(_t144 < 0) {
						_push(0x14);
						_push(_t210);
						_push(_t223);
						_push(_t144);
						L00401306();
					}
					_t145 = _v64;
					_t224 = _t145;
					_t146 =  *((intOrPtr*)( *_t145 + 0x138))(_t145, _v48, 1);
					asm("fclex");
					if(_t146 < 0) {
						_push(0x138);
						_push(0x42ac60);
						_push(_t224);
						_push(_t146);
						L00401306();
					}
					L004012E2();
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L004012E8();
					if( *0x430340 == 0) {
						_push(0x430340);
						_push(0x42afa0);
						L0040130C();
					}
					_t225 =  *0x430340; // 0x220e8b4
					_t149 =  &_v80;
					L004012D0();
					L004012D6();
					_t150 =  &_v60;
					L004012DC();
					_t151 =  *((intOrPtr*)( *_t225 + 0xc))(_t225, _t150, _t150, _t149, _t149, _t149, _v40, L"L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172", 0);
					asm("fclex");
					if(_t151 < 0) {
						_push(0xc);
						_push(_t210);
						_push(_t225);
						_push(_t151);
						L00401306();
					}
					L00401300();
					L0040131E();
				}
				_t128 =  *0x430010; // 0x4afc90
				if(_t128 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t128 =  *0x430010; // 0x4afc90
				}
				_t130 =  &_v60;
				L00401312();
				_t219 = _t130;
				_t132 =  *((intOrPtr*)( *_t219 + 0x168))(_t219,  &_v84, _t130,  *((intOrPtr*)( *_t128 + 0x330))(_t128));
				asm("fclex");
				if(_t132 < 0) {
					_push(0x168);
					_push(0x42b110);
					_push(_t219);
					_push(_t132);
					L00401306();
				}
				_t133 = _v84;
				_v24 = _t133;
				L00401300();
				_push(0x42f1e4);
				L00401300();
				L004012E2();
				L00401300();
				L004012E2();
				return _t133;
			}

