Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report exe.exe

Overview

General Information

Sample Name:exe.exe
Analysis ID:528196
MD5:ccdf9de19a42d303579dfcc11f846bcb
SHA1:413b2f4c1cc4f242d50bd95faa7ca85bcbcfbdef
SHA256:0a2a2c18fa708a33573b788860a4911e6d6d6fd3ddf8cacdddf4d9d100ca562d
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w7x64
  • exe.exe (PID: 2632 cmdline: "C:\Users\user\Desktop\exe.exe" MD5: CCDF9DE19A42D303579DFCC11F846BCB)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: exe.exeVirustotal: Detection: 20%Perma Link
    Source: exe.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=download
    Source: exe.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: exe.exe, 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamenaturforholdene.exe vs exe.exe
    Source: exe.exeBinary or memory string: OriginalFilenamenaturforholdene.exe vs exe.exe
    Source: C:\Users\user\Desktop\exe.exeSection loaded: sxs.dllJump to behavior
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_0040153C0_2_0040153C
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_004017780_2_00401778
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_0040172B0_2_0040172B
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002D6C380_2_002D6C38
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CD95C0_2_002CD95C
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002C14390_2_002C1439
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CE4540_2_002CE454
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002D44EE0_2_002D44EE
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CCCFE0_2_002CCCFE
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002D4CD40_2_002D4CD4
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002C11440_2_002C1144
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CD5A80_2_002CD5A8
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CD95C NtAllocateVirtualMemory,0_2_002CD95C
    Source: C:\Users\user\Desktop\exe.exeMemory allocated: 76F90000 page execute and read and writeJump to behavior
    Source: C:\Users\user\Desktop\exe.exeMemory allocated: 76E90000 page execute and read and writeJump to behavior
    Source: exe.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: C:\Users\user\Desktop\exe.exeProcess Stats: CPU usage > 98%
    Source: exe.exeVirustotal: Detection: 20%
    Source: exe.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\exe.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\exe.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\exe.exeFile created: C:\Users\user\AppData\Local\Temp\~DF56168A067CC46460.TMPJump to behavior
    Source: classification engineClassification label: mal76.troj.evad.winEXE@1/1@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_0040443B push ds; iretd 0_2_0040443C
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_00412CE9 pushfd ; iretd 0_2_00412CEF
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_004078BA push esp; ret 0_2_004078C0
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_00408951 push esi; iretd 0_2_0040895C
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_0040A585 push edi; ret 0_2_0040A587
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002C3C7D push cs; retf 0_2_002C3C7E
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002C1F2E push esi; retf 0_2_002C1F31
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002C3720 push 00E981C1h; iretd 0_2_002C3725
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002C2B1E push ecx; ret 0_2_002C2B45
    Source: C:\Users\user\Desktop\exe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\exe.exeRDTSC instruction interceptor: First address: 00000000002CCB31 second address: 00000000002CCB31 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 2948E649h 0x00000007 xor eax, EC82DA16h 0x0000000c xor eax, 4667AFFBh 0x00000011 xor eax, 83AD93A5h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB0E10DF5ADh 0x0000001e lfence 0x00000021 mov edx, A0C7F784h 0x00000026 sub edx, AABF78E8h 0x0000002c xor edx, 1F5F6D33h 0x00000032 xor edx, 96A913BBh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 test cl, 0000005Eh 0x00000047 dec ecx 0x00000048 mov dword ptr [ebp+00000215h], edx 0x0000004e mov edx, D915E9E9h 0x00000053 add edx, F5E97DD3h 0x00000059 xor edx, 8364302Bh 0x0000005f sub edx, 4D9B5797h 0x00000065 jmp 00007FB0E10DF5B5h 0x0000006a test dl, cl 0x0000006c cmp ecx, edx 0x0000006e mov edx, dword ptr [ebp+00000215h] 0x00000074 jne 00007FB0E10DF3C9h 0x0000007a mov dword ptr [ebp+000001C7h], esi 0x00000080 mov esi, ecx 0x00000082 push esi 0x00000083 mov esi, dword ptr [ebp+000001C7h] 0x00000089 call 00007FB0E10DF628h 0x0000008e call 00007FB0E10DF5CEh 0x00000093 lfence 0x00000096 mov edx, A0C7F784h 0x0000009b sub edx, AABF78E8h 0x000000a1 xor edx, 1F5F6D33h 0x000000a7 xor edx, 96A913BBh 0x000000ad mov edx, dword ptr [edx] 0x000000af lfence 0x000000b2 ret 0x000000b3 mov esi, edx 0x000000b5 pushad 0x000000b6 rdtsc
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CD230 rdtsc 0_2_002CD230

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\exe.exeProcess Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002D29ED mov eax, dword ptr fs:[00000030h]0_2_002D29ED
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002D33A4 mov eax, dword ptr fs:[00000030h]0_2_002D33A4
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CC7A0 mov eax, dword ptr fs:[00000030h]0_2_002CC7A0
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002CD230 rdtsc 0_2_002CD230
    Source: C:\Users\user\Desktop\exe.exeCode function: 0_2_002D6C38 RtlAddVectoredExceptionHandler,0_2_002D6C38
    Source: exe.exe, 00000000.00000002.936131711.00000000009A0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: exe.exe, 00000000.00000002.936131711.00000000009A0000.00000002.00020000.sdmpBinary or memory string: !Progman
    Source: exe.exe, 00000000.00000002.936131711.00000000009A0000.00000002.00020000.sdmpBinary or memory string: Program Manager<
    Source: C:\Users\user\Desktop\exe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationDLL Side-Loading1Process Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery21Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Process Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)DLL Side-Loading1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSSystem Information Discovery12Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    exe.exe21%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:528196
    Start date:24.11.2021
    Start time:20:50:07
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 19s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:exe.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of analysed new started processes analysed:3
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.troj.evad.winEXE@1/1@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 66.4% (good quality ratio 45%)
    • Quality average: 31.7%
    • Quality standard deviation: 27.8%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    C:\Users\user\AppData\Local\Temp\~DF56168A067CC46460.TMP
    Process:C:\Users\user\Desktop\exe.exe
    File Type:data
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:CE338FE6899778AACFC28414F2D9498B
    SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
    SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
    SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
    Malicious:false
    Reputation:moderate, very likely benign file
    Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.802371954737389
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:exe.exe
    File size:131072
    MD5:ccdf9de19a42d303579dfcc11f846bcb
    SHA1:413b2f4c1cc4f242d50bd95faa7ca85bcbcfbdef
    SHA256:0a2a2c18fa708a33573b788860a4911e6d6d6fd3ddf8cacdddf4d9d100ca562d
    SHA512:3cac24c5db93f786247392af6c4425bc840fa7be314699b9d06f54b266cb8f326d9ab877270d7c70f7c445daf1f84cb8ec84802e0813ea00fc9d725c5a52dfd2
    SSDEEP:768:tyJDhaJ0vn7EZR5EjsXC1M+P7p/z8oI8e0JOCKIh3yOL1Z+lrNqVGPookwXB90JM:tkD00uzM7pAygkl5ZAk174OzyfD
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...`.AS.....................0....................@........

    File Icon

    Icon Hash:981dca909cee36b0

    Static PE Info

    General

    Entrypoint:0x4013b4
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x5341DD60 [Sun Apr 6 23:04:00 2014 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:d77040f4614bccfda7b8aa2e04863738

    Entrypoint Preview

    Instruction
    push 00401FDCh
    call 00007FB0E0AD7FB5h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [edx-05h], dh
    pop edi
    xchg eax, ebp
    retf 518Bh
    dec edi
    test dword ptr [edi], ecx
    jl 00007FB0E0AD8023h
    inc edi
    lea esp, eax
    inc edx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc ecx
    add byte ptr [eax], ah
    or byte ptr [ecx+00h], al
    inc ecx
    outsb
    popad
    insb
    jne 00007FB0E0AD8035h
    imul esp, dword ptr [ecx+6Eh], 00000000h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    add eax, C835BD30h
    jnle 00007FB0E0AD7F95h
    cld
    dec edi
    mov edx, 7C5A1C50h
    xor al, bh
    inc edx
    push ecx
    add al, byte ptr [edx]
    leave
    cmp byte ptr [ecx+eax*2+3A8B53A2h], al
    and al, 84h
    enter 3A0Eh, 4Fh
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    cld
    or dword ptr [eax], eax
    add byte ptr [esi], dl
    or dword ptr [eax], eax
    add byte ptr [eax], al
    pop es
    add byte ptr [ebp+55h], cl
    dec esi
    inc esp
    inc ebp
    dec esi
    inc ebp
    add byte ptr [4C000C01h], cl
    jns 00007FB0E0AD8035h
    push 00646C6Fh

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x1d9640x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x200000xf60.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2300x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x11c.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x1ce6c0x1d000False0.35092268319data4.98845354205IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x1e0000x141c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x200000xf600x1000False0.3388671875data3.27120333743IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    CUSTOM0x20e220x13eMS Windows icon resource - 1 icon, 16x16, 16 colorsEnglishUnited States
    CUSTOM0x20ce40x13eMS Windows icon resource - 1 icon, 16x16, 16 colorsEnglishUnited States
    RT_ICON0x2043c0x8a8data
    RT_GROUP_ICON0x204280x14data
    RT_VERSION0x201700x2b8COM executable for DOSTurkmenTurkmenistan

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0442 0x04b0
    LegalCopyrightLips
    InternalNamenaturforholdene
    FileVersion1.00
    CompanyNameLips
    LegalTrademarksLips
    ProductNameLips
    ProductVersion1.00
    FileDescriptionLips
    OriginalFilenamenaturforholdene.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States
    TurkmenTurkmenistan

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    Analysis Process: exe.exe PID: 2632 Parent PID: 2680

    General

    Start time:20:50:19
    Start date:24/11/2021
    Path:C:\Users\user\Desktop\exe.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\exe.exe"
    Imagebase:0x400000
    File size:131072 bytes
    MD5 hash:CCDF9DE19A42D303579DFCC11F846BCB
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Chronological Activities

    Disassembly

    Code Analysis

    Reset < >

      Analysis Process: exe.exe PID: 2632 Parent PID: 2680 exe.exeCOMMON

      Execution Graph

      Execution Coverage:3.3%
      Dynamic/Decrypted Code Coverage:68.9%
      Signature Coverage:22.7%
      Total number of Nodes:225
      Total number of Limit Nodes:9

      Graph

      execution_graph 2986 2cf52f 2987 2cd95c 2 API calls 2986->2987 2988 2cf54e 2987->2988 2989 2d2a0c GetPEB 2988->2989 2990 2cf622 2989->2990 2991 2d2a0c GetPEB 2990->2991 2992 2cf639 2991->2992 2810 41c184 __vbaChkstk 2811 41c1d8 __vbaStrCat __vbaStrMove __vbaInStr __vbaFreeStr 2810->2811 2812 41c370 #573 __vbaStrCat __vbaVarTstNe __vbaFreeVarList 2811->2812 2813 41c23c __vbaOnError __vbaOnError 2811->2813 2814 41c405 #598 #611 __vbaStrMove #685 __vbaObjSet 2812->2814 2815 41d05d 2812->2815 2816 41c283 2813->2816 2817 41c268 __vbaNew2 2813->2817 2818 41c4c8 2814->2818 2903 41d20f 15 API calls 2815->2903 2822 41c2e4 2816->2822 2823 41c2c4 __vbaHresultCheckObj 2816->2823 2817->2816 2820 41c4f9 2818->2820 2821 41c4d9 __vbaHresultCheckObj 2818->2821 2819 41d09e 2914 41d488 __vbaChkstk 2819->2914 2824 41c500 __vbaFreeObj __vbaFreeVarList __vbaStrCopy __vbaStrToAnsi __vbaStrToAnsi 2820->2824 2821->2824 2827 41c2eb __vbaChkstk 2822->2827 2823->2827 2922 402f24 2824->2922 2825 41d0d2 2828 41d101 2825->2828 2829 41d0e1 __vbaHresultCheckObj 2825->2829 2835 41c32d 2827->2835 2830 41d108 __vbaFreeVar 2828->2830 2829->2830 2832 41d17f 11 API calls 2830->2832 2839 41c35e 2835->2839 2840 41c33e __vbaHresultCheckObj 2835->2840 2842 41c365 __vbaFreeObj 2839->2842 2840->2842 2842->2812 2904 41d40a __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaFreeStr 2903->2904 2905 41d30f #703 __vbaStrMove __vbaFreeVar 2903->2905 2904->2819 2907 41d361 2905->2907 2908 41d349 __vbaNew2 2905->2908 2909 41d3a1 2907->2909 2910 41d38a __vbaHresultCheckObj 2907->2910 2908->2907 2911 41d3c5 __vbaHresultCheckObj 2909->2911 2912 41d3dc 2909->2912 2910->2909 2913 41d3e0 __vbaStrMove __vbaFreeObj #570 2911->2913 2912->2913 2913->2904 2915 41d4c8 2914->2915 2916 41d501 2915->2916 2917 41d4e7 __vbaHresultCheckObj 2915->2917 2924 41d901 __vbaChkstk #644 2916->2924 2917->2916 2919 41d50a __vbaVarMove __vbaVarMove __vbaVarIdiv __vbaI4Var 2920 41d562 __vbaFreeVar __vbaFreeVar 2919->2920 2920->2825 2923 402f2d 2922->2923 2924->2919 3053 2c3de5 3054 2d6c33 RtlAddVectoredExceptionHandler 3053->3054 3055 2c3e14 3054->3055 3154 2cc7a0 GetPEB 2980 2cd47c 2981 2cd95c 2 API calls 2980->2981 2982 2cd49b 2981->2982 2983 2cd5a5 2982->2983 2984 2d33a4 GetPEB 2982->2984 2985 2d4334 2984->2985 3031 2c09b9 3032 2c0aa3 3031->3032 3033 2cd95c 2 API calls 3032->3033 3034 2c0abe 3033->3034 3035 2d2a0c GetPEB 3034->3035 3036 2c0ad4 3035->3036 3037 2d2a0c GetPEB 3036->3037 3038 2c0ae9 3037->3038 3041 2c0af8 3038->3041 3042 2c0bd4 3041->3042 3045 2d6c33 3042->3045 3046 2d6c38 RtlAddVectoredExceptionHandler 3045->3046 3135 2c1af4 3138 2cd31d 3135->3138 3139 2d2a0c GetPEB 3138->3139 3140 2cd32a 3139->3140 3141 2d2a0c GetPEB 3140->3141 3143 2cd93d 3140->3143 3142 2cdc30 NtAllocateVirtualMemory 3141->3142 3142->3143 2925 2d6c33 2927 2d6c38 2925->2927 2928 2d6c43 2927->2928 2929 2d79e1 RtlAddVectoredExceptionHandler 2928->2929 2930 2d79f4 2928->2930 2929->2930 2930->2930 3088 2ce232 3089 2cf6af 3088->3089 3092 2ce30f 3089->3092 3093 2d023e 3092->3093 3096 2ce317 3093->3096 3097 2cd95c 2 API calls 3096->3097 3098 2ce345 3097->3098 3099 2c4633 3100 2c464f 3099->3100 3101 2cd95c 2 API calls 3100->3101 3102 2c4676 3101->3102 3150 2c2373 3151 2c23a5 3150->3151 3152 2d2a0c GetPEB 3151->3152 3153 2c23ab 3152->3153 3155 2c0bce 3156 2c0bed 3155->3156 3157 2d6c33 RtlAddVectoredExceptionHandler 3155->3157 3157->3156 2993 2c4504 2996 2c58cd 2993->2996 2995 2c450d 2997 2d0639 2996->2997 3000 2c58d2 2997->3000 2999 2cc7b4 2999->2995 3001 2cd95c 2 API calls 3000->3001 3002 2c58fb 3001->3002 3002->2999 3003 2c1144 3004 2c114a 3003->3004 3004->3003 3013 2cccfe 3004->3013 3006 2c119c 3007 2cd95c 2 API calls 3006->3007 3008 2c12b1 3007->3008 3009 2d2a0c GetPEB 3008->3009 3010 2c12ee 3009->3010 3011 2d2a0c GetPEB 3010->3011 3012 2c1328 3011->3012 3015 2ccd03 3013->3015 3016 2cc7b4 3015->3016 3017 2cd0ca 3015->3017 3016->3006 3018 2cd0cf 3017->3018 3018->3015 3018->3017 3019 2d33a4 GetPEB 3018->3019 3020 2d4334 3019->3020 3060 2c21c5 3061 2c21ca 3060->3061 3062 2d6c33 RtlAddVectoredExceptionHandler 3061->3062 3063 2c236d 3062->3063 3158 2c47c5 3159 2c47c8 3158->3159 3160 2c47f0 3159->3160 3162 2c6d3a 3159->3162 3163 2d2a0c GetPEB 3162->3163 3164 2c6d47 3163->3164 3107 2c4681 3110 2c468d 3107->3110 3109 2c478d 3111 2ce454 3110->3111 3112 2d2a0c GetPEB 3111->3112 3113 2ce464 3112->3113 3114 2d2a0c GetPEB 3113->3114 3115 2ce47a 3114->3115 3116 2d2a0c GetPEB 3115->3116 3117 2ce493 3116->3117 3118 2d2a0c GetPEB 3117->3118 3119 2ce4af 3118->3119 3120 2d2a0c GetPEB 3119->3120 3125 2ce585 3120->3125 3121 2d2a0c 3122 2d33a4 GetPEB 3121->3122 3123 2d2b3e 3121->3123 3122->3123 3123->3109 3124 2d6c33 RtlAddVectoredExceptionHandler 3124->3125 3125->3121 3125->3124 3126 2cee74 3125->3126 3127 2d6c33 RtlAddVectoredExceptionHandler 3126->3127 3128 2cee87 3127->3128 3129 2d6c33 RtlAddVectoredExceptionHandler 3128->3129 3130 2cee98 3129->3130 3130->3109 3021 2c2543 3022 2c25bd 3021->3022 3023 2d33a4 GetPEB 3022->3023 3025 2c23ba 3022->3025 3024 2d4334 3023->3024 2797 2cd95c 2798 2cd964 2797->2798 2801 2cdebb 2798->2801 2803 2d2a0c 2798->2803 2800 2cdc30 NtAllocateVirtualMemory 2800->2801 2804 2d2b05 2803->2804 2806 2d2b3e 2804->2806 2807 2d33a4 GetPEB 2804->2807 2806->2800 2808 2d33bf 2807->2808 2808->2806 2969 2c281c 2974 2cd95c 2969->2974 2975 2cd964 2974->2975 2976 2d2a0c GetPEB 2975->2976 2978 2cdebb 2975->2978 2977 2cdc30 NtAllocateVirtualMemory 2976->2977 2977->2978 2809 4013b4 #100 3068 2c09d4 3069 2c09e1 3068->3069 3070 2c0aa1 3069->3070 3071 2c0abc 3069->3071 3073 2cd95c 2 API calls 3070->3073 3072 2d2a0c GetPEB 3071->3072 3074 2c0ad0 3072->3074 3077 2c0abe 3073->3077 3075 2c0ae9 3074->3075 3076 2d2a0c GetPEB 3074->3076 3080 2c0af8 RtlAddVectoredExceptionHandler 3075->3080 3076->3075 3078 2d2a0c GetPEB 3077->3078 3079 2c0ad4 3078->3079 3081 2d2a0c GetPEB 3079->3081 3082 2d7e8c 3080->3082 3081->3075 3083 4011ba __vbaExceptHandler 2931 41d5be __vbaChkstk __vbaObjSetAddref 2932 41d606 2931->2932 2933 41d611 __vbaHresultCheckObj 2932->2933 2934 41d628 2932->2934 2935 41d62c __vbaObjSetAddref #644 2933->2935 2934->2935 2946 41d835 __vbaChkstk 2935->2946 2938 41d835 5 API calls 2939 41d660 2938->2939 2954 41d8a7 __vbaChkstk 2939->2954 2941 41d673 __vbaChkstk __vbaChkstk 2942 41d6bf 2941->2942 2943 41d6e4 __vbaFreeObj 2942->2943 2944 41d6ca __vbaHresultCheckObj 2942->2944 2944->2943 2947 41d84b 2946->2947 2948 41d64d __vbaFreeObj 2946->2948 2956 41d73b __vbaChkstk 2947->2956 2948->2938 2951 41d73b 3 API calls 2952 41d862 2951->2952 2964 41d77b __vbaChkstk 2952->2964 2955 41d8be 2954->2955 2955->2941 2957 41d751 2956->2957 2963 41d76f 2956->2963 2965 41d875 __vbaChkstk 2957->2965 2960 41d875 __vbaChkstk 2961 41d766 2960->2961 2967 41d7a3 __vbaChkstk 2961->2967 2963->2951 2964->2948 2966 41d759 2965->2966 2966->2960 2968 41d7be 2967->2968 2968->2963