0x0042ec53
0x0042ec5e
0x0042ec5f
0x0042ec6c
0x0042ec6f
0x0042ec78
0x0042ec7e
0x0042ec81
0x0042ec84
0x0042ec87
0x0042ec8a
0x0042ec8d
0x0042ec90
0x0042ec93
0x0042ec96
0x0042ec99
0x0042ec9c
0x0042ec9f
0x0042eca2
0x0042eca7
0x0042eca9
0x0042ecaa
0x0042ecaf
0x0042ecaf
0x0042ecb4
0x0042ecc1
0x0042ecc4
0x0042ecc8
0x0042ecdb
0x0042ecca
0x0042ecca
0x0042eccc
0x0042ecd1
0x0042ecd2
0x0042ecd3
0x0042ecd4
0x0042ecd4
0x0042ece0
0x0042ecea
0x0042ecec
0x0042ecf2
0x0042ecf6
0x0042ecf8
0x0042ecfd
0x0042ed02
0x0042ed03
0x0042ed04
0x0042ed04
0x0042ed0c
0x0042ed18
0x0042ed1a
0x0042ed1b
0x0042ed20
0x0042ed20
0x0042ed25
0x0042ed32
0x0042ed35
0x0042ed39
0x0042ed3b
0x0042ed3d
0x0042ed3e
0x0042ed3f
0x0042ed40
0x0042ed40
0x0042ed45
0x0042ed4f
0x0042ed51
0x0042ed57
0x0042ed5b
0x0042ed5d
0x0042ed62
0x0042ed67
0x0042ed68
0x0042ed69
0x0042ed69
0x0042ed82
0x0042ed8a
0x0042ed97
0x0042ed99
0x0042ed9a
0x0042ed9f
0x0042ed9f
0x0042eda4
0x0042edb1
0x0042edb4
0x0042edb8
0x0042edba
0x0042edbc
0x0042edbd
0x0042edbe
0x0042edbf
0x0042edbf
0x0042edc4
0x0042edce
0x0042edd0
0x0042edd6
0x0042edda
0x0042eddc
0x0042ede1
0x0042ede6
0x0042ede7
0x0042ede8
0x0042ede8
0x0042edf0
0x0042edf7
0x0042edff
0x0042ee0b
0x0042ee0d
0x0042ee0e
0x0042ee13
0x0042ee13
0x0042ee18
0x0042ee25
0x0042ee28
0x0042ee2c
0x0042ee2e
0x0042ee30
0x0042ee31
0x0042ee32
0x0042ee33
0x0042ee33
0x0042ee38
0x0042ee42
0x0042ee44
0x0042ee47
0x0042ee4b
0x0042ee4d
0x0042ee4f
0x0042ee54
0x0042ee55
0x0042ee56
0x0042ee56
0x0042ee5e
0x0042ee65
0x0042ee6d
0x0042ee79
0x0042ee7b
0x0042ee80
0x0042ee85
0x0042ee85
0x0042ee8a
0x0042ee9f
0x0042eea5
0x0042eea9
0x0042eeb0
0x0042eeb3
0x0042eeb7
0x0042eeb9
0x0042eebb
0x0042eebc
0x0042eebd
0x0042eebe
0x0042eebe
0x0042eec6
0x0042eecb
0x0042eecb
0x0042eed0
0x0042eed7
0x0042eed9
0x0042eede
0x0042eee3
0x0042eee8
0x0042eee8
0x0042eef7
0x0042eefb
0x0042ef03
0x0042ef09
0x0042ef0f
0x0042ef13
0x0042ef15
0x0042ef1a
0x0042ef1f
0x0042ef20
0x0042ef21
0x0042ef21
0x0042ef26
0x0042ef28
0x0042ef2b
0x0042ef2e
0x0042ef2f
0x0042ef34
0x0042ef35
0x0042ef3a
0x0042ef3d
0x0042ef3e
0x0042ef43
0x0042ef44
0x0042ef49
0x0042ef4c
0x0042ef65
0x0042ef69
0x0042ef6d
0x0042ef6e
0x0042ef70
0x0042ef7b
0x0042ef83
0x0042ef90
0x0042ef92
0x0042ef93
0x0042ef98
0x0042ef98
0x0042ef9d
0x0042efaa
0x0042efad
0x0042efb1
0x0042efb3
0x0042efb5
0x0042efb6
0x0042efb7
0x0042efb8
0x0042efb8
0x0042efbd
0x0042efca
0x0042efcc
0x0042efd2
0x0042efd6
0x0042efd8
0x0042efdd
0x0042efe2
0x0042efe3
0x0042efe4
0x0042efe4
0x0042efec
0x0042eff1
0x0042eff8
0x0042effa
0x0042efff
0x0042f004
0x0042f009
0x0042f009
0x0042f018
0x0042f01c
0x0042f024
0x0042f02a
0x0042f030
0x0042f034
0x0042f036
0x0042f03b
0x0042f040
0x0042f041
0x0042f042
0x0042f042
0x0042f04e
0x0042f050
0x0042f051
0x0042f056
0x0042f056
0x0042f05b
0x0042f068
0x0042f06b
0x0042f06f
0x0042f071
0x0042f073
0x0042f074
0x0042f075
0x0042f076
0x0042f076
0x0042f07b
0x0042f085
0x0042f088
0x0042f08e
0x0042f092
0x0042f094
0x0042f099
0x0042f09e
0x0042f09f
0x0042f0a0
0x0042f0a0
0x0042f0a8
0x0042f0b0
0x0042f0b4
0x0042f0b5
0x0042f0b7
0x0042f0c6
0x0042f0c8
0x0042f0cd
0x0042f0d2
0x0042f0d2
0x0042f0d7
0x0042f0e9
0x0042f0ed
0x0042f0f6
0x0042f0fc
0x0042f100
0x0042f107
0x0042f10a
0x0042f10e
0x0042f110
0x0042f112
0x0042f113
0x0042f114
0x0042f115
0x0042f115
0x0042f11d
0x0042f125
0x0042f125
0x0042f12a
0x0042f131
0x0042f133
0x0042f138
0x0042f13d
0x0042f142
0x0042f142
0x0042f151
0x0042f155
0x0042f15d
0x0042f163
0x0042f169
0x0042f16d
0x0042f16f
0x0042f174
0x0042f179
0x0042f17a
0x0042f17b
0x0042f17b
0x0042f180
0x0042f186
0x0042f189
0x0042f18e
0x0042f1c6
0x0042f1ce
0x0042f1d6
0x0042f1de
0x0042f1e3