      Executed Functions

      Function 002D6C38, Relevance: 1.7, APIs: 1, Instructions: 179COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 163 2d6c38-2d6c42 164 2d6c43-2d6e35 163->164 167 2d6e3b-2d6f23 call 2d4bbc 164->167 171 2d6f29-2d6f3a 167->171 171->171 172 2d6f3c-2d71d6 171->172 176 2d71dc-2d720a 172->176 176->176 177 2d720c-2d7677 call 2d7af4 176->177 186 2d767d-2d7781 177->186 187 2d7a09-2d7a15 177->187 186->187 189 2d7787-2d787a 186->189 189->187 191 2d7880-2d7892 189->191 191->187 192 2d7898-2d78ad 191->192 192->187 193 2d78b3-2d78dc 192->193 193->187 194 2d78e2-2d79d0 193->194 194->187 196 2d79d2-2d79ef call 2d7af4 RtlAddVectoredExceptionHandler 194->196 199 2d79f4-2d79fc 196->199 199->199 200 2d79fe-2d7a04 199->200 200->187
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e2e04bd51aff37d4b4b46dfb7bf2cd4717454012b64c20bce92d096f23883177
      • Instruction ID: 90bce05c8450611a05b4ee9b2967a855cfbd56b6b80c8806d8f453046b668269
      • Opcode Fuzzy Hash: e2e04bd51aff37d4b4b46dfb7bf2cd4717454012b64c20bce92d096f23883177
      • Instruction Fuzzy Hash: B161F371628386CFDB39DE29C9987E977A2EF58300F65412BCC0A8B754E7759E508B01
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002CD95C, Relevance: 1.6, APIs: 1, Instructions: 121memorynativeCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 201 2cd95c-2cd964 203 2cd96a-2cdeb5 call 2d2a0c NtAllocateVirtualMemory 201->203 204 2cdebb-2ce22d call 2d2909 call 2cdfcc 201->204 203->204
      APIs
      • NtAllocateVirtualMemory.NTDLL ref: 002CDE9E
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 8e54b83903c1d2118eb0f83407efd9dc6e3441a35b3907ebb1b9ea3fc005dbd9
      • Instruction ID: 3f03d00f64e8da1027a226991de6b1c6b70da225254dbc735cd699e38167b179
      • Opcode Fuzzy Hash: 8e54b83903c1d2118eb0f83407efd9dc6e3441a35b3907ebb1b9ea3fc005dbd9
      • Instruction Fuzzy Hash: 1341F071A28349CFDB309F68CD45BEABBA1EF55340F15452DDC899B251C370AA94CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041C184, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 41c184-41c236 __vbaChkstk __vbaStrCat __vbaStrMove __vbaInStr __vbaFreeStr 2 41c370-41c3ff #573 __vbaStrCat __vbaVarTstNe __vbaFreeVarList 0->2 3 41c23c-41c266 __vbaOnError * 2 0->3 4 41c405-41c4d7 #598 #611 __vbaStrMove #685 __vbaObjSet 2->4 5 41d05d-41d0cc call 41d20f call 41d488 2->5 6 41c283 3->6 7 41c268-41c281 __vbaNew2 3->7 12 41c4f9 4->12 13 41c4d9-41c4f7 __vbaHresultCheckObj 4->13 17 41d0d2-41d0df 5->17 8 41c28d-41c2c2 6->8 7->8 14 41c2e4 8->14 15 41c2c4-41c2e2 __vbaHresultCheckObj 8->15 16 41c500-41c5d4 __vbaFreeObj __vbaFreeVarList __vbaStrCopy __vbaStrToAnsi * 2 call 402f24 __vbaSetSystemError __vbaFreeStrList 12->16 13->16 19 41c2eb-41c33c __vbaChkstk 14->19 15->19 25 41c78b-41c813 __vbaStrCopy __vbaStrToAnsi call 402f78 __vbaSetSystemError __vbaFreeStrList 16->25 26 41c5da-41c692 __vbaStrCat __vbaStrMove #541 __vbaStrVarMove __vbaStrMove __vbaFreeStr __vbaFreeVar #703 __vbaStrMove __vbaFreeVar 16->26 20 41d101 17->20 21 41d0e1-41d0ff __vbaHresultCheckObj 17->21 31 41c35e 19->31 32 41c33e-41c35c __vbaHresultCheckObj 19->32 22 41d108-41d1ef __vbaFreeVar __vbaRecDestructAnsi __vbaFreeStr * 7 __vbaRecDestruct __vbaFreeObj __vbaFreeStr 20->22 21->22 36 41c819-41c827 25->36 37 41ca4b-41caa0 __vbaStrToAnsi call 402fd4 __vbaSetSystemError __vbaFreeStr 25->37 29 41c694-41c6ad __vbaNew2 26->29 30 41c6af 26->30 34 41c6b9-41c6ee 29->34 30->34 35 41c365-41c36b __vbaFreeObj 31->35 32->35 44 41c710 34->44 45 41c6f0-41c70e __vbaHresultCheckObj 34->45 35->2 38 41c844 36->38 39 41c829-41c842 __vbaNew2 36->39 46 41caa6-41cab4 37->46 47 41cd2f-41cda9 __vbaRecUniToAnsi call 40304c __vbaSetSystemError __vbaRecAnsiToUni __vbaRecDestructAnsi 37->47 43 41c84e-41c883 38->43 39->43 54 41c8a5 43->54 55 41c885-41c8a3 __vbaHresultCheckObj 43->55 48 41c717-41c74c 44->48 45->48 49 41cad1 46->49 50 41cab6-41cacf __vbaNew2 46->50 47->5 61 41cdaf-41ce19 #613 __vbaStrVarMove __vbaStrMove __vbaFreeVarList 47->61 59 41c76e 48->59 60 41c74e-41c76c __vbaHresultCheckObj 48->60 53 41cadb-41cb10 49->53 50->53 67 41cb32 53->67 68 41cb12-41cb30 __vbaHresultCheckObj 53->68 58 41c8ac-41c8df 54->58 55->58 71 41c901 58->71 72 41c8e1-41c8ff __vbaHresultCheckObj 58->72 65 41c775-41c786 __vbaFreeObj 59->65 60->65 62 41ce36 61->62 63 41ce1b-41ce34 __vbaNew2 61->63 66 41ce40-41ce75 62->66 63->66 65->25 77 41ce97 66->77 78 41ce77-41ce95 __vbaHresultCheckObj 66->78 70 41cb39-41cb6f 67->70 68->70 82 41cb71-41cb92 __vbaHresultCheckObj 70->82 83 41cb94 70->83 73 41c908-41c942 __vbaStrMove __vbaFreeObj 71->73 72->73 75 41c944-41c95d __vbaNew2 73->75 76 41c95f 73->76 80 41c969-41c99e 75->80 76->80 81 41ce9e-41ced1 77->81 78->81 90 41c9c0 80->90 91 41c9a0-41c9be __vbaHresultCheckObj 80->91 92 41cef3 81->92 93 41ced3-41cef1 __vbaHresultCheckObj 81->93 84 41cb9b-41cc18 __vbaStrMove __vbaFreeObj #536 __vbaStrMove __vbaFreeVar 82->84 83->84 87 41cc35 84->87 88 41cc1a-41cc33 __vbaNew2 84->88 89 41cc3f-41cc74 87->89 88->89 99 41cc96 89->99 100 41cc76-41cc94 __vbaHresultCheckObj 89->100 94 41c9c7-41c9fd 90->94 91->94 95 41cefa-41cf25 __vbaFreeObj 92->95 93->95 104 41ca22 94->104 105 41c9ff-41ca20 __vbaHresultCheckObj 94->105 97 41cf42 95->97 98 41cf27-41cf40 __vbaNew2 95->98 102 41cf4c-41cf81 97->102 98->102 103 41cc9d-41ccda 99->103 100->103 108 41cfa3 102->108 109 41cf83-41cfa1 __vbaHresultCheckObj 102->109 112 41ccfc 103->112 113 41ccdc-41ccfa __vbaHresultCheckObj 103->113 107 41ca29-41ca46 __vbaFreeObj __vbaEnd 104->107 105->107 107->37 111 41cfaa-41d01c __vbaChkstk __vbaCastObj __vbaObjSet 108->111 109->111 116 41d03e 111->116 117 41d01e-41d03c __vbaHresultCheckObj 111->117 114 41cd03-41cd2a __vbaStrMove __vbaFreeObj 112->114 113->114 114->47 118 41d045-41d05a __vbaFreeObjList 116->118 117->118 118->5
      C-Code - Quality: 55%
      			E0041C184(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				short _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				short _v76;
				char _v136;
				intOrPtr _v140;
				void* _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				signed int _v180;
				signed int _v188;
				signed int _v196;
				char _v204;
				signed int _v212;
				char _v220;
				signed int _v228;
				char _v236;
				signed int _v244;
				signed int _v252;
				void* _v304;
				char _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				signed int _v332;
				signed int _v336;
				void* _v340;
				signed int _v344;
				char _v404;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed int _v496;
				signed int _v500;
				intOrPtr* _v504;
				signed int _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				void* _t466;
				char* _t469;
				signed int _t471;
				signed int _t475;
				signed int _t486;
				char* _t488;
				signed int _t489;
				signed int _t496;
				signed int* _t500;
				char* _t503;
				char* _t504;
				short _t511;
				char* _t513;
				signed int* _t520;
				char* _t526;
				signed int _t544;
				signed int _t549;
				signed int _t556;
				void* _t558;
				char* _t559;
				signed int _t562;
				signed int _t570;
				signed int _t575;
				signed int _t583;
				signed int _t588;
				signed int _t595;
				signed int _t600;
				signed int _t607;
				signed int _t612;
				signed int _t622;
				signed int _t627;
				signed int _t633;
				signed int _t638;
				void* _t697;
				void* _t699;
				intOrPtr _t700;

				_t700 = _t699 - 0x18;
				 *[fs:0x0] = _t700;
				L00401210();
				_v28 = _t700;
				_v24 = E00401120;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				_t466 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t697);
				_v8 = 1;
				_v8 = 2;
				_push(2);
				_push(0x403080);
				_push(0x40308c);
				L0040138A();
				L00401390();
				_push(_t466);
				_push(0x40308c);
				_push(0);
				L00401396();
				_v332 =  ~(0 | _t466 != 0x00000003);
				L00401384();
				if(_v332 != 0) {
					_v8 = 3;
					_push(0xffffffff);
					L0040137E();
					_v8 = 4;
					_push(0xffffffff);
					L0040137E();
					_v8 = 5;
					if( *0x41e5f0 != 0) {
						_v440 = 0x41e5f0;
					} else {
						_push(0x41e5f0);
						_push(0x4030b0);
						L00401378();
						_v440 = 0x41e5f0;
					}
					_v332 =  *_v440;
					_t633 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
					asm("fclex");
					_v336 = _t633;
					if(_v336 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x4030a0);
						_push(_v332);
						_push(_v336);
						L00401372();
						_v444 = _t633;
					}
					_v340 = _v168;
					_v244 = _v244 & 0x00000000;
					_v252 = 2;
					L00401210();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t638 =  *((intOrPtr*)( *_v340 + 0x2c))(_v340, 0x10);
					asm("fclex");
					_v344 = _t638;
					if(_v344 >= 0) {
						_v448 = _v448 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x4030c0);
						_push(_v340);
						_push(_v344);
						L00401372();
						_v448 = _t638;
					}
					L0040136C();
				}
				_v8 = 7;
				_v180 = 0x4b;
				_v188 = 2;
				_push( &_v188);
				_t469 =  &_v204;
				_push(_t469);
				L00401360();
				_push(0x4030d4);
				_push(0x4030dc);
				L0040138A();
				_v212 = _t469;
				_v220 = 0x8008;
				_push( &_v204);
				_t471 =  &_v220;
				_push(_t471);
				L00401366();
				_v332 = _t471;
				_push( &_v220);
				_push( &_v204);
				_push( &_v188);
				_push(3);
				L0040135A();
				_t475 = _v332;
				if(_t475 != 0) {
					_v8 = 8;
					L00401354();
					_v8 = 9;
					L0040134E();
					L00401390();
					_v8 = 0xa;
					L00401342();
					_t489 =  &_v168;
					L00401348();
					_v332 = _t489;
					_v228 = 0x80020004;
					_v236 = 0xa;
					_v212 = 0x80020004;
					_v220 = 0xa;
					_v196 = 0x80020004;
					_v204 = 0xa;
					_v180 = 0x80020004;
					_v188 = 0xa;
					_t496 =  *((intOrPtr*)( *_v332 + 0x44))(_v332, 0x291f,  &_v188,  &_v204,  &_v220,  &_v236, _t489, _t475);
					asm("fclex");
					_v336 = _t496;
					if(_v336 >= 0) {
						_v452 = _v452 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x4030e0);
						_push(_v332);
						_push(_v336);
						L00401372();
						_v452 = _t496;
					}
					L0040136C();
					_push( &_v236);
					_push( &_v220);
					_push( &_v204);
					_t500 =  &_v188;
					_push(_t500);
					_push(4);
					L0040135A();
					_v8 = 0xb;
					_v308 = 0x6317b;
					L00401336();
					_push(_t500);
					_push( &_v160);
					L0040133C();
					_push( &_v308);
					_push(0x297142);
					_push(L"ANDREWARTHA");
					_t503 =  &_v164;
					_push(_t503);
					L0040133C();
					_push(_t503);
					_t504 =  &_v160;
					_push(_t504);
					E00402F24();
					_v312 = _t504;
					L00401330();
					_v332 =  ~(0 | _v312 == 0x001b827e);
					_push( &_v164);
					_push( &_v160);
					_push( &_v156);
					_push(3);
					L0040132A();
					_t511 = _v332;
					if(_t511 != 0) {
						_v8 = 0xc;
						_push(0x403134);
						_push("4:4");
						L0040138A();
						L00401390();
						_push(_t511);
						_push( &_v188);
						L0040131E();
						_push( &_v188);
						L00401324();
						L00401390();
						L00401384();
						L00401318();
						_v8 = 0xd;
						_v180 = 1;
						_v188 = 2;
						_push(0xfffffffe);
						_push(0xfffffffe);
						_push(0xfffffffe);
						_push(0xffffffff);
						_push( &_v188);
						L00401312();
						L00401390();
						L00401318();
						_v8 = 0xe;
						_v8 = 0xf;
						if( *0x41e5f0 != 0) {
							_v456 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v456 = 0x41e5f0;
						}
						_v332 =  *_v456;
						_t622 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t622;
						if(_v336 >= 0) {
							_v460 = _v460 & 0x00000000;
						} else {
							_push(0x1c);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v460 = _t622;
						}
						_v340 = _v168;
						_t627 =  *((intOrPtr*)( *_v340 + 0x64))(_v340, 1,  &_v304);
						asm("fclex");
						_v344 = _t627;
						if(_v344 >= 0) {
							_v464 = _v464 & 0x00000000;
						} else {
							_push(0x64);
							_push(0x403148);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v464 = _t627;
						}
						_t511 = _v304;
						_v56 = _t511;
						L0040136C();
					}
					_v8 = 0x11;
					L00401336();
					_push(_t511);
					_push( &_v160);
					L0040133C();
					_t513 =  &_v160;
					_push(_t513);
					_push(0x83bcf2);
					_push(0x2ea394);
					_push(0x59ae9b);
					_push(0x4f0673);
					E00402F78();
					_v308 = _t513;
					L00401330();
					_v332 =  ~(0 | _v308 == 0x0066f1e8);
					_push( &_v160);
					_push( &_v156);
					_push(2);
					L0040132A();
					if(_v332 != 0) {
						_v8 = 0x12;
						if( *0x41e5f0 != 0) {
							_v468 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v468 = 0x41e5f0;
						}
						_v332 =  *_v468;
						_t595 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t595;
						if(_v336 >= 0) {
							_v472 = _v472 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v472 = _t595;
						}
						_v340 = _v168;
						_t600 =  *((intOrPtr*)( *_v340 + 0x60))(_v340,  &_v156);
						asm("fclex");
						_v344 = _t600;
						if(_v344 >= 0) {
							_v476 = _v476 & 0x00000000;
						} else {
							_push(0x60);
							_push(0x403170);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v476 = _t600;
						}
						_v428 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
						_v8 = 0x13;
						if( *0x41e5f0 != 0) {
							_v480 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v480 = 0x41e5f0;
						}
						_v332 =  *_v480;
						_t607 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t607;
						if(_v336 >= 0) {
							_v484 = _v484 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v484 = _t607;
						}
						_v340 = _v168;
						_t612 =  *((intOrPtr*)( *_v340 + 0x140))(_v340,  &_v304);
						asm("fclex");
						_v344 = _t612;
						if(_v344 >= 0) {
							_v488 = _v488 & 0x00000000;
						} else {
							_push(0x140);
							_push(0x403170);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v488 = _t612;
						}
						_v76 = _v304;
						L0040136C();
						_v8 = 0x14;
						L0040130C();
					}
					_v8 = 0x16;
					_push(L"Contangoes3");
					_t520 =  &_v156;
					_push(_t520);
					L0040133C();
					_push(_t520);
					E00402FD4();
					_v308 = _t520;
					L00401330();
					_v332 =  ~(0 | _v308 == 0x003c82f5);
					L00401384();
					if(_v332 != 0) {
						_v8 = 0x17;
						if( *0x41e5f0 != 0) {
							_v492 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v492 = 0x41e5f0;
						}
						_v332 =  *_v492;
						_t570 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t570;
						if(_v336 >= 0) {
							_v496 = _v496 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v496 = _t570;
						}
						_v340 = _v168;
						_t575 =  *((intOrPtr*)( *_v340 + 0x130))(_v340,  &_v156);
						asm("fclex");
						_v344 = _t575;
						if(_v344 >= 0) {
							_v500 = _v500 & 0x00000000;
						} else {
							_push(0x130);
							_push(0x403170);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v500 = _t575;
						}
						_v432 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
						_v8 = 0x18;
						_v180 = 2;
						_v188 = 2;
						_push( &_v188);
						L00401306();
						L00401390();
						L00401318();
						_v8 = 0x19;
						_v8 = 0x1a;
						if( *0x41e5f0 != 0) {
							_v504 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v504 = 0x41e5f0;
						}
						_v332 =  *_v504;
						_t583 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t583;
						if(_v336 >= 0) {
							_v508 = _v508 & 0x00000000;
						} else {
							_push(0x4c);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v508 = _t583;
						}
						_v340 = _v168;
						_t588 =  *((intOrPtr*)( *_v340 + 0x24))(_v340, L"iliau", L"Lstes8",  &_v156);
						asm("fclex");
						_v344 = _t588;
						if(_v344 >= 0) {
							_v512 = _v512 & 0x00000000;
						} else {
							_push(0x24);
							_push(0x4030c0);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v512 = _t588;
						}
						_v436 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
					}
					_v8 = 0x1c;
					_push( &_v136);
					_t526 =  &_v404;
					_push(_t526);
					_push(0x402e74);
					L00401300();
					_push(_t526);
					E0040304C();
					_v308 = _t526;
					L00401330();
					_push( &_v404);
					_push( &_v136);
					_push(0x402e74);
					L004012FA();
					_v332 =  ~(0 | _v308 == 0x0028d15d);
					_push( &_v404);
					_push(0x402e74);
					L004012F4();
					if(_v332 != 0) {
						_v8 = 0x1d;
						_v180 = 2;
						_v188 = 2;
						_push( &_v188);
						_push( &_v204);
						L004012EE();
						_push( &_v204);
						L00401324();
						L00401390();
						_push( &_v204);
						_push( &_v188);
						_push(2);
						L0040135A();
						_v8 = 0x1e;
						if( *0x41e5f0 != 0) {
							_v516 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v516 = 0x41e5f0;
						}
						_v332 =  *_v516;
						_t544 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t544;
						if(_v336 >= 0) {
							_v520 = _v520 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v520 = _t544;
						}
						_v340 = _v168;
						_t549 =  *((intOrPtr*)( *_v340 + 0x78))(_v340,  &_v304);
						asm("fclex");
						_v344 = _t549;
						if(_v344 >= 0) {
							_v524 = _v524 & 0x00000000;
						} else {
							_push(0x78);
							_push(0x403170);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v524 = _t549;
						}
						_v40 = _v304;
						L0040136C();
						_v8 = 0x1f;
						_v8 = 0x20;
						if( *0x41e5f0 != 0) {
							_v528 = 0x41e5f0;
						} else {
							_push(0x41e5f0);
							_push(0x4030b0);
							L00401378();
							_v528 = 0x41e5f0;
						}
						_v332 =  *_v528;
						_t556 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t556;
						if(_v336 >= 0) {
							_v532 = _v532 & 0x00000000;
						} else {
							_push(0x1c);
							_push(0x4030a0);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v532 = _t556;
						}
						_v340 = _v168;
						_v244 = 1;
						_v252 = 2;
						_t558 = 0x10;
						L00401210();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						L004012E8();
						_t559 =  &_v172;
						L00401348();
						_t562 =  *((intOrPtr*)( *_v340 + 0x58))(_v340, _t559, _t559, _t558, _v140, 0x4031c0);
						asm("fclex");
						_v344 = _t562;
						if(_v344 >= 0) {
							_v536 = _v536 & 0x00000000;
						} else {
							_push(0x58);
							_push(0x403148);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v536 = _t562;
						}
						_push( &_v168);
						_push( &_v172);
						_push(2);
						L004012E2();
					}
				}
				_v8 = 0x23;
				_v320 = 0x1ee95e40;
				_v316 = 0x5b03;
				 *((intOrPtr*)( *_a4 + 0x700))(_a4, L"stretchier",  &_v320, 0x2277,  &_v328);
				_v152 = _v328;
				_v148 = _v324;
				_v8 = 0x24;
				_t486 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v188);
				_v332 = _t486;
				if(_v332 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402d84);
					_push(_a4);
					_push(_v332);
					L00401372();
					_v540 = _t486;
				}
				L00401318();
				_v20 = 0;
				_push(0x41d1f0);
				_push( &_v404);
				_push(0x402e74);
				L004012F4();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				_t488 =  &_v136;
				_push(_t488);
				_push(0x402e74);
				L004012DC();
				L0040136C();
				L00401384();
				return _t488;
			}



















































































