APIs

__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042ECAF
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042ECD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,000000C8), ref: 0042ED04
__vbaFreeObj.MSVBVM60(00000000,?,0042AC60,000000C8), ref: 0042ED0C
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042ED20
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042ED40
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000100), ref: 0042ED69
__vbaFreeObj.MSVBVM60(00000000,?,0042AC60,00000100), ref: 0042ED82
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042ED9F
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042EDBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,000000D0), ref: 0042EDE8
__vbaStrMove.MSVBVM60(00000000,?,0042AC60,000000D0), ref: 0042EDF7
__vbaFreeObj.MSVBVM60(00000000,?,0042AC60,000000D0), ref: 0042EDFF
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042EE13
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042EE33
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000058), ref: 0042EE56
__vbaStrMove.MSVBVM60(00000000,?,0042AC60,00000058), ref: 0042EE65
__vbaFreeObj.MSVBVM60(00000000,?,0042AC60,00000058), ref: 0042EE6D
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042EE85
__vbaCastObj.MSVBVM60(?,0042B35C,erantissen), ref: 0042EE9F
__vbaObjSet.MSVBVM60(?,00000000,?,0042B35C,erantissen), ref: 0042EEA9
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000040), ref: 0042EEBE
__vbaFreeObj.MSVBVM60(00000000,0220E8B4,0042B150,00000040), ref: 0042EEC6
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042EEE3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042EEFB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,00000158), ref: 0042EF21
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 0042EF2F
__vbaStrToAnsi.MSVBVM60(?,Belj,00000000,?,?,00000000), ref: 0042EF3E
__vbaSetSystemError.MSVBVM60(00000000,?,Belj,00000000,?,?,00000000), ref: 0042EF4C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Belj,00000000,?,?,00000000), ref: 0042EF70
__vbaFreeObj.MSVBVM60(00000000), ref: 0042EF7B
__vbaNew2.MSVBVM60(0042AFA0,00430340,00000000), ref: 0042EF98
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042EFB8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000138), ref: 0042EFE4
__vbaFreeObj.MSVBVM60 ref: 0042EFEC
__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042F004
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F01C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,00000238), ref: 0042F042
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042F056
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042F076
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000138), ref: 0042F0A0
__vbaFreeStr.MSVBVM60 ref: 0042F0A8
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042F0B7
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042F0D2
__vbaLateMemCallLd.MSVBVM60(?,?,L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172,00000000), ref: 0042F0ED
__vbaObjVar.MSVBVM60(00000000), ref: 0042F0F6
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0042F100
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,0000000C), ref: 0042F115
__vbaFreeObj.MSVBVM60 ref: 0042F11D
__vbaFreeVar.MSVBVM60 ref: 0042F125
__vbaNew2.MSVBVM60(0042A030,00430010,00000000), ref: 0042F13D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F155
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B110,00000168), ref: 0042F17B
__vbaFreeObj.MSVBVM60 ref: 0042F189
__vbaFreeObj.MSVBVM60(0042F1E4), ref: 0042F1C6
__vbaFreeStr.MSVBVM60(0042F1E4), ref: 0042F1CE
__vbaFreeObj.MSVBVM60(0042F1E4), ref: 0042F1D6
__vbaFreeStr.MSVBVM60(0042F1E4), ref: 0042F1DE