      0x0041c187
      0x0041c196
      0x0041c1a2
      0x0041c1aa
      0x0041c1ad
      0x0041c1ba
      0x0041c1c3
      0x0041c1c6
      0x0041c1d5
      0x0041c1d8
      0x0041c1df
      0x0041c1e6
      0x0041c1e8
      0x0041c1ed
      0x0041c1f2
      0x0041c1ff
      0x0041c204
      0x0041c205
      0x0041c20a
      0x0041c20c
      0x0041c21b
      0x0041c228
      0x0041c236
      0x0041c23c
      0x0041c243
      0x0041c245
      0x0041c24a
      0x0041c251
      0x0041c253
      0x0041c258
      0x0041c266
      0x0041c283
      0x0041c268
      0x0041c268
      0x0041c26d
      0x0041c272
      0x0041c277
      0x0041c277
      0x0041c295
      0x0041c2b0
      0x0041c2b3
      0x0041c2b5
      0x0041c2c2
      0x0041c2e4
      0x0041c2c4
      0x0041c2c4
      0x0041c2c6
      0x0041c2cb
      0x0041c2d1
      0x0041c2d7
      0x0041c2dc
      0x0041c2dc
      0x0041c2f1
      0x0041c2f7
      0x0041c2fe
      0x0041c30b
      0x0041c318
      0x0041c319
      0x0041c31a
      0x0041c31b
      0x0041c32a
      0x0041c32d
      0x0041c32f
      0x0041c33c
      0x0041c35e
      0x0041c33e
      0x0041c33e
      0x0041c340
      0x0041c345
      0x0041c34b
      0x0041c351
      0x0041c356
      0x0041c356
      0x0041c36b
      0x0041c36b
      0x0041c370
      0x0041c377
      0x0041c381
      0x0041c391
      0x0041c392
      0x0041c398
      0x0041c399
      0x0041c39e
      0x0041c3a3
      0x0041c3a8
      0x0041c3ad
      0x0041c3b3
      0x0041c3c3
      0x0041c3c4
      0x0041c3ca
      0x0041c3cb
      0x0041c3d0
      0x0041c3dd
      0x0041c3e4
      0x0041c3eb
      0x0041c3ec
      0x0041c3ee
      0x0041c3f6
      0x0041c3ff
      0x0041c405
      0x0041c40c
      0x0041c411
      0x0041c418
      0x0041c422
      0x0041c427
      0x0041c42e
      0x0041c434
      0x0041c43b
      0x0041c440
      0x0041c446
      0x0041c450
      0x0041c45a
      0x0041c464
      0x0041c46e
      0x0041c478
      0x0041c482
      0x0041c48c
      0x0041c4c5
      0x0041c4c8
      0x0041c4ca
      0x0041c4d7
      0x0041c4f9
      0x0041c4d9
      0x0041c4d9
      0x0041c4db
      0x0041c4e0
      0x0041c4e6
      0x0041c4ec
      0x0041c4f1
      0x0041c4f1
      0x0041c506
      0x0041c511
      0x0041c518
      0x0041c51f
      0x0041c520
      0x0041c526
      0x0041c527
      0x0041c529
      0x0041c531
      0x0041c538
      0x0041c54d
      0x0041c552
      0x0041c559
      0x0041c55a
      0x0041c565
      0x0041c566
      0x0041c56b
      0x0041c570
      0x0041c576
      0x0041c577
      0x0041c57c
      0x0041c57d
      0x0041c583
      0x0041c584
      0x0041c589
      0x0041c58f
      0x0041c5a5
      0x0041c5b2
      0x0041c5b9
      0x0041c5c0
      0x0041c5c1
      0x0041c5c3
      0x0041c5cb
      0x0041c5d4
      0x0041c5da
      0x0041c5e1
      0x0041c5e6
      0x0041c5eb
      0x0041c5f8
      0x0041c5fd
      0x0041c604
      0x0041c605
      0x0041c610
      0x0041c611
      0x0041c61e
      0x0041c629
      0x0041c634
      0x0041c639
      0x0041c640
      0x0041c64a
      0x0041c654
      0x0041c656
      0x0041c658
      0x0041c65a
      0x0041c662
      0x0041c663
      0x0041c66d
      0x0041c678
      0x0041c67d
      0x0041c684
      0x0041c692
      0x0041c6af
      0x0041c694
      0x0041c694
      0x0041c699
      0x0041c69e
      0x0041c6a3
      0x0041c6a3
      0x0041c6c1
      0x0041c6dc
      0x0041c6df
      0x0041c6e1
      0x0041c6ee
      0x0041c710
      0x0041c6f0
      0x0041c6f0
      0x0041c6f2
      0x0041c6f7
      0x0041c6fd
      0x0041c703
      0x0041c708
      0x0041c708
      0x0041c71d
      0x0041c73a
      0x0041c73d
      0x0041c73f
      0x0041c74c
      0x0041c76e
      0x0041c74e
      0x0041c74e
      0x0041c750
      0x0041c755
      0x0041c75b
      0x0041c761
      0x0041c766
      0x0041c766
      0x0041c775
      0x0041c77c
      0x0041c786
      0x0041c786
      0x0041c78b
      0x0041c79d
      0x0041c7a2
      0x0041c7a9
      0x0041c7aa
      0x0041c7af
      0x0041c7b5
      0x0041c7b6
      0x0041c7bb
      0x0041c7c0
      0x0041c7c5
      0x0041c7ca
      0x0041c7cf
      0x0041c7d5
      0x0041c7eb
      0x0041c7f8
      0x0041c7ff
      0x0041c800
      0x0041c802
      0x0041c813
      0x0041c819
      0x0041c827
      0x0041c844
      0x0041c829
      0x0041c829
      0x0041c82e
      0x0041c833
      0x0041c838
      0x0041c838
      0x0041c856
      0x0041c871
      0x0041c874
      0x0041c876
      0x0041c883
      0x0041c8a5
      0x0041c885
      0x0041c885
      0x0041c887
      0x0041c88c
      0x0041c892
      0x0041c898
      0x0041c89d
      0x0041c89d
      0x0041c8b2
      0x0041c8cd
      0x0041c8d0
      0x0041c8d2
      0x0041c8df
      0x0041c901
      0x0041c8e1
      0x0041c8e1
      0x0041c8e3
      0x0041c8e8
      0x0041c8ee
      0x0041c8f4
      0x0041c8f9
      0x0041c8f9
      0x0041c90e
      0x0041c914
      0x0041c924
      0x0041c92f
      0x0041c934
      0x0041c942
      0x0041c95f
      0x0041c944
      0x0041c944
      0x0041c949
      0x0041c94e
      0x0041c953
      0x0041c953
      0x0041c971
      0x0041c98c
      0x0041c98f
      0x0041c991
      0x0041c99e
      0x0041c9c0
      0x0041c9a0
      0x0041c9a0
      0x0041c9a2
      0x0041c9a7
      0x0041c9ad
      0x0041c9b3
      0x0041c9b8
      0x0041c9b8
      0x0041c9cd
      0x0041c9e8
      0x0041c9ee
      0x0041c9f0
      0x0041c9fd
      0x0041ca22
      0x0041c9ff
      0x0041c9ff
      0x0041ca04
      0x0041ca09
      0x0041ca0f
      0x0041ca15
      0x0041ca1a
      0x0041ca1a
      0x0041ca30
      0x0041ca3a
      0x0041ca3f
      0x0041ca46
      0x0041ca46
      0x0041ca4b
      0x0041ca52
      0x0041ca57
      0x0041ca5d
      0x0041ca5e
      0x0041ca63
      0x0041ca64
      0x0041ca69
      0x0041ca6f
      0x0041ca85
      0x0041ca92
      0x0041caa0
      0x0041caa6
      0x0041cab4
      0x0041cad1
      0x0041cab6
      0x0041cab6
      0x0041cabb
      0x0041cac0
      0x0041cac5
      0x0041cac5
      0x0041cae3
      0x0041cafe
      0x0041cb01
      0x0041cb03
      0x0041cb10
      0x0041cb32
      0x0041cb12
      0x0041cb12
      0x0041cb14
      0x0041cb19
      0x0041cb1f
      0x0041cb25
      0x0041cb2a
      0x0041cb2a
      0x0041cb3f
      0x0041cb5a
      0x0041cb60
      0x0041cb62
      0x0041cb6f
      0x0041cb94
      0x0041cb71
      0x0041cb71
      0x0041cb76
      0x0041cb7b
      0x0041cb81
      0x0041cb87
      0x0041cb8c
      0x0041cb8c
      0x0041cba1
      0x0041cba7
      0x0041cbb7
      0x0041cbc2
      0x0041cbc7
      0x0041cbce
      0x0041cbd8
      0x0041cbe8
      0x0041cbe9
      0x0041cbf3
      0x0041cbfe
      0x0041cc03
      0x0041cc0a
      0x0041cc18
      0x0041cc35
      0x0041cc1a
      0x0041cc1a
      0x0041cc1f
      0x0041cc24
      0x0041cc29
      0x0041cc29
      0x0041cc47
      0x0041cc62
      0x0041cc65
      0x0041cc67
      0x0041cc74
      0x0041cc96
      0x0041cc76
      0x0041cc76
      0x0041cc78
      0x0041cc7d
      0x0041cc83
      0x0041cc89
      0x0041cc8e
      0x0041cc8e
      0x0041cca3
      0x0041ccc8
      0x0041cccb
      0x0041cccd
      0x0041ccda
      0x0041ccfc
      0x0041ccdc
      0x0041ccdc
      0x0041ccde
      0x0041cce3
      0x0041cce9
      0x0041ccef
      0x0041ccf4
      0x0041ccf4
      0x0041cd09
      0x0041cd0f
      0x0041cd1f
      0x0041cd2a
      0x0041cd2a
      0x0041cd2f
      0x0041cd3c
      0x0041cd3d
      0x0041cd43
      0x0041cd44
      0x0041cd49
      0x0041cd4e
      0x0041cd4f
      0x0041cd54
      0x0041cd5a
      0x0041cd65
      0x0041cd6c
      0x0041cd6d
      0x0041cd72
      0x0041cd88
      0x0041cd95
      0x0041cd96
      0x0041cd9b
      0x0041cda9
      0x0041cdaf
      0x0041cdb6
      0x0041cdc0
      0x0041cdd0
      0x0041cdd7
      0x0041cdd8
      0x0041cde3
      0x0041cde4
      0x0041cdee
      0x0041cdf9
      0x0041ce00
      0x0041ce01
      0x0041ce03
      0x0041ce0b
      0x0041ce19
      0x0041ce36
      0x0041ce1b
      0x0041ce1b
      0x0041ce20
      0x0041ce25
      0x0041ce2a
      0x0041ce2a
      0x0041ce48
      0x0041ce63
      0x0041ce66
      0x0041ce68
      0x0041ce75
      0x0041ce97
      0x0041ce77
      0x0041ce77
      0x0041ce79
      0x0041ce7e
      0x0041ce84
      0x0041ce8a
      0x0041ce8f
      0x0041ce8f
      0x0041cea4
      0x0041cebf
      0x0041cec2
      0x0041cec4
      0x0041ced1
      0x0041cef3
      0x0041ced3
      0x0041ced3
      0x0041ced5
      0x0041ceda
      0x0041cee0
      0x0041cee6
      0x0041ceeb
      0x0041ceeb
      0x0041cf01
      0x0041cf0b
      0x0041cf10
      0x0041cf17
      0x0041cf25
      0x0041cf42
      0x0041cf27
      0x0041cf27
      0x0041cf2c
      0x0041cf31
      0x0041cf36
      0x0041cf36
      0x0041cf54
      0x0041cf6f
      0x0041cf72
      0x0041cf74
      0x0041cf81
      0x0041cfa3
      0x0041cf83
      0x0041cf83
      0x0041cf85
      0x0041cf8a
      0x0041cf90
      0x0041cf96
      0x0041cf9b
      0x0041cf9b
      0x0041cfb0
      0x0041cfb6
      0x0041cfc0
      0x0041cfcc
      0x0041cfcd
      0x0041cfda
      0x0041cfdb
      0x0041cfdc
      0x0041cfdd
      0x0041cfe9
      0x0041cfef
      0x0041cff6
      0x0041d00a
      0x0041d00d
      0x0041d00f
      0x0041d01c
      0x0041d03e
      0x0041d01e
      0x0041d01e
      0x0041d020
      0x0041d025
      0x0041d02b
      0x0041d031
      0x0041d036
      0x0041d036
      0x0041d04b
      0x0041d052
      0x0041d053
      0x0041d055
      0x0041d05a
      0x0041cda9
      0x0041d05d
      0x0041d064
      0x0041d06e
      0x0041d098
      0x0041d0a4
      0x0041d0b0
      0x0041d0b6
      0x0041d0cc
      0x0041d0d2
      0x0041d0df
      0x0041d101
      0x0041d0e1
      0x0041d0e1
      0x0041d0e6
      0x0041d0eb
      0x0041d0ee
      0x0041d0f4
      0x0041d0f9
      0x0041d0f9
      0x0041d10e
      0x0041d113
      0x0041d11a
      0x0041d185
      0x0041d186
      0x0041d18b
      0x0041d193
      0x0041d19b
      0x0041d1a3
      0x0041d1ab
      0x0041d1b3
      0x0041d1bb
      0x0041d1c3
      0x0041d1c8
      0x0041d1ce
      0x0041d1cf
      0x0041d1d4
      0x0041d1df
      0x0041d1ea
      0x0041d1ef

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041C1A2
      • __vbaStrCat.MSVBVM60(0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C1F2
      • __vbaStrMove.MSVBVM60(0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C1FF
      • __vbaInStr.MSVBVM60(00000000,0040308C,00000000,0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C20C
      • __vbaFreeStr.MSVBVM60(00000000,0040308C,00000000,0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C228
      • __vbaOnError.MSVBVM60(000000FF,00000000,0040308C,00000000,0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C245
      • __vbaOnError.MSVBVM60(000000FF,000000FF,00000000,0040308C,00000000,0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C253
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0,000000FF,000000FF,00000000,0040308C,00000000,0040308C,00403080,00000002,?,?,?,?,00401216), ref: 0041C272
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,0000004C), ref: 0041C2D7
      • __vbaChkstk.MSVBVM60(00000000,?,004030A0,0000004C), ref: 0041C30B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030C0,0000002C), ref: 0041C351
      • __vbaFreeObj.MSVBVM60(00000000,?,004030C0,0000002C), ref: 0041C36B
      • #573.MSVBVM60(?,00000002), ref: 0041C399
      • __vbaStrCat.MSVBVM60(004030DC,004030D4,?,00000002), ref: 0041C3A8
      • __vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,004030DC,004030D4,?,00000002), ref: 0041C3CB
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,00008008,?,?,?,?,?,004030DC,004030D4,?,00000002), ref: 0041C3EE
      • #598.MSVBVM60(?,?,?,00401216), ref: 0041C40C
      • #611.MSVBVM60(?,?,?,00401216), ref: 0041C418
      • __vbaStrMove.MSVBVM60(?,?,?,00401216), ref: 0041C422
      • #685.MSVBVM60(?,?,?,00401216), ref: 0041C42E
      • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00401216), ref: 0041C43B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030E0,00000044), ref: 0041C4EC
      • __vbaFreeObj.MSVBVM60(00000000,?,004030E0,00000044), ref: 0041C506
      • __vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041C529
      • __vbaStrCopy.MSVBVM60 ref: 0041C54D
      • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041C55A
      • __vbaStrToAnsi.MSVBVM60(?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C577
      • __vbaSetSystemError.MSVBVM60(?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C58F
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041C5C3
      • __vbaStrCat.MSVBVM60(4:4,00403134,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C5EB
      • __vbaStrMove.MSVBVM60(4:4,00403134,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C5F8
      • #541.MSVBVM60(?,00000000,4:4,00403134,?,?,?,?,?,?,?,?,00000000), ref: 0041C605
      • __vbaStrVarMove.MSVBVM60(?,?,00000000,4:4,00403134,?,?,?,?,?,?,?,?,00000000), ref: 0041C611
      • __vbaStrMove.MSVBVM60(?,?,00000000,4:4,00403134,?,?,?,?,?,?,?,?,00000000), ref: 0041C61E
      • __vbaFreeStr.MSVBVM60(?,?,00000000,4:4,00403134,?,?,?,?,?,?,?,?,00000000), ref: 0041C629
      • __vbaFreeVar.MSVBVM60(?,?,00000000,4:4,00403134,?,?,?,?,?,?,?,?,00000000), ref: 0041C634
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C663
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C66D
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C678
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041C69E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,0000001C), ref: 0041C703
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403148,00000064), ref: 0041C761
      • __vbaFreeObj.MSVBVM60(00000000,?,00403148,00000064), ref: 0041C786
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C79D
      • __vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041C7AA
      • __vbaSetSystemError.MSVBVM60(004F0673,0059AE9B,002EA394,0083BCF2,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041C7D5
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041C802
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041C833
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,00000014), ref: 0041C898
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403170,00000060), ref: 0041C8F4
      • __vbaStrMove.MSVBVM60(00000000,?,00403170,00000060), ref: 0041C924
      • __vbaFreeObj.MSVBVM60(00000000,?,00403170,00000060), ref: 0041C92F
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0), ref: 0041C94E
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,00000014), ref: 0041C9B3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403170,00000140), ref: 0041CA15
      • __vbaFreeObj.MSVBVM60(00000000,?,00403170,00000140), ref: 0041CA3A
      • __vbaEnd.MSVBVM60(00000000,?,00403170,00000140), ref: 0041CA46
      • __vbaStrToAnsi.MSVBVM60(?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CA5E
      • __vbaSetSystemError.MSVBVM60(00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CA6F
      • __vbaFreeStr.MSVBVM60(00000000,00000000,Contangoes3), ref: 0041CA92
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0), ref: 0041CAC0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,00000014), ref: 0041CB25
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403170,00000130), ref: 0041CB87
      • __vbaStrMove.MSVBVM60(00000000,?,00403170,00000130), ref: 0041CBB7
      • __vbaFreeObj.MSVBVM60(00000000,?,00403170,00000130), ref: 0041CBC2
      • #536.MSVBVM60(00000002), ref: 0041CBE9
      • __vbaStrMove.MSVBVM60(00000002), ref: 0041CBF3
      • __vbaFreeVar.MSVBVM60(00000002), ref: 0041CBFE
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0,00000002), ref: 0041CC24
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,0000004C), ref: 0041CC89
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030C0,00000024), ref: 0041CCEF
      • __vbaStrMove.MSVBVM60(00000000,?,004030C0,00000024), ref: 0041CD1F
      • __vbaFreeObj.MSVBVM60(00000000,?,004030C0,00000024), ref: 0041CD2A
      • __vbaRecUniToAnsi.MSVBVM60(00402E74,?,?), ref: 0041CD49
      • __vbaSetSystemError.MSVBVM60(00000000,00402E74,?,?), ref: 0041CD5A
      • __vbaRecAnsiToUni.MSVBVM60(00402E74,?,?,00000000,00402E74,?,?), ref: 0041CD72
      • __vbaRecDestructAnsi.MSVBVM60(00402E74,?,00402E74,?,?,00000000,00402E74,?,?), ref: 0041CD9B
      • #613.MSVBVM60(?,00000002,00402E74,?,00402E74,?,?,00000000,00402E74,?,?), ref: 0041CDD8
      • __vbaStrVarMove.MSVBVM60(?,?,00000002,00402E74,?,00402E74,?,?,00000000,00402E74,?,?), ref: 0041CDE4
      • __vbaStrMove.MSVBVM60(?,?,00000002,00402E74,?,00402E74,?,?,00000000,00402E74,?,?), ref: 0041CDEE
      • __vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,00402E74,?,00402E74,?,?,00000000,00402E74,?,?), ref: 0041CE03
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0,00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041CE25
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,00000014), ref: 0041CE8A
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403170,00000078), ref: 0041CEE6
      • __vbaFreeObj.MSVBVM60(00000000,?,00403170,00000078), ref: 0041CF0B
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0), ref: 0041CF31
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,0000001C), ref: 0041CF96
      • __vbaChkstk.MSVBVM60(00000000,?,004030A0,0000001C), ref: 0041CFCD
      • __vbaCastObj.MSVBVM60(?,004031C0), ref: 0041CFE9
      • __vbaObjSet.MSVBVM60(?,00000000,?,004031C0), ref: 0041CFF6
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403148,00000058), ref: 0041D031
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D055
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D84,000006F8), ref: 0041D0F4
      • __vbaFreeVar.MSVBVM60(00000000,?,00402D84,000006F8), ref: 0041D10E
      • __vbaRecDestructAnsi.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D18B
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D193
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D19B
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D1A3
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D1AB
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D1B3
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D1BB
      • __vbaFreeStr.MSVBVM60(00402E74,?,0041D1F0), ref: 0041D1C3
      • __vbaRecDestruct.MSVBVM60(00402E74,?,00402E74,?,0041D1F0), ref: 0041D1D4
      • __vbaFreeObj.MSVBVM60(00402E74,?,00402E74,?,0041D1F0), ref: 0041D1DF
      • __vbaFreeStr.MSVBVM60(00402E74,?,00402E74,?,0041D1F0), ref: 0041D1EA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$Move$AnsiNew2$ErrorList$System$ChkstkDestruct$Copy$#536#541#573#598#611#613#685#703Cast
      • String ID: $$4:4$ANDREWARTHA$Contangoes3$Dorosoma5$K$Lstes8$iliau$stretchier$thyroidization
      • API String ID: 1936441329-1455819464
      • Opcode ID: 20eda4ca9d768e674bf7d19c4d09116672ae375d2d70da5700812740ffec2185
      • Instruction ID: 4dfe429144c3daf04acecc446606ad83ff251baa1cdd92691d80bed40e470a83
      • Opcode Fuzzy Hash: 20eda4ca9d768e674bf7d19c4d09116672ae375d2d70da5700812740ffec2185
      • Instruction Fuzzy Hash: 9E92E370940228EFDB61DF61CC45BDDB7B5BF09309F1040EAE509BA2A1DB785AC88F59
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041D20F, Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 165COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 52%
      			E0041D20F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				void* _v48;
				signed int _v52;
				char _v56;
				char _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				char* _v88;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _t74;
				signed int _t81;
				signed int _t88;
				signed int _t93;
				intOrPtr _t124;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				_push(0x70);
				L00401210();
				_v12 = _t124;
				_v8 = 0x4011d8;
				L00401336();
				_v72 = 1;
				_v80 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v80); // executed
				L00401312(); // executed
				L00401390();
				L00401318();
				_v88 = L"PRESSIE";
				_v96 = 8;
				L004012CA();
				_t74 =  &_v80;
				_push(_t74);
				L004012D0();
				L00401390();
				_push(_t74);
				_push("Str");
				_push(0x4031f4);
				L0040138A();
				L00401390();
				_push(_t74);
				_push(0x403200);
				L0040138A();
				L00401390();
				_push(_t74);
				L004012D6();
				asm("sbb eax, eax");
				_v100 =  ~( ~( ~_t74));
				_push( &_v60);
				_push( &_v56);
				_push( &_v52);
				_push(3);
				L0040132A();
				L00401318();
				_t81 = _v100;
				if(_t81 != 0) {
					_v72 = 1;
					_v80 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					L00401312();
					L00401390();
					L00401318();
					if( *0x41e5f0 != 0) {
						_v124 = 0x41e5f0;
					} else {
						_push(0x41e5f0);
						_push(0x4030b0);
						L00401378();
						_v124 = 0x41e5f0;
					}
					_v100 =  *_v124;
					_t88 =  *((intOrPtr*)( *_v100 + 0x14))(_v100,  &_v64);
					asm("fclex");
					_v104 = _t88;
					if(_v104 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4030a0);
						_push(_v100);
						_push(_v104);
						L00401372();
						_v128 = _t88;
					}
					_v108 = _v64;
					_t93 =  *((intOrPtr*)( *_v108 + 0x60))(_v108,  &_v52);
					asm("fclex");
					_v112 = _t93;
					if(_v112 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403170);
						_push(_v108);
						_push(_v112);
						L00401372();
						_v132 = _t93;
					}
					_t81 = _v52;
					_v120 = _t81;
					_v52 = _v52 & 0x00000000;
					L00401390();
					L0040136C();
					_push(0xe5);
					L004012C4();
					_v44 = _t81;
				}
				_v28 = 0x26222e40;
				_v24 = 0x5afd;
				_push(0x41d467);
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				return _t81;
			}

