Strings

erantissen, xrefs: 0042EE92
L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172, xrefs: 0042F0E1
Belj, xrefs: 0042EF35
Hjerneskade2, xrefs: 0042EFC4

Memory Dump Source

Source File: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2$AnsiListMove$AddrefCallCastErrorLateSystem
String ID: Belj$Hjerneskade2$L5kppEjAHuXwB01I3FcVsAcOnr6ZrARmCtewD172$erantissen
API String ID: 2267351454-1023941644
Opcode ID: d7cda5c9697a68405b98ec6b43d85c12ee0297ad8c1d1aac00cd90d5255f5d73
Instruction ID: 12baf145fed9858e901f4cbb6b4dd91d77ce6d64713a1d57f6b44b144f068bed
Opcode Fuzzy Hash: d7cda5c9697a68405b98ec6b43d85c12ee0297ad8c1d1aac00cd90d5255f5d73
Instruction Fuzzy Hash: FFF17470A00218ABEB14EBA2EC5AFDE77BCEF54745F50052EF841B71A1DB785904CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042EA3B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0042EA3B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				void* _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				char _v56;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				void* _t30;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				intOrPtr* _t36;
				intOrPtr* _t49;
				intOrPtr* _t50;
				void* _t51;
				void* _t53;
				intOrPtr _t54;

				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				_v16 = _t54 - 0x38;
				_v12 = 0x401178;
				_v8 = 0;
				_t24 = _a4;
				 *((intOrPtr*)( *_t24 + 4))(_t24, __edi, __esi, __ebx,  *[fs:0x0], 0x4011b6, _t51);
				_t26 =  *0x430010; // 0x4afc90
				_v28 = 0;
				_v36 = 0;
				_v56 = 0;
				if(_t26 == 0) {
					_push(0x430010);
					_push(0x42a030);
					L0040130C();
					_t26 =  *0x430010; // 0x4afc90
				}
				_t28 =  &_v36;
				L00401312();
				_v44 = 0x80020004;
				_v52 = 0xa;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t36 = _t28;
				asm("movsd");
				_t30 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"UNSPROUTED", _t28,  *((intOrPtr*)( *_t26 + 0x2fc))(_t26));
				asm("fclex");
				if(_t30 < 0) {
					_push(0x1ec);
					_push(0x42b130);
					_push(_t36);
					_push(_t30);
					L00401306();
				}
				L00401300();
				if( *0x430340 == 0) {
					_push(0x430340);
					_push(0x42afa0);
					L0040130C();
				}
				_t49 =  *0x430340; // 0x220e8b4
				_t32 =  *((intOrPtr*)( *_t49 + 0x14))(_t49,  &_v36);
				asm("fclex");
				if(_t32 < 0) {
					_push(0x14);
					_push(0x42b150);
					_push(_t49);
					_push(_t32);
					L00401306();
				}
				_t33 = _v36;
				_t50 = _t33;
				_t34 =  *((intOrPtr*)( *_t33 + 0x70))(_t33,  &_v56);
				asm("fclex");
				if(_t34 < 0) {
					_push(0x70);
					_push(0x42ac60);
					_push(_t50);
					_push(_t34);
					L00401306();
				}
				L00401300();
				_v28 = 0x4a1061;
				_push(0x42eb73);
				return _t34;
			}