      0x0041d214
      0x0041d21f
      0x0041d220
      0x0041d227
      0x0041d22a
      0x0041d232
      0x0041d235
      0x0041d242
      0x0041d247
      0x0041d24e
      0x0041d255
      0x0041d257
      0x0041d259
      0x0041d25b
      0x0041d260
      0x0041d261
      0x0041d26b
      0x0041d273
      0x0041d278
      0x0041d27f
      0x0041d28c
      0x0041d291
      0x0041d294
      0x0041d295
      0x0041d29f
      0x0041d2a4
      0x0041d2a5
      0x0041d2aa
      0x0041d2af
      0x0041d2b9
      0x0041d2be
      0x0041d2bf
      0x0041d2c4
      0x0041d2ce
      0x0041d2d3
      0x0041d2d4
      0x0041d2db
      0x0041d2e1
      0x0041d2e8
      0x0041d2ec
      0x0041d2f0
      0x0041d2f1
      0x0041d2f3
      0x0041d2fe
      0x0041d303
      0x0041d309
      0x0041d30f
      0x0041d316
      0x0041d31d
      0x0041d31f
      0x0041d321
      0x0041d323
      0x0041d328
      0x0041d329
      0x0041d333
      0x0041d33b
      0x0041d347
      0x0041d361
      0x0041d349
      0x0041d349
      0x0041d34e
      0x0041d353
      0x0041d358
      0x0041d358
      0x0041d36d
      0x0041d37c
      0x0041d37f
      0x0041d381
      0x0041d388
      0x0041d3a1
      0x0041d38a
      0x0041d38a
      0x0041d38c
      0x0041d391
      0x0041d394
      0x0041d397
      0x0041d39c
      0x0041d39c
      0x0041d3a8
      0x0041d3b7
      0x0041d3ba
      0x0041d3bc
      0x0041d3c3
      0x0041d3dc
      0x0041d3c5
      0x0041d3c5
      0x0041d3c7
      0x0041d3cc
      0x0041d3cf
      0x0041d3d2
      0x0041d3d7
      0x0041d3d7
      0x0041d3e0
      0x0041d3e3
      0x0041d3e6
      0x0041d3f0
      0x0041d3f8
      0x0041d3fd
      0x0041d402
      0x0041d407
      0x0041d407
      0x0041d40a
      0x0041d411
      0x0041d418
      0x0041d449
      0x0041d451
      0x0041d459
      0x0041d461
      0x0041d466

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D22A
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041D242
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D261
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D26B
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D273
      • __vbaVarDup.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D28C
      • #591.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D295
      • __vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D29F
      • __vbaStrCat.MSVBVM60(004031F4,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D2AF
      • __vbaStrMove.MSVBVM60(004031F4,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D2B9
      • __vbaStrCat.MSVBVM60(00403200,00000000,004031F4,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D2C4
      • __vbaStrMove.MSVBVM60(00403200,00000000,004031F4,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D2CE
      • __vbaStrCmp.MSVBVM60(00000000,00403200,00000000,004031F4,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D2D4
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,00403200,00000000,004031F4,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D2F3
      • __vbaFreeVar.MSVBVM60 ref: 0041D2FE
      • #703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D329
      • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D333
      • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D33B
      • __vbaNew2.MSVBVM60(004030B0,0041E5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D353
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004030A0,00000014,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D397
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00403170,00000060,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D3D2
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D3F0
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D3F8
      • #570.MSVBVM60(000000E5,?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D402
      • __vbaFreeStr.MSVBVM60(0041D467,?,?,?,00401216), ref: 0041D449
      • __vbaFreeStr.MSVBVM60(0041D467,?,?,?,00401216), ref: 0041D451
      • __vbaFreeStr.MSVBVM60(0041D467,?,?,?,00401216), ref: 0041D459
      • __vbaFreeStr.MSVBVM60(0041D467,?,?,?,00401216), ref: 0041D461
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID: __vba$Free$Move$#703CheckHresult$#570#591ChkstkCopyListNew2
      • String ID: @."&$PRESSIE$Str
      • API String ID: 4270550733-397218167
      • Opcode ID: 31079f61bf4015215de2d8a5f3c712ede0cf30d2fe136c634844f519035aa5d3
      • Instruction ID: 174bebe562f5073815b91b065e6bdfcc71d0d837cd534d26a21c2176c3165871
      • Opcode Fuzzy Hash: 31079f61bf4015215de2d8a5f3c712ede0cf30d2fe136c634844f519035aa5d3
      • Instruction Fuzzy Hash: DA61EC71D0021DABDB04EFE5C845ADDBBB9BF04318F20422AF825B75E1DB785945CB58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041D5BE, Relevance: 15.1, APIs: 10, Instructions: 102COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 54%
      			E0041D5BE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401210();
				_v12 = _t76;
				_v8 = 0x4011f8;
				L004012AC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x402d54);
					_push(_a4);
					_push(_v76);
					L00401372();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004012AC();
				L004012A6();
				_v28 = E0041D835( &_v36);
				L0040136C();
				_v32 = E0041D835(_v28) + 0x2b0;
				E0041D8A7(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x402d54);
					_push(_a4);
					_push(_v76);
					L00401372();
					_v88 = _t62;
				}
				_push(0x41d701);
				L0040136C();
				return _t62;
			}






















      0x0041d5be
      0x0041d5cf
      0x0041d5d9
      0x0041d5e1
      0x0041d5e4
      0x0041d5f2
      0x0041d603
      0x0041d606
      0x0041d608
      0x0041d60f
      0x0041d628
      0x0041d611
      0x0041d611
      0x0041d613
      0x0041d618
      0x0041d61b
      0x0041d61e
      0x0041d623
      0x0041d623
      0x0041d62f
      0x0041d639
      0x0041d642
      0x0041d64d
      0x0041d653
      0x0041d665
      0x0041d66e
      0x0041d673
      0x0041d67a
      0x0041d681
      0x0041d688
      0x0041d692
      0x0041d69c
      0x0041d69d
      0x0041d69e
      0x0041d69f
      0x0041d6a3
      0x0041d6ad
      0x0041d6ae
      0x0041d6af
      0x0041d6b0
      0x0041d6b9
      0x0041d6bf
      0x0041d6c1
      0x0041d6c8
      0x0041d6e4
      0x0041d6ca
      0x0041d6ca
      0x0041d6cf
      0x0041d6d4
      0x0041d6d7
      0x0041d6da
      0x0041d6df
      0x0041d6df
      0x0041d6e8
      0x0041d6fb
      0x0041d700

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D5D9
      • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401216), ref: 0041D5F2
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,00000058), ref: 0041D61E
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 0041D639
      • #644.MSVBVM60(?,?,?), ref: 0041D642
      • __vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0041D653
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041D692
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041D6A3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402D54,000002B0), ref: 0041D6DA
      • __vbaFreeObj.MSVBVM60(0041D701), ref: 0041D6FB
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
      • String ID:
      • API String ID: 1032928638-0
      • Opcode ID: 8bf7ed1c93fb7dc912cb578d0caf1e043f2a9cc69d01ec9760b1f593e8d2bcff
      • Instruction ID: 05429914a0843c3d5482b55551c3f6d7ec9a339b5923bb53a50af4017060b57a
      • Opcode Fuzzy Hash: 8bf7ed1c93fb7dc912cb578d0caf1e043f2a9cc69d01ec9760b1f593e8d2bcff
      • Instruction Fuzzy Hash: BF41E5B1D40608AFDF01EFA1C846BDEBBB5BF05344F10442AF505BA1A1C7B999869B58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041D488, Relevance: 12.1, APIs: 8, Instructions: 70COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 77%
      			E0041D488(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				signed int _v108;
				signed int _v120;
				signed int _t42;
				char* _t46;
				void* _t49;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401210();
				_v16 = _t62;
				_v12 = 0x4011e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x401216, _t59);
				 *_a8 =  *_a8 & 0x00000000;
				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v108 = _t42;
				if(_v108 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402d54);
					_push(_a4);
					_push(_v108);
					L00401372();
					_v120 = _t42;
				}
				E0041D901();
				_v96 = 2;
				_v104 = 2;
				L004012BE();
				_v96 = 0x806d5e;
				_v104 = 3;
				L004012BE();
				_t46 =  &_v88;
				L004012B2();
				L004012B8();
				_t49 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
				_push(0x41d595);
				L00401318();
				L00401318();
				return _t49;
			}



