0x0042ea3e
0x0042ea4d
0x0042ea5a
0x0042ea5d
0x0042ea66
0x0042ea69
0x0042ea6f
0x0042ea72
0x0042ea79
0x0042ea7c
0x0042ea7f
0x0042ea82
0x0042ea84
0x0042ea89
0x0042ea8e
0x0042ea93
0x0042ea93
0x0042eaa2
0x0042eaa6
0x0042eab0
0x0042eab7
0x0042eac1
0x0042eac2
0x0042eac3
0x0042eac4
0x0042eace
0x0042eacf
0x0042ead7
0x0042ead9
0x0042eadb
0x0042eae0
0x0042eae5
0x0042eae6
0x0042eae7
0x0042eae7
0x0042eaef
0x0042eafb
0x0042eafd
0x0042eb02
0x0042eb07
0x0042eb07
0x0042eb0c
0x0042eb19
0x0042eb1c
0x0042eb20
0x0042eb22
0x0042eb24
0x0042eb29
0x0042eb2a
0x0042eb2b
0x0042eb2b
0x0042eb30
0x0042eb3a
0x0042eb3c
0x0042eb3f
0x0042eb43
0x0042eb45
0x0042eb47
0x0042eb4c
0x0042eb4d
0x0042eb4e
0x0042eb4e
0x0042eb56
0x0042eb5b
0x0042eb62
0x00000000

APIs

__vbaNew2.MSVBVM60(0042A030,00430010), ref: 0042EA8E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042EAA6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042B130,000001EC), ref: 0042EAE7
__vbaFreeObj.MSVBVM60 ref: 0042EAEF
__vbaNew2.MSVBVM60(0042AFA0,00430340), ref: 0042EB07
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,0042B150,00000014), ref: 0042EB2B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042AC60,00000070), ref: 0042EB4E
__vbaFreeObj.MSVBVM60 ref: 0042EB56

Strings

UNSPROUTED, xrefs: 0042EAC8

Memory Dump Source

Source File: 00000000.00000002.725105961.0000000000429000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.725054128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.725071696.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725085018.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.725129355.0000000000430000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.725156948.0000000000431000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_dt9XEhpeQQ.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID: UNSPROUTED
API String ID: 4261391273-2728902956
Opcode ID: 2e6359a35c09a00f56732e73a0f6d71d2a5a133a3bd548cfb176ef989db3ac36
Instruction ID: fa976339c283b99dae10e2187bc069faeaafc777618fc29d17100bc2e568e496
Opcode Fuzzy Hash: 2e6359a35c09a00f56732e73a0f6d71d2a5a133a3bd548cfb176ef989db3ac36
Instruction Fuzzy Hash: AD315670A40224ABDB14EF95DC59F9E7BB8BF08744F50016AF901B7291D7B8A5048BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report dt9XEhpeQQ

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: dt9XEhpeQQ.exe PID: 3924 Parent PID: 5716

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: dt9XEhpeQQ.exe PID: 3924 Parent PID: 5716 dt9XEhpeQQ.exeCOMMON

Execution Graph

Graph

Executed Functions

Function 0227578F, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 838memorynativeCOMMON

Control-flow Graph

Function 00401368, Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1193COMMON

Function 0227578F, Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 838
memorynativeCOMMON

Function 00401368, Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1193
COMMON

Function 0042B834, Relevance: 248.0, APIs: 136, Strings: 5, Instructions: 1279
COMMON

Function 0042E6CD, Relevance: 79.0, APIs: 42, Strings: 3, Instructions: 259
COMMON

Function 006215F3, Relevance: .0, Instructions: 17
COMMON

Function 0042AE64, Relevance: .0, Instructions: 8
COMMON

Function 0042AEB8, Relevance: .0, Instructions: 8
COMMON

Function 02272CBB, Relevance: 5.2, Strings: 3, Instructions: 1427
COMMON

Function 02278F6A, Relevance: 4.7, Strings: 3, Instructions: 980
COMMON

Function 022723A5, Relevance: 4.6, Strings: 3, Instructions: 861
COMMON

Function 02277929, Relevance: 4.5, Strings: 3, Instructions: 766
COMMON

Function 0227282E, Relevance: 3.4, Strings: 2, Instructions: 950
COMMON

Function 022741B9, Relevance: 3.2, Strings: 2, Instructions: 713
COMMON

Function 0042EC4E, Relevance: 109.0, APIs: 58, Strings: 4, Instructions: 464
COMMON

Function 0042EA3B, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100
COMMON