      0x0041d48b
      0x0041d49a
      0x0041d4a4
      0x0041d4ac
      0x0041d4af
      0x0041d4b6
      0x0041d4c5
      0x0041d4cb
      0x0041d4d6
      0x0041d4dc
      0x0041d4de
      0x0041d4e5
      0x0041d501
      0x0041d4e7
      0x0041d4e7
      0x0041d4ec
      0x0041d4f1
      0x0041d4f4
      0x0041d4f7
      0x0041d4fc
      0x0041d4fc
      0x0041d505
      0x0041d50a
      0x0041d511
      0x0041d51e
      0x0041d523
      0x0041d52a
      0x0041d537
      0x0041d544
      0x0041d548
      0x0041d54e
      0x0041d55c
      0x0041d562
      0x0041d587
      0x0041d58f
      0x0041d594

      APIs
      • __vbaChkstk.MSVBVM60(?,00401216), ref: 0041D4A4
      • __vbaHresultCheckObj.MSVBVM60(00000000,004011E8,00402D54,000002B4), ref: 0041D4F7
      • __vbaVarMove.MSVBVM60(00000000,004011E8,00402D54,000002B4), ref: 0041D51E
      • __vbaVarMove.MSVBVM60(00000000,004011E8,00402D54,000002B4), ref: 0041D537
      • __vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D548
      • __vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D54E
      • __vbaFreeVar.MSVBVM60(0041D595), ref: 0041D587
      • __vbaFreeVar.MSVBVM60(0041D595), ref: 0041D58F
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID: __vba$FreeMove$CheckChkstkHresultIdiv
      • String ID:
      • API String ID: 3577542843-0
      • Opcode ID: b3e1631d3e0ebe264962ada8147f2da585c6417ec3ebcc8b284588f59adef4d4
      • Instruction ID: 2e51fb0c2936344b9ed8bc562f9466a08e9a82987e989c5b27ba8faeabe23737
      • Opcode Fuzzy Hash: b3e1631d3e0ebe264962ada8147f2da585c6417ec3ebcc8b284588f59adef4d4
      • Instruction Fuzzy Hash: 4031E6B1900208AFDB00EFD5C989FCDBBB9AF04708F10416AF409BB1A1D779AA45CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004013B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 162 4013b4-4013d4 #100
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: 9a94b7ceb17355202ee0080735b4014a8cd5960355a55b26ca1fcab50f2c8bee
      • Instruction ID: fdfc0dbbd0d4cc89e751fe15d97570a08a5a295c5dd9cbc402434296dcb3d277
      • Opcode Fuzzy Hash: 9a94b7ceb17355202ee0080735b4014a8cd5960355a55b26ca1fcab50f2c8bee
      • Instruction Fuzzy Hash: F1D0AE1564E3D20ED303537558254097F741A5362030B41EBD481DE5E3C59C488AC337
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Function 002D44EE, Relevance: 2.5, Strings: 2, Instructions: 48COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 320 2d44ee-2d45d3 322 2d45d9-2d4614 320->322 322->322 323 2d4616-2d475f 322->323
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: =Y8x$QD
      • API String ID: 0-1236460104
      • Opcode ID: 006ac7973b9b4d18a6c69f1b27ec12efb71e821ff6a43caee66d6d6ac4706bb8
      • Instruction ID: d17da82f880b327f4a7bdf4275b6c524b3c92eb81457b85ea0bec85c0363acc7
      • Opcode Fuzzy Hash: 006ac7973b9b4d18a6c69f1b27ec12efb71e821ff6a43caee66d6d6ac4706bb8
      • Instruction Fuzzy Hash: BC11C172414299CFDF75AE34C9657EE37A0AF51314F01002EDC968B210C7308B61CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002CE454, Relevance: 1.5, Strings: 1, Instructions: 281COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 335 2ce454-2ce594 call 2d2a0c * 5 347 2ce59a-2ce723 call 2d6c33 335->347 351 2ce729-2ce841 347->351 352 2cef67-2cefc2 call 2d6c33 * 3 347->352 356 2d2a0c-2d2b32 351->356 357 2ce847-2ce953 call 2d6c33 351->357 352->347 362 2d2b4b-2d2b5f call 2d2b68 356->362 363 2d2b34-2d2b48 call 2d33a4 call 2d2b68 356->363 357->352 368 2ce959-2ceae0 call 2d6c33 357->368 363->362 368->352 379 2ceae6-2cebfe 368->379 381 2cec08-2ced29 379->381 383 2ced2b 381->383 384 2ced31-2cee52 call 2d6c33 381->384 383->384 384->352 388 2cee58-2cee60 384->388 389 2cee74-2ceea1 call 2d6c33 * 2 388->389 390 2cee62-2cee6f 388->390 390->381
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: +
      • API String ID: 0-2126386893
      • Opcode ID: 5146a8630a9106faad7d38019c938500a8c5ec0788c76053d6894350e2b1a5db
      • Instruction ID: 42af59ad5ef694cf9b8e3fc1caf3a9bafc6ca8e82eab6187ddb1b72389bc6aae
      • Opcode Fuzzy Hash: 5146a8630a9106faad7d38019c938500a8c5ec0788c76053d6894350e2b1a5db
      • Instruction Fuzzy Hash: C9C1DC7021438A8FCF34AF64CD95BEE37A6BF49380F55452AED8E9B251D7304A51CB12
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002CCCFE, Relevance: 1.3, Strings: 1, Instructions: 99COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: `
      • API String ID: 0-1850852036
      • Opcode ID: a0fe593532492f2283c5746074678ddfa3f09c2dd888ae9fd3b77c6e220c2dff
      • Instruction ID: 2c62cbd0dcf81712d373b25448b4e7d08e3c5f44a2e471e9b808c67b36107083
      • Opcode Fuzzy Hash: a0fe593532492f2283c5746074678ddfa3f09c2dd888ae9fd3b77c6e220c2dff
      • Instruction Fuzzy Hash: 8531257262834DDFDB38CE69ACA57EF36A2AF59350F60422ECC4F8B285E77055548A01
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002C1439, Relevance: 1.3, Strings: 1, Instructions: 88COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: i3L
      • API String ID: 0-1683457265
      • Opcode ID: 1ab117f5ff390f1676bf9af7e985522aa97b73499b9fb13002da8ecccc464003
      • Instruction ID: b4a5ebe98ca72b10ac091d0c31710faa9144a04b95b8961cb52e99cd40a0bb1d
      • Opcode Fuzzy Hash: 1ab117f5ff390f1676bf9af7e985522aa97b73499b9fb13002da8ecccc464003
      • Instruction Fuzzy Hash: 8721CAB15682199FC32C9FB4DC536F67FA0EF55710F148E1DD6AB89AD2CA3014118B82
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002C1144, Relevance: .2, Instructions: 219COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 8db5219e1cb4da8ccb71c2b8773f3e758bc9b21e029341e956b73f7c1e60749d
      • Instruction ID: 9e303111316fdb112553d13f959d0de4c51601186c0713f69ba96612c085d04e
      • Opcode Fuzzy Hash: 8db5219e1cb4da8ccb71c2b8773f3e758bc9b21e029341e956b73f7c1e60749d
      • Instruction Fuzzy Hash: 9F619873A291A08FC3118F24EDC3BE93F609B77724B185758E491E6113C27CD97287A5
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0040153C, Relevance: .2, Instructions: 153COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
      • Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
      • Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
      • Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002CD5A8, Relevance: .1, Instructions: 87COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b81ea34c76e84b11128b09bb461c246a6d8178aa614894f9b91ca3846cd081b0
      • Instruction ID: bef3b69bb9daaf6ada2173f40c2b61c300ab3dc17caf76c84dcf190f8cb998db
      • Opcode Fuzzy Hash: b81ea34c76e84b11128b09bb461c246a6d8178aa614894f9b91ca3846cd081b0
      • Instruction Fuzzy Hash: E13143325183499FCB388E3899D97DBB7B2EF59740F92821ECC8E8B611C3700A45CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002D4CD4, Relevance: .1, Instructions: 78COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b61dfa4005e8906262251f50c74a44a9497d589de73d61e466f88ce09d01448e
      • Instruction ID: be144a03e75c8356229949b4631154b2403cd78cbf10bda1ce43e0adba21b196
      • Opcode Fuzzy Hash: b61dfa4005e8906262251f50c74a44a9497d589de73d61e466f88ce09d01448e
      • Instruction Fuzzy Hash: 5921B33176538A8FCB20AE68C8D07DA6391AB7A310F59416BDD5ACB301F2709C669B52
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00401778, Relevance: .1, Instructions: 59COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
      • Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
      • Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
      • Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002D33A4, Relevance: .0, Instructions: 39COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ec5ba7d68d8f856c62095abbf95bcd20517bd79a45a35348cfaeb0a3271af1e9
      • Instruction ID: 15c2ab469f13fab179c013848b12d709451d7b09154e52de36958428d4c994ab
      • Opcode Fuzzy Hash: ec5ba7d68d8f856c62095abbf95bcd20517bd79a45a35348cfaeb0a3271af1e9
      • Instruction Fuzzy Hash: 65111775628389DFCB78DF18C984BDA77A0BB58310F5440AADC0ACB350C370EE50DA51
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0040172B, Relevance: .0, Instructions: 35COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935842509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.935839388.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.935853184.000000000041E000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.935857300.0000000000420000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_exe.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
      • Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
      • Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
      • Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002CC7A0, Relevance: .0, Instructions: 7COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2ef75211a101d6e96d2a2c03f21042291f99a774924905786315243bb8994cc0
      • Instruction ID: e2907e0260287d47dbd7bda134550ca8282b32ccca83665195093c326f34a2ec
      • Opcode Fuzzy Hash: 2ef75211a101d6e96d2a2c03f21042291f99a774924905786315243bb8994cc0
      • Instruction Fuzzy Hash: 26B092BB2425808FEF12CB08C481B8073A0FB15688B0804D0E402CB752C224E900CA00
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002CD230, Relevance: .0, Instructions: 6COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
      • Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
      • Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      Function 002D29ED, Relevance: .0, Instructions: 5COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.935818125.00000000002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2c0000_exe.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d0f27454b22165ac988221332097ecea58b2998f3ec01ca057d83040b988d053
      • Instruction ID: ec2197b102b1d31fc2a6f84c64b10eb6944caec8e64fce4ee92dd3ba31397747
      • Opcode Fuzzy Hash: d0f27454b22165ac988221332097ecea58b2998f3ec01ca057d83040b988d053
      • Instruction Fuzzy Hash: 7CB092302115408FCA41CA08C180E4073A0B704600B810480E4018BA51C224E801CA00
      Uniqueness

      Uniqueness Score: -1.00